<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7232.11">
<TITLE>Re: [AG-TECH] Access Grid 3.0 beta1 available !</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText45721 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>> <FONT face="Times New Roman">We
received a patch from Chris Willing to make VIC first try to match the source
port to the destination port...</FONT></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>><FONT face="Times New Roman">Details
(and the patch) can be found in Bug 1228:<BR></FONT>> <A
href="http://bugzilla.mcs.anl.gov/accessgrid/show_bug.cgi?id=1228"><FONT
face="Times New Roman">http://bugzilla.mcs.anl.gov/accessgrid/show_bug.cgi?id=1228</FONT></A><BR><FONT
face="Times New Roman">> Tom</FONT></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>It sounds great, but anybody has
information on how to actually implement this "patch"? I do not think I
will learn python (as well) just to implement a patch. As I said, the
port/firewall issue is life or death for many of us and I think it should be #1
priority for the AG community. And for God's sake, when we post information that
can be so useful for others, let us not assume that everybody is an expert
programmer in those environments. The "lay" demand for the Toolkit is huge
and it is not just an academic venture any more. We have a 235+ member
physician network ready to jump on the wagon and connect to our University node.
But few of them are advanced PC users and very few are programmers.
</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Sorry, I had to vent.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Zsolt</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV></DIV>
<DIV id=idSignature97158 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>_ _ _</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>Zsolt Nagykaldi, PhD</FONT></DIV>
<DIV><FONT face=Arial size=2>Research Associate, Clinical IT
Specialist</FONT></DIV>
<DIV><FONT face=Arial size=2>University Of Oklahoma Health Sciences
Center</FONT></DIV>
<DIV><FONT face=Arial size=2>Department Of Family And Preventive
Medicine</FONT></DIV>
<DIV><FONT face=Arial size=2>Oklahoma Center For Family Medicine
Research</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>900 NE 10th Street</FONT></DIV>
<DIV><FONT face=Arial size=2>Oklahoma City, OK 73104</FONT></DIV>
<DIV><FONT face=Arial size=2>Phone: (405) 271-8000 Ext.:1-32212</FONT></DIV>
<DIV><FONT face=Arial size=2>Fax: (405)
271-1682</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Thomas D. Uram
[mailto:turam@mcs.anl.gov]<BR><B>Sent:</B> Mon 1/30/2006 4:08 PM<BR><B>To:</B>
Nagykaldi, Zsolt F. (HSC)<BR><B>Cc:</B> ag-tech@mcs.anl.gov<BR><B>Subject:</B>
Re: [AG-TECH] Access Grid 3.0 beta1 available !<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>The problem is that, while RAT uses the same source port as
destination port<BR>which allows<BR>it to work through reflexive firewalls
(those that open the source port based<BR>on the outgoing<BR>connection), VIC
does not. VIC instead uses an ephemeral port as the source<BR>port, which
will<BR>not be opened according to a reflexive rule.<BR><BR>We received a patch
from Chris Willing to make VIC first try to match the<BR>source port to the
destination port,<BR>then use an ephemeral port if that fails. The first
part of the patch worked,<BR>but a second<BR>instance of this vic never started
(on Windows, at least). If someone would<BR>like to take<BR>up looking at
that patch, I'd be happy to work with them to test it and get it<BR>into
the<BR>core toolkit for the next release. Details (and the patch) can be
found in Bug<BR>1228:<BR><BR><A
href="http://bugzilla.mcs.anl.gov/accessgrid/show_bug.cgi?id=1228">http://bugzilla.mcs.anl.gov/accessgrid/show_bug.cgi?id=1228</A><BR><BR>Tom<BR><BR><BR><BR>On
1/30/06 3:17 PM, Nagykaldi, Zsolt F. (HSC) wrote:<BR>> <BR>> 2
comments:<BR>> <BR>> 1) Win XP SP2 indeed self-configures the client
machine firewall for the<BR>> AG Toolkit. The problem is that most
Universities have a group policy to<BR>> overtake individual firewall control
(usually they turn it off) when the<BR>> PC is connected to the local
network. This renders local settings void<BR>> and only central settings
count.<BR>> 2) Interestingly, RAT almost always works (apart when clients
have<BR>> "local " IPs assigned by PIX, where port forwarding or dedicated
IP<BR>> address assignment help only), but VIC almost never works just
by<BR>> installing the Toolkit behind regular firewalls. This tells me that
in<BR>> the case of VIC, the connection is actually initiated by the
server<BR>> (???) and since many networks specifically block INBOUND
connections,<BR>> VIC can not receive incoming video, while RAT is fine
(client initiates<BR>> connection??). This would explain why in many cases
parties can talk and<BR>> may be visible on one side, but can not receive
video on the other<BR>> (ominous "waiting for video..." message). I wonder
whether something<BR>> could be done regarding this specific problem (i.e.
