Callback cannot be done if client behind firewall. But WHY?
I've read a lot of threads regarding callback is not achievable if client is behind firewall. But i couldn't find the DETAILED reason for that. Can anyone explain that?
Thank,
Jax
In order for a server to asynchronously callback a client, it must create an inbound socket connection to the client, to send the message. This is precisely the type of thing a firewall is designed to prevent.
To receive callbacks, the firewall would have to open a specific port for inbound connections to the client, and the server would have to be aware of this port as well.
Similar Messages
-
When the RMI client behind firewall tries to access the server the following error is thrown up:
java.rmi.ConnectIOException: Exception creating connection to: 10.130.12.128; ne
sted exception is:
java.net.NoRouteToHostException: Operation timed out: no further informa
tion
java.net.NoRouteToHostException: Operation timed out: no further information
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(Unknown S
ource)
at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Unknown S
ource)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
at sun.rmi.server.UnicastRef.invoke(Unknown Source)
at RMIFaxServer_Stub.getResult(Unknown Source)
at FaxTest.main(FaxTest.java:51)your client is behind the firewall but the server you're trying to access has an address 10.x.x.x which says that it too is behind a firewall and not on the Internet, or is the server in a DMZ. It sounds more like a networking issue than a java problem at this point. If the server is on some side of a firewall, you may need a some sort of "permit established" config setting added to the firewall. Just a thought.
-
Multiple ichat clients behind firewall?
IS it possible to have multiple ichat clients behind a firewall? I've just bought a macbook pro and would like to purchase two more for ichat functionality. Two of these will be behind one firewall, the other across the country. I can't find any documentation other than how to configure a single ichat client.
Is it possible? It's ok if we have to purchase an xserve and run some kind of server our end - I just want it to work.
Message was edited by: paulgamiHi paulgami,
iChat will work behind a firewall or routing device.
With routing device the easiest method is UPnP which allows the Apps to open the ports and allows multiple computers to use the same ports.
A device that has Port Triggering can also allow multiple computers to use the same ports.
If you mean that you want the Bonjour side or even the Jabber side (in the iChat Server in OS X serve) to be in the same Network you will have to look to setting up VPNs (virtual Private Networks) to cover the distances you are talking about.
It may be just semantics but it helps if we know which bit of iChat you are talking about.
Tiger 10.4.x OS X Serve has an Jabber Server that can be used with the Jabber side of iChat (iChat 3.x)
Each computer already has the iChat Client.
There are also Public Jabber servers including Googletalk to use with the Jabber side of iChat.
The Main Buddy list obviously uses the AIM service and again this can be world wide.
iChat also has the Bonjour side. This can find any other Mac on the same network. It uses the user's Address Book to broadcast a Screen Name for the other iChat clients (separate buddy List)
Possibly start here
http://www.ralphjohnsuk.dsl.pipex.com/index.html
Just getting started ?
http://www.siriusaddict.com/ichat.html
Collaboration Services Forum in OS XServer
http://discussions.apple.com/forum.jspa?forumID=700
8:44 PM Monday; August 13, 2007 -
Cannot download file over https behind firewall ?
I have a program to download files :
public class TestServlet
public static void main(String args[]){
Authenticator.setDefault(new AuthImpl());
if (args.length!=2){
System.out.println("Proper Usage: java -Dhttp.proxyHost=172.21.32.166 -Dhttp.proxyPort=80 TestServlet RemoteFileURL LocalFileName");
System.out.println("Usage Example:java -Dhttp.proxyHost=199.67.138.83 -Dhttp.proxyPort=8080 TestServlet https://url.com/csv/file.zip file.zip");
System.exit(0);
DataOutputStream out=null;
FileOutputStream fOut=null;
try
trustAllHttpsCertificates();
String urlStr = args[0];
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String urlHostName, SSLSession session) {
System.out.println("Warning: URL Host: "+urlHostName+" vs. "+session.getPeerHost());
return true;
HttpsURLConnection.setDefaultHostnameVerifier(hv);
System.out.println("\nConnecting to Website . . . "+urlStr);
URL url = new URL(urlStr == null ? "https://url/Downloads/WC.csv" : urlStr);
System.out.println("\nConnecting . . . . ");
BufferedReader in = new BufferedReader(new InputStreamReader(url.openStream()));
System.out.println(". . . Connected");
System.out.print("\nDownloading the file . . . ");
int buff;
fOut=new FileOutputStream(args[1]);
System.out.print(" . .");
out=new DataOutputStream(fOut);
System.out.print(" . .");
while ((buff = in.read()) != -1) {
fOut.write(buff);
in.close();
System.out.println(" . . . Done \n");
catch (Exception e) {
e.printStackTrace();
finally {
try{
fOut.flush();
fOut.close();
System.exit(0);
catch(Exception e){
e.printStackTrace();
HostnameVerifier hv = new HostnameVerifier()
public boolean verify(String urlHostName, SSLSession session) {
//System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
return true;
private static void trustAllHttpsCertificates() throws Exception
// Create a trust manager that does not validate certificate chains:
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new miTM();
trustAllCerts[0] = tm;
javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, null);
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
public static class miTM implements javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
public boolean isServerTrusted(java.security.cert.X509Certificate[] certs) {
return true;
public boolean isClientTrusted(java.security.cert.X509Certificate[] certs) {
return true;
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
throws java.security.cert.CertificateException {
return;
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
throws java.security.cert.CertificateException {
return;
public static class AuthImpl extends Authenticator {
protected PasswordAuthentication getPasswordAuthentication() {
String username = new String("guest");
String password = new String ("guest");
return new PasswordAuthentication(username, password.toCharArray());
}This program works fine for downloading files, over both http and https from my home. When I run this on my desktop in the office it can download files over http, but cannot download https files.
