[AG-TECH] AG behind firewall

Bob Olson olson at mcs.anl.gov
Mon Dec 23 12:06:55 CST 2002


> I am behind a restrictive firewall and the company policy is to not 
> allow any inbound ports to be fully open.  They won't even open 
> ports temporarily.  They have told me that if I initiate a connection 
> from the inside, then the firewall will allow packets responding to 
> mine through.  Of course the AG software sends data back on additional 
> ports so it doesn't work (we've got a heartbeat).  We are going to start 
> the paperwork to get our machines outside of the company firewall, but I 
> had a couple of questions.

Are they firewalling multicast traffic as well? The internal AG software
should be fine - the machines in the node aren't firewalled from each
other.

> Does anybody else have a network policy as restrictive as ours?  More so?

Argonne's default policy will be something like yours, though we will have
the capability to have conduits burned through the firewall for incoming
traffic. The default will be to turn away incoming connections.

> Would it be reasonable to modify the software to initiate the new 
> connections from within the firewall?  Maybe just a modification of the 
> QuickBridge?

I'm not sure which connections you mean. The communication between the
components of the node should not be affected by your firewall, and the
node->VV server communications are originated from inside, so the firewall
will let them pass.

Hm, just read the forwarded part of this post, and suspect you might be
talking about the multicast traffic? If your site is stopping multicast at
the firewall, things get a bit harder. With the unicast tunnels, there
will be outgoing traffic even for a non-transmitting vic or rat (the RTCP
traffic); I don't know if that's enough to let the firewall open up the
incoming side, or if it even would do that for UDP traffic - you'd need to
talk to your firewall admins on that.
--bob
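To make the point about UDP and stateful filtering concrete, here is a toy model of one common firewall behaviour (added example, not part of the original thread or of the AG software): an outbound UDP datagram records a 4-tuple, and an inbound datagram is passed only if it mirrors a recorded tuple exactly. Real products differ, which is exactly the uncertainty raised above; all addresses and ports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool  # True = leaving the site, False = arriving from outside


class StatefulUdpFirewall:
    """Passes inbound UDP only when it mirrors state left by an earlier outbound datagram."""

    def __init__(self):
        # Each entry: (inside_ip, inside_port, outside_ip, outside_port)
        self.state = set()

    def filter(self, d: Datagram) -> bool:
        """Return True if the datagram is forwarded, False if dropped."""
        if d.outbound:
            # Remember the 4-tuple so the matching reply can come back in.
            self.state.add((d.src_ip, d.src_port, d.dst_ip, d.dst_port))
            return True
        # Inbound must match a recorded tuple with addresses and ports swapped.
        return (d.dst_ip, d.dst_port, d.src_ip, d.src_port) in self.state


def run_scenario() -> dict:
    """Replay the situation in the thread with constructed addresses and ports."""
    fw = StatefulUdpFirewall()
    node = "10.0.0.5"      # constructed: AG node inside the site
    bridge = "192.0.2.10"  # constructed: unicast bridge outside the site
    results = {}
    # rat is idle but still sends RTCP: node:50001 -> bridge:50001
    fw.filter(Datagram(node, 50001, bridge, 50001, outbound=True))
    # RTCP from the bridge on the same ports mirrors that state and is passed.
    results["rtcp_reply"] = fw.filter(Datagram(bridge, 50001, node, 50001, outbound=False))
    # RTP media arrives on 50000, a port the node never sent from: no state, dropped.
    results["rtp_media"] = fw.filter(Datagram(bridge, 50000, node, 50000, outbound=False))
    # Multicast media is addressed to the group (constructed 224.2.1.1), never to the
    # node, so it can never mirror recorded state and is dropped regardless.
    results["multicast"] = fw.filter(Datagram(bridge, 50000, "224.2.1.1", 50000, outbound=False))
    # In this model only an outbound datagram on the media port itself opens it.
    fw.filter(Datagram(node, 50000, bridge, 50000, outbound=True))
    results["rtp_after_outbound"] = fw.filter(Datagram(bridge, 50000, node, 50000, outbound=False))
    return results


if __name__ == "__main__":
    for name, passed in run_scenario().items():
        print(f"{name}: {'passed' if passed else 'dropped'}")
```

The model shows why RTCP alone does not help the media port: the filter keys on the exact port pair, so the only outbound traffic in the idle case (RTCP) opens only the RTCP return path.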