The last post explained how to find a PNRP-registered service. What else do you have to do to expose, e.g., a WCF service over the P2P infrastructure?
Code-wise nothing. If the WCF service listens on all NICs (the default), a client can resolve the peer name to the Teredo address of the host and connect to it. Easy.
Well – hold on – does that mean that arbitrary clients can now traverse my NAT and connect to my intranet machine? Kind of – yes…
For the service to be reachable you also have to adjust the firewall rules:
- the port the service is listening on must be opened (this allows normal TCP/IP traffic to the endpoint)
- to allow Teredo traffic to the service, the “allow edge traversal” option must additionally be checked on that rule. Edge traversal is what lets unsolicited traffic that arrives through the Teredo tunnel (i.e. from the internet, through your NAT) reach the listening socket; with the port merely opened, that traffic is still dropped. The option is only available via the advanced firewall (“Windows Firewall with Advanced Security”, reachable via Administrative Tools or the MMC snap-in). See screenshot:
So to recap – these are the prereqs for a globally reachable service:
- P2P (PNRP and Teredo) must work properly
- the service must be registered
- the client (or peer) must know the peer name
- the endpoint port must be opened in the firewall
- Teredo traffic must be allowed for this port (edge traversal enabled on the rule)
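The firewall part of that checklist, as an added example (not code from the original post): a PowerShell script that checks the Teredo state, creates one inbound rule that both opens the port and allows edge traversal, and then reads the rule back so you can see what was actually configured. The rule name, port 8000 and the service executable path are assumptions for illustration; the NetSecurity cmdlets need Windows 8 / Server 2012 or later and an elevated shell.

```powershell
# Added example, not part of the original post.
# Assumptions (hypothetical values): the WCF host binary, its TCP port and the rule name.
# Requires the NetSecurity module (Windows 8 / Server 2012+) and an elevated PowerShell.

$RuleName = 'WCF P2P Service (edge traversal)'   # hypothetical rule name
$Port     = 8000                                  # hypothetical endpoint port
$Exe      = 'C:\Services\P2PService.exe'          # hypothetical service host binary

# 1. Sanity check: if Teredo is not "qualified", no Teredo peer can reach this box anyway.
$teredoState = (netsh interface teredo show state) -join "`n"
if ($teredoState -notmatch 'State\s*:\s*qualified') {
    Write-Warning "Teredo is not in the 'qualified' state; fix that before exposing anything."
}

# 2. Remove a stale rule of the same name so the script can be re-run.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Create the rule. Opening the port alone is not enough: unsolicited traffic that
#    arrives through the Teredo tunnel is still dropped unless EdgeTraversalPolicy is Allow.
#    Scoping the rule to one program, one protocol and one port keeps the hole as small
#    as possible; Domain/Private are the profiles an intranet machine normally sits in.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $Port `
    -Program $Exe `
    -EdgeTraversalPolicy Allow `
    -Profile Domain,Private | Out-Null

# 4. Read the rule back and show the settings that matter for the recap above.
$rule       = Get-NetFirewallRule -DisplayName $RuleName
$portFilter = $rule | Get-NetFirewallPortFilter
$appFilter  = $rule | Get-NetFirewallApplicationFilter
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Protocol      = $portFilter.Protocol
    LocalPort     = $portFilter.LocalPort
    Program       = $appFilter.Program
    EdgeTraversal = $rule.EdgeTraversalPolicy   # must read "Allow" for Teredo peers to get in
} | Format-List
```

On Vista / Windows 7, where these cmdlets do not exist, the same rule is created with `netsh advfirewall firewall add rule name="..." dir=in action=allow protocol=TCP localport=8000 program="..." edge=yes`; `edge=yes` is the command-line form of the “allow edge traversal” checkbox. Either way, verify the `EdgeTraversal` value after creating the rule rather than assuming it, since a rule created through the basic firewall UI defaults to blocking edge traversal.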
One thing should be clear, though: you now allow (internet) inbound traffic to an intranet-hosted service, which has some implications:
- there is probably no perimeter protection around that intranet machine (no DMZ, reverse proxy or inspection in the path).
- intranet machines are typically not hardened for exposing internet services.
- this means that if the service has a security problem (e.g. directory traversal etc.), there are no safety nets that will stop an attacker from using it to reach other machines or system resources; a flaw in the service becomes a direct foothold on a machine that sits inside the intranet.
- your administrators may not like this!
Typical P2P scenarios don’t necessarily involve publicly known peer names, so your exposure may be limited. But a peer name that is merely not advertised is not an access control; the service still needs its own authentication and input validation, because the traffic bypasses perimeter security and goes directly into the intranet. So be careful.