When I try to download files over https, I get the foll. exception:
java.net.UnknownHostException: www.site.com
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:153)
at java.net.Socket.connect(Socket.java:452)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(DashoA12275)
at sun.net.www.protocol.https.HttpsClient.doConnect(DashoA12275)
There are 2 differences here, one being that my office desktop sits behind a firewall and there is a proxy in between.
In the office I run the program as :
java -Dhttp.proxyHost -Dhttp.proxyPort TestServlet URL [filename]
eg.:
java -Dhttp.proxyHost=235.67.138.84 -Dhttp.proxyPort=8080 TestServlet https://site.com/portal/Downloads/file.csv file.csv
This url requires authentication, the userid and pwd are hardcoded in the code.
Now, my problem is I cannot understand why this error would come. Is it because of the firewall or because of the proxy ?
Why is it that I can download over http successfully from my office desktop? If the problem is with the firewall or proxy, then even http protocol urls should give the same problem.
Please help.
Vinay
Message was edited by:
vinay_dsouza
Message was edited by:
vinay_dsouzaIf you are using HTTPS you should be setting
https.proxyHost
https.proxyPortnot the http.* ones. -
Rmi/iiop with clients behind firewall?
I have a client app (standalone/applet) that will be running behind a firewall and I'm trying to connect it to S1AS7 through rmi/iiop. I keep getting some connection exceptions on the server when it tries to connect back to the client. Is there anyway to find out which port the server tries to connect to the client so I can open up that port with the firewall? Is there any other workarounds?
Check out the below document. This is a document for the earlier version of the appserver, but I guess this part should still hold good in S1AS 7 :
http://docs.sun.com/source/816-5777-10/jpgrichc.htm#24425
Basically, during the RMI-IIOP communication, the ports are assigned dynamically and hence we cannot exactly say which ports will be used for the response.
As a general rule of thumb, the response will be going through the ephemeral ports. (Ephemeral ports are temporary ports assigned by a machine's IP stack, and are assigned from a designated range of ports for this purpose. When the connection terminates, the ephemeral port is available for reuse, although most IP stacks won't reuse that port number until the entire pool of ephemeral ports have been used. So, if the client program reconnects, it will be assigned a different ephemeral port number for its side of the new connection.)
So, it is advisable to open the the entire ephemeral port range in the firewall.
On Solaris, the ephemeral port range can be determined using the below command :
# /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
These values could also be altered using the below commands :
# /usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 49152
# /usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port 61000
Hope that helps...
Cheers,
VM -
Java Rmi Client behind firewall
What port should be opened to let rmi traffic passing through firewall to weblogic app server?
Dahan <[email protected]> writes:
What port should be opened to let rmi traffic passing through firewall to weblogic app server?The port the server is listening on?
andy -
Rmi callback implemention behind firewall
hi ,
I am working on a project which requires the callback
implementation.Now because the client applet which is
behind a proxy , the server is not able to call a method
on the client side through the client remote object it
has ... i think that is because of HTTP ....
if there is any solution to the above problem
please let me know at the earliest...
thanks in advance,
nishit.The problem is inherent in the design of RMI, and there is no solution. (If you look in the RMI forum you will see miles of text discussing this problem.)
-
What are prerequisite for Design Studio Client tool behind firewall?
Hi Experts,
Can you tell me what are prerequisites for Design Studio Client tool behind firewall?
Best Regards,
PushkarHi Pushkar,
In which 'mode' would you like to use the Design Studio Client application. Connected to the BI platform, SAP HANA, etc?
With kind regards,
Martijn -
I have been searching for a solution for this issue with all that google knows......
I have my client behind NAT with ip 192.168.27.1
And the server behind NAT with some ip (i am not really worried abt this)
Now I register a client object to server for notification. SImply a hash table in server stores all my client objects. On a expected change, I invoke a method in my client objects.
