[AG-TECH] AG behind firewall

Andrew Shewmaker shewa at inel.gov
Mon Dec 23 13:07:51 CST 2002


On Mon, 23 Dec 2002 12:06:55 -0600 (CST)
Bob Olson <olson at mcs.anl.gov> wrote:

> > I am behind a restrictive firewall and the company policy is to not 
> > allow any inbound ports to be fully open.  They won't even open 
> > ports temporarily.  They have told me that if I initiate a connection 
> > from the inside, then the firewall will allow packets responding to 
> > mine through.  Of course the AG software sends data back on additional 
> > ports so it doesn't work (we've got a heartbeat).  We are going to start 
> > the paperwork to get our machines outside of the company firewall, but I 
> > had a couple of questions.
> 
> Are they firewalling multicast traffic as well? The internal AG software
> should be fine - the machines in the node aren't firewalled from each
> other.

Yes they are.  I looked at my beacon statistics and all of the statistics 
for my beacon are NA.  http://beaconserver.accessgrid.org:9999/host.html 
says that I have an unresolvable IP.  Mitch Kutzko <mitch at ncsa.uiuc.edu> 
told me, "You'll need to tell your network folks that they'll need to
allow multicast through the firewall (at least to/from group 233.2.171.1),
and that unicast UDP be allowed to 233.2.171.1 (beaconserver.accessgrid.org), 
port 9999."


> 
> > Does anybody else have a network policy as restrictive as ours?  More so?
> 
> Argonne's default policy will be something like yours, though we will have
> the capability to have conduits burned through the firewall for incoming
> traffic. The default will be to turn away incoming connections.
> 
> > Would it be reasonable to modify the software to initiate the new 
> > connections from within the firewall?  Maybe just a modification of the 
> > QuickBridge?
> 
> I'm not sure which connections you mean. The communication between the
> components of the node should not be affected by your firewall, and the
> node->VV server communications are originated from inside, so the firewall
> will let them pass.
> 
> Hm, just read the forwarded part of this post, and suspect you might be
> talking about the multicast traffic? If your site is stopping multicast at
> the firewall, things get a bit harder. With the unicast tunnels, there
> will be outgoing traffic even for a non-transmitting vic or rat (the RTCP
> traffic); I don't know if that's enough to let the firewall open up the
> incoming side, or if it even would do that for UDP traffic - you'd need to
> talk to your firewall admins on that.

I'll talk to them some more...but that will have to wait until after a trip.
I'm leaving today...Thanks for your response though.

Andrew

-- 
Andrew Shewmaker
Associate Engineer
Phone:  208.526.1415
Fax:  208.526.4017

Idaho National Engineering and Environmental Laboratory
2525 Fremont Ave.
Idaho Falls, ID 83415-3605
