Can you achieve encrypted bi-directional communication using WCF when the client can be behind a proxy,a firewall or a NAT?

Question

I have a client and a server both written in .net 3.5 so I've got no interoperability issues.

The server is fully accessible on port 443 (I'm hosting it so I can open other ports if needed)

The client is however less accessible. It's often behind a corporate firewall, or behind a NAT, or uses an http/https proxy to connect to the internet.

I need to establish an encrypted bi-directionnal communication between the client and the server.

The two bidirectional channels provided in WCF don't seem to do the trick :

NetTcpBinding doesn't seem to support http proxies (source)
WSDualHttpBinding requires that the client has a public URI that provides a callback endpoint for the service, which is unfortunately not the case here (source)

Can WCF establish this kind of encrypted bi-directional connection (silently using https tunelling if needed), without tuning the firewall/proxy settings on the client side ?

What exactly do you mean with "bi-directional" communication? Should the server be able to send an unsollicited request to the client, or just a "synchronous" response? — Arnout, Dec 18 '08 at 14:06
Unsollicited. In other words, the server should be able to invoke a callback method on the client. This is possible to fake using synchronous responses (it's called polling), but this has some obvious downsides (latency, performance) — Brann, Dec 18 '08 at 14:52
I can't imagine that a typical firewall will support the unsollicited scenario... I think that faking it (i.e. have connections always be initiated by the client) is your best bet. — Arnout, Dec 18 '08 at 15:18
This scenario works well with a firewall using NetTcpBinding. The client initiates the connection (so it's ok for the firewall), and the connection is kept alive. Then, anything can transit on it in both directions. The problem is that NetTcpBinding doesn't seems to work when a proxy is involved. — Brann, Dec 18 '08 at 15:41

score 1 · Answer 1 · answered Dec 18 '08 at 15:30

1

You are looking for a technology called Comet. Wikipedia entry If you Google "comet wcf" you'll find articles that should point you in the right direction.

answered Dec 18 '08 at 15:30

Joel Lucsy

8,520
1
29
35

Indeed, what i'm looking for is a working WCF implementation of Comet. The existing ones (NetTcpBinding and WSDualHttpBinding) doesn't work in some proxy/firewall scenarii. I googled "comet wcf" but only found people seeking such an implementation, or trying to build one. – Brann Dec 18 '08 at 15:55
1

Hmm, sorry, you're right. How about this link? http://www.codeproject.com/KB/WCF/WCFFormHosting.aspx?fid=1532167&df=90&mpp=25&noise=3&sort=Position&view=Quick – Joel Lucsy Dec 18 '08 at 18:47
This link describes what the NetTcpBinding does (it's indeed fine for bidirectionnal communication, as mentionned in my initial post). However this channel doesn't seem to work well with proxies. – Brann Dec 19 '08 at 09:26

score 0 · Answer 2 · answered Dec 18 '08 at 12:38

0

Yes. You can use WSDualHttpBinding or NetTcpBinding.

answered Dec 18 '08 at 12:38

WSDualHttpBinding won't work with a firewall, and NetTcpBinding won't work with a proxy. I edited the initial question to provide more details on those issues. – Brann Dec 18 '08 at 14:53

score 0 · Answer 3 · answered Dec 18 '08 at 14:08

0

A reasonable firewall should allow this kind of behaviour. Since communication is initiated by the client, a stateful firewall will allow the communications channel to remain open, but only between the two well-known endpoints.

answered Dec 18 '08 at 14:08

ZombieSheep

29,603
12
67
114

Brann · Answer 4 · 2009-03-12T15:45:15.753

I found some interesting information here

Basically, one can edit the app.config file like this :

<system.net>
   <defaultProxy useDefaultCredentials="true">
      <proxy bypassonlocal="False" proxyaddress="http://gateway:8080" />
   </defaultProxy>
</system.net>

I'm not sure it works for NetTcpBinding, although the article claims it works for custom bindings. I'll give it a try and let you know what happend.

UPDATE : it doesn't work (the defaultproxy configuration works only for http and https requests)

score 0 · Answer 5 · edited May 23 '17 at 10:27

0

According to this answer I got for a similar question, .NET v4 does work through a NAT with the WSDualHttpBinding class. Your question was asked a couple of years ago, so that wasn't an option for you then...

edited May 23 '17 at 10:27

Community

1
1

answered Dec 24 '10 at 12:24

Shaul Behr

36,951
69
249
387

joshperry · Answer 6 · 2009-04-17T19:17:48.493

I have a similar need, and I saw this article about the Comet-esque feature that they've provided for Silverlight 2 over WCF: Silverlight Polling Duplex.

I haven't tried it yet but I'm thinking that the assembly built against the desktop runtime may include the client classes as well, if that's the case then this may be usable outside of Silverlight.

Edit: I checked both assemblies and they both implement the same Bindings and Channels, it looks like the same code just built against the desktop framework; so you should be able to use the "Server" assembly in a desktop application.

Can you achieve encrypted bi-directional communication using WCF when the client can be behind a proxy,a firewall or a NAT?

6 Answers6