In this scenario I happened to observer that the client objects sent to server had the client ip (192.168.27.1) inside it and not the NAT ip through which they went out.
So when I went invoke the remote method nothing interestingly happens as the client cannot be located.
I tried creating custom sockets in client and binding it to NAT ip --> obvious bind exception for a ip that is not with client
Setting the NAT ip as java.rmi.hostname in client --> no effect, since still the server is trying to notify (192.16827.1)
Help me to root out this issue. I feel that there must be a solution for this, otherwise RMI it would not have been this much successful.Hi turing,
thanks for your reply
actually my question is
"maybe if you try using the "real" ip (www,whatismyip.com)
your program will work. "
how to do this in the scenario I explained.
Most of the discussions I saw in this forum are about server behind NAT and resolution approach for it. I can't find an answer for this even in the post you mentioned.
Simply,
When I register a client object in server, how will the server identify the client to notify, when the client is behind NAT.
Will the ip address that the remote object carries will also be NAT'ed. I don't see this happening. -
PAT with a single public IP and several servers behind firewall
Hi,
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
Single static public IP: 16.2.3.4
Need to PAT several ports to three separate servers behind firewall
One server houses email, pptp server, ftp server and web services: 10.1.20.91
One server houses drac management (port 445): 10.1.20.92
One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.
Here is what I have. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
ASA Version 8.4(4)1
hostname kaa-pix
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 16.2.3.4 255.255.255.0
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server_smtp
host 10.1.20.91
object service Port_25
service tcp source eq smtp
object service Port_3389
service tcp source eq 3389
object service Port_1723
service tcp source eq pptp
object service Port_21
service tcp source eq ftp
object service Port_443
service tcp source eq https
object service Port_444
service tcp source eq 444
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq pptp
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object server_smtp eq pptp
access-list acl-out extended permit tcp any object server_smtp eq 3389
access-list acl-out extended permit tcp any object server_smtp eq ftp
access-list acl-out extended permit tcp any object server_smtp eq https
access-list acl-out extended permit tcp any object server_smtp eq 444
access-list acl-out extended permit tcp any object drac eq 445
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static server_smtp interface service Port_3389 Port_
3389
nat (inside,outside) source static server_smtp interface service Port_1723 Port_
1723
nat (inside,outside) source static server_smtp interface service Port_21 Port_21
nat (inside,outside) source static server_smtp interface service Port_443 Port_4
43
nat (inside,outside) source static server_smtp interface service Port_444 Port_4
44
nat (inside,outside) source static drac interface service Port_445 Port_445
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymousThanks Lcambron...I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet..The DRAC runs on a different internal server, and over port 445. So I have th following lines:
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static drac interface service Port_445 Port_445
Am I missing something here? Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, i cannot telnet to my external ip address of the ASA through port 445.
Thanks -
Not able to get the ObjectInputStream in my client across firewall
HI,
I have my application running on Oracle 10g server.I have a servlet which converts a pdf file to stream and writes it to outputstream
// the code in the server is as below
String location = stRealPath + "\\" + pdfloc;
byte[] returnData = null;
returnData = (byte[])pdfGenerateBean.getGeneratedPDFStream(hashData); // this method returns the byte array of the file
outStream.writeObject(returnData);
On my client I have a java class which reads this stream and creates a pdf file
// the client code is as below
InputStream inPdf = msg.sendPostMessage(hashPDF);
ObjectInputStream returnPdf = new ObjectInputStream(inPdf);
inPdf = null;
byte[] pdfStream = (byte[])returnPdf.readObject(); --------getting error here
File f = new File(".");
FileOutputStream out = null;
String loadDirectory = f.getAbsolutePath();
pdfFile = loadDirectory + pdfFilename;
out = new FileOutputStream(pdfFile);
out.write(pdfStream);
out.flush();
out.close();
// this is working fine acroos my network and i am getting the stream on my client outside my firewall.But when a client of mine accesses it from inside his firewall, he is getting this exception.
java.io.EOFException
at java.io.DataInputStream.readFully(Unknown Source)
at java.io.ObjectInputStream.readFully(Unknown Source)
at java.io.DataInputStream.readObject(Unknown Source)
How could the problem be? Is there any setting in the firewall due to which the Stream is not available.Or do i have to send data in any other format.
Thanks in advance
NavinThat's odd because firewalls usually let outbound requests pass through. My last-ditch firewall workaround is to use port 443. Once you have connected, it cannot know what is being transmitted, so it will sometimes let payloads through that are blocked on other ports.
