Re: IDL on the Net (ION) [message #42087 is a reply to message #42016]
Wed, 15 December 2004 08:53
p.sommer
> Thanks for responding.
>
> I believed as you, that Tunnel Broker would work through port 80. In fact,
> it just uses a different port (9085) and http code through that port. I set
> up a test computer to simulate the problem seen by others. I blocked out
> bound connections to port 7085 and 9085 on the server running ION and Tunnel
> Broker. I also logged what was occurring and found that the client still
> tries to reach port 7085 and/or 9085. One of the people having trouble with
> the site was also able to open up port 7085 on their firewall and everything
> worked.

I have to confess, I'm a bit embarrassed. I should have known that
routing to port 80 would ultimately cause a collision with whatever web
service happened to be listening there. I have worked with ION quite a
bit over the years and in all honesty, never needed the Tunnel Broker,
so I just plain misspoke. My apologies for not fully understanding the
technology either!
Most of the serious ION Java projects I have worked on have been fairly
large, but built for deployment over LANs (intranets). For example, the
state of Alaska's Department of Natural Resources and several National
Labs. Historically, there hasn't been a problem for general internet
use either, but as organizations become more secure about routing
traffic, I guess I'm not surprised this detail is now beginning to
become an issue.
>
> There seems to be a lot of confusion at RSI with this. They do not even have
> the means to simulate the problem. I find it hard to believe that this
> problem has not been reported before. The reason we never saw it before is
> that our firewall doesn't block this port, so all the tests we ran were
> fine. Ours does not seem to be the standard. Most corporate firewalls block
> non-standard ports including both 9085 and 7085. It is not very practical or
> security conscious to expect these locations to open up these ports.

Sorry you got the runaround. I hope you can understand that for
someone in Tech Support to simulate, they would have had to spend
possibly days securing appropriate hardware, setting up web services,
RSI software, a firewall, etc., etc. It just goes beyond what they are
typically equipped to manage, especially given the volume of calls they
are responsible for. I suspect they deferred to the developer since he
has the entire infrastructure in place to test. Regardless, my
suggestion would be to speak with your sales rep who can make sure you
get the kind of support you need when you feel your blood pressure
rising, or if it's a time-critical issue.
> A simple test to tell whether or not your site is blocking these ports is to
> go to the RSI site and test the examples pages. Of course, they do not have
> Tunnel Broker running on their site, but either way it won't work if you
> have, what I would consider, a reasonable firewall security set up.

I'm actually wondering just how common this problem is with other
vendors. I mean, I'm fairly sure other 'common' services run on ports
up in the 7000 range like ION Java. For example, doesn't QuickTime
Streaming Server run up in the 7000s?
> I am working with a techie, but they do not seem to know their own product
> very well at all. One e-mail said they will pass it on to the developers as
> a feature request. I responded that this is a necessity and they are not
> dealing with the real world if they think everyone should have those ports
> open by default. I am still waiting.

I don't know how many opportunities they have had to get down to this
level in the product. Again, I suspect it was passed to the developer
since he's got all the pieces of the puzzle at his disposal to use for
testing. I am confident they will ultimately provide you with a
thoughtful response...it just might take a little time.
> Here is the link to the examples. I would be curious to know if others are
> getting the "Unable to establish connection with ION Java server" message.
>
> http://ion.researchsystems.com/IONJava/examples/basic.html
>
That console message you mention above is obviously bad news. I'm left
thinking about other options we might be able to come up with if your
clients are locked down tightly for good. Before I mention any
options, can you tell me a little bit about what you need in general
terms as it relates to both IDL processing and client-side
interactivity? Also, are you running Apache, or? Lastly, are there
other web services (enterprise software) worked into your architecture?
> Thanks,
>
> Randy
Sure. Hang in there and thanks in advance for the additional
information. We'll figure something out...
Best regards,
-Paul
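
An added example, not part of the original post or of RSI's software: a small client-side check for the two ports named in the thread (7085 and 9085) that separates "nothing is listening" from "traffic is being dropped", which is the distinction the browser-based test above cannot make. The function names `probe` and `check_ports` are hypothetical, and the demo uses a constructed loopback listener so it runs offline.

```python
import socket

# Ports from the thread: the ION Java client tries 7085 and/or 9085 (Tunnel Broker).
ION_PORTS = (7085, 9085)


def probe(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt from this machine.

    "open"     : handshake completed, a service is listening
    "closed"   : actively refused (RST); the path is usually open but nothing
                 listens there (some firewalls also reject with a RST)
    "filtered" : timeout or unreachable; typical of a firewall silently dropping
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # a DNS failure says nothing about the port
    except OSError:  # includes socket.timeout
        return "filtered"


def check_ports(host, ports=ION_PORTS, timeout=3.0):
    """Return {port: state} for each port, e.g. {7085: "filtered", 9085: "closed"}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Constructed offline demo: a loopback listener stands in for the ION server.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print("listener up:  ", check_ports("127.0.0.1", (port,)))
    srv.close()
    print("listener down:", check_ports("127.0.0.1", (port,)))
```

Run from an affected client network, `check_ports("<your ION server>")` reporting "filtered" points at a firewall on the path, while "closed" points at the service not running on that port.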