
The NetCFax system is especially
designed so that it can be used across many different networks,
including local area networks (LANs), wide area networks (WANs)
and of course the Internet, allowing connections between
fax clients and fax servers to be made in different cities or even
in different countries or continents. We test this very thoroughly
ourselves by connecting between our offices in Florida and a beta
test site in the UK, using both the fax server and fax clients at
both ends.
However, due to the ever-present
threat of network attacks in today's world, most such connections
will need to pass through software or hardware firewalls and/or
routers, and quite naturally this can be the cause of some
problems, as the firewall/router at each end needs to be
configured correctly to allow both ends to communicate. We hope
this page will help you understand the ramifications and show you
how to do this in the easiest possible way.
If you do not understand how TCP
connections work, perhaps you shouldn't be reading this
(necessarily technical) page, so we suggest you check out the
other pages of this system to find out exactly how the combination
of an IP address and a TCP port are the two major data items
needed to make any TCP connection successfully.
The main connection is always
initiated by the client connecting to the server and this port
handles a lot of the major functionality. This is always made on a
single TCP port that is always specified by the fax
server. By default this is set to 7488 TCP, but it
can of course be changed. If a server changes this port, ALL
CLIENTS will have to be notified so that they can also change it,
as they cannot connect to the server unless they both use the same
port. We call this the "Primary Connection
Port" (PCP).
The other important connection is
initiated by the server to connect to the clients, and is used for
important notifications and other data sent back to the clients,
and this also handles a lot of functionality and is also made on a
single TCP port. We call this the "Secondary
Connection Port" (SCP).
Due to the special support that
is required to allow multiple instances of a fax client to be
running under Fast Task Switching (FTS) and/or Remote
Desktop Sessions (RDP), it is necessary in those
environments for each fax client to use a different port (as they
all use the same IP address), so that each client can still
receive the notifications that the server sends to each client
specifically. (See other Help system links for full
information on why all this is necessary to support FTS and
RDP environments.)
The default configuration for the
SCP is to allow it to dynamically identify, select and
use any free TCP port. However, you can configure either all or
just some of the clients to use a single fixed port if you need
to do so, but clients that use this setting
cannot be running in FTS or RDP environments,
because quite amazingly Windows decided it does not need to
provide individual IP addresses for each RDP or FTS session, as has
been discussed elsewhere in this Help System.
If a fixed port is used, the
NetCFax default for this SCP is 7485 TCP, but you
can of course change it if you wish to do so.
Clearly, both of these ports
(Primary and Secondary) must be allowed to connect on both
networks if two-way communications are going to be successful
across any network and through the firewalls/routers that protect
them, so that connections can reach the internal IP addresses of
the PCs the fax server and fax clients are running on.
NETWORK SCHEMA 1
Let's first look at the fax
server end of this system, and handle the PCP connection
(remember, this connection is always initiated by the fax clients,
so starts off as an unsolicited inbound connection from the
WAN).
If we assume that the server is
configured to use the default PCP of 7488 TCP, then
this must be opened for Inbound and Outbound connections in the
firewall/router (in other words, to allow both LAN and WAN
traffic to use it). To do this usually just means the addition of
a new RULE that allows LAN and WAN traffic to use this
port.
So, we think that was pretty easy
so far?
Now we need to look at the SCP
used by the server to send notifications to the clients.
As we have seen above, this is where it can start to get more
complex. If all clients that will connect to this server use the
same SCP port then it is just as easy as configuring the PCP:
simply open that port for Inbound and Outbound connections in
the firewall/router (in other words, to allow both LAN and
WAN traffic to use it).
But what if the fax clients
are configured to use dynamic SCPs?
NETWORK SCHEMA 2
When dynamic ports are used by
the clients, it is potentially far more complex, as you clearly do
not want to open all the ports on your firewall. Therefore
the client provides a useful feature that lets you limit the
range of ports it may use. Typically a range of ports covering a
total of perhaps 100 is more than sufficient, but it can be as
small as 10 or so if required. This number is really
governed by the number of fax clients that are running on the SAME
IP address (in other words, on machines providing FTS or RDP
sessions).
When clients log in to a fax
server, they always send it the SCP they are using, and the
server saves that information as part of their current login
account and then uses the client's IP address and that port to send
notifications to that client.
Therefore, you can decide what
range of ports you are prepared to open, and then ensure all
clients that will use this fax server also use that range.
Then set up a RULE in your firewall/router that allows
inbound and outbound connections on that range. You can in
theory choose a range of ports starting anywhere after 1024 and
going as high as 65000, or anywhere in between. The ports
below 1024 are basically reserved, but any good TCP manual will
give you a list of all the common ports you should of course avoid,
such as SMTP (25), POP3 (110), FTP (21), etc.
Shown below is an example of the
Services we have configured in one of our NetGear FVS318 routers
to allow the fax system to connect between the US and the UK.

This list contains both PCP and
SCP settings.
Below is a sample of the rules we have configured.

Naturally enough, we have shown
this diagram with the ports set open for use as an example, but of
course these are all shut down unless we are actually performing
this testing.
CLIENT NETWORK SETUP
This is pretty well the same as
that described above for the fax server's firewall. The PCP
must of course be opened for two way communications. The major
difference is that there may well be several clients on your
network that all want to connect to the remote fax server, and
that is absolutely fine. You will normally need to set up a RULE
in the firewall/router for each client individually, so that
notifications received from the fax server are routed to the
correct fax clients. Some routers allow more complex rules
than others, so it is down to you to decide how best to achieve
this with your particular equipment. Generally,
routers allow you to create a rule with a name, the port or range
of ports you want to allow (or block) and the IP address of the
machine all connections on those ports are to be sent to.
Some allow a range of IP addresses to be entered, although this is
probably not very helpful in this case. We
hope this information has proved useful to you.
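The per-client rules described above can be planned before touching the router. The following is an added example, not part of NetCFax or of the original page: it gives each client machine its own non-overlapping SCP range sized by the number of FTS/RDP sessions on that IP address, kept inside the 1024 to 65000 window mentioned earlier. The machine names, internal addresses, rule names and the two spare ports are constructed, and it assumes the same router may also forward the default PCP (7488) to a fax server.

```python
from ipaddress import ip_address
from itertools import combinations

PCP_PORT = 7488           # NetCFax default Primary Connection Port (from the page)
LOW, HIGH = 1025, 65000   # window the page suggests for SCP ranges

# Constructed sample: (name, internal IP, fax clients sharing that IP)
SAMPLE_CLIENTS = [("frontdesk", "192.168.1.20", 1),
                  ("rdp-host", "192.168.1.30", 8)]


def plan_scp_rules(clients, first_port, spare=2):
    """Return one forward rule per machine:
    (rule_name, start_port, end_port, internal_ip)."""
    rules, next_port = [], first_port
    for name, ip, sessions in clients:
        if sessions < 1:
            raise ValueError(f"{name}: needs at least one session")
        ip_address(ip)                      # ValueError on a malformed address
        start = next_port
        end = start + sessions + spare - 1  # one port per session plus headroom
        # Assumption: the PCP may be forwarded to a server on this router,
        # so a client range must never include it.
        if start <= PCP_PORT <= end:
            start, end = PCP_PORT + 1, PCP_PORT + sessions + spare
        if start < LOW or end > HIGH:
            raise ValueError(f"{name}: range {start}-{end} outside {LOW}-{HIGH}")
        rules.append((f"NetCFax-SCP-{name}", start, end, ip))
        next_port = end + 1
    return rules


def find_overlaps(rules):
    """Pairs of rule names whose port ranges intersect. A router forwards
    each port to one internal IP, so any pair listed here is a conflict."""
    return [(a[0], b[0]) for a, b in combinations(rules, 2)
            if a[1] <= b[2] and b[1] <= a[2]]


if __name__ == "__main__":
    for rule in plan_scp_rules(SAMPLE_CLIENTS, first_port=7480):
        print("%-22s TCP %d-%d -> %s" % rule)
```

Each fax client must then be limited to the range planned for its machine, so that the port it reports to the server at login is one the router forwards to it.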