can VIC work like<BR>> RAT in this regard).<BR>> <BR>>
Zsolt<BR>> <BR>> <BR>> _ _ _<BR>> <BR>> Zsolt
Nagykaldi, PhD<BR>> Research Associate, Clinical IT Specialist<BR>>
University Of Oklahoma Health Sciences Center<BR>> Department Of Family And
Preventive Medicine<BR>> Oklahoma Center For Family Medicine
Research<BR>> <BR>> 900 NE 10th Street<BR>> Oklahoma City, OK
73104<BR>> Phone: (405) 271-8000 Ext.:1-32212<BR>>
Fax: (405) 271-1682<BR>><BR>>
------------------------------------------------------------------------<BR>>
*From:* Piers O'Hanlon [<A
href="mailto:p.ohanlon@cs.ucl.ac.uk">mailto:p.ohanlon@cs.ucl.ac.uk</A>]<BR>>
*Sent:* Mon 1/30/2006 12:21 PM<BR>> *To:*
michael.daw@manchester.ac.uk<BR>> *Cc:* Nagykaldi, Zsolt F. (HSC); ag-tech;
Socrates Varakliotis<BR>> *Subject:* Re: [AG-TECH] Access Grid 3.0 beta1
available !<BR>><BR>> Hi Mike (and others),<BR>><BR>> > We
discussed doing this as part of the SUMOVER project workshop in<BR>>
> November. This project is updating vic and rat at UCL, mainly for
the<BR>> > AG community. I can't remember where it was on the
priority list,<BR>> > though...<BR>><BR>> I guess there's a
couple of issues here - There's port selection, and<BR>> there's firewall
config.<BR>> - As mentioned by others the media port ranges are controlled by
the AG<BR>> server's config - these can be taken down to narrower ranges.
There's<BR>> shouldn't be too much of an issue with multicast venue address
clashing<BR>> if the 233/8 GLOP addressing is used by the
servers.<BR>><BR>> - Secondly the firewall interaction then depends on
which platform AG<BR>> client is running on - For those lucky folk running
WinXP-SP2 I<BR>> understand that AG will automatically configure the windows
firewall to<BR>> let AG traffic pass (could possibly explain lack
connectivity in one<BR>> previous email if things go wrong?). If you're not
running Windows<BR>> Firewall then you're probably back to manual FW config.
If you're<BR>> running Linux then you'll need to open some holes in your
firewall<BR>> (iptables/ipchains etc) manually.<BR>><BR>> I should
mention that most of this is out of scope of the media tools<BR>> themselves
as UDP port selection isn't generally done by the tools<BR>> themselves. The
one caveat is that vic does normally allow the OS to<BR>> choose the source
port when it sends video packets, though this doesn't<BR>> usually matter if
the firewall is appropriately configured. If needs be<BR>> we could add an
option to enable source port selection, or 'symmetric'<BR>> ports
usage.<BR>><BR>> Piers.<BR>><BR>> ><BR>> > More
information (though sparse!):<BR>> > <A
href="http://www.cs.ucl.ac.uk/research/sumover/">http://www.cs.ucl.ac.uk/research/sumover/</A><BR>><BR>>
It has been updated today with more info.<BR>><BR>>
Piers.<BR>><BR>> ><BR>> > Perhaps one of the team
could enlighten us...?!<BR>> ><BR>>
> <BR>>
------------------------------------------------------------------------<BR>>
> *From:* owner-ag-tech@mcs.anl.gov<BR>>
> [<A
href="mailto:owner-ag-tech@mcs.anl.gov">mailto:owner-ag-tech@mcs.anl.gov</A>]
*On Behalf Of *Nagykaldi, Zsolt<BR>> > F.
(HSC)<BR>> > *Sent:* 30 January 2006
15:19<BR>> > *To:* ag-tech<BR>>
> *Subject:* RE: [AG-TECH] Access Grid 3.0 beta1
available !<BR>> ><BR>>
> <BR>> > It seems
that most practical problems during implementation come<BR>>
> from firewall issues. Are you guys planning to (at
least) narrow<BR>> > the UDP port range for
VIC and RAT, or maybe (in my dreams) tunnel<BR>>
> all audio/video traffic through a few number of
ports that are<BR>> > usually open? I have
been networking with a lot of people who are<BR>>
> desperate to set up their nodes and they hit a
brick wall every<BR>> > time it comes to
push changes through their IT departments, who<BR>>
> are freaking out about the idea of opening ports in
such a wide<BR>> > range. More and more
people would like to use the system via PIGs<BR>>
> and not necessarily big institutional nodes that
require weeks, if<BR>> > not months of
negotiations and arm-twisting each time a new client<BR>>
> is added at a new location. (The AG Connector would
be really<BR>> > helpful, except it causes
an ominous looping drop of all<BR>> >
audio-video connections, as it has been reported before, and it is<BR>>
> very unreliable). Extra features in v3.0 are nice,
but I truly<BR>> > believe that the
firewall/ports issue is the most significant<BR>>
> barrier to wider adoption of the
Toolkit.<BR>> > <BR>>
> <BR>> >
Zsolt<BR>> > <BR>>
> _ _ _<BR>>
> <BR>> > Zsolt
Nagykaldi, PhD<BR>> > Research Associate,
Clinical IT Specialist<BR>> > University Of
Oklahoma Health Sciences Center<BR>> >
Department Of Family And Preventive Medicine<BR>>
> Oklahoma Center For Family Medicine
Research<BR>> > <BR>>
> 900 NE 10th Street<BR>>
> Oklahoma City, OK 73104<BR>>
> Phone: (405) 271-8000 Ext.:1-32212<BR>>
> Fax: (405)
271-1682<BR>> ><BR>><BR>><BR></FONT></P></DIV>
</BODY>
</HTML>