<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
A few more comments:<br>
<br>
"When the term connection is
used it is meant to mean a GSI Secured TCP Socket"<br>
<ul>
<li>Grammar complaint: Change to "The term 'connection' refers to a
GSI Secured TCP Socket"<br>
</li>
</ul>
<br>
The port tables confuse me. <br>
<ul>
<li>I think there should be two tables: one for "minimal ports
necessary to make things work", and one for optional ports.</li>
</ul>
<br>
In the table under the text "These services make no <em>wide area</em>
network connections, but do require any firewall on the local machine
be configured appropriately"<br>
<ul>
<li>"Services" should say that they use dynamically assigned ports.</li>
</ul>
<br>
<br>
<br>
<br>
<br>
<br>
Ivan R. Judson wrote:<br>
<blockquote type="cite"
cite="mid017b01c3bdc4$9c2b9f10$6412dd8c@mcs.anl.gov">
<pre wrap="">Here's what I have; if there's nothing more to add, this should be
sufficient for the APS folks.
I'd like Bob and Tom to read it over and verify there's nothing missing. The
APS folks are waiting for this document and I'd like it out the door today.
--Ivan
</pre>
<br>
<hr size="4" width="90%"><br>
<meta content="text/html; " http-equiv="Content-Type">
<meta content="Docutils 0.3.1: http://docutils.sourceforge.net/"
name="generator">
<title>Firewall Configuration Information for AGTk 2.0</title>
<meta content="Ivan R. Judson" name="author">
<meta content="University of Chicago, 2003" name="copyright">
<meta content="04-12-2003" name="date">
<link type="text/css" href="default.css" rel="stylesheet">
<div id="firewall-configuration-information-for-agtk-2-0"
class="document">
<h1 class="title">Firewall Configuration Information for AGTk 2.0</h1>
<table rules="none" frame="void" class="docinfo">
<col class="docinfo-name">
<col class="docinfo-content"><tbody valign="top">
<tr>
<th class="docinfo-name">Author:</th>
<td>Ivan R. Judson</td>
</tr>
<tr>
<th class="docinfo-name">Status:</th>
<td>Draft</td>
</tr>
<tr>
<th class="docinfo-name">Contact:</th>
<td><a href="mailto:ag-info@mcs.anl.gov"
class="first last reference">ag-info@mcs.anl.gov</a></td>
</tr>
<tr>
<th class="docinfo-name">Copyright:</th>
<td>University of Chicago, 2003</td>
</tr>
<tr>
<th class="docinfo-name">Date:</th>
<td>04-12-2003</td>
</tr>
</tbody>
</table>
<div id="abstract" class="section">
<h1><a name="abstract">Abstract</a></h1>
<p>This document specifies what firewall configuration options need
to be considered to use the Access Grid in a firewalled network
environment. Specific firewall solutions are not addressed in this
document.</p>
</div>
<div id="copyright" class="section">
<h1><a name="copyright">Copyright</a></h1>
<p>This document falls under the AGTkPL.</p>
</div>
<div id="discussion" class="section">
<h1><a name="discussion">Discussion</a></h1>
<p>The Access Grid Toolkit provides distributed collaboration system
with
parts that communicate over both the local area and wide area
network. In order to function properly the various parts of the system
need to be able to initiate and use network connections in various
directions (both incoming and outgoing). When the term connection is
used it is meant to mean a GSI Secured TCP Socket.</p>
<p>For the streaming media, which is carried via RTP, two ports are
required. The first (even numbered) port is the data port, the next
odd port (first port + 1) is used for RTP Control data.</p>
<p>In the current version of the toolkit, the network interfaces are
served via SOAP. These interfaces are exposed on:</p>
<table class="table" border="1">
<colgroup><col width="22%"><col width="78%"></colgroup>
<thead valign="bottom"><tr>
<th>Service</th>
<th>Default Port(s)</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td>Services</td>
<td>dynamically assigned</td>
</tr>
<tr>
<td>Service Manager</td>
<td>11000</td>
</tr>
<tr>
<td>Node Service</td>
<td>12000 and 1 dynamically assigned</td>
</tr>
<tr>
<td>Venue Client <a name="id1" id="id1" href="#id3"
class="footnote-reference"><sup>*</sup></a></td>
<td><em>optional</em> 1 dynamically assigned</td>
</tr>
<tr>
<td>Venue Server</td>
<td>8000, 8002, 8004, 8006</td>
</tr>
<tr>
<td>Bridge Server</td>
<td>Each stream is statically configured or dynamically assigned</td>
</tr>
<tr>
<td>Beacon Server</td>
<td>(233.4.200.21, 10002/10004), beacon.dast.nlanr.net:10004</td>
</tr>
</tbody>
</table>
