Configuring WCF for NATs and Firewalls
This article is now a part of the Windows SDK.
I've been providing the contents for this article in bits and pieces but now the whole thing is assembled together. If you've been wondering how to make your WCF application safer for NATs and firewalls, this should help you out.
Working with NATs and Firewalls
The client and server side of a network connection frequently do not have a direct and open path for communication. Packets are filtered, routed, analyzed, and transformed both on the endpoint machines and by intermediate machines on the network. Network Address Translators (NATs) and firewalls are common examples of intermediate applications that can participate network communication.
Windows Communication Foundation (WCF) transports and message exchange patterns react differently to the presence of NATs and firewalls. This document describes how NATs and firewalls function in common network topologies. Recommendations for specific combinations of WCF transports and message exchange patterns are given that help make your applications more robust to NATs and firewalls on the network.
How NATs Affect Communication
Network address translation was created to enable several machines to share a single external IP address. A port-remapping NAT maps an internal IP address and port for a connection to an external IP address with a new port number. The new port number allows the NAT to correlate return traffic with the original communication. Many home users now have an IP address that is only privately routable and rely on a NAT to provide global routing of packets.
A NAT does not provide a security boundary. However, common NAT configurations prevent the internal machines from being directly addressed. This both protects the internal machines from some unwanted connections and makes it difficult to write server applications that need to asynchronously send data back to the client. The NAT rewrites the addresses in packets to make it seem like connections are originating at the NAT machine. This causes the server to fail when it attempts to open a connection back to the client. If the server uses the client's perceived address, it will fail because the client address is not publicly routable. If the server uses the NAT's address, it will fail to connect because no application is listening on that machine.
Some NATs support the configuration of forwarding rules to allow external machines to connect to a particular internal machine. The instructions for configuring forwarding rules varies between different NATs and asking end users to change their NAT configuration is not recommended for most applications. Many end users either cannot or do not want to change their NAT configuration for a particular application.
How Firewalls Affect Communication
A firewall is a software or hardware device that applies rules to the traffic passing through to decide whether to allow or deny passage. Firewalls can be configured to examine incoming, outgoing, or both streams of traffic. The firewall provides a security boundary for the network at either the edge of the network or on the endpoint host. Business users have traditionally kept their servers behind a firewall to prevent malicious attacks. Since the introduction of the personal firewall in Windows XP Service Pack 2, the number of home users behind a firewall has greatly increased as well. This makes it very likely that one or both ends of a connection will have a firewall examining packets.
Firewalls vary greatly in terms of their complexity and capability for examining packets. Simple firewalls apply rules based on the source and destination addresses and ports in packets. Intelligent firewalls can also examine the contents of packets to make decisions. These firewalls come in many different configuration and are often used for specialized applications.
A common configuration for a home user firewall is to prohibit incoming connections unless an outgoing connection was made to that machine previously. A common configuration for a business user firewall is to prohibit incoming connections on all ports except a group specifically identified. An example is a firewall that prohibits connections on all ports except for ports 80 and 443 to provide HTTP and HTTPS service. Managed firewalls exist for both home and business users that permit a trusted user or process on the machine to change the firewall configuration. Managed firewalls are more common for home users where there is not a corporate policy controlling network usage.
Using Teredo
Teredo is an IPv6 transition technology that enables the direct addressability of machines behind a NAT. Teredo relies on the use of a public and globally routable server to advertise potential connections. The Teredo server gives the application client and server a common meeting point at which they can exchange connection information. The machines then request a temporary Teredo address and packets are tunneled through the existing network. Teredo support in WCF requires enabling IPv6 and Teredo support in the operating system. Teredo is supported by Windows XP and later operating system. Windows Vista and later operating systems support IPv6 by default and only require the user to enable Teredo. Windows XP SP2 and Windows Server 2003 require the user to enable both IPv6 and Teredo. See the Teredo Overview for Microsoft Windows for more information.
