Kbase P5540: How to configure the Appserver with a firewall
Author: Progress Software Corporation - Progress
Access: Public
Published: 10/29/2008
Status: Verified
GOAL:
How to configure the Appserver with a firewall
GOAL:
How do I set up the Appserver with a firewall?
FACT(s) (Environment):
All Supported Operating Systems
Progress 9.x
OpenEdge Server Technology Category: AppServer
FIX:
The first thing to confirm is whether the AIA adapter is part of the AppServer configuration. If there is no AIA in the configuration and only the AppServer is being used, then no firewall should be involved: the firewall separates the Internet (which is why the AIA adapter enters the configuration) from the network in which the AppServer is running. If the AIA is in the picture, then the point of failure is between the client (AIA) and the NameServer.
This is what happens during communication between the NameServer and the Messenger/AIA/brokers. The NameServer listens on a UDP port (default 5162). UDP is a one-way, connectionless exchange: when a Messenger/AIA/broker sends a message to the NameServer, it sends it to the NameServer's port number and the communication is complete; no connection stays open between the two processes. For the Messenger/AIA/broker to receive a response from the NameServer, it must listen on its own UDP port. That port number is assigned arbitrarily by the operating system, and it is the UDP port the NameServer responds to.
Since the broker and the NameServer should sit on the same side of the firewall, random port numbers cause no problem between those two: the operating system always assigns a free UDP port. The problem arises when the NameServer has to communicate with the AIA or WebSpeed Messenger, because those processes usually sit on the other side of the firewall. The NameServer listens on only one port, so the firewall can be configured to open a single UDP port for incoming traffic. For the NameServer to respond to the AIA/Messenger, however, the firewall would have to have all of its outgoing UDP ports open (the range is 1024 to 65535, a great many ports).
To help reduce the number of ports that must be open, Progress 9.1B introduced the minNSClientPort and maxNSClientPort options. These are set on the Messenger and AIA instances. To use them, configure a range of UDP ports on the firewall and open them for outgoing traffic, then configure the appropriate WebSpeed Messenger/AIA adapter instance and set its range accordingly. It is not possible to limit the range to a single port number.
For example, the cgiip messenger creates a new process for every incoming client request. There could be hundreds running simultaneously, but that does not mean that as many open UDP ports are required, because most of the connection time is spent over TCP between the client and the WebSpeed Agent/AppServer. Finding the right number of ports to open for a specific configuration is a matter of trial and error.
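The reply path described above, as an added simulation that is not part of the Kbase article and does not use any Progress code: a stand-in "NameServer" on loopback reads one datagram and answers to whatever source port it came from, while the stand-in "client" binds its socket inside a small range, which is what minNSClientPort/maxNSClientPort achieve on a Messenger/AIA instance. The lookup message, the reply text and the address 10.0.0.5:3090 are constructed; the function names are the example's own.

```python
import socket

NS_HOST = "127.0.0.1"  # everything runs on loopback so the example works offline


def bind_in_range(sock, host, min_port, max_port):
    """Bind a UDP socket to the first free port in [min_port, max_port].

    Instead of letting the OS pick any port from 1024-65535, the client's
    reply port is drawn from a small range the firewall can allow outbound.
    """
    for port in range(min_port, max_port + 1):
        try:
            sock.bind((host, port))
            return port
        except OSError:
            continue  # port busy; try the next one in the range
    raise RuntimeError(f"no free UDP port in {min_port}-{max_port}")


def nameserver_exchange(min_port, max_port, ns_port=0):
    """Simulate one lookup: client -> NameServer request, NameServer -> client reply.

    ns_port=0 lets the OS choose a free port for the stand-in NameServer
    (the real default is 5162). Returns the ports involved so the reply
    path can be verified.
    """
    ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        ns.bind((NS_HOST, ns_port))
        ns.settimeout(2)
        ns_addr = ns.getsockname()

        client_port = bind_in_range(client, NS_HOST, min_port, max_port)
        client.settimeout(2)

        # Constructed message; the real NameServer protocol is not reproduced here.
        client.sendto(b"lookup asbroker1", ns_addr)

        # The NameServer holds no connection: it reads one datagram and replies
        # to the source address/port carried by that datagram.
        _request, peer = ns.recvfrom(1024)
        ns.sendto(b"asbroker1 10.0.0.5:3090", peer)  # constructed reply

        reply, _ = client.recvfrom(1024)
        return {
            "nameserver_port": ns_addr[1],
            "client_port": client_port,
            "reply_sent_to_port": peer[1],
            "reply": reply,
        }
    finally:
        ns.close()
        client.close()


def outgoing_ports_to_open(min_port=1024, max_port=65535):
    """Number of outgoing UDP ports a firewall must allow for the reply path."""
    return max_port - min_port + 1


if __name__ == "__main__":
    result = nameserver_exchange(20000, 20015)
    print(result)
    print("ports to open without a range:", outgoing_ports_to_open())
    print("ports to open with 20000-20015:", outgoing_ports_to_open(20000, 20015))
```

The `reply_sent_to_port` field always equals `client_port`: the NameServer replies to the port the request came from, so whatever range the client binds into is exactly the range the firewall has to allow outbound.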
How to diagnose your issue:
1) Ignore the Internet for a moment and check that everything is up and running.
Query the AppServer broker and make sure that it reports at least one AppServer available.
Query the NameServer and make sure that it sees the AppServer. Open a 4GL client (inside the firewall) and write some code that executes client/server calls.
If all of this works, the basic AppServer infrastructure is sound and you can focus on the next step.
2) Examine the firewall and AIA configuration.
Is it possible to get the AIA OK screen in a browser? Go through all of the checks to make sure that the JSE is up and running and that the AIA instance is configured correctly.
If step one works and the AIA is working, then examine the firewall configuration in greater detail. Check whether the outgoing UDP ports are open; if they are closed, the NameServer cannot send a response back to the client (use the range described above to limit the number of outgoing UDP ports). Check that the UDP port number of the NameServer is open for incoming traffic.
If Network Address Translation (NAT) is in use, examine the translation table (consult the vendor documentation for how to do this; even without an actual NAT device, a firewall may provide the same capabilities). Find out the real IP address of the host the AppServer broker is running on and match it to what the NAT expects to receive from the outside world. Take the external IP address and, in the ubroker.properties file, add
"registrationMode= OutSide IP Address;"
to the instance of the AppServer broker. Stop and restart the broker so that the new parameter is picked up. Using the registrationMode option should be no harder than that. Run a query on the NameServer and verify that the asbroker has registered with the NameServer and that the host/IP address is listed as well. Authenticate to ensure that it picked up the correct one.
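A configuration check that covers the firewall points from the diagnosis above, added here as an example and not Progress's own tooling: it parses a ubroker.properties-style fragment, reports how many outgoing UDP ports the firewall has to allow for NameServer replies (the full 1024-65535 range when minNSClientPort/maxNSClientPort are missing), flags a single-port or inverted range, and confirms that registrationMode is set on the AppServer broker. The fragment is constructed; the section-name patterns (NameServer.<name>, UBroker.AS.<name>, AIA.<name>), the portNumber and controllingNameServer keys, and the address 203.0.113.10 are assumptions of this example, while minNSClientPort, maxNSClientPort and registrationMode are the properties the article names.

```python
import configparser

# Constructed ubroker.properties fragment (not from a real installation).
SAMPLE_PROPERTIES = """
[NameServer.NS1]
portNumber=5162

[UBroker.AS.asbroker1]
portNumber=3090
controllingNameServer=NS1
registrationMode=203.0.113.10

[AIA.Aia1]
controllingNameServer=NS1
minNSClientPort=20000
maxNSClientPort=20015
"""

# Range the OS draws from when no client port range is configured.
EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535


def load_properties(text):
    """Parse the INI-style properties text; property names stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_client_port_range(cp, section):
    """Validate minNSClientPort/maxNSClientPort on a Messenger/AIA section.

    Returns (port_count, findings): port_count is how many outgoing UDP ports
    the firewall must allow for NameServer replies; findings is empty when the
    range is usable.
    """
    findings = []
    if not (cp.has_option(section, "minNSClientPort")
            and cp.has_option(section, "maxNSClientPort")):
        findings.append(f"{section}: no client port range; replies may use any "
                        f"port {EPHEMERAL_MIN}-{EPHEMERAL_MAX}")
        return EPHEMERAL_MAX - EPHEMERAL_MIN + 1, findings
    lo = cp.getint(section, "minNSClientPort")
    hi = cp.getint(section, "maxNSClientPort")
    if lo > hi:
        findings.append(f"{section}: minNSClientPort {lo} exceeds maxNSClientPort {hi}")
        return 0, findings
    if lo == hi:
        findings.append(f"{section}: a single port ({lo}) is not enough; widen the range")
    if lo < EPHEMERAL_MIN or hi > EPHEMERAL_MAX:
        findings.append(f"{section}: range {lo}-{hi} lies outside "
                        f"{EPHEMERAL_MIN}-{EPHEMERAL_MAX}")
    return hi - lo + 1, findings


def check_broker_registration(cp, section):
    """Behind NAT the broker must register the outside address via registrationMode."""
    value = cp.get(section, "registrationMode", fallback="").strip()
    if not value:
        return [f"{section}: registrationMode not set; outside clients may be "
                f"handed an internal address"]
    return []


def firewall_summary(cp, ns_section, broker_section, client_section):
    """Summarise the UDP openings one NameServer/broker/AIA set needs."""
    count, findings = check_client_port_range(cp, client_section)
    findings += check_broker_registration(cp, broker_section)
    return {
        "inbound_udp_nameserver_port": cp.getint(ns_section, "portNumber"),
        "outbound_udp_port_count": count,
        "findings": findings,
    }


if __name__ == "__main__":
    props = load_properties(SAMPLE_PROPERTIES)
    print(firewall_summary(props, "NameServer.NS1", "UBroker.AS.asbroker1", "AIA.Aia1"))
```

Run it against a copy of the real file before opening firewall rules: the `outbound_udp_port_count` is the size of the outbound UDP allowance to request, and any non-empty `findings` list means the NameServer reply path or the NAT registration still needs attention.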