<p>The following services need special configuration to operate
correctly.</p>
<table class="table" border="1">
<colgroup><col width="21%"><col width="79%"></colgroup>
<thead valign="bottom"><tr>
<th>Service</th>
<th>Default Port(s)</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td>Venue Client</td>
<td><em>optional</em> 1 dynamically assigned</td>
</tr>
<tr>
<td>Venue Server</td>
<td>8000, 8002, 8004, 8006</td>
</tr>
<tr>
<td>Bridge Server</td>
<td>Each stream is statically configured or dynamically assigned</td>
</tr>
<tr>
<td>Beacon Server</td>
<td>(233.4.200.21, 10002/10004), beacon.dast.nlanr.net:10004</td>
</tr>
</tbody>
</table>
<p>These services make no <em>wide area</em> network connections,
but do require any firewall on the local machine be configured
appropriately <a name="id2" id="id2" href="#id4"
class="footnote-reference"><sup>†</sup></a>.</p>
<table class="table" border="1">
<colgroup><col width="36%"><col width="64%"></colgroup>
<thead valign="bottom"><tr>
<th>Service</th>
<th>Default Port(s)</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td>Services</td>
<td>none</td>
</tr>
<tr>
<td>Service Manager</td>
<td>11000</td>
</tr>
<tr>
<td>Node Service</td>
<td>12000 and 1 dynamically assigned</td>
</tr>
</tbody>
</table>
<table rules="none" id="id3" frame="void" class="footnote">
<colgroup><col class="label"><col></colgroup>
<tbody valign="top">
<tr>
<td class="label"><a name="id3" href="#id1" class="fn-backref">[*]</a></td>
<td>Disabling incoming connections to the Venue Client is
possible and doesn't significantly hinder collaboration. Personal data
sharing is not possible if incoming connections are not allowed.</td>
</tr>
</tbody>
</table>
<table rules="none" id="id4" frame="void" class="footnote">
<colgroup><col class="label"><col></colgroup>
<tbody valign="top">
<tr>
<td class="label"><a name="id4" href="#id2" class="fn-backref">[†]</a></td>
<td>Host based firewalls like Microsofts XP Firewall will
interfere not only with local area connectivity but it will also stop
multicast from working properly. Currently, the best advice is to turn
the firewall off.</td>
</tr>
</tbody>
</table>
<div id="service-details" class="section">
<h2><a name="service-details">Service Details</a></h2>
<ul>
<li>
<p class="first">Venue Server (defaults to port 8000, 8002, 8004,
8006)</p>
<p>The venue server listens for incoming connections on four
ports, which
are configurable. These ports are for incoming connections only, there
are no outbound connections from the venue server.</p>
</li>
<li>
<p class="first">Bridge Server (multiple ports used)</p>
<p>The bridge server can use either statically assigned ports for
the
media bridges it starts, or it can dynamically assign the ports for
media bridges.</p>
</li>
<li>
<p class="first">Beacon Server (one group, one outgoing
connection)</p>
<p>The beacon server uses one multicast group and one outbound
connection to a reporting server. These are both configurable, but
the defaults are the correct configuration to be a part of the
Access Grid Multicast Beacon infrastructure.</p>
</li>
</ul>
</div>
<div id="multicast" class="section">
<h2><a name="multicast">Multicast</a></h2>
<p>In order for audio and video to flow among users multicast needs
to be able to be allowed through the firewall. There is currently no
set of static configurations that are used for multicast (although they
could be used, if needed), so ideally the firewall would allow data
from any group <em>that is subscribed to from
inside</em> the firewall to come through the firewall from the outside.</p>
<p>The media tools we use have two different behaviors for how they
send data. For audio the source port for the data is identical to the
destination port for the data. For video, the source port for the data
is selected randomly.</p>
</div>
</div>
<div id="example-of-a-secured-static-environment" class="section">
<h1><a name="example-of-a-secured-static-environment">Example of a
Secured Static Environment</a></h1>
<p>This is an example of a small installation configured for a
paranoid
network configuration. The configuration has only three venues to keep
the example simple.</p>
<p>To keep this example even more simple, the bridge, data and venue
server are all running on the same machine, <em>host.domain</em>.</p>
<div id="meeting-room-venue" class="section">
