Callback cannot be done if client behind firewall. But WHY?

I've read a lot of threads saying that callback is not achievable if the client is behind a firewall. But I couldn't find the DETAILED reason for that. Can anyone explain that?
Thanks,
Jax

In order for a server to asynchronously callback a client, it must create an inbound socket connection to the client, to send the message. This is precisely the type of thing a firewall is designed to prevent.
To receive callbacks, the firewall would have to open a specific port for inbound connections to the client, and the server would have to be aware of this port as well.
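
The mechanism described in the answer above, as an added example that is not part of the original thread: the client's callback stub carries the client's own host and port, and the server dials that address to deliver the callback. The class names, interface names, and the three port numbers are assumptions made for this demo; both roles run in one JVM over loopback.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class CallbackPortDemo {
    // Assumed port numbers, chosen for this demo only.
    static final int REGISTRY_PORT = 41099;
    static final int SERVER_PORT = 41100;
    static final int CALLBACK_PORT = 41101;

    /** Implemented by the client; the server invokes it to deliver a callback. */
    public interface Listener extends Remote {
        void changed(String what) throws RemoteException;
    }

    /** Implemented by the server; the client registers its Listener here. */
    public interface Notifier extends Remote {
        void register(Listener listener) throws RemoteException;
    }

    static class NotifierImpl implements Notifier {
        @Override
        public void register(Listener listener) throws RemoteException {
            // What arrives is a stub; its toString() shows the endpoint (host:port)
            // that the client advertised when it exported the callback object.
            System.out.println("[server] received stub: " + listener);
            // This call makes the server open a NEW TCP connection to that endpoint.
            // To the client's firewall it is an unsolicited inbound connection.
            listener.changed("price updated");
        }
    }

    static class ListenerImpl implements Listener {
        @Override
        public void changed(String what) {
            System.out.println("[client] callback received: " + what);
        }
    }

    public static void main(String[] args) throws Exception {
        // Host name embedded in every stub exported by this JVM.
        // Loopback keeps the demo on one machine.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");

        // --- server side: listens on REGISTRY_PORT and SERVER_PORT ---
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        NotifierImpl notifierImpl = new NotifierImpl();
        Notifier notifierStub =
                (Notifier) UnicastRemoteObject.exportObject(notifierImpl, SERVER_PORT);
        registry.rebind("notifier", notifierStub);

        // --- client side: these two calls are outbound (client -> server) ---
        Registry remote = LocateRegistry.getRegistry("127.0.0.1", REGISTRY_PORT);
        Notifier notifier = (Notifier) remote.lookup("notifier");

        // Exporting makes the CLIENT listen too. Port 0 would pick a random port;
        // a fixed port gives the firewall administrator exactly one port to permit.
        ListenerImpl listenerImpl = new ListenerImpl();
        Listener listenerStub =
                (Listener) UnicastRemoteObject.exportObject(listenerImpl, CALLBACK_PORT);

        // Outbound call that hands the stub to the server; the callback inside
        // register() then travels server -> client on CALLBACK_PORT.
        notifier.register(listenerStub);

        // Unexport everything so the JVM can exit.
        UnicastRemoteObject.unexportObject(listenerImpl, true);
        UnicastRemoteObject.unexportObject(notifierImpl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

With inbound TCP to `CALLBACK_PORT` blocked at the client's firewall, the outbound `register` call still reaches the server, and it is the server's `listener.changed` call that fails to connect.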

Similar Messages

  • RMI Clients behind firewall

    When the RMI client behind firewall tries to access the server the following error is thrown up:
    java.rmi.ConnectIOException: Exception creating connection to: 10.130.12.128; nested exception is:
    java.net.NoRouteToHostException: Operation timed out: no further information
    java.net.NoRouteToHostException: Operation timed out: no further information
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(Unknown Source)
    at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(Unknown Source)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Unknown Source)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
    at sun.rmi.server.UnicastRef.invoke(Unknown Source)
    at RMIFaxServer_Stub.getResult(Unknown Source)
    at FaxTest.main(FaxTest.java:51)

    Your client is behind the firewall, but the server you're trying to access has an address 10.x.x.x, which says that it too is behind a firewall and not on the Internet, or is the server in a DMZ? It sounds more like a networking issue than a Java problem at this point. If the server is on some side of a firewall, you may need some sort of "permit established" config setting added to the firewall. Just a thought.

  • Multiple ichat clients behind firewall?

    Is it possible to have multiple iChat clients behind a firewall? I've just bought a MacBook Pro and would like to purchase two more for iChat functionality. Two of these will be behind one firewall, the other across the country. I can't find any documentation other than how to configure a single iChat client.
    Is it possible? It's ok if we have to purchase an xserve and run some kind of server our end - I just want it to work.

    Hi paulgami,
    iChat will work behind a firewall or routing device.
    With routing device the easiest method is UPnP which allows the Apps to open the ports and allows multiple computers to use the same ports.
    A device that has Port Triggering can also allow multiple computers to use the same ports.
    If you mean that you want the Bonjour side or even the Jabber side (in the iChat Server in OS X Server) to be in the same network, you will have to look at setting up VPNs (Virtual Private Networks) to cover the distances you are talking about.
    It may be just semantics but it helps if we know which bit of iChat you are talking about.
    Tiger 10.4.x OS X Server has a Jabber Server that can be used with the Jabber side of iChat (iChat 3.x)
    Each computer already has the iChat Client.
    There are also Public Jabber servers including Googletalk to use with the Jabber side of iChat.
    The Main Buddy list obviously uses the AIM service and again this can be world wide.
    iChat also has the Bonjour side. This can find any other Mac on the same network. It uses the user's Address Book to broadcast a Screen Name for the other iChat clients (separate buddy List)
    Possibly start here
    http://www.ralphjohnsuk.dsl.pipex.com/index.html
    Just getting started ?
    http://www.siriusaddict.com/ichat.html
    Collaboration Services Forum in OS X Server
    http://discussions.apple.com/forum.jspa?forumID=700
    8:44 PM Monday; August 13, 2007

  • Cannot download file over https behind firewall ?

    I have a program to download files :
    import java.io.FileOutputStream;
    import java.io.InputStream;
    import java.net.Authenticator;
    import java.net.PasswordAuthentication;
    import java.net.URL;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    public class TestServlet {
        public static void main(String args[]) {
            Authenticator.setDefault(new AuthImpl());
            if (args.length != 2) {
                System.out.println("Proper Usage: java -Dhttp.proxyHost=172.21.32.166 -Dhttp.proxyPort=80 TestServlet RemoteFileURL LocalFileName");
                System.out.println("Usage Example:java -Dhttp.proxyHost=199.67.138.83 -Dhttp.proxyPort=8080 TestServlet https://url.com/csv/file.zip file.zip");
                System.exit(0);
            }
            FileOutputStream fOut = null;
            try {
                // Installs the trust-all manager below: certificate chains are not validated.
                trustAllHttpsCertificates();
                String urlStr = args[0];
                // This verifier accepts every host name, so the certificate is never matched to the URL.
                HostnameVerifier hv = new HostnameVerifier() {
                    public boolean verify(String urlHostName, SSLSession session) {
                        System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
                        return true;
                    }
                };
                HttpsURLConnection.setDefaultHostnameVerifier(hv);
                System.out.println("\nConnecting to Website . . . " + urlStr);
                URL url = new URL(urlStr == null ? "https://url/Downloads/WC.csv" : urlStr);
                System.out.println("\nConnecting . . . . ");
                // Read raw bytes; a Reader would decode them as text and corrupt binary files.
                InputStream in = url.openStream();
                System.out.println(". . . Connected");
                System.out.print("\nDownloading the file . . . ");
                int buff;
                fOut = new FileOutputStream(args[1]);
                System.out.print(" . .");
                while ((buff = in.read()) != -1) {
                    fOut.write(buff);
                }
                in.close();
                System.out.println(" . . . Done \n");
            } catch (Exception e) {
                e.printStackTrace();
            } finally {
                try {
                    // fOut is still null if the failure happened before the file was opened.
                    if (fOut != null) {
                        fOut.flush();
                        fOut.close();
                    }
                    System.exit(0);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        }

        private static void trustAllHttpsCertificates() throws Exception {
            // Create a trust manager that does not validate certificate chains:
            javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
            javax.net.ssl.TrustManager tm = new miTM();
            trustAllCerts[0] = tm;
            javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, null);
            javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        }

        // Trust manager whose checks never throw, so every certificate is accepted.
        public static class miTM implements javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract asks for a non-null array.
                return new java.security.cert.X509Certificate[0];
            }
            public boolean isServerTrusted(java.security.cert.X509Certificate[] certs) {
                return true;
            }
            public boolean isClientTrusted(java.security.cert.X509Certificate[] certs) {
                return true;
            }
            public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
                    throws java.security.cert.CertificateException {
                return;
            }
            public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
                    throws java.security.cert.CertificateException {
                return;
            }
        }

        // Supplies the hardcoded user id and password when authentication is requested.
        public static class AuthImpl extends Authenticator {
            protected PasswordAuthentication getPasswordAuthentication() {
                String username = "guest";
                String password = "guest";
                return new PasswordAuthentication(username, password.toCharArray());
            }
        }
    }
    This program works fine for downloading files, over both http and https from my home. When I run this on my desktop in the office it can download files over http, but cannot download https files.
    When I try to download files over https, I get the following exception:
    java.net.UnknownHostException: www.site.com
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:153)
    at java.net.Socket.connect(Socket.java:452)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(DashoA12275)
    at sun.net.www.protocol.https.HttpsClient.doConnect(DashoA12275)
    There are 2 differences here, one being that my office desktop sits behind a firewall and there is a proxy in between.
    In the office I run the program as :
    java -Dhttp.proxyHost -Dhttp.proxyPort TestServlet URL [filename]
    eg.:
    java -Dhttp.proxyHost=235.67.138.84 -Dhttp.proxyPort=8080 TestServlet https://site.com/portal/Downloads/file.csv file.csv
    This url requires authentication, the userid and pwd are hardcoded in the code.
    Now, my problem is I cannot understand why this error would come. Is it because of the firewall or because of the proxy ?
    Why is it that I can download over http successfully from my office desktop? If the problem is with the firewall or proxy, then even http protocol urls should give the same problem.
    Please help.
    Vinay

    If you are using HTTPS you should be setting
    https.proxyHost
    https.proxyPort
    not the http.* ones.

  • Rmi/iiop with clients behind firewall?

    I have a client app (standalone/applet) that will be running behind a firewall and I'm trying to connect it to S1AS7 through rmi/iiop. I keep getting some connection exceptions on the server when it tries to connect back to the client. Is there any way to find out which port the server tries to connect to the client on, so I can open up that port with the firewall? Are there any other workarounds?

    Check out the below document. This is a document for the earlier version of the appserver, but I guess this part should still hold good in S1AS 7 :
    http://docs.sun.com/source/816-5777-10/jpgrichc.htm#24425
    Basically, during the RMI-IIOP communication, the ports are assigned dynamically and hence we cannot exactly say which ports will be used for the response.
    As a general rule of thumb, the response will be going through the ephemeral ports. (Ephemeral ports are temporary ports assigned by a machine's IP stack, and are assigned from a designated range of ports for this purpose. When the connection terminates, the ephemeral port is available for reuse, although most IP stacks won't reuse that port number until the entire pool of ephemeral ports has been used. So, if the client program reconnects, it will be assigned a different ephemeral port number for its side of the new connection.)
    So, it is advisable to open the entire ephemeral port range in the firewall.
    On Solaris, the ephemeral port range can be determined using the below command :
    # /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
    These values could also be altered using the below commands :
    # /usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 49152
    # /usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port 61000
    Hope that helps...
    Cheers,
    VM

  • Java Rmi Client behind firewall

    What port should be opened to let rmi traffic passing through firewall to weblogic app server?

    Dahan <[email protected]> writes:
    > What port should be opened to let rmi traffic passing through firewall to weblogic app server?
    The port the server is listening on?
    andy

  • Rmi callback implemention behind firewall

    Hi,
    I am working on a project which requires the callback
    implementation. Now because the client applet is
    behind a proxy, the server is not able to call a method
    on the client side through the client remote object it
    has ... I think that is because of HTTP ....
    If there is any solution to the above problem
    please let me know at the earliest...
    Thanks in advance,
    nishit.

    The problem is inherent in the design of RMI, and there is no solution. (If you look in the RMI forum you will see miles of text discussing this problem.)

  • What are prerequisite for Design Studio Client tool behind firewall?

    Hi Experts,
    Can you tell me what are prerequisites for Design Studio Client tool behind firewall?
    Best Regards,
    Pushkar

    Hi Pushkar,
    In which 'mode' would you like to use the Design Studio Client application. Connected to the BI platform, SAP HANA, etc?
    With kind regards,
    Martijn

  • Client behind NAT

    I have been searching for a solution for this issue with all that Google knows......
    I have my client behind NAT with IP 192.168.27.1
    And the server behind NAT with some IP (I am not really worried about this)
    Now I register a client object with the server for notification. Simply, a hash table in the server stores all my client objects. On an expected change, I invoke a method in my client objects.
    In this scenario I happened to observe that the client objects sent to the server had the client IP (192.168.27.1) inside them and not the NAT IP through which they went out.
    So when I go to invoke the remote method nothing interesting happens, as the client cannot be located.
    I tried creating custom sockets in the client and binding them to the NAT IP --> obvious bind exception for an IP that is not with the client
    Setting the NAT IP as java.rmi.hostname in the client --> no effect, since the server is still trying to notify (192.168.27.1)
    Help me to root out this issue. I feel that there must be a solution for this, otherwise RMI would not have been this successful.

    Hi turing,
    thanks for your reply
    actually my question is
    "maybe if you try using the "real" ip (www.whatismyip.com)
    your program will work. "
    how to do this in the scenario I explained.
    Most of the discussions I saw in this forum are about server behind NAT and resolution approach for it. I can't find an answer for this even in the post you mentioned.
    Simply,
    When I register a client object in the server, how will the server identify the client to notify, when the client is behind NAT?
    Will the IP address that the remote object carries also be NAT'ed? I don't see this happening.

  • PAT with a single public IP and several servers behind firewall

    Hi,
    New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
    Single static public IP:  16.2.3.4
    Need to PAT several ports to three separate servers behind firewall
    One server houses email, pptp server, ftp server and web services: 10.1.20.91
    One server houses drac management (port 445): 10.1.20.92
    One server is the IP phone server using a range of ports: 10.1.20.156
    Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. 
    Here is what I have.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
    ASA Version 8.4(4)1
    hostname kaa-pix
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.20.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 16.2.3.4 255.255.255.0
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network server_smtp
    host 10.1.20.91
    object service Port_25
    service tcp source eq smtp
    object service Port_3389
    service tcp source eq 3389
    object service Port_1723
    service tcp source eq pptp
    object service Port_21
    service tcp source eq ftp
    object service Port_443
    service tcp source eq https
    object service Port_444
    service tcp source eq 444
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit icmp any any echo-reply
    access-list acl-out extended permit icmp any any
    access-list acl-out extended permit tcp any interface outside eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq smtp
    access-list acl-out extended permit tcp any object server_smtp eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq 3389
    access-list acl-out extended permit tcp any object server_smtp eq ftp
    access-list acl-out extended permit tcp any object server_smtp eq https
    access-list acl-out extended permit tcp any object server_smtp eq 444
    access-list acl-out extended permit tcp any object drac eq 445
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server_smtp interface service Port_25 Port_25
    nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
    nat (inside,outside) source static server_smtp interface service Port_1723 Port_1723
    nat (inside,outside) source static server_smtp interface service Port_21 Port_21
    nat (inside,outside) source static server_smtp interface service Port_443 Port_443
    nat (inside,outside) source static server_smtp interface service Port_444 Port_444
    nat (inside,outside) source static drac interface service Port_445 Port_445
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous

    Thanks Lcambron... I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet. The DRAC runs on a different internal server, and over port 445. So I have the following lines:
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit tcp any object drac eq 445
    nat (inside,outside) source static drac interface service Port_445 Port_445
    Am I missing something here? Internally, I can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, I cannot telnet to my external IP address of the ASA through port 445.
    Thanks

  • Not able to get the ObjectInputStream in my client across firewall

    HI,
    I have my application running on Oracle 10g server. I have a servlet which converts a pdf file to a stream and writes it to the output stream
    // the code in the server is as below
    String location = stRealPath + "\\" + pdfloc;               
    byte[] returnData = null;
    returnData = (byte[])pdfGenerateBean.getGeneratedPDFStream(hashData); // this method returns the byte array of the file
    outStream.writeObject(returnData);
    On my client I have a java class which reads this stream and creates a pdf file
    // the client code is as below
    InputStream inPdf = msg.sendPostMessage(hashPDF);
    ObjectInputStream returnPdf = new ObjectInputStream(inPdf);
    inPdf = null;
    byte[] pdfStream = (byte[])returnPdf.readObject(); // getting error here
    File f = new File(".");
    FileOutputStream out = null;
    String loadDirectory = f.getAbsolutePath();
    pdfFile = loadDirectory + pdfFilename;
    out = new FileOutputStream(pdfFile);
    out.write(pdfStream);
    out.flush();
    out.close();
    This is working fine across my network and I am getting the stream on my client outside my firewall. But when a client of mine accesses it from inside his firewall, he is getting this exception.
    java.io.EOFException
         at java.io.DataInputStream.readFully(Unknown Source)
         at java.io.ObjectInputStream.readFully(Unknown Source)
         at java.io.DataInputStream.readObject(Unknown Source)
    What could the problem be? Is there any setting in the firewall due to which the stream is not available? Or do I have to send data in any other format?
    Thanks in advance
    Navin

    That's odd because firewalls usually let outbound requests pass through. My last-ditch firewall workaround is to use port 443. Once you have connected, it cannot know what is being transmitted, so it will sometimes let payloads through that are blocked on other ports.
    - Saish

  • Issue with Adobe flex data.xml file not reachable from bsp behind firewall

    Hi Gurus,
    I have a problem with the <mx:HTTPService> tag the following is the actual tag,
    <mx:HTTPService
    id="Srv"
    url="data.xml"
    useProxy="false"
    method="POST" result="resultHandler(event)"/>
    When accessed locally I can see the data in the flex as the data.xml can be reached. When the same is accessed from the internet behind a firewall, the url is entirely different and the .swf file in the BSP page cannot access the data.xml. I cannot give the absolute url in the tag as the BSP page application is accessed differently in different servers. Any help on this would be greatly appreciated
    Thanks
    Akbar

    Sorry somehow I missed this question, an even easier way to do this is to allow your Flash movie to "script" ( this is the default behavior for a Flex application ) and then call some javascript to obtain exactly what the page URL is and then go from there to get your data:
    import flash.external.ExternalInterface;
    import mx.utils.URLUtil;
    var pageURL:String;
    if(ExternalInterface.available){
         pageURL = ExternalInterface.call("window.location.href.toString");
         // Do whatever you need with the URL here.
         var serverName:String = URLUtil.getServerNameWithPort(pageURL);
    }
    -d

  • Adding devices behind firewall

    I have just installed an AirPort Extreme and want to add my thermostats so I can access them remotely. Do I need to add the MAC address and/or IP address of the thermostats? How do I do this and where?

    Hi,
    TACACS+ authentication service between network devices and AAA Server is running on TCP 49. The 2004-5000 port range is only applicable if you need to access ACS Server (for management purposes) from outside/internet. In your case, if you need to access your devices behind firewall from an external network, what you need is to map your internal network devices to a public IP, and open the desired service port, e.g. SSH (tcp 22), on your firewall outside interface ACL to allow incoming access.
    For your internal devices, you need to have appropriate AAA configuration that point to ACS (e.g TACACS+). In your ACS, set these devices as AAA Client, and configured appropriate IP, secret key and using TACACS+.
    Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html
    Hope this helps.
    Rgds,
    AK

  • SMTP behind Firewall

    We have a server behind a firewall; the SMTP ports are opened on the firewall. When the application tries to send mail using the Java Mail API, I get the following error. Anything wrong with the firewall (or) the mail API?
    javax.mail.SendFailedException: Sending failed;
    nested exception is:
    javax.mail.MessagingException: 530 5.7.3 Client was not authenticated
    at javax.mail.Transport.send0(Transport.java:219)
    at javax.mail.Transport.send(Transport.java:81)

    I think you have made it to the mail server (sounds like exchange). Looks like the server is setup to require authentication on incoming SMTP requests. Look here
    http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20250036.html
    Of course, I could be wrong and your firewall has a custom message for SMTP traffic which isn't coming from an 'authorized' mail server or an authenticating proxy server.

  • Wireless printing behind firewall

    Greetings. Since upgrading to 10.5, I am no longer able to wirelessly print behind firewall unless I check "set access for specific services and applications" under system preferences/security/firewall (on computer allowing printer sharing). I would think that I could print after checking "allow only essential services," since printer sharing is on, and this shows in the list of "specific services" allowed. I was hoping that this would be solved after upgrading to 10.5.3, but it is not.
    This applies to all connected USB printers. Router is a Linksys WRT54GS.
    Although probably unnecessary, I would prefer to use the more secure firewall setting ( "allow only essential services"). Any ideas would be appreciated.

    You need to have the right equipment. You have to put ISP equipment on the DMZ. What you need is an access point that resides on your inside internal network. This AP will associate clients and would place these clients on your internal network. Then you would configure your infrastructure to route the traffic how you wish. The reason you can't do what you want is that an ISP wifi router only has one route it knows..... That is what it knows from the wan port. So all traffic leaves the wan port via the ISP default gateway.