- Saish -
Issue with Adobe flex data.xml file not reachable from bsp behind firewall
Hi Gurus,
I have a problem with the <mx:HTTPService> tag the following is the actual tag,
<mx:HTTPService
id="Srv"
url="data.xml"
useProxy="false"
method="POST" result="resultHandler(event)"/>
When accessed locally I can see the data in the flex as the data.xml can be reached. when the same is accessed from internet behind firewall, the url is entirely different and the .swf file in the BSP page cannot access the data.xml. I cannot give the absolute url in the tag as the BSP page application is accessed differently in different servers. any help on this would be greatly appreciated
Thanks
AkbarSorry somehow I missed this question, an even easier way to do this is to allow your Flash movie to "script" ( this is the default behavior for a Flex application ) and then call some javascript to obtain exactly what the page URL is and then go from there to get your data:
import flash.external.ExternalInterface;
import mx.utils.URLUtil;
var
if(ExternalInterface.available){
pageURL = ExternalInterface.call("window.location.href.toString");
// Do whatever you need with the URL here.
var serverName:String = URLUtil.getServerNameWithPort(pageURL);
-d -
Adding devices behind firewall
i have just installed an AirPort Extreme and want to add my thermostat so i can access them remotely. Do i need to add the MAC address and or IP Address of the thermostats? How do i do this and where?
Hi,
TACACS+ authentication service between Network devices and AAA Server is running on TCP 49. The 2004-5000 port range is only applicable if you need to access ACS Server (for management purposes) from outside/internet. In your case, if you need to access your devices behind firewall from external network, what you need is map your internal network devices with public IP, and open ddesired service port, e.g SSH (tcp 22) on your Firewall outside interface ACL to allow incoming access.
For your internal devices, you need to have appropriate AAA configuration that point to ACS (e.g TACACS+). In your ACS, set these devices as AAA Client, and configured appropriate IP, secret key and using TACACS+.
Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html
Hope this helps.
Rgds,
AK -
We have a sever behind firewall, the SMTP ports are opened on firewall. When the application tries to send mail using java mail API, I get the following error. Anything worng with firewall (or) mail api ?
javax.mail.SendFailedException: Sending failed;
nested exception is:
javax.mail.MessagingException: 530 5.7.3 Client was not authenticated
at javax.mail.Transport.send0(Transport.java:219)
at javax.mail.Transport.send(Transport.java:81)I think you have made it to the mail server (sounds like exchange). Looks like the server is setup to require authentication on incoming SMTP requests. Look here
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20250036.html
Of course, I could be wrong and your firewall has a custom message for SMTP traffic which isn't coming from a 'authorized' mail server or a authenicating proxy server. -
Wireless printing behind firewall
Greetings. Since upgrading to 10.5, I am no longer able to wirelessly print behind firewall unless I check "set access for specific services and applications" under system preferences/security/firewall (on computer allowing printer sharing). I would think that I could print after checking "allow only essential services," since printer sharing is on, and this shows in the list of "specific services" allowed. I was hoping that this would be solved after upgrading to 10.5.3, but it is not.
This applies to all connected USB printers. Router is a Lyksys WRT54GS.
Although probably unnecessary, I would prefer to use the more secure firewall setting ( "allow only essential services"). Any ideas would be appreciated.You need to have the right equipment. You have to put ISP equipment on the DMZ. What you need is an access point that resides on your inside internal network. This AP will associate clients and would place these clients on your internal network. Then you would configure your infrastructure to route the traffic how you wish. The reason you can't do what you want is that an ISP wifi router only has one route it knows..... That is what it knows from the wan port. So all traffic leaves the wan port via the ISP default gateway.
Posted from my mobile device.
Maybe you are looking for
-
How to reference the Parent view Object attribute in Child View object
Hi , I have the requirememt to generate Tree like struture to display Salary from joining date to retirement date in yearly form.I have writtent two Pl/SQL function to return parent node and child nodes(based on selected year). 1.First function --> I
-
Test-path where a directory in the path is variable
My company has a series of fax lines and associated file shares. Faxes are processed & then dropped off into these file shares. From that point a service runs about every 60 seconds to look for files in these directories to import into a database. If
-
Error while creating vendor contact person using vmd_ei_api
Hi, while craeting vendor contact person using maintain_bapi of vmd_ei_api class iam getting error like 'Specify address number or address handle'. code : CALL FUNCTION 'BAPI_PARTNEREMPLOYEE_GETINTNUM' EXPORTING quantity = 1 IMPORTING * RETURN = cont
-
In SE51 in want to group 2 radiobuttons , i want it in Line editor
Hi , due do some technical problem graphical painter is not working only line editor is working. Please help me in grouping 2 radio buttons in line editor. if it is step by step it will be great. Thank you in advance.
-
Sometimes my photos are coming out hazy or foggy. This is occurring my and my wife's 4. I also notice that if I hold my wife's 4 and my 4 side by side, the image on one viewfinder will appear darker than the other. I don't know what to make of the ha