How to access a web service behind a NAT?

死守一世寂寞 2021-01-02 20:43

We have a product we are deploying to some small businesses. It is basically a RESTful API over SSL using Tomcat. This is installed on the server in the small business and i

8 answers
  •  小蘑菇 (original poster)
    2021-01-02 21:41

    I had to do something similar in the past and I believe the best option is the first one you proposed.

    You can do it the easy way, using ssh with its -R option, using public key auth and a couple of scripts to check for connectivity. Don't forget the various keep-alive and timeout features of ssh.

    Don't worry about performance. Use unprivileged users and ports if you can. Don't bother to set up a CA; the public key of each remote server is easier to maintain unless you are in the thousands.

    Monitoring is quite simple. Each server should test the service on the central server. If it fails, either the tunnel is down or there's no connectivity. Restarting the tunnel will not do any harm in any case.

    Or you can do it at the network level, using IPsec (strongswan). This can be trickier to set up, and it's the option I used, but I will use SSH the next time; it would have saved me a lot of time.
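
The SSH approach from the answer above, sketched as a watchdog script for each site server. This is an added example, not part of the original post; the host name, account, ports, key and socket paths and the health-check URL are all assumed placeholders.

```shell
#!/bin/sh
# Added example. Host names, ports, paths and the health URL are assumed placeholders.
CENTRAL="${CENTRAL:-tunnel@central.example.com}"   # unprivileged account on the central server
REMOTE_PORT="${REMOTE_PORT:-20443}"                # unprivileged port opened on the central server
LOCAL_PORT="${LOCAL_PORT:-8443}"                   # local Tomcat HTTPS port
KEY="${KEY:-$HOME/.ssh/tunnel_ed25519}"            # key pair used only for this tunnel
SOCK="${SOCK:-$HOME/.ssh/tunnel.sock}"             # control socket used to stop the tunnel
CHECK_URL="${CHECK_URL:-https://central.example.com/sites/site-42/health}"  # served through the tunnel

# On the central server, the matching authorized_keys entry can limit the key
# to this one forward (OpenSSH 7.8 or later):
#   restrict,port-forwarding,permitlisten="127.0.0.1:20443" ssh-ed25519 <public key>

# Run the command given as arguments (normally ssh) with the tunnel options appended.
ssh_tunnel() {
    "$@" -f -N -M -S "$SOCK" -i "$KEY" \
        -o BatchMode=yes -o IdentitiesOnly=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o ConnectTimeout=15 \
        -R "127.0.0.1:${REMOTE_PORT}:127.0.0.1:${LOCAL_PORT}" \
        "$CENTRAL"
}

# Test the service on the central server, i.e. through the tunnel.
probe() { curl -fsS --max-time 10 -o /dev/null "$CHECK_URL"; }

start_tunnel() { ssh_tunnel ssh; }
stop_tunnel() { ssh -S "$SOCK" -O exit "$CENTRAL" 2>/dev/null || true; }

# One watchdog pass: print the outcome, non-zero status if the restart failed.
watchdog() {
    if probe; then echo healthy; return 0; fi
    stop_tunnel
    if start_tunnel; then echo restarted; else echo restart-failed; return 1; fi
}

# Invoke as "tunnel-watchdog.sh run" from cron or a timer; sourcing it runs nothing.
if [ "${1:-}" = "run" ]; then watchdog; fi
```

Binding the forward to 127.0.0.1 keeps the tunnelled port reachable only from the central server itself, and `ExitOnForwardFailure=yes` makes ssh exit with an error when the forward cannot be set up instead of leaving a connection that carries nothing.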
