views: 289

answers: 5

When using an instant messaging application like Live Messenger or the desktop client for Google Talk, computers can transfer files between one another. I can't say for sure, but I'm fairly certain that the data being transferred between computers does not go through Microsoft's or Google's IM servers, rather the two computers with the IM software communicate directly with each other. I'm wondering if or how this direct connection between the clients is established and how I would implement something similar myself.

I have some experience working with personal networks but I only understand a client-server relationship, where the server is always listening (and ports are not blocked by a firewall) and the client makes a request to the server whenever data is needed.

A: 

If I were implementing this, I'd look at a couple of options.

1) Have the firewall forward a given port to a PC inside the network. This will let you connect to a server from the outside world.

2) Have the client(s) behind the firewall connect to a visible server outside of the firewall.

In short, at least one party in the conversation needs to be visible (the server) to the other(s) so they can connect to it. Regardless of how, once a connection is made, the client and server will be able to communicate back and forth without any problems.

Bruce McGee
+1  A: 

There is a method used by many clients called "pin holing":

I send a UDP packet at you, which pokes a hole in my firewall (allowing UDP packets, assumed to be responses by my firewall, to be sent by you and received by me). That packet gets discarded by your firewall.

You send a UDP packet to me, poking a hole in your firewall. That packet should reach me, at which point I can send another one to reach you and we can communicate, through our firewalls, over UDP.

Jonathan
The term is "pin holing". Close.
Spencer Ruport
Is this not a valid answer to the question?
Jonathan
A: 

Do what most trojans do:

Reverse Connection

EDIT:

With two machines behind firewalls, you would need some kind of third 'Proxy'.

Darknight
Reverse connection won't work in the situation he's describing.
Spencer Ruport
Hence the Edit!
Darknight
+2  A: 

I've used a program called Hamachi which is a bit like a peer-to-peer vpn (virtual network-to-network). Then I wrote the client server applications as is. It was a quick way to get the functionality of connecting over the Internet without the trickery needed for dealing with NAT routers.

If you need to do it 'properly', one of the common methods is UDP hole punching. When you send a web request your firewall knows to expect back data in response. The trick is that both client A and client B contact a server on the Internet. The server passes details of the request client A made to client B and vice versa. Once the initial connection is established they can continue to communicate even if the main server is no longer there.

Colin Gravill
Thanks, this is what I was looking for.
Anyone else looking for a really good explanation of UDP hole punching, check out this article: http://www.h-online.com/security/How-Skype-Co-get-round-firewalls--/features/82481
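The exchange described in Jonathan's and Colin's answers (each client registers with a rendezvous server, the server hands each one the other's observed address, then both send directly to each other), as an added example that is not part of the original thread. It runs entirely on loopback, so the "observed" addresses are just local ports rather than NAT-translated public endpoints; the message layout and the `demo` harness are my own constructed conventions.

```python
import json
import socket
import threading

def run_rendezvous(srv):
    # Collect two registrations, then tell each peer the other's observed address.
    peers = {}
    while len(peers) < 2:
        data, addr = srv.recvfrom(1024)
        msg = json.loads(data.decode())
        if msg.get("op") == "register":
            peers[msg["id"]] = addr  # source address as the server sees it (public endpoint behind NAT)
    a, b = peers
    for me, other in ((a, b), (b, a)):
        reply = {"op": "peer", "host": peers[other][0], "port": peers[other][1]}
        srv.sendto(json.dumps(reply).encode(), peers[me])

def punch(sock, server_addr, my_id, attempts=5):
    # Register, learn the peer's endpoint from the server, then send directly until the peer's packet arrives.
    sock.sendto(json.dumps({"op": "register", "id": my_id}).encode(), server_addr)
    sock.settimeout(2)
    while True:  # wait for the server's reply; ignore anything else that arrives first
        data, addr = sock.recvfrom(1024)
        if addr == server_addr:
            break
    msg = json.loads(data.decode())
    peer = (msg["host"], msg["port"])
    sock.settimeout(0.3)
    for _ in range(attempts):
        sock.sendto(f"hello from {my_id}".encode(), peer)  # outbound packet opens my firewall/NAT mapping
        try:
            data, addr = sock.recvfrom(1024)
            if addr == peer:
                return data.decode()  # peer's packet came through directly, no server involved
        except socket.timeout:
            pass  # peer's mapping not open yet; send again

def demo():
    # Constructed harness: rendezvous server plus two clients on loopback; returns what each client received.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    server_addr = srv.getsockname()
    results = {}
    def client(cid):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("127.0.0.1", 0))
            results[cid] = punch(s, server_addr, cid)
    threads = [threading.Thread(target=client, args=(c,)) for c in ("A", "B")]
    for t in threads: t.start()
    run_rendezvous(srv)
    for t in threads: t.join()
    srv.close()
    return results
```

Once both peers have sent at least one packet outbound, each side's firewall treats the other's packets as replies, which is the whole trick; the server is only needed to tell each side where to aim.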
+1  A: 

If both clients are behind a firewall that hasn't been pinholed and no VPN software is being employed they are communicating through a 3rd party server. Period.

Spencer Ruport
That's pretty much what I've said in my edit! :)
Darknight