<h2><a name="meeting-room-venue">Meeting Room Venue</a></h2>
<table class="table" border="1">
<colgroup><col width="27%"><col width="47%"><col width="27%"></colgroup>
<thead valign="bottom"><tr>
<th>Media</th>
<th>Multicast Groups</th>
<th>Bridge Ports</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td>static video</td>
<td>224.1.2.3/[1234/1235]</td>
<td>9000/9001</td>
</tr>
<tr>
<td>static audio</td>
<td>224.1.2.3/[1236/1237]</td>
<td>9002/9003</td>
</tr>
</tbody>
</table>
</div>
<div id="laboratory-1-venue" class="section">
<h2><a name="laboratory-1-venue">Laboratory #1 Venue</a></h2>
<table class="table" border="1">
<colgroup><col width="27%"><col width="47%"><col width="27%"></colgroup>
<thead valign="bottom"><tr>
<th>Media</th>
<th>Multicast Groups</th>
<th>Bridge Ports</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td>static video</td>
<td>224.1.2.4/[1234/1235]</td>
<td>9004/9005</td>
</tr>
<tr>
<td>static audio</td>
<td>224.1.2.4/[1236/1237]</td>
<td>9006/9007</td>
</tr>
</tbody>
</table>
</div>
<div id="laboratory-2-venue" class="section">
<h2><a name="laboratory-2-venue">Laboratory #2 Venue</a></h2>
<table class="table" border="1">
<colgroup><col width="27%"><col width="47%"><col width="27%"></colgroup>
<thead valign="bottom"><tr>
<th>Media</th>
<th>Multicast Groups</th>
<th>Bridge Ports</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td>static video</td>
<td>224.1.2.5/[1234/1235]</td>
<td>9008/9009</td>
</tr>
<tr>
<td>static audio</td>
<td>224.1.2.5/[1236/1237]</td>
<td>9010/9011</td>
</tr>
</tbody>
</table>
</div>
<div id="venue-server" class="section">
<h2><a name="venue-server">Venue Server</a></h2>
<ul class="simple">
<li>running on host.domain</li>
<li>ports: 8000, 8002, 8004, 8006</li>
</ul>
<p><strong>If the firewall is configured to allow multicast through</strong>,
then</p>
</div>
<div id="bridge-server" class="section">
<h2><a name="bridge-server">Bridge Server</a></h2>
<ul class="simple">
<li>running on host.domain</li>
<li>ports: 9000-9011</li>
</ul>
<p><strong>otherwise</strong>,</p>
</div>
<div id="id5" class="section">
<h2><a name="id5">Bridge Server</a></h2>
<ul class="simple">
<li>running on some host with working multicast</li>
<li>ports: 9000-9011</li>
</ul>
</div>
<div id="beacon-service" class="section">
<h2><a name="beacon-service">Beacon Service</a></h2>
<ul class="simple">
<li>running on host.domain</li>
<li>Multicast Group: (233.4.200.21, 10002/10004)</li>
<li>Outbound TCP: beacon.dast.nlanr.net:10004</li>
</ul>
</div>
</div>
<div id="summary-configuration" class="section">
<h1><a name="summary-configuration">Summary Configuration</a></h1>
<p>Incoming <strong>to host.domain</strong> from the rest of the
world:</p>
<ul class="simple">
<li><em>Ports:</em> 8000, 8002, 8004, 8006</li>
<li>If Bridge Server is <strong>inside the firewall</strong>:
9000-9011</li>
</ul>
<p>Outgoing Conduits <strong>from host.domain</strong> to the rest
of the world:</p>
<ul class="simple">
<li>beacon.dast.nlanr.net:10004</li>
<li>If Bridge Server is <strong>outside the firewall</strong>:
bridgehost.domain:9000-9011</li>
</ul>
<p>Multicast Group Conduits:</p>
<p>All hosts on the local network should be able to send and receive
traffic via these multicast groups.</p>
<ul class="simple">
<li>(224.1.2.3,1234)</li>
<li>(224.1.2.3,1235)</li>
<li>(224.1.2.3,1236)</li>
<li>(224.1.2.3,1237)</li>
<li>(224.1.2.4,1234)</li>
<li>(224.1.2.4,1235)</li>
<li>(224.1.2.4,1236)</li>
<li>(224.1.2.4,1237)</li>
<li>(224.1.2.5,1234)</li>
<li>(224.1.2.5,1235)</li>
<li>(224.1.2.5,1236)</li>
<li>(224.1.2.5,1237)</li>
<li>(233.4.200.21, 10002)</li>
<li>(233.4.200.21, 10004)</li>
</ul>
</div>
<div id="conclusion" class="section">
<h1><a name="conclusion">Conclusion</a></h1>
<p>This document describes the firewall requirements for the AGTk 2.0
software,
for both clients and services. For more information please see:</p>
<ul class="simple">
<li><a href="http://www.mcs.anl.gov/fl/research/accessgrid"
class="reference">The AGTk Home Page</a></li>
<li><a href="http://www.accessgrid.org/" class="reference">The
Access Grid Project Home Page</a></li>
<li><a href="http://www.accessgrid.org/agdp" class="reference">The
Access Grid Documentation Project Home Page</a></li>
</ul>
<!-- Local Variables:
mode: indented-text
indent-tabs-mode: nil
sentence-end-double-space: t
fill-column: 70
End: -->
</div>
</div>
</blockquote>
</body>
</html>