[AG-TECH] Firewall and unicast questions

Bonnett, PG (Paul) P.G.Bonnett at rl.ac.uk
Fri Apr 7 10:21:35 CDT 2006

Here at CCLRC I manage (currently) a total of 8 nodes, all of which are
behind a Firewall, on a dedicated network, outside of a domain.

Paul Bonnett
Access Grid Videoconference Support & Development
Rutherford Appleton Labs
e-Science Centre
R1 Room 2.21
Tel: 01235 778329
P.Bonnett at rl.ac.uk

-----Original Message-----
From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On
Behalf Of Andrew A Rowley
Sent: 07 April 2006 09:01
To: Masullo, Chris F; ag-tech at mcs.anl.gov
Subject: RE: [AG-TECH] Firewall and unicast questions


I know of various places that are running AG from behind a firewall
using both multicast and unicast.  

Using unicast means that you add strain to the bridge for the venue.
However, I have not seen any bridges fail under strain so far (others
may have seen this).  The other problem with unicast and firewalls is
the port numbers.  The bridges will be assigned random port numbers
within a fixed range, so the only way to guarantee that you will be able
to use the bridge is to open up the entire range.  This range will
depend on the venue server.  Of course with dynamic multicast venues,
you would have the same problem, however, with static venues, you could
at least open the fixed port numbers in use.  AG Connector can also help
with the port number problem, since it only uses a single fixed port.

The only other problem I have seen with firewalls is when the firewall
cannot cope with the amount of traffic passing with large AG meetings.
It is worth finding out what bandwidth the firewall can cope with if you
regularly join large meetings.

Andrew :)

Access Grid Support Centre,
RSS Group,
Manchester Computing,
Kilburn Building,
University of Manchester,
Oxford Road,
M13 9PL,
Tel: +44(0)161-275 0685
Email: Andrew.Rowley at manchester.ac.uk 

> -----Original Message-----
> From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On 
> Behalf Of Masullo, Chris F
> Sent: 06 April 2006 17:04
> To: ag-tech at mcs.anl.gov
> Subject: [AG-TECH] Firewall and unicast questions
> Hello All,
> We currently have our AG nodes outside our firewall, however cyber
> security has told us that we need to move the systems inside our
> firewall.  The last time I brought up this issue a number of years ago
> I was told that multicast would not get past our firewall. I have some
> questions regarding this issue.
> Has anyone successfully placed an AG VTC system behind a Cisco
> Are there any issues using unicast mode for an AG node behind a
> firewall?
> If not then why not run unicast?
> I have looked through the mailer however I do not see any answers to 
> these Questions.
> Thanks in advance
> Chris Masullo                     Information Technology Division
> Brookhaven National Laboratory    Network Engineering & Operations
> 61 Brookhaven Ave.                Phone:  (631) 344-2326
> Upton, NY 11973                   Fax:    (631) 344-7688
