Using DropChute Behind a Firewall
Generally, it's easier to call out from behind a firewall (sometimes called a proxy server) than it is to call in to a firewall-protected network computer. DropChute, however, makes it easy for both you and your firewall administrator while maintaining strict security measures that protect your network.
This section includes information and procedures that both users and firewall administrators need to know about using DropChute behind a firewall. The following sections provide general information and procedures for using or accessing DropChute through a firewall or proxy server:
- See How to Call Out Through a Firewall
- See How Others Call in Through Your Firewall
- See Using a Special DropChute Port
Firewall administrators should review the sections for users and the following sections, so they can assure themselves of their network integrity and security with DropChute. Once you read and understand how DropChute communicates through the firewall, you can decide how you want to configure your network. You then make setup recommendations for your users. The firewall administrator sections are:
- See Benefits of the DropChute Approach to Firewalls
- See Technical Summary for Firewall Administrators
- See Firewall Setup Options for Users
How to Call Out Through a Firewall
Whether you're planning on sending or receiving files, it's generally easier for users behind a firewall to call out than it is for outside users to call in. This section defines some general steps you and your firewall administrator can take to ensure that you can access DropChute users outside your corporate firewall.
When configuring DropChute for calling out through a firewall, there are three general categories of firewall or proxy server to consider: invisible proxy or firewall, direct connection, and modified client. Definitions for these three types are generally recognized, and your firewall administrator can tell you which type you have.
Invisible Proxy or Firewall
As its name implies, an invisible proxy server doesn't require special actions on the part of the user or application calling out. Simply enter the outside user's IP address or domain name in his/her DropChute Entry (or select When they are on the Internet, find and connect to them using address servers on the Address and Phone page of the other person's Properties notebook), and the firewall automatically intercepts the call and makes the connection for you. You and DropChute never need to know that a firewall stands between you and the outside user.
Direct Connection
With a direct connection proxy server, follow these steps to call out:
- For each DropChute Entry that is outside your firewall, enter the IP address of the proxy server instead of the IP address of the outside user.
- Once you connect to the proxy server, DropChute displays a terminal window with any prompts from the proxy server.
- You respond to prompts with the user ID and/or password your proxy server requires, and the IP address (or domain name) of the person you're calling. If the person you are calling uses a dynamic IP address, you can right-click on their entry in the phonebook or on the desktop and select Show Their IP Address to see what their IP address is at this moment.
- When the proxy server accepts your authentication responses, it makes the connection to the destination PC.
- When DropChute detects that it has a successful connection with another DropChute system, it dismisses the terminal window and begins its normal authentication process.
- Use standard DropChute techniques for initiating chat sessions, sending notes, sending files, or picking up queued files.
Modified Client
Modified client proxy servers require client applications to support entry of two destination IP addresses: one for the proxy server and one for the actual destination. At this time, DropChute doesn't directly support this type of proxy server, but there are third-party products that work with DropChute to make connections through this type of firewall.
SOCKS is one of the more common protocols used by this type of proxy server. If your proxy server, such as WinGate, is compliant with version 4 or version 5 of SOCKS, then one of the following products will "socksify" DropChute and any other internet application on your desktop to enable them to make connections through the proxy server. SocksCap is available from NEC at: http://www.socks.nec.com. AutoSOCKS is available from Aventail at http://www.aventail.com.
You can install either of these products according to documentation that comes with them and configure them to socksify dcp.exe (or dce.exe). We anticipate adding direct support for this type of proxy server in a future release. Please contact Hilgraeve Sales if you want us to notify you when this feature becomes available.
How Others Call in Through Your Firewall
DropChute has several different techniques available that may make it possible for outside users to call in through a firewall. One approach assumes that your firewall only permits outgoing DropChute calls. Other approaches assume that your firewall permits incoming DropChute access.
When Your Firewall Prohibits Inbound Calls
If your firewall prohibits inbound calls, you must specify this during installation or on the Advanced Connection Setup dialog. To access this dialog, follow these steps:
- Display the DropChute Options notebook, and select the Connection tab.
- Click the Advanced... button to display the Advanced Connection Setup dialog.
- Make sure the Wait for calls on this TCP/IP port edit field specifies the port authorized for incoming DropChute calls by your firewall administrator.
- Make sure the Firewall prohibits inbound connection radio button is selected.
- If your firewall administrator recommends a different value for Poll address server for connection requests, type the new value in the edit field or use the spin buttons to modify the current value.
- Click OK in the dialog and again in the Options notebook.
- Make sure you are waiting for calls.
You can now receive calls and files from users outside your firewall. If you're interested in a technical discussion of how this works, see How Reverse Connections Work.
Note: If both you and the other person are behind firewalls, one of you MUST have a firewall that permits inbound DropChute access.
Incoming Call Authentication
One approach to allowing outsiders access is for the firewall proxy server to require authentication steps before permitting incoming connections. With this approach, the general steps are:
- The caller either enters the IP address (or domain name) of your computer or selects When they are on the Internet, find and connect to them using address servers on the Address and Phone page of the Properties notebook of the DropChute entry that represents you.
- The caller attempts to send files, send a note, pick up queued files, or initiate a chat session.
- When the outside caller connects with the corporate proxy server, the proxy server sends an authentication message. The caller's DropChute automatically displays a terminal window with the proxy server's message.
- The caller responds to login or other authentication prompts from the proxy server.
- When the proxy server accepts the caller's authentication responses, it completes the connection to the DropChute PC inside the firewall.
- When DropChute detects that it has a successful connection with another DropChute system, it dismisses the terminal window and begins its normal authentication and connection process.
Taking Advantage of DropChute Security and Authentication
Because DropChute provides tight security and user authentication options, your firewall administrator may safely allow outside DropChute users to establish inbound connections on either the default DropChute port or a special port (See Using a Special DropChute Port, below). Your firewall administrator will provide you with the settings you must use to allow your DropChute program to accept connections from users outside the firewall.
Using a Special DropChute Port
This approach gives firewall administrators the assurance that outside hackers can't get full access to the network through some unexpected telnet server. For more discussion of this problem and how DropChute solves these security issues, See Benefits of the DropChute Approach to Firewalls, and See Technical Summary for Firewall Administrators.
If your firewall administrator decides to configure a special port for DropChute access, you must correctly configure your DropChute program. DropChute on your associates' computers automatically adjusts for the port you specify if the other person looks for you on an address server. If the other person uses a permanent IP address for you, he/she must manually make the change.
In general, the steps required for permitting access through a firewall with a custom port address are:
- The firewall administrator establishes a port for DropChute Internet connection. In this case, the firewall administrator selects some port other than port 23, since this port is used by most telnet clients and servers. The firewall administrator may assign a single port for everyone behind the firewall, or may assign a unique port number for each user and use TCP mapping on the proxy server. The choice depends on the type of firewall used by your organization.
- Using standard telnet or TCP mapping tools available with the proxy server, the firewall administrator specifies that this new port permits inbound connections.
- The firewall administrator communicates the port number to DropChute users on his/her network.
- Internal users set up the DropChute port address in the Advanced Connection Setup dialog of the Connection page of the Options notebook.
- If the firewall administrator sets the new port to prohibit incoming calls, See When Your Firewall Prohibits Inbound Calls.
- Outside users set up a DropChute entry for you.
- Both inside and outside users can then connect through the corporate firewall just as they would for any other DropChute connection.
Benefits of the DropChute Approach to Firewalls
Firewall administrators of corporate intranets can safely permit employees to use DropChute to exchange files with outside DropChute users through the Internet. They can do this with confidence because DropChute can authenticate users and encrypt all connections. Basically, DropChute emulates telnet data, yet avoids the security risks of telnet access because DropChute doesn't support any telnet server commands.
Firewall administrators can use standard firewall tools to do any of the following:
- Permit outside DropChute access to specific computers from other specific IP addresses outside the firewall.
- Set up user authentication for incoming calls.
- Configure the firewall to permit access to DropChute while avoiding other telnet access by simply dedicating a unique port address rather than the standard port used by telnet clients and servers (port 23). DropChute doesn't support any telnet server commands, so no malicious actions can occur.
In addition to the security provided by the DropChute communications protocol, firewall and system administrators can further enhance network security and integrity by requiring DropChute Pro or DropChute Enterprise for all internal users. The additional measures they take are:
- Require DropChute Pro or DropChute Enterprise for all internal users who want to let outsiders connect to them because these programs support advanced HyperGuard virus filtering and data encryption.
- Note: To use data encryption, both parties exchanging files must have DropChute Pro or DropChute Enterprise. DropChute Lite, the small free version of DropChute, lacks this capability.
- Internal users select Arm HyperGuard virus filter in the Receiving properties page.
- Both internal and outside users must access the Security properties page and select the same security options in each other's DropChute entry. DropChute supports public/private key encryption to give the highest level of data security available.
Technical Summary for Firewall Administrators
DropChute uses two IP ports when communicating over the Internet: port 389 for communication with the address server (ldap.dropchute.com) and port 23 (by default) for the actual DropChute data stream. DropChute makes outgoing connections to an Internet address server on port 389 for the following functions:
- When placing a call, if an entry is configured to use the address server to look up the IP address and port number of the other party.
- When waiting for calls, to post its own IP address on the address server. This is the default selection in the Advanced Connection Setup dialog.
- Periodically, DropChute checks the address server to determine which DropChute entries are currently waiting for calls on the Internet. This happens if the user selects Show waiting-for-calls status of my DropChute entries check box on the General page of the DropChute Options notebook.
- When the firewall has a DropChute port defined that prohibits inbound connection and DropChute is waiting for calls, DropChute periodically checks the address server to determine if others are attempting to connect with the user behind the firewall. This happens if the user selects the Firewall prohibits inbound connection radio button in the Advanced Connection Setup dialog (See When Your Firewall Prohibits Inbound Calls and See How Reverse Connections Work).
Communication with the address server uses LDAP (Lightweight Directory Access Protocol). If your firewall permits LDAP access or passes through outgoing connections on port 389, all these features will work.
Disabling LDAP Access
If you have a proxy server that automatically dials an ISP to create a shared network connection to the Internet and DropChute runs on other computers on the network, you may find that your dial-up connection is being re-established every time DropChute checks to see who is waiting for calls. To avoid this problem you may want to clear the Show waiting-for-calls status of my DropChute entries check box on the General page of the DropChute Options notebook.
Note: This is only an issue when DropChute is running on a different computer than the one making the dial-up connection. When a computer with DropChute uses Dial-Up Networking, DropChute automatically disables this type of network traffic when the computer is not connected to the Internet.
Another reason for disabling LDAP is if you don't want to permit connections on port 389. You can have users configure DropChute so that it doesn't use port 389 by having them take the following actions:
- Unselect Show waiting-for-calls status of my DropChute entries check box on the General page of the DropChute Options notebook.
- Unselect Post my IP address on this Internet address server check box in the Advanced Connection Setup dialog.
- Users behind a firewall must define permanent IP addresses (or domain names) for all DropChute entries. Thus, your users will be unable to reach DropChute users outside the firewall with dial-up Internet access or dynamic IP addresses.
- Note: If you create a .reg file for network installations, you can unselect the first two options by default for all users.
Connection Using a Firewall that Does Not Support LDAP
If you have a proxy server that doesn't explicitly support LDAP, you may need to establish a mapping of outgoing connections on port 389 to a specific location. If so, you should specify ldap.dropchute.com as the destination for such connections. In addition, users inside the firewall need to specify the name or IP address of their proxy server. Have your users follow these steps:
- Internal users set up the name or IP address of the proxy server in the Advanced Connection Setup dialog of the Connection page of the Options notebook.
- Display the DropChute Options notebook.
- Select the Connection page.
- Select the Through my local area network radio button and the Internet or intranet check box.
- Click the Advanced... button to display the Advanced Connection Setup dialog.
- Select the Post my IP address on this Internet address server check box, and change the edit/drop-down list to the name or IP address of the proxy server.
- For each DropChute entry created by internal users, they must specify the name or IP address of the proxy server in the Advanced Address and Phone Setup dialog of the Address and Phone page of the entry properties notebook.
- Display the properties notebook for a DropChute entry.
- Select the Address and Phone page.
- Select the When they are on the Internet, find and connect to them using address servers radio button.
- Click the Advanced... button to display the Advanced Address and Phone Setup dialog.
- Change the Find and connect to them using this Internet address server edit/drop-down list to the name or IP address of the proxy server.
- Note: To have your users define the same actions for several DropChute entries, it may be helpful for them to follow the procedures in this section using the Template for New Entries notebook rather than for a specific entry. Then, whenever they create a new entry, it will automatically have the correct address server defined.
DropChute Data Exchange
By default, DropChute uses port 23 (normally the default telnet port) for all other communications. All of the data exchanged by two users (file exchange, chat, notes, etc.) is multiplexed through one network or modem connection. For DropChute to make outgoing connections, the firewall must be configured to allow outgoing connections on port 23 or the TCP port selected by the other person for his/her incoming port.
To allow incoming DropChute connections (as a result of someone else connecting to a DropChute user while that user is waiting for calls) your firewall must be configured to pass incoming telnet connections on the port you defined for incoming DropChute connections. It is often possible to be quite restrictive in what you allow, for example, passing through only connections from a specified set of IP addresses to specific internal IP addresses.
As a firewall administrator, you can require your users to configure DropChute to use a port other than port 23. Have your DropChute users refer to See Using a Special DropChute Port and provide them with the port number for use with DropChute.
How Reverse Connections Work
DropChute uses a special, secure procedure, called a reverse connection, to allow users behind a firewall to receive calls, even if the firewall does not permit inbound connections. When a user behind a firewall specifies that the firewall prohibits inbound connections (See When Your Firewall Prohibits Inbound Calls), DropChute performs the following operations:
- It posts the unique name (and some additional information) of the user behind the firewall on the address server.
- Note: DropChute posts information on the address server in a manner that makes it very difficult for others to snoop. Generally, only another DropChute program that knows a posted unique name can access information about a user on the address server.
- The firewall-protected user's DropChute periodically checks the address server to see if anyone is attempting to connect with him/her.
- DropChute programs attempting to connect to a user behind a firewall post a connection request on the address server. The user attempting the connection is informed that their correspondent is behind a firewall and that the connection may take a few moments to complete (the polling interval is defined by the user behind the firewall in the Advanced Connection Setup dialog; See When Your Firewall Prohibits Inbound Calls).
- During one of its periodic polling operations, the DropChute program behind the firewall determines that someone is attempting to connect to it. It obtains the unique name and other information about the user attempting to make the connection.
- The DropChute program behind the firewall makes an outgoing call through the firewall to the person attempting to connect.
- The two DropChute programs go through their normal user authentication and security handshaking.
- Normal data exchange for notes, files, chatting, and voice takes place between the two users, using specified security options, until one or the other disconnects.
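The reverse-connection sequence above, together with the When Your Firewall Prohibits Inbound Calls setup it relies on, as a runnable sketch. This is an added example, not DropChute's or Hilgraeve's code: the address server is a constructed in-memory dict standing in for ldap.dropchute.com, the party names and the HELLO greeting are made up, and plain TCP sockets on localhost stand in for the calls that cross the firewalls.

```python
import socket
import threading
import time

# Constructed stand-in for the ldap.dropchute.com address server. Real DropChute
# talks LDAP on port 389; a dict keyed by the posted unique name is enough to
# show the control flow. Names, hosts and greetings below are made up.
ADDRESS_SERVER = {}
LOCK = threading.Lock()

def post_waiting(unique_name, inbound_prohibited):
    """Step 1: the inside party announces it is waiting for calls."""
    with LOCK:
        ADDRESS_SERVER[unique_name] = {"inbound_prohibited": inbound_prohibited, "requests": []}

def request_connection(target_name, caller_name, host, port):
    """Step 3: the outside caller posts a request instead of dialing in.
    Returns 'not-waiting', 'direct' (caller may dial in) or 'reverse'."""
    with LOCK:
        rec = ADDRESS_SERVER.get(target_name)
        if rec is None:
            return "not-waiting"
        if not rec["inbound_prohibited"]:
            return "direct"
        rec["requests"].append((caller_name, host, port))
        return "reverse"  # caller is told this may take a few moments

def poll_requests(unique_name):
    """Step 4: the inside party's periodic poll takes any pending requests."""
    with LOCK:
        rec = ADDRESS_SERVER.get(unique_name)
        if rec is None:
            return []
        pending, rec["requests"] = rec["requests"], []
        return pending

def reverse_connect(unique_name, poll_seconds=0.05, max_polls=40):
    """Steps 5-6: poll, then place an OUTGOING call to the requester, so only
    outbound traffic crosses the inside firewall. Returns the greeting or None."""
    for _ in range(max_polls):
        for _caller, host, port in poll_requests(unique_name):
            with socket.create_connection((host, port), timeout=2) as s:
                s.sendall(f"HELLO {unique_name}\n".encode())
                return s.recv(64).decode().strip()
        time.sleep(poll_seconds)
    return None

def outside_listener():
    """The outside party's firewall permits inbound, so it waits for the call back."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            who = conn.recv(64).decode().split()[1]
            conn.sendall(f"HELLO {who} from outside\n".encode())
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Constructed run: alice is behind a firewall that prohibits inbound calls."""
    port = outside_listener()
    post_waiting("alice-inside", inbound_prohibited=True)
    status = request_connection("alice-inside", "bob-outside", "127.0.0.1", port)
    return status, reverse_connect("alice-inside")
```

Calling demo() returns the status 'reverse' and the greeting received over the connection the inside party opened outbound; a target whose firewall permits inbound calls gets 'direct' instead, which is the case the Note under When Your Firewall Prohibits Inbound Calls requires of at least one side.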
Firewall Setup Options for Users
Firewall administrators (in conjunction with network administrators) should provide the following information to their users:
- Whether your firewall permits inbound calls, and if so, the TCP/IP port number to use.
- If the port prohibits inbound connections, a time users should enter in the Poll address server for connection requests edit field in the Advanced Connection Setup dialog (See When Your Firewall Prohibits Inbound Calls).
- Other security options that users should select to meet network standards.

