IT Folk: Client-Server SW vs. The Firewall

I’m a jack of all trades and master of none, and today I’m dabbling in IT. Tonight’s category is a few questions about how client-server software does its job. Suppose I have 100 local workstations with client software installed on each workstation. Far, far away is a server with the complementary server software on it. I understand the client s/w on each workstation will frequently ping the server and retrieve whatever specific data is to be sent to the respective workstation(s) per server ping.

My questions are:
a) When it comes to opening a port in the firewall so the client-server s/w can communicate, does each and every workstation need a port open to ping the server? Or, is there some way “one port fits all”…knowing all workstations are behind the same firewall. (FYI: The server is reached by a https website via port 443.) If each workstation needs its own port opened in the firewall, is each workstation identified by MAC address…so the firewall has the correct port open for the correct workstations (and not other workstations)?

b) How does the server track which data packages will go to the correct workstation? Does the server manage this by knowing each workstation’s MAC address, I assume?

c) If the server can also auto-generate emails, and each client knows to retrieve the respective emails, is the client actually retrieving emails via port 443? Or, say, SMTP port 25? Hmm, or maybe it’s not the client retrieving the auto-emails at all? Is this strictly an Outlook function from wherever emails may come from in cyberspace? (The latter doesn’t seem right, as Outlook only looks for one email server, doesn’t it? Or perhaps a professional version of Outlook can be configured to check multiple email servers?)

Thanks in advance for helping me sort this out. Please keep it as simple as possible. If I left out some critical info, please state your assumptions. Thx!

a.1) Depending on how tight your security policies are, each client machine may require that the client application be given permission to run.

a.2) It’s possible (depending on local security tightness) that the network firewall sitting between your LAN and the rest of the Internet will require that traffic from the client machines be allowed outbound to the port that the destination server is listening on.

a.3) It’s probable that the remote server will need the port opened on its local network firewall to allow traffic on the port that the server is listening on.

b) Through the magic of NAT, Packet Encapsulation, and TCP sessions. It’s too complicated to get into here, but the short version is that the server doesn’t care about the MAC address of the client. It only cares about the client’s apparent IP address, TCP port, and TCP session tracking information.

c) The server is likely generating emails through a completely separate application protocol. Meaning it sends the messages via SMTP (and through several layers of mail relays, spam filters, and the like) to the client’s mail server. The client, via Outlook or a POP client or whatever, then retrieves the messages via its own session with the mail server.

Well, it’s kind of obscure, but the OP’s question about Outlook’s connection to the mail server is more complicated… because in fact Outlook can use 443 to connect to a private Exchange server.
Outlook can connect to Exchange through the Internet by using remote procedure call (RPC) over HTTP (and we know they mean HTTPS, because that’s HTTP over SSL). This is like Outlook connecting to the Microsoft/Hotmail server via HTTPS. Or the mail server can have other ports open with email-only (Exchange, IMAP, POP3) protocols in use on them. Well, that reminds me: the port would be restricted to one protocol, but HTTP is a protocol and it can then have a stack of apps under it.

Anyway, to simplify the answers,
443 is one port for all clients, because in Internet Protocol, a connection is identified by the tuple “source ip address, source port, destination ip address, destination port”.
The clients just use a random port number for each connection attempt, so programs can open a new port at the client side, so the one client company can have many connections to the server’s port 443.
And MAC addresses probably aren’t used for security or identification. 1, it’s not very good security, and 2, it’s only done inside one LAN… the apparent MAC address could change (and the apparent source IP address could change too).

Thanks to both of you! Your succinct answers are perfect for my purposes.

(a) Your clients are on a subnet (or several) behind a firewall. The strictness depends on the rules of the firewall. Typically (but not always) firewall rules deal with IP addresses and/or other means of ID’ing workstations (i.e. maybe talk to local server, get Active Directory group membership, user authorization from Windows logon on workstation, etc.)

Typical rules say “allow port 443 out” or such. (and permit any port that replies to that to return as a reply). You could specifically single out just a workstation, or group of workstations to be allowed out on that port, or specifically blocked. That is the art of writing firewall rules.

(b) The server opens a “connection” with the workstation. MAC address is only relevant within the same subnet. Outside of that, it’s strictly IP address. When a server gets a request on port 443, it (usually) replies on a higher port number, randomly picked unique to that conversation. It sends the packet back addressed to the client workstation’s IP address, and the firewalls and routers in between take care of figuring out how to deliver it. The workstation network’s firewall has taken note of the reply IP address and allows that traffic through.

(c) Outlook is a client, which gets email from a server. If this remote server is also an email server, and holds the email for the workstation (i.e. it’s the “mycompany.com” email server), then Outlook will use the typical POP/SMTP ports or whatever (which also must be open on the firewall) to retrieve the email. If not, the server must know how to send to the correct email server for that email address. (Typically, it would look up the MX record for “mycompany.com” on its DNS server. Or it’s hard-coded in a local HOSTS file on the server.) It would then send the email to the appropriate server, where Outlook would pick it up with the appropriate protocol - POP/SMTP, IMAP, or Exchange depending on the server.

Note that ActiveSync, which some clients like iPhone use to collect email from Exchange email servers, also uses port 443…

One follow-up question: If the client initiates communication with the server, is it by any means possible the server’s response is not considered incoming traffic (with respect to the client?). I ask because I know, typically, incoming traffic is restricted unless a request for an exception is made. The two statements seem contradictory, but is there some way this may be possible?

Firewalls usually allow connections and traffic that originate from inside the internal network.

Firewalls are usually “stateful”. They remember the outgoing client connection, and match the incoming server reply with the existing connection, thus allowing it (based on the above-mentioned tuple of [source IP, source port, destination IP, destination port]).

Of course, there are exceptions, and not all firewalls are stateful. But I think that you would be pretty safe to assume that it is.
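The two points the thread keeps coming back to, that one port 443 serves all 100 workstations because each connection is identified by the [source IP, source port, destination IP, destination port] tuple, and that a stateful firewall admits the server's reply only because it matches a connection a workstation opened, are easy to see in a small simulation. The following is an added example written for this page, not code posted in the thread or taken from any firewall product. It models a toy stateful firewall with a single rule ("allow 443 out") and a connection-tracking table; the IP addresses (10.0.0.x workstations, 203.0.113.10 server, 198.51.100.7 stranger) and the ephemeral port numbers are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# A TCP connection is identified by this 4-tuple (the "tuple" in the thread).
FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN


class StatefulFirewall:
    """Rule set: 'allow <port> out', plus replies to tracked connections."""

    def __init__(self, allowed_outbound_ports: Set[int]) -> None:
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        # Connection-tracking table, keyed by the outbound 4-tuple.
        self.connections: Dict[FourTuple, str] = {}

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.dst_port not in self.allowed_outbound_ports:
                return "DROP"
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            # Toy simplification: record the flow at once instead of
            # walking the SYN / SYN-ACK / ESTABLISHED states a real tracker keeps.
            self.connections[key] = "ESTABLISHED"
            return "ALLOW"
        if pkt.direction == "in":
            # Inbound: reverse the tuple and look for the connection it answers.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "ALLOW" if key in self.connections else "DROP"
        raise ValueError(f"unknown direction {pkt.direction!r}")


SERVER = "203.0.113.10"    # constructed: the far-away server (documentation range)
STRANGER = "198.51.100.7"  # constructed: an unrelated Internet host


def run_demo() -> Dict[str, object]:
    fw = StatefulFirewall({443})
    results: Dict[str, object] = {}

    # 100 workstations, each with its own ephemeral source port, all to server:443.
    workstations = [f"10.0.0.{i}" for i in range(1, 101)]
    out_verdicts = []
    reply_verdicts = []
    for i, ws in enumerate(workstations):
        sport = 49152 + i  # constructed ephemeral port; a real stack picks one at random
        out_verdicts.append(fw.filter(Packet(ws, sport, SERVER, 443, "out")))
        # The server's reply comes from port 443 back to the exact (ip, port) that asked.
        reply_verdicts.append(fw.filter(Packet(SERVER, 443, ws, sport, "in")))
    results["all_outbound_allowed"] = all(v == "ALLOW" for v in out_verdicts)
    results["all_replies_allowed"] = all(v == "ALLOW" for v in reply_verdicts)
    results["tracked_connections"] = len(fw.connections)

    # Same workstation, second connection on another source port: a separate entry.
    results["second_conn_same_host"] = fw.filter(Packet("10.0.0.1", 60000, SERVER, 443, "out"))
    results["tracked_after_second"] = len(fw.connections)

    # Unsolicited inbound from the Internet: nothing in the table matches it.
    results["unsolicited_in"] = fw.filter(Packet(STRANGER, 443, "10.0.0.5", 49156, "in"))

    # Even the real server is dropped if it aims at a port the workstation never used.
    results["server_wrong_port"] = fw.filter(Packet(SERVER, 443, "10.0.0.5", 12345, "in"))

    # Outbound to a port the policy does not list (SMTP 25 from a workstation).
    results["smtp_out"] = fw.filter(Packet("10.0.0.5", 50000, SERVER, 25, "out"))
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Running it shows 100 tracked connections from one outbound rule, every server reply admitted because its reversed tuple is in the table, and the two inbound packets that match nothing (the stranger, and the server to a port no workstation used) dropped without any per-workstation rule or MAC address being involved.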

As always, the Straight Dope has the explanation! Great! Thanks again to all for your crystal clear answers and for your patience.