RMI Through Firewalls

Is it possible to make RMI calls through a firewall if ports 1099 and 1098 are open?
Or is it necessary to apply the tunneling solution to pass through the firewall?

Well well... RMI is really bad for this. But this can be achieved...
The problem is, I think, that this server behind the firewall has a private IP. So, when you register your server object, the registry knows that it is located on a private IP... and the registry also tells this information to clients from outside networks (who connected originally to the public IP).
I did a nasty hack, using a custom client socket factory. I ignore the IP address that is passed to the createSocket method. There I just use my preferred IP. Being more exact: because this createSocket method is invoked on the client side, I ask this IP from the client's static method (and this method returns me the IP where the client originally connected). So, now my server is available from everywhere, because createSocket uses that IP, which was used for looking up the registry at the beginning.
I am not happy with this, but... what else can I do? Most servers are behind a firewall and do not have a public IP... unfortunately, RMI developers don't get it :(

Similar Messages

  • RMI Callbacks & Firewalls

    I am developing a java application where the client initiates a request to the server, then passes a remote object to the server, so that the server may do call backs.
    the problem is that the client is behind a firewall, and thusly when the server attempts to create a connection back to the client it fails.
    is it possible to have the client call back go through the existing socket, rather than creating a new one?
    the existing socket is the one the client opened to the server to connect in the first place?
    I have seen third party apps (rmi doves, rmiproxy) but I am wondering if this can be implemented easily without the use of third party software?
    Thanks,
    dan

    Hi Dan,
    There are very easy ways to do this, and very complicated, depending on how many users you're expecting. If the number is not too large, (<1000 or so) here is, quite likely, the very simplest method:
    Have clients call a getData method on the server object, it would be implemented something like this:
    public synchronized Data getData() throws InterruptedException {
       wait(); // blocks the remote call until setData() calls notifyAll()
       return data;
    }
    Now clients would create a separate thread to call this function, since it will block until there is a callback from the server.
    Next the server object has a corresponding internal method:
    synchronized void setData(Data data) {
       this.data = data;
       notifyAll(); // releases every client thread blocked in getData()
    }
    This will cause all blocked clients to return with the callback data via their outbound socket. When the thread is finished processing the callback functionality, it simply calls getData again.
    This is fast, simple, and easy; its problem is its potential to create a large number of blocked threads at the server. These do not consume a lot of compute cycles, but definitely memory.
    If you would like some other options, I host a free project for simple yet powerful RMI interoperation, at java.net:
    https://cajo.dev.java.net
    It should give you even more ideas!
    Good luck,
    John

  • RMI and Firewalls

    Hi folks,
    I have a sun cluster on which I put my RMI server, clients connect to server through a firewall. My problem, since it's a clustered environment we get physical IP addresses and logical IP addresses, clients if they have to connect to the server without firewall they have to see only logical IP addresses and not the physical. That works fine, but when there is a firewall the setting is different. If my logical IP is, say 120.30.40.10 and my physical IPs are 120.30.40.6, 120.30.40.7 .... The firewall is configured to let clients connect to, say IP 180.70.40.4 and it translates that to the logical IP address. When client is trying to make a lookup it connects to 180.70.40.4 which will be translated to 120.30.40.10. It passes this step and manages to get a reference to the server, but when it tries to invoke a method on that server it's rejected by the firewall. The client is getting RMI exception connection refused to 120.30.40.6, which is the physical IP of the server. After discussion with security team they said that the client is trying to initiate another connection to that physical IP which is not allowed by firewall.
    My question is how to avoid the client connecting to the physical IP address. it seems that it's done internally in the RMI protocol.

    I solved that problem by setting the property java.rmi.server.hostname=external_IP_address which solved the external client problem. But that raised another problem, since I have internal clients as well they couldn't connect to the server because it's on an external IP address, it's giving me connection refused to that IP.
    What's the solution in this case, I need somebody to help me ...
    Thanx

  • Messaging through Firewalls ?

    Hi !
    Please let me explain to you my problem and should you know the answer, please post it, I'm at my wits end :
    I am developing a client / server structure for a distributed game using Applets. I am required to do either the server and the client. The problem is that the server will be installed behind a firewall filtering almost all ports but HTTP.
    - I wonder how I could do it to a message connection through filtering ? Is it possible to use port 80 for this kind of connections ?
    - What other options are available ?
    - Could you please post an example of a client / server structure using your solution ?
    thanx in advance,
    Pau Almar
    http://www.upcnet.es/~pag

    Hi aresIco,
    JMS specifications do not define any particular transport for the flow of messages from client to server. It depends on the JMS provider to support different transports.
    FioranoMQ provides support for messaging over the HTTP layer and using it you can solve the problem that you are facing. Using the HTTP support provided by FioranoMQ the messaging clients use a HTTP client implementation so that all messaging requests are sent to the FioranoMQ server over HTTP where a Web server wrapper receives this request and processes it accordingly.
    This support can be configured across proxies and firewalls and the FioranoMQ server can be run on port 80 as well.
    For detailed information on the HTTP/HTTPS support refer to the chapter on Transport Layer and Tunneling in the FMQDevGuide from the following link:
    http://www.fiorano.com/downloads/fmq/FMQDevGuide.pdf
    You can also run applets over the FioranoMQ server. For more information on the same refer to the chapter on Developing and Deploying Applets in the same guide mentioned above.
    For any help regarding FioranoMQ and in setting up your scenario you can contact [email protected] anytime.
    Cheers
    Amit Bhasin
    FioranoSoftware Inc.
    http://www.fiorano.com

  • RMI passing firewalls

    I hope anyone can help me with this:
    I am trying to call a RMI server from a Client passing to natting firewalls, meaning my client has a private IP address and the server is installed on a node with a private ip address.
    On the server side the firewall is set up to forward all calls on port 1099 to the private ip address of the server node.
    So when I call the server from the client I use the public ip address of the firewall
    I have done some network tracing and I can see first this stream:
    TCP local ip:2002->public ip:1099 [SYN]
    TCP public ip:1099->local ip:2002 [SYN, ACK]
    TCP local ip:2002->public ip:1099 [ACK]
    RMI local ip:2002->public ip:1099 JRMI, Version: 2, StreamProtocal
    RMI public ip:1099->local ip:2002 JRMI, ProtocolAck
    RMI local ip:2002->public ip:1099 Continuation
    RMI local ip:2002->public ip:1099 JRMI, Call
    RMI public ip:1099->local ip:2002 JRMI, ReturnData
    TCP local ip:2002->public ip:1099 [ACK]
    TCP local ip:2002->public ip:1099 [FIN, ACK]
    TCP public ip:1099->local ip:2002 [ACK]
    TCP public ip:1099->local ip:2002 [FIN, ACK]
    TCP local ip:2002->public ip:1099 [ACK]
    The connection is ended and the RMI client tries again on another port (this is build into the program).
    No data is ever returned.
    In the Protocol Ack I can see that the EndPointIdentifier is pointing to the public ip address of the client side firewall. In the continuation I see the client nodes private ip address.
    Now, if I open a vpn connection to the remote network (the vpn ip address of my host is listed in the hosts file of the server node) then data is returned. Obviously they are returned on the vpn connection, but why?
    The client vpn ip address is not on the same network as the client private ip address.
    A network trace produces the same stream as above except for the connection being closed.
    Can anyone explain the behaviour and - hopefully - point me in a direction how to solve this.
    All help is most appreciated.
    cwolfhagen

    I found the solution myself.
    Reason being that I hadn't quite understood the intricacies of RMI and data communication (I could blame my english - it's not my mother tongue).
    But in order for anyone else who may have the same problem, I will post my solution.
    First it is important to understand that RMI is using two ports - the RMI port to the registry (default 1099 - but you can pass a port number to the constructor) and a 'data' port, the ServerSocket, which is by default picked randomly (port 0).
    This port must be fixed so that you can define this to your firewall. You can either do this by modifying the createServerSocket method in your SocketFactory or by (in the newer JDKs) giving the port number as an argument to the exportObject methods or to the UnicastRemoteObject constructors.
    If your firewall/router is using Network Address Translation there is another little trick:
    Specify the public IP address/hostname of the firewall as a parameter to the JVM (-Djava.rmi.server.hostname=public hostname) when you are starting your server application and have your firewall forward all requests on your defined RMI port and serverSocket port to the private IP address of the server application machine.
    Of course your outgoing firewall from the client has to allow communication on the same ports.
    AND VOILA - you can connect.
    I hope this can be of assistance to others.
    Happy brewing.
    cwolfhagen
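
The two settings described in this answer (a fixed export port and java.rmi.server.hostname), shown as an added Java example that is not part of the original post. The ports 1099 and 1098, the host name rmi.example.com and the Echo interface are assumptions made for illustration.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class FixedPortRmiServer {

    // Hypothetical remote interface, used only for this example.
    public interface Echo extends Remote {
        String echo(String msg) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        @Override
        public String echo(String msg) {
            return msg;
        }
    }

    // Assumed values: the firewall forwards exactly these two TCP ports
    // to this machine, and PUBLIC_HOST resolves to the firewall's address.
    static final int REGISTRY_PORT = 1099;
    static final int OBJECT_PORT = 1098;
    static final String PUBLIC_HOST = "rmi.example.com";

    // Strong references so the exported objects are not garbage collected.
    private static Registry registry;
    private static EchoImpl impl;

    public static void main(String[] args) throws Exception {
        // Must be set before the first object is exported: it is the host
        // name written into every stub that clients receive from the registry.
        // Equivalent to starting the JVM with -Djava.rmi.server.hostname=...
        System.setProperty("java.rmi.server.hostname", PUBLIC_HOST);

        impl = new EchoImpl();
        // A non-zero port replaces the default anonymous "data" port (port 0),
        // so the firewall rule can name one port instead of a wide range.
        Echo stub = (Echo) UnicastRemoteObject.exportObject(impl, OBJECT_PORT);

        registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        registry.rebind("echo", stub);

        // The stub's string form includes the endpoint clients will dial.
        System.out.println("bound: " + stub);
    }
}
```

With this setup the firewall only needs to forward the registry port and the single object port, and any other inbound port can stay closed.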

  • RMI through JDeveloper

    I was wondering if there was a way of running rmic through the menu in JDeveloper . Similarly, is it possible to run rmiregistry through JDeveloper.
    Regards,
    Paul.

    Here is the build.xml (relevant areas only) after editing. I added the "rmi" target. Note that your implementation files need to be named xxxImpl.java for this approach to work. I run rmiregistry outside of JDeveloper and can then run the server and client inside JDeveloper.
    Best,
    Joe
    <?xml version="1.0" encoding="windows-1252" ?>
    <!--Ant buildfile generated by Oracle JDeveloper 10g-->
    <!--Generated Nov 30, 2005 2:37:05 PM-->
    <project name="jGuru" default="all" basedir=".">
      <property file="build.properties"/>
      <target name="init">
        <tstamp/>
        <mkdir dir="${output.dir}"/>
      </target>
      <target name="all" description="Build the project" depends="compile,rmi,copy"/>
      <target name="rmi" description="Compile Java RMI Interfaces" depends="init,compile">
        <rmic base="${output.dir}" includes="**/*Impl.class"/>
      </target>
      <target name="compile" description="Compile Java source files" depends="init">
        <javac destdir="${output.dir}" debug="${javac.debug}"
               nowarn="${javac.nowarn}" deprecation="${javac.deprecation}"
               encoding="Cp1252">
          <src path="src"/>
        </javac>
      </target>
    </project>

  • RMI through ProxyServer URGENT!!!

    Hi,
    Now the RMI Client-Server works fine through Internet. When I try to connect via Proxy Server, it fails with the following message
    "java.net.NoRouteToHostException".
    I have set the following properties in client machine.
    http.proxySet=true
    http.proxyHost=xxx.xxx.x.x
    http.proxyPort=yyyy
    Thanking you in advance.

    Maybe the RMI port must be changed, or given permission to pass through the proxy. Something innocent like "80" would be an interesting attempt.

  • RMI through a firewall

    Has anybody been able to do this? I have an RMI server that will attach on a non-firewalled machine but won't on the machine I really need it on. Can anyone tell me what needs to be done administratively or programmatically?
    Steve

    I looked into RMI over a firewall once.
    The port 80 solution, called Http Tunnelling, at the time ( 2 years ago ) required a custom servlet intercepting all the RMI calls, then it forwarded the call on to the actual RMI server..... messy.
    In the end I recommended writing an RMI Custom Socket Factory.
    Not as hard as it looks, and source is available.
    It meant that you could have your own properties file which dictated the ports the RMI used. So you might have something like
    rmi_ports=1900-2000
    You parse the properties file, and only attempt to open ports in that range.
    The firewall will of course have to open that range of ports too.
    I never implemented this, but did research it a few years back.
    Maybe there's a more up-to-date solution.... maybe not.
    But that's my 2 cents ( in Euro not dollars ! )
    regards,
    Owen
    http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/index.html
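
One way to write the port-range socket factory outlined in this reply, as an added Java example that is not code from the post or from the linked guide. The class name, the Ping interface and the inline sample configuration are assumptions; the rmi_ports=1900-2000 format is the one the reply suggests.

```java
import java.io.IOException;
import java.io.StringReader;
import java.net.BindException;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.util.Properties;

// Server socket factory that only ever listens inside a configured port range.
public class PortRangeServerSocketFactory implements RMIServerSocketFactory {
    private final int low;
    private final int high;

    public PortRangeServerSocketFactory(int low, int high) {
        if (low < 1 || high > 65535 || low > high) {
            throw new IllegalArgumentException("bad port range " + low + "-" + high);
        }
        this.low = low;
        this.high = high;
    }

    // Parses a value such as "1900-2000" from the rmi_ports property.
    public static PortRangeServerSocketFactory fromProperties(Properties props) {
        String[] parts = props.getProperty("rmi_ports", "").split("-");
        if (parts.length != 2) {
            throw new IllegalArgumentException("rmi_ports must look like low-high");
        }
        return new PortRangeServerSocketFactory(
                Integer.parseInt(parts[0].trim()), Integer.parseInt(parts[1].trim()));
    }

    @Override
    public ServerSocket createServerSocket(int port) throws IOException {
        if (port != 0) { // the caller asked for a specific port: enforce the range
            if (port < low || port > high) {
                throw new IOException("port " + port + " is outside " + low + "-" + high);
            }
            return new ServerSocket(port);
        }
        for (int p = low; p <= high; p++) { // port 0: first free port in the range
            try {
                return new ServerSocket(p);
            } catch (BindException inUse) {
                // already bound by another listener; try the next port
            }
        }
        throw new IOException("no free port in " + low + "-" + high);
    }

    // RMI compares factories to decide whether two exports can share a listener.
    @Override
    public boolean equals(Object o) {
        return o instanceof PortRangeServerSocketFactory
                && ((PortRangeServerSocketFactory) o).low == low
                && ((PortRangeServerSocketFactory) o).high == high;
    }
    @Override
    public int hashCode() { return 31 * low + high; }

    // Hypothetical remote interface, used only to have something to export.
    public interface Ping extends Remote { String ping() throws RemoteException; }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.load(new StringReader("rmi_ports=1900-2000\n")); // constructed sample config
        PortRangeServerSocketFactory factory = fromProperties(props);
        Ping impl = new Ping() { public String ping() { return "pong"; } };
        // Port 0 normally means "any port"; the factory maps it into the range.
        Remote stub = UnicastRemoteObject.exportObject(impl, 0, null, factory);
        System.out.println("exported as " + stub);
        UnicastRemoteObject.unexportObject(impl, true); // demo only: lets the JVM exit
    }
}
```

Keeping the range as small as the number of exported listeners requires means the matching firewall rule exposes no ports that nothing is listening on.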

  • DTU Access Through Firewalls - Help Please

    Hi Everyone,
    I'm trying to connect some DTUs between two customer sites where they have 2 FOGs configured. I hope to use AMGH eventually but at the moment I'm just testing connectivity between the sites. I'm told that the firewalls between the sites are permitting all incoming TCP and UDP traffic to each site.
    To test this I have been ssh'ing from site A to site B's SR servers and can also get to the web interface of both SR servers at site B from site A. I realise this doesn't really test the UDP side of things.
    So here's the problem: The DTU at site A has the GUI firmware on and I've configured it to look for the primary SR server at site B. When I switch the DTU on it correctly obtains an IP address from DHCP at site A and then proceeds to try and talk to the SR server at site B. It seems to do this correctly and the SRSS web interface at site B shows a pseudo session has been created, however, the DTU at site A sits with the OSD 26B error (waiting for x session I believe).
    Apart from the firewalls being incorrectly configured is there anything else I need to do on the SR Servers to permit the DTUs getting x sessions?
    Many thanks.
    Chris
    Edited by: mac_chris on Dec 30, 2009 9:08 AM

    UPDATE:
    Following some interesting conversations with the third party looking after the network it looks like this was a firewall configuration issue. It was indeed the case that no UDP traffic was able to get from site B to site A which is why the DTUs at site A pointing at site B weren't showing a session.
    DTUs at site A can now get sessions from site B so all is well.
    Edited by: mac_chris on Jan 7, 2010 2:40 AM

  • Missing feature or bug? - NetGroup video does not go through firewalls/NATs

    I am developing an application based on NetGroup Video. I observed following
    - Without any NAT/firewall - "NetGroup.post" and audio/video DOES work
    - One client inside NAT/firewall - "NetGroup.post" works, video and audio DOES NOT work
    - After manually punching holes in NAT/firewall (outside of application), both audio and video started working. As soon as hole was closed, both audio/video stopped again.
    It seems like NetGroup P2P connections do not do NAT/firewall hole punching. Can somebody from Adobe confirm this to be true (or not true)? If true, is it a known issue, will it be fixed soon? If not, I may have to implement a hole punching algorithm in my application.
    Any information / help is appreciated.

    Hi Michael, thanks for quick reply. My reply as below:
    1. Yes the text chat works over NetGroup while video does not work (Video is connected through a different NetGroup)
    2. results of cc.rtmfp.net as follows:
    Event: NetConnection.ConnectivityCheck.Results info:
    receiveDifferentAddressDifferentPortAllowed: false
    code: NetConnection.ConnectivityCheck.Results
    publicAddressIsLocal: false
    level: status
    description: Connectivity Check Results
    sendAfterIntroductionAllowed: true
    sendAfterIntroductionPreservesSourceAddress: true
    receiveSameAddressSamePortAllowed: true
    sendAfterIntroductionPreservesSourcePort: true
    localAddresses: 10.0.0.2:52964,[2001:0:4137:9e76:28c8:22e8:8302:dec1]:52965
    publicPortMatchesLocalPort: true
    receiveSameAddressDifferentPortAllowed: false
    publicAddress: 124.253.33.62:52964
    3. My code to send video is as follows:
    var id:String = "user1";
    // code to send video
    var groupSpec:GroupSpecifier = new GroupSpecifier(id);
    groupSpec.ipMulticastMemberUpdatesEnabled = true;
    groupSpec.multicastEnabled = true;
    groupSpec.postingEnabled = true;
    groupSpec.objectReplicationEnabled = true;
    groupSpec.routingEnabled = true;
    groupSpec.serverChannelEnabled = true;
    outgoingStream = new NetStream(netConnection, sendVideoNetGroupSpec.groupspecWithAuthorizations());
    var mic:Microphone = Microphone.getMicrophone();
    mic.gain = 100;
    outgoingStream.attachAudio(mic);
    var camera:Camera = Camera.getCamera();
    camera.setMode(320, 240, 15);
    outgoingStream.attachCamera(camera);
    outgoingStream.publish(id);
    break;
    4. Code to receive video on the other end is as follows:
    var groupSpec:GroupSpecifier = new GroupSpecifier(id);
    groupSpec.ipMulticastMemberUpdatesEnabled = true;
    groupSpec.multicastEnabled = true;
    groupSpec.postingEnabled = true;
    groupSpec.objectReplicationEnabled = true;
    groupSpec.routingEnabled = true;
    groupSpec.serverChannelEnabled = true;
    var incomingStream:NetStream = new NetStream(netConnection, chatTopicNeighbourList[i].videoNetGroupSpec.groupspecWithAuthorizations());
    incomingStream.receiveVideo(true);
    incomingStream.receiveAudio(true);
    var st:SoundTransform = new SoundTransform(1);
    incomingStream.soundTransform = st;
    var remoteVideo:Video = new Video();
    remoteVideo.width = 120;
    remoteVideo.height = 68;
    remoteVideo.attachNetStream(incomingStream);
    videoDisplay.addChild(remoteVideo);
    incomingStream.play(id);

  • XML Messaging through firewalls

    Hi !
    Please let me explain to you my problem and should you know the answer, please post it, I'm at my wits end :
    I am developing a client / server structure for a distributed game using Applets. I am required to do either the server and the client. The problem is that the server will be installed behind a firewall filtering almost all ports but HTTP.
    - I wonder how I could do it to use XML Messaging connection through filtering ? Is it possible to use port 80 for JAXM connections ?
    - If not JAXM solution, what other options are available ?
    - Could you please post an example of a client / server structure using your solution ?
    thanx in advance,
    Pau Almar
    http://www.upcnet.es/~pag

    > Is it possible to use port 80 for JAXM connections ?
    Yes, it is just a matter of configuration of your web server.

  • Streaming through firewalls.

    Hello,
    How can I send an RTP stream from a machine to another machine which is on a different network? Since both machines are behind their firewalls, how is this achieved? Some kind of tunneling mechanism? Can RTPSockets help?

    emstol wrote:
    I don't know udp/tcp protocols very well, but does it really work?
    captfoss wrote:
    Note: Because computer A sent something to computer B, computer A is expecting to get a response from computer B.
    A sends data to B by UDP. In this scenario A can not expect a response because it uses UDP. In UDP there are no responses.
    In UDP there are most certainly responses, though they're generated by application code rather than the protocol stack.
    The "response" being talked about here is about the NAT setup. NATs aren't all that useful if they don't make some record of outgoing packet streams, (Notice I'm not using the word connection) as they wouldn't be able to direct "reply packets" (either TCP or UDP) back to the originating host. "Reply packets" sound connection oriented, but they're not. A "Reply Packet" is just a packet that uses as a destination, an IP/Port combination that was previously a source of an IP packet. (This applies to both TCP and UDP) In this way, if you have two hosts behind firewalls, all you need to do is establish what public IP/port the NAT will be using on both sides, (The Rendezvous Server step) send a packet to the target machine on this IP/port (this establishes the first stream path) then have the target machine send a packet back to you on that same port. (This establishes the stream path on the second firewall, and since both sides now have that path, the two machines can communicate) Some firewalls are very strict, and the "reply packet" must have the same source port and IP as the original packet's destination port and IP. Such a firewall is called a Symmetric Firewall, and it's the hardest type of firewall to bypass. Most are "full cone" which means only the NAT's side of the IP/Port pair needs to match, and in such a case, both machines can send packets directly to each other, immediately after using the rendezvous server. Don't bet on the firewall you're needing to bypass being this type however. If you make your method work for bypassing symmetric firewalls, you'll bypass any other type as well. (Except UDP Port Blocking, in which case, you're SOL)
    Edited by: sh0ckbyt3 on Dec 28, 2008 5:43 PM

  • RMI Through Apache-Weblogic Bridge

    Hi,
    How to use RMI in apache-weblogic bridge
    Thanks,
    Siva E.

    [email protected] (srinivasa reddy) wrote in
    <39bb039e$[email protected]>:
    >
    hi,
    I have a basic question, does weblogic support apache-weblogic
    bridge with mod_ssl/any ssl installed on apache.
    thanks & regards
    [email protected]
    There is a mod_wl_ssl.so in sp4 (I believe). mod_ssl extends Apache's API
    and thereby breaks the WebLogic bridge. For raven installations you need
    mod_wl_ssl_rave.so because raven extends the API even further.
    Joel
    E-Mail: (jbf (at) proceedo dot com)

  • RMI through firewall

    I want to know if RMI HTTP tunneling works fine, or if it is hard to do.
    Before I start testing, I need to clarify some doubts.
    Why doesn't the JDK Windows distribution have the java-rmi.cgi file for HTTP tunneling?
    The bin directory has a file java-rmi.exe that I don't know what it does. I couldn't find much information about this.

    Because you should use the RMI servlet that comes in the samples.

  • Allowing app store through firewalls

    Hi,
    My Iphone is connected to the WiFI at my company.
    i have a D-Link Firewall installed and it seems to be blocking the app store connections.
    i can only browse the " Updates " section from the phone's app store, but other stuff like top 5 or featured or any other tab down there gives " could not connect to app store "
    in my firewall log i seem to be getting this IP frequently so i think that's it.
    93.186.135.51
    93.186.135.10
    i live in Egypt.
    is there a web URL it connects to that translates to something in this IP range or something? if not how do i get it past the firewall?
    thanks in advance.

    If you can't get help from the network administrator, you'll have to connect to another network or use a public VPN service such as StrongVPN (not a recommendation.)
