Getting Server+Glacier2+Client to work through a firewall?

Gravitas

Hi,

When I run the demo in "Ice-3.4.1-demos\democs\Glacier2\callback", it works fine on my local machine. It also works fine if I run everything on the remote machine.

However, if I attempt to connect Local PC >> Remote PC, it halts on:

-- 3/10/2011 19:30:42:382 client.exe: Network: trying to establish tcp connection to 184.72.249.87:4063

Setup:
* Local PC: Windows 7, running "client.exe".
* Remote PC: Windows Server 2008, on the internet, running "server.exe" and "glacier2router --Ice.Config=config.glacier2"

Open ports:

* No ports are open on the Local PC.
* Ports 4063 and 10000 are open on the Remote PC, hardware firewall (Amazon EC2 web configuration), for both TCP and UDP.
* Ports 4063 and 10000 are open on the Remote PC, software firewall (Windows Server 2008 R2), for both TCP and UDP.

* File "config.client" on the Local PC (Windows 7).

Ice.Default.Router=DemoGlacier2/router:tcp -p 4063 -h 184.72.249.87
Callback.Client.Endpoints=
Callback.Proxy=callback:tcp -h 127.0.0.1 -p 10000
<snip>

184.72.243.87 is the static IP of the Remote PC.

* File "Glacier2.config" on the Remote PC (Windows Server 2008):

Glacier2.InstanceName=DemoGlacier2
Glacier2.Client.Endpoints=tcp -p 4063 -h 127.0.0.1
Glacier2.Server.Endpoints=tcp -h 127.0.0.1
Glacier2.PermissionsVerifier=DemoGlacier2/NullPermissionsVerifier
<snip>

* File: "config.server" on the Remote PC (Windows Server 2008):

Callback.Server.Endpoints=tcp -h 127.0.0.1 -p 10000

bernard

Hi Shane,

If you suspect a firewall issue, you can use telnet to check if you can reach the Ice server.

Firewall is not the issue here:

Glacier2.InstanceName=DemoGlacier2
Glacier2.Client.Endpoints=tcp -p 4063 -h 127.0.0.1
Glacier2.Server.Endpoints=tcp -h 127.0.0.1
Glacier2.PermissionsVerifier=DemoGlacier2/NullPermissionsVerifier
<snip>

Glacier2 needs to listen on an external interface to be reached through this external interface... You need something like:

Glacier2.Client.Endpoints=tcp -p 4063 -h EXT_IP

where EXT_IP corresponds to the IP address of the network interface you want to use for remote communications (that's not your elastic IP with Amazon EC2).

Best regards,
Bernard

Gravitas

Glacier2 needs to listen on external interface to be reach through this external interface... You need something like:

Glacier2.Client.Endpoints=tcp -p 4063 -h EXT_IP

where EXT_IP corresponds to the IP address of the network interface you want to use for remote communications (that's not your elastic IP with Amazon EC2).

Excellent! Now everything works perfectly. The internal IP address of my network adapter on Amazon EC2 is 10.214.39.163 (I got that with ipconfig). I replaced every instance of 127.0.0.1 with this IP address to make it work. Thank you so much for your timely response - your tech support is fantastic.

Gravitas

On the Local PC side, I need the following setting in "config.client" in order to make the callback work through a firewall:

#
# This must match the value of Callback.Server.Endpoints in
# config.server.
#
#Callback.Proxy=callback:tcp -h 127.0.0.1 -p 25000
Callback.Proxy=callback:tcp -h 10.214.39.163 -p 25000

The IP address "10.214.39.163" is the IP address for the network card (not the Amazon Elastic IP) for the remote Amazon EC2 instance.

This presents a problem: there is too much coupling between the server and the remote clients. If this IP address changes, then it will break all of the clients. Is there any way to avoid this problem, perhaps by setting up a proxy, or instead referring to "localhost" instead of the IP address, etc?

Gravitas

Everything works now.

I can answer my own question: the only place that the IP address of the network adapter needs to be hard coded is in the glacier2 router configuration file. Everything else can be 127.0.0.1. This means that config.server refers to 127.0.0.1, so config.client can refer to that as well which eliminates the dependence of the client on any setting internal to the server.

bernard

Hi Shane,

Here, the 'Callback' is the object in the server (behind Glacier2), and the Callback.Proxy is the proxy that the actual client to this server (= the Glacier2 router) will use.

If your Glacier2 router and your server are on the same host, you can use 127.0.0.1 for your Glacier2.Server.Endpoints [Glacier2 router config], Callback.Server.Endpoints [server config] and also your Callback.Proxy [client config].

If they are on different hosts, 127.0.0.1 won't work, and you'll need a proxy like Callback.Proxy=callback:tcp -h 10.214.39.163 -p 25000

Naturally, hard-coding IP addresses and port numbers may not be practical or desirable. The solution overall is to use both Glacier2 and IceGrid; this way your client can use indirect proxies to reach the server through Glacier2, typically "well-known proxies" for the initial objects.

Best regards,
Bernard

Gravitas

Thank you for your reply. According to the docs, I could use 0.0.0.0 or * to avoid having to hard code the IP address of the network adapter into into the Glacier2 configuratiom file.

I'd absolutely love to get to the point of hosting two services within IceGrid + Glacoer2 behind the firewall, but there are no working demos that I could find and every combination of settngs I have tried hasn't worked. I am currrently re-reading the user manual, cover to cover.

Do you happen to know of a working demo that shows how to deploy two services, within Icebox+Glacier2 (with callbacks preferably) on an internet server, behind a firewall?

I'd love to meet my deadline, but I might have to end up hard coding a port for each service and opening up the firewall (which wont be as efficient as your recommended method).