[AG-TECH] AG behind firewall
Andrew Shewmaker
shewa at inel.gov
Mon Dec 23 13:07:51 CST 2002
On Mon, 23 Dec 2002 12:06:55 -0600 (CST)
Bob Olson <olson at mcs.anl.gov> wrote:
> > I am behind a restrictive firewall and the company policy is to not
> > allow any inbound ports to be fully open. They won't even open
> > ports temporarily. They have told me that if I initiate a connection
> > from the inside, then the firewall will allow packets responding to
> > mine through. Of course the AG software sends data back on additional
> > ports so it doesn't work (we've got a heartbeat). We are going to start
> > the paperwork to get our machines outside of the company firewall, but I
> > had a couple questions?
>
> Are they firewalling multicast traffic as well? The internal AG software
> should be fine - the machines in the node aren't firewalled from each
> other.
Yes they are. I looked at my beacon statistics and all of the statistics
for my beacon are NA. http://beaconserver.accessgrid.org:9999/host.html
says that I have an unresolvable IP. Mitch Kutzko <mitch at ncsa.uiuc.edu>
told me, "You'll need to tell your network folks that they'll need to
allow multicast through the firewall (at least to/from group 233.2.171.1),
and that unicast UDP be allowed to 233.2.171.1 (beaconserver.accessgrid.org),
port 9999."
>
> > Does anybody else have a network policy as restrictive as ours? Moreso?
>
> Argonne's default policy will be something like yours, though we will have
> the capability to have conduits burned through the firewall for incoming
> traffic. The default will be to turn away incoming connections.
>
> > Would it be reasonable to modify the software to initiate the new
> > connections from within the firewall? Maybe just a modification of the
> > QuickBridge?
>
> I'm not sure which connections you mean. The communication between the
> components of the node should not be affected by your firewall, and the
> node->VV server communications are originated from inside, so the firewall
> will let them pass.
>
> Hm, just read the forwarded part of this post, and suspect you might be
> talking about the multicast traffic? If your site is stopping multicast at
> the firewall, things get a bit harder. With the unicast tunnels, there
> will be outgoing traffic even for a non-transmitting vic or rat (the RTCP
> traffic); I don't know if that's enough to let the firewall open up the
> incoming side, or if it even would do that for UDP traffic - you'd need to
> talk to your firewall admins on that.
I'll talk to them some more...but that will have to wait until after a trip.
I'm leaving today...Thanks for your response though.
Andrew
--
Andrew Shewmaker
Associate Engineer
Phone: 208.526.1415
Fax: 208.526.4017
Idaho National Engineering and Environmental Laboratory
2525 Fremont Ave.
Idaho Falls, ID 83415-3605
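The firewall behaviour discussed above (replies to an inside-initiated UDP flow get through, traffic arriving on additional ports does not, and an idle pinhole may close unless something like periodic RTCP keeps it refreshed) can be made concrete with a small simulation. The following is an added example written for this page, not code from the thread or from the Access Grid software; the class name, addresses, ports and the 30-second timeout are constructed assumptions, and real firewall products differ in their exact tracking rules.

```python
"""
Toy model of a stateful firewall's UDP connection tracking (constructed example).
It shows why an inside-initiated flow is answered, why a reply on a different
port is dropped, and why periodic outbound packets (e.g. RTCP) keep a pinhole open.
"""
from dataclasses import dataclass, field

UDP_PINHOLE_TIMEOUT = 30.0  # seconds; assumed value, real products vary


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    t: float  # time the packet reaches the firewall, in seconds


@dataclass
class StatefulUdpFirewall:
    inside_prefix: str
    # (inside_ip, inside_port, outside_ip, outside_port) -> last time seen
    pinholes: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def _expire(self, now):
        # Drop tracking entries that have been silent longer than the timeout
        stale = [k for k, last in self.pinholes.items() if now - last > UDP_PINHOLE_TIMEOUT]
        for k in stale:
            del self.pinholes[k]

    def handle(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        self._expire(pkt.t)
        if self._is_inside(pkt.src_ip):
            # Outbound traffic is always allowed and opens/refreshes a pinhole
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.pinholes[key] = pkt.t
            self.log.append(("ALLOW-OUT", pkt))
            return True
        # Inbound traffic passes only if it exactly reverses a tracked 4-tuple
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.pinholes:
            self.pinholes[key] = pkt.t
            self.log.append(("ALLOW-IN", pkt))
            return True
        self.log.append(("DROP-IN", pkt))
        return False


def run_scenario():
    """Four cases from the discussion; returns a dict of forwarded/dropped results."""
    inside, bridge = "10.0.0.5", "192.0.2.10"  # constructed addresses
    results = {}

    fw = StatefulUdpFirewall(inside_prefix="10.0.0.")
    # 1. Inside host opens a flow; the bridge answers on the same 4-tuple: allowed
    fw.handle(Packet(inside, 40000, bridge, 5004, t=0.0))
    results["reply_same_tuple"] = fw.handle(Packet(bridge, 5004, inside, 40000, t=0.5))
    # 2. Bridge sends media on an additional port the inside host never used: dropped
    results["extra_port"] = fw.handle(Packet(bridge, 5006, inside, 40002, t=1.0))
    # 3. After more than UDP_PINHOLE_TIMEOUT of silence the pinhole is gone: dropped
    results["after_idle"] = fw.handle(Packet(bridge, 5004, inside, 40000, t=45.0))

    fw2 = StatefulUdpFirewall(inside_prefix="10.0.0.")
    # 4. Outbound RTCP-style packets every 5 s keep refreshing the pinhole,
    #    so a late reply is still allowed
    for t in range(0, 60, 5):
        fw2.handle(Packet(inside, 40001, bridge, 5005, t=float(t)))
    results["kept_alive_by_rtcp"] = fw2.handle(Packet(bridge, 5005, inside, 40001, t=57.0))
    return results


if __name__ == "__main__":
    for name, forwarded in run_scenario().items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
```

Run it and the four cases print in order: the same-tuple reply is forwarded, the extra-port packet is dropped, the reply after a long idle period is dropped, and the flow refreshed by periodic outbound packets is still answered. The model only tracks the reverse 4-tuple, which is the conservative behaviour to assume when asking firewall administrators whether RTCP traffic is enough to keep the incoming side open.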