Choosing a Transport and Message Exchange Pattern
Selecting a transport and message exchange pattern is a three-step process.
1. Analyze the addressability of the endpoint machines. Enterprise servers commonly have direct addressability while end users commonly have their addressability blocked by NATs. If both endpoints are behind a NAT, such as in peer-to-peer scenarios between end users, then a technology like Teredo may be required to provide addressability.
2. Analyze the protocol and port restrictions of the endpoint machines. Enterprise servers are typically behind strong firewalls that block many ports. However, port 80 is frequently open to permit HTTP traffic and port 443 is open to permit HTTPS traffic. End users are less likely to have port restrictions but may be behind a firewall that only permits outgoing connections. Some firewalls permit management by applications on the endpoint to selectively open connections.
3. Compute the transports and message exchange patterns that are permitted by the addressability and port restrictions of the network.
A common topology for client-server applications is to have clients that are behind a NAT without Teredo with outbound-only firewall and a server that is directly addressable with a strong firewall. In this scenario, the TCP transport with duplex message exchange pattern and HTTP transport with request-reply message exchange pattern work well. A common topology for peer-to-peer applications is to have both endpoints behind NATs and firewalls. In this scenario, and in scenarios where the network topology is unknown, consider the following recommendations.
· Do not use dual transports. A dual transport opens more connections, which reduces the chance of connecting successfully.
· Do support establishing back-channels over the originating connection. Using back channels, such as in duplex TCP, opens fewer connections, which increases the chance of connecting successfully.
· Do employ a reachable service for either registering endpoints or relaying traffic. Using a globally reachable connection service, such as a Teredo server, greatly increases the chance of connecting successfully when the network topology is restrictive or unknown.
The following tables examine the One Way, Request-Reply, and Duplex message exchange patterns, and the standard TCP, TCP with Teredo, and standard and dual HTTP transports in WCF.
Addressability |
Server Direct |
Server Direct with NAT traversal |
Server NAT |
Server NAT with NAT traversal |
Client Direct |
Any transport and MEP |
Any transport and MEP |
Not supported |
Not supported |
Client Direct with NAT traversal |
Any transport and MEP |
Any transport and MEP |
Not supported |
TCP with Teredo and any MEP3 |
Client NAT |
Any non-dual transport and MEP1 |
Any non-dual transport and MEP1 |
Not supported |
Not supported |
Client NAT with NAT traversal |
Any non-dual transport and MEP1 |
All but dual HTTP and any MEP123 |
Not supported |
TCP with Teredo and any MEP3 |
1: Duplex MEP requires TCP transport
2: Dual TCP transport requires Teredo
3: Windows Vista has a machine-wide configuration option to support HTTP with Teredo
Firewall Restrictions |
Server Open |
Server with Managed Firewall |
Server with HTTP Only Firewall |
Server with Outbound Only Firewall |
Client Open |
Any transport and MEP |
Any transport and MEP |
Any HTTP transport and MEP |
Not supported |
Client with Managed Firewall |
Any non-dual transport and MEP1 |
Any non-dual transport and MEP1 |
Any HTTP transport and MEP |
Not supported |
Client with HTTP Only Firewall |
Any HTTP transport and MEP |
Any HTTP transport and MEP |
Any HTTP transport and MEP |
Not supported |
Client with Outbound Only Firewall |
Any non-dual transport and MEP1 |
Any non-dual transport and MEP1 |
Any HTTP transport and any non-duplex MEP |
Not supported |
1: Duplex MEP requires TCP transport
Next time: Building a Custom File Transport, Part 8: Channel Listener
Comments
Anonymous
May 01, 2006
I've gotten several questions about how transport security works. I'm putting together a list of transport...Anonymous
July 24, 2006
I still get a lot of hits for the series of documentation articles I did back in April and May. All...Anonymous
October 17, 2006
I've gotten several questions about how transport security works. I'm putting together a list of transportAnonymous
January 03, 2007
I started this blog back in February hoping to produce a daily post throughout the entire month. I had