
Thread: SC6 through firewall not possible!!!

  #1 tommy (Administrator, Copenhagen, joined Nov 2001, 4,272 posts)

    SC6 through firewall not possible!!!

    Just stumbled across this topic on support.peregrine.com

    "SAS-W10-N8FK"

    Who on earth would prioritize moving a pc from one network plug to another and be able to reconnect over the ability to connect through a firewall with the eclipse client???
    Best regards Tommy
    ITIL certified - Accredited Integration Specialist - HP OpenView Service Management

  #2 sigtb02 (Senior Member, Québec city, joined Feb 2002, 104 posts)

    Where can I find this topic? I tried searching with the term SAS-W10-N8FK. No results.

  #3 tommy (Administrator, Copenhagen, joined Nov 2001, 4,272 posts)

    It looks like the document has been removed.
    Best regards Tommy

  #4 Junior Member (Belgium, Elsene-Ixelles, joined Mar 2005, 16 posts)

    copy of the original document: part 1

    the original document:


    ServiceCenter 6: How to connect through a firewall - why the eclipse client does not allow these connections

    Product: ServiceCenter Executables & RTE (Runtime Environment)
    Versions:
    DB Engine:
    Operating System:
    Creation Date: 10/01/2004 09:30:51
    Last Modified Date: 12/01/2004 08:41:10
    Widest Audience: Advanced Customers
    Document ID: SAS-W10-N8FK

    QUESTION or TOPIC

    If a client wants to connect to a ServiceCenter server behind a firewall, the web tier has to be used. This is because the Eclipse client opens a new TCP port for communication between client and server. This new TCP port will be an unpredictable number, thus connecting through a firewall with the Eclipse (SOAP) client will not work. What is the reason for using a separate port number for each connection?


    ANSWER or CONTENT

    The SC 6 web client is the only solution for users connecting from outside a firewall at this point. That way the end-user is using a browser and the server is the web server running our web tier. HTTPS should be used for the web tier, for the same reasons it would be used for web mail and other applications requiring secure connections. The port number can be any TCP port; usually it is 80 for a web application, unless that port is used by another application. It is much easier and more secure to require users outside the firewall to use the SC 6 web client via a browser and use HTTPS to connect that browser to our web tier through the firewall than to try to deploy Eclipse clients outside the firewall.

    Explanation of the difference between earlier releases and SC 6
    In earlier versions of SC the proprietary client-server protocol is entirely connection-oriented. The initial TCP connection request to the express listener port is the only TCP connection request that is made by the client. The firewall sees this TCP connection request to an allowed port, and allows the TCP session to be established between the two IP addresses. Once established, the TCP session is maintained until the user logs off, or his client session is timed out on the server.

    The SC6 client-server protocol works differently:
    The client first makes an HTTP SOAP request to the express TCP port. This causes a TCP connection request that looks to the firewall just like an SC 5 or SC 4 connection request. It is to an allowed TCP port, so it gets through and the initial TCP connection is established, and the initial SOAP request from the client is handled by the server. Now the server responds to this initial SOAP message with a SOAP response containing a private TCP port number allocated specifically for the new client, and then closes the initial HTTP connection. This terminates that initial TCP connection. The new TCP port number is being generated by the operating system. When a TCP server application wishes the OS to assign a TCP port number, it calls the "bind" function with a port number of zero, and then calls "getsockname" to retrieve the kernel-assigned port number. Once the new port number is received the Eclipse client makes a new HTTP or HTTPS request to the indicated TCP port, which the new server process for the client is listening on. This new HTTP request causes a new TCP connection request to arrive at the firewall, but from the viewpoint of the firewall, the TCP port number is an arbitrary number that was allocated for this new client, and is unknown to the firewall, so the request fails.

    This new protocol in SC6 was a consequence of two factors:
    1. Changing the client server protocol to be SOAP over HTTP (where client "sessions" do not have the same boundaries as TCP connections. In other words, a given client session with SC 6 can span any number of separate HTTP or HTTPS connections, although we use HTTP Keep-Alive to the maximum extent possible)
    And
    2. The fact that in SC 6 as in earlier versions the server is not multi-threaded like a regular web server is. For example, a new server process must be spawned for each client that connects.

    These two factors mandate a private TCP port for each client. This is because in HTTP, either the client or the server is free to terminate the current connection at any time. As such, the client will occasionally need to make a new connection request to the server to reconnect with the same server process that it was previously in session with.

    This has benefits: in SC6, an Eclipse client "connection" with the server can be created and, if the network connection is terminated (for example, the laptop being used is disconnected from the network to be moved to another location and reconnected) and reestablished, the client still works. The disadvantage is that connections through a firewall will fail from an Eclipse client.

    Defining Ephemeral Port Ranges on Supported Operating Systems

    AIX
    AIX uses the "no" command to set network options. AIX uses two separate ephemeral port ranges, one for TCP and one for UDP. Both of these default to the values 32768 through 65535:

    # /usr/sbin/no -a | fgrep ephemeral
    tcp_ephemeral_low = 32768
    tcp_ephemeral_high = 65535
    udp_ephemeral_low = 32768
    udp_ephemeral_high = 65535

    The default range is sufficient, but it can be changed using the no command. The following is an example that sets the TCP ephemeral port range to 49152 through 65535:

    # /usr/sbin/no -o tcp_ephemeral_low=49152 -o tcp_ephemeral_high=65535

    The options which are set with "no" must be done each time the system starts up. One way to do that is to edit /etc/rc.tcpip and insert the "no" commands just before the script starts running the server daemons.

    HP-UX
    HP-UX uses the "ndd" utility program to change tunable IP stack parameters. The ephemeral ports on HP-UX can be tuned individually for both TCP and UDP, so there are really two separate ephemeral port ranges. HP-UX also provides options to change the privileged port range (ports only processes running with superuser privileges can use).

    HP-UX does use Peregrine's recommended port range (49152 through 65535) and this should reduce the need to change the range from the default values.

    The example below shows how to query the existing values for the TCP ephemeral ports, and change the range to 50001 through 61000:

    # /usr/bin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
    49152

    65535
    # /usr/bin/ndd -set /dev/tcp tcp_smallest_anon_port 50001
    # /usr/bin/ndd -set /dev/tcp tcp_largest_anon_port 61000
    # /usr/bin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
    50001

    61000

    Note: If the range values are changed, the change must be done each time the system boots. As stated previously, the default values are sufficient and as such the need to change the range values should be minimized. However, if there is a need to change these values, the preferred method for HP-UX is to edit the file /etc/rc.config.d/nddconf and add entries. For example, the following lines might be appended to the /etc/rc.config.d/nddconf file:

    TRANSPORT_NAME[0]=tcp
    NDD_NAME[0]=tcp_largest_anon_port
    NDD_VALUE[0]=65535

    TRANSPORT_NAME[1]=tcp
    NDD_NAME[1]=tcp_smallest_anon_port
    NDD_VALUE[1]=49152

    If this is done, ensure that the entries are numbered accordingly. For example, if there are 4 entries already present, they would be numbered 0 through 3 (i.e. TRANSPORT_NAME[3]=...). In that case, the appended entries need to be numbered after the existing entries.

    Another option instead of editing /etc/rc.config.d/nddconf is to create a startup script to do the same thing. The following is an example of such a script:

    #!/bin/sh
    #
    # Copy me to /sbin/init.d/ephemports, then do
    # "ln -s /sbin/init.d/ephemports /sbin/rc2.d/S341ephemports".
    #
    EPHEM_HI="65535"
    EPHEM_LO="49152"
    NDD=/usr/bin/ndd

    if [ "$#" -eq 0 ] ; then arg="start" ; else arg="$1" ; fi
    case "$arg" in
        'start')
            ;; # Fall through -- rest of script is the initialization code

        'stop'|'start_msg'|'stop_msg')
            exit 0
            ;;

        'status')
            EPHEM_HI=`${NDD} /dev/udp udp_largest_anon_port`
            EPHEM_LO=`${NDD} /dev/udp udp_smallest_anon_port`
            echo "UDP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."
            EPHEM_HI=`${NDD} /dev/tcp tcp_largest_anon_port`
            EPHEM_LO=`${NDD} /dev/tcp tcp_smallest_anon_port`
            echo "TCP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."
            exit 0
            ;;

        *)
            echo "Usage: $0 { start | stop | status }"
            exit 1
            ;;
    esac

    # Initialization: set both ranges, then read them back so the boot log shows the result.
    ${NDD} -set /dev/udp udp_smallest_anon_port "${EPHEM_LO}"
    ${NDD} -set /dev/udp udp_largest_anon_port "${EPHEM_HI}"
    ${NDD} -set /dev/tcp tcp_smallest_anon_port "${EPHEM_LO}"
    ${NDD} -set /dev/tcp tcp_largest_anon_port "${EPHEM_HI}"

    EPHEM_HI=`${NDD} /dev/udp udp_largest_anon_port`
    EPHEM_LO=`${NDD} /dev/udp udp_smallest_anon_port`
    echo "UDP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."
    EPHEM_HI=`${NDD} /dev/tcp tcp_largest_anon_port`
    EPHEM_LO=`${NDD} /dev/tcp tcp_smallest_anon_port`
    echo "TCP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."

    exit 0

    For more information, see:

    ndd(1M)
    Hewlett-Packard Technical Documentation
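The handshake the quoted article describes, worked through in code as an added example. It is not part of the KB document, not Peregrine/HP code, and not part of the post above. It runs entirely on loopback: the server binds a second socket to port 0 and reads the kernel's choice back with getsockname(), exactly as the article says SC6 does, then hands that number to the client and closes the first connection. The SOAP message is replaced by a one-line "PORT <n>" stand-in, the fixed express port by a loopback port the OS assigns, the per-client server process by a thread, and the firewall by an allow-list of destination ports (all assumptions of this example, as is the 2-second accept timeout). Run with only the express port allowed it reproduces the failure; run with the recommended 49152-65535 range opened, the reconnect succeeds only when the kernel happened to pick a port inside that range, which is the reason the OS tuning sections exist.

```python
"""Simulation of the SC6 Eclipse-client handshake with a port-based firewall
model.  Added example; not Peregrine/HP code.  "PORT <n>" stands in for the
SOAP response carrying the private port; the allow-list stands in for a
firewall rule that permits only the express listener port."""
import socket
import threading

# Range the article recommends tuning the OS ephemeral ports to.
RECOMMENDED_RANGE = range(49152, 65536)


def firewall_permits(dst_port, allowed_ports):
    """Port-based rule: forward a new TCP connection only if its destination
    port is on the allow list.  The firewall has no way to learn which
    private port the server handed to which client."""
    return dst_port in allowed_ports


def _per_client_server(express_sock, result):
    """Server side: answer the first request on the express port, allocate a
    private port as the article describes (bind to 0, then getsockname),
    tell the client, close the first connection, wait on the new port."""
    conn, _ = express_sock.accept()
    with conn:
        conn.recv(64)                                   # initial "SOAP" request
        private = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        private.bind(("127.0.0.1", 0))                  # port 0: kernel chooses
        private_port = private.getsockname()[1]         # learn what it chose
        private.listen(1)
        private.settimeout(2.0)                         # assumption: give up after 2 s
        result["private_port"] = private_port
        conn.sendall(f"PORT {private_port}\n".encode())
    # The initial TCP connection is gone; only the private port now reaches
    # this client's server process.
    try:
        conn2, _ = private.accept()
        with conn2:
            conn2.sendall(b"session resumed\n")
        result["server_saw_reconnect"] = True
    except socket.timeout:
        result["server_saw_reconnect"] = False
    finally:
        private.close()


def run_handshake(extra_allowed=()):
    """Run one exchange.  `extra_allowed` is what the firewall admin opened in
    addition to the express port: nothing (an SC 4/5-style rule) or the
    whole recommended range."""
    express = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    express.bind(("127.0.0.1", 0))      # stand-in for the fixed express port
    express.listen(1)
    express_port = express.getsockname()[1]
    allowed = {express_port, *extra_allowed}
    result = {"express_port": express_port}
    server = threading.Thread(target=_per_client_server, args=(express, result))
    server.start()

    # Client, step 1: SYN to the express port.  Allowed, as in SC 4/5.
    assert firewall_permits(express_port, allowed)
    with socket.create_connection(("127.0.0.1", express_port)) as c:
        c.sendall(b"initial request\n")
        private_port = int(c.recv(64).split()[1])

    # Client, step 2: a brand-new SYN to the private port.  This is the
    # connection the article says fails: the port is unknown to the firewall.
    result["client_private_port"] = private_port
    result["firewall_allows_reconnect"] = firewall_permits(private_port, allowed)
    if result["firewall_allows_reconnect"]:
        with socket.create_connection(("127.0.0.1", private_port)) as c2:
            result["reply"] = c2.recv(64)

    server.join()
    express.close()
    return result


if __name__ == "__main__":
    print("express-port-only rule :", run_handshake())
    print("range 49152-65535 open :", run_handshake(RECOMMENDED_RANGE))
```

The second scenario's outcome depends on the host's own ephemeral range: on a system whose range starts below 49152 the kernel may hand out a port the opened range does not cover, which is exactly the case the OS tuning sections address.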

  #5 Junior Member (Belgium, Elsene-Ixelles, joined Mar 2005, 16 posts)

    copy of the original document: part 2

    Linux
    Linux allows viewing and changing the ephemeral port range by using the /proc/sys/net/ipv4/ip_local_port_range file. For example, the following shows the default configuration on a kernel 2.2 system:

    $ cat /proc/sys/net/ipv4/ip_local_port_range
    1024 4999

    To change this to the preferred range, (as superuser) the following could be completed:

    # echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range

    Note: This must be done each time the system boots. As such, ensure to add a line to a system startup script such as /etc/rc.local so the proper range is always used.

    In addition, the Linux 2.4 kernel defaults to a range of 32768 through 61000 if adequate kernel memory is available, and as such changing the range may not be necessary on newer Linux systems.

    Also, it may be possible to use the sysctl interface to change the setting rather than using the /proc filesystem. The name of the sysctl parameter is "net.ipv4.ip_local_port_range". If this parameter is to be changed using sysctl, edit the /etc/sysctl.conf file if it is available, or have a startup script run the sysctl command manually.

    Solaris
    Solaris uses the "ndd" utility program to change tunable IP stack parameters. The ephemeral ports on Solaris can be tuned individually for both TCP and UDP, so there are really two separate ephemeral port ranges. Solaris also provides options to change the privileged port range (ports only processes running with superuser privileges can use).

    Solaris by default, provides a large range at the end of the port range (32768 through 65535, or the upper 50%). As such, the need to change the range from the default values is unlikely.

    The example below shows how to query the existing values for the TCP ephemeral ports, and change the range to 49152 through 61000:

    # /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
    32768

    65535
    # /usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 49152
    # /usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port 61000
    # /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
    49152

    61000

    Note: If changes are made to the range values, these changes must be done each time the system boots. Peregrine does recommend that the default range is used as this is generally sufficient. If a change is needed, the following is a sample script to change the range at startup:

    #!/sbin/sh
    #
    # Copy me to /etc/init.d/ephemports, then do
    # "ln -s /etc/init.d/ephemports /etc/rc2.d/S70ephemports".
    #
    EPHEM_HI="65535"
    EPHEM_LO="49152"

    if [ "$#" -eq 0 ] ; then arg="start" ; else arg="$1" ; fi
    case "$arg" in
        'start')
            ;; # Fall through -- rest of script is the initialization code

        'stop')
            exit 0
            ;;

        'status')
            EPHEM_HI=`/usr/sbin/ndd /dev/udp udp_largest_anon_port`
            EPHEM_LO=`/usr/sbin/ndd /dev/udp udp_smallest_anon_port`
            echo "UDP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."
            EPHEM_HI=`/usr/sbin/ndd /dev/tcp tcp_largest_anon_port`
            EPHEM_LO=`/usr/sbin/ndd /dev/tcp tcp_smallest_anon_port`
            echo "TCP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."
            exit 0
            ;;

        *)
            echo "Usage: $0 { start | stop | status }"
            exit 1
            ;;
    esac

    # Initialization: set both ranges, then read them back so the boot log shows the result.
    /usr/sbin/ndd -set /dev/udp udp_smallest_anon_port "${EPHEM_LO}"
    /usr/sbin/ndd -set /dev/udp udp_largest_anon_port "${EPHEM_HI}"
    /usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port "${EPHEM_LO}"
    /usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port "${EPHEM_HI}"

    EPHEM_HI=`/usr/sbin/ndd /dev/udp udp_largest_anon_port`
    EPHEM_LO=`/usr/sbin/ndd /dev/udp udp_smallest_anon_port`
    echo "UDP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."
    EPHEM_HI=`/usr/sbin/ndd /dev/tcp tcp_largest_anon_port`
    EPHEM_LO=`/usr/sbin/ndd /dev/tcp tcp_smallest_anon_port`
    echo "TCP ephemeral port range is ${EPHEM_LO}..${EPHEM_HI}."

    exit 0

    For more information about tuning Solaris, refer to the following sources:

    Cockroft, Adrian and Pettit, Richard. Sun Performance and Tuning, 2nd Edition. Palo Alto, California, USA: Prentice Hall, 1998. ISBN 0-13-095249-4.
    Vöckler, Jens-S. Solaris 2.x - Tuning Your TCP/IP Stack and More.
    Solaris Tunable Parameters Reference Manual.

    Microsoft Windows
    Windows uses the traditional BSD range of 1024 through 4999 for its ephemeral port range. Unfortunately it appears only the upper bound of the ephemeral port range can be set. The following is information excerpted from Microsoft Knowledgebase Article 196271:

    1. Start Registry Editor (Regedt32.exe).
    2. Locate the following key in the registry:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    3. On the Edit menu, click Add Value, and then add the following registry value:

       Value Name: MaxUserPort
       Data Type: REG_DWORD
       Value: 65534 <for example>
       Valid Range: 5000-65534 (decimal)
       Default: 0x1388 (5000 decimal)

       Description: This parameter controls the maximum port number used when an application requests any available user port from the system. Normally, ephemeral (that is, short-lived) ports are allocated between the values of 1024 and 5000 inclusive.
    4. Quit Registry Editor.

    Note: There is another relevant KB article (812873) which describes the setting of an exclusion range, which appears to indicate that ports 1024-9999 can be excluded, for example to have the ephemeral port range be 10000-65534. However, in Peregrine testing, this has not been possible (as of October 2004).
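A check that ties the four OS sections together, added here as an example; it is not from the KB article, not Peregrine/HP code, and not part of the post above. It parses the ephemeral-range output formats the article shows (AIX `no -a`, HP-UX/Solaris `ndd`, the Linux /proc file, the Windows MaxUserPort value) into one (low, high) pair and reports what opening that range on a firewall for Eclipse clients would cost: how many ports, whether the range sits inside the recommended 49152-65535, whether it dips into the privileged range, and which other listening services it would collide with. The sample command outputs and the list of other listeners are constructed for the example, not captured from real hosts.

```python
"""Normalise ephemeral-port settings from the OS-specific outputs shown in
the KB article and assess the firewall exposure of opening that range.
Added example; not from the article or from Peregrine/HP."""
import re

RECOMMENDED = (49152, 65535)   # range the article recommends
PRIVILEGED_MAX = 1023          # ports below 1024 need superuser on Unix

# Constructed sample outputs, in the formats the article shows (not real hosts).
AIX_NO_OUTPUT = """tcp_ephemeral_low = 32768
tcp_ephemeral_high = 65535
udp_ephemeral_low = 32768
udp_ephemeral_high = 65535
"""
NDD_TCP_OUTPUT = "49152\n\n65535\n"   # ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
LINUX_PROC_22 = "1024 4999\n"         # cat /proc/sys/net/ipv4/ip_local_port_range on kernel 2.2
# Constructed: ports other services on the same host already listen on.
OTHER_LISTENERS = {1521, 3389, 5432, 8080}


def parse_aix_no(no_output, proto="tcp"):
    """Parse `no -a | fgrep ephemeral` output for one protocol into (low, high)."""
    values = {k: int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", no_output)}
    return values[f"{proto}_ephemeral_low"], values[f"{proto}_ephemeral_high"]


def parse_two_numbers(text):
    """HP-UX/Solaris `ndd` prints the two values separated by a blank line;
    Linux's /proc file prints them on one line.  Both reduce to two ints."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError(f"expected two port numbers, got {fields!r}")
    low, high = (int(f) for f in fields)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"invalid port range {low}-{high}")
    return low, high


def parse_windows(max_user_port=None):
    """Windows: low end fixed at 1024, high end is MaxUserPort (default 5000,
    valid 5000-65534 per the excerpted KB article)."""
    high = 5000 if max_user_port is None else int(max_user_port)
    if not 5000 <= high <= 65534:
        raise ValueError("MaxUserPort must be 5000-65534")
    return 1024, high


def assess(port_range, other_listeners=()):
    """What a firewall rule admitting this whole range would mean."""
    low, high = port_range
    return {
        "range": (low, high),
        "ports_to_open": high - low + 1,
        "within_recommended": RECOMMENDED[0] <= low and high <= RECOMMENDED[1],
        "touches_privileged": low <= PRIVILEGED_MAX,
        # Other services inside the range would be reachable through the same rule.
        "collisions": sorted(p for p in other_listeners if low <= p <= high),
    }


if __name__ == "__main__":
    for name, rng in [("AIX default", parse_aix_no(AIX_NO_OUTPUT)),
                      ("HP-UX default", parse_two_numbers(NDD_TCP_OUTPUT)),
                      ("Linux 2.2 default", parse_two_numbers(LINUX_PROC_22)),
                      ("Windows default", parse_windows())]:
        print(f"{name:18} {assess(rng, OTHER_LISTENERS)}")
```

Only the HP-UX default sits inside the recommended range; the 1024-based ranges on Linux 2.2 and Windows would force a firewall rule that also exposes whatever else listens in that space, which is the practical argument for the web tier over HTTPS.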

  #6

    I wish we had seen this document about 3 months ago. We spent 2 months trying to figure out how to get the client to work via a "VPN" connection from my company network to a customer's network. After many traces and plugging away we figured out this stupid enhancement.

    Now my question: I had heard this was going to be "fixed" with either 6.1.3 or 6.2. Does anyone know if it is true?
    Edmond Medina
    SDC - South - IBM
    Edmond.Medina@us.ibm.com (business)

  #7 Member (Switzerland, joined Dec 2001, 36 posts)

    that should be fixed in SC 6.2 (that's what HP told us in July)

  #8 glg (Senior Member, Chicago, IL, USA, joined Aug 2004, 715 posts)

    odd, I wonder what they're going to do to fix it. Would be a pretty major redo of their network code.

  #9

    Anyone on the HP TOI about 6.2?

    I am listening in right now. As I understand it, from a 100,000 mile view, essentially you'll have to open 3 ports: 1 for the server, 2 for the servlets. I need to get my hands on some more documentation on this to understand it better.

  #10 Junior Member (Marlborough, CT, joined Jan 2003, 24 posts)

    I was the lucky one that got to figure this whole mess out with my account. But I am curious, for the advanced debugger, it looks like the server opens a connection to the client? If this is true, has anyone been successful in getting the advanced debugger to work through a firewall. Maybe no one uses it! I am intrigued, and flustered at the same time!

  #11 Junior Member (Belgium, Elsene-Ixelles, joined Mar 2005, 16 posts)

    Have a look at the Peregrine's White Paper "ServiceCenter™ 6.0 Multi-Tier Security Considerations". It explains how the sessions are working.

    If you want to use an Eclipse client, you can install it on a Terminal Server. We have a working environment with this client. Otherwise, use the web client.

  #12 Junior Member (Florida, USA, joined Jan 2007, 4 posts)

    For the benefit of folks that may've subscribed to this thread, but don't check the forum very often, please see http://www.sc-resources.net/showthread.php?t=2771.
