[AG-TECH] Firewall and unicast questions

Todd Zimmerman toddz at sfu.ca
Fri Apr 7 12:45:22 CDT 2006

This is way we are running our nodes behind a PIX firewall; however, it is a bit of a battle keeping
up with bridge hostname / ip changes.  I started a Faq entry for known bridgeserver hostnames on
AGCentral; however I think now that may be woefully out of date.

Is there any way we can set up a central page to that can list known bridge server hostnames and can
be updated by the site administrators when/if they change?

As an aside - I'm not sure if this strategy will be as easy to implement with the dynamic bridging
on AG3; however, again, if there is a known good list, this will make approaching the firewall
administrators a bit easier.


Nagykaldi, Zsolt F. (HSC) wrote:
> For those of us who are not living in a network dreamland, a
> feasible solution is to focus on the trusted IPs of the unicast bridges
> instead of the UDP port range. This is what we did here at OU and it
> works great for us. While for a small entity it may fly to open UDP
> ports 30K - 60K (if their ISP does not get a heart attack when you ask),
> a larger entity (University) may rather want to allow incoming packets
> through by allowing the distinct IPs of the unicast bridges in the
> firewall. This is a much better solution. If you use regular PIX
> firewalls and want to use e.g. the NCSA rooms, the next statement should
> be added to your firewall protocols:
> object-group network video_allowed_inbound
> network-object host
> network-object host
> These IPs are for venuesbridge and roebridge. For new bridges you will
> have to ask your IT to add them individually.
> I hope this will help.
> Zsolt
> _ _ _
> Zsolt Nagykaldi, PhD
> Research Associate, Clinical IT Specialist
> University Of Oklahoma Health Sciences Center
> Department Of Family And Preventive Medicine
> Oklahoma Center For Family Medicine Research
> 900 NE 10th Street
> Oklahoma City, OK 73104
> Phone: (405) 271-8000 Ext.:1-32212
> Fax:     (405) 271-1682
> ------------------------------------------------------------------------
> *From:* owner-ag-tech at mcs.anl.gov on behalf of Andrew A Rowley
> *Sent:* Fri 4/7/2006 3:00 AM
> *To:* Masullo, Chris F; ag-tech at mcs.anl.gov
> *Subject:* RE: [AG-TECH] Firewall and unicast questions
> Hi,
> I know of various places that are running AG from behind a firewall
> using both multicast and unicast. 
> Using unicast means that you add strain to the bridge for the venue. 
> However, I have not seen any bridges fail under strain so far (others
> may have seen this).  The other problem with unicast and firewalls is
> the port numbers.  The bridges will be assigned random port numbers
> within a fixed range, so the only way to guarantee that you will be able
> to use the bridge is to open up the entire range.  This range will
> depend on the venue server.  Of course with dynamic multicast venues,
> you would have the same problem, however, with static venues, you could
> at least open the fixed port numbers in use.  AG Connector can also help
> with the port number problem, since it only uses a single fixed port.
> The only other problem I have seen with firewalls, is when the firewall
> cannot cope with the amount of traffic passing with large AG meetings. 
> It is worth finding out what bandwidth the firewall can cope with if you
> regularly join large meetings.
> Andrew :)
> ============================================
> Access Grid Support Centre,
> RSS Group,
> Manchester Computing,
> Kilburn Building,
> University of Manchester,
> Oxford Road,
> Manchester,
> M13 9PL,
> UK
> Tel: +44(0)161-275 0685
> Email: Andrew.Rowley at manchester.ac.uk
>> -----Original Message-----
>> From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On
>> Behalf Of Masullo, Chris F
>> Sent: 06 April 2006 17:04
>> To: ag-tech at mcs.anl.gov
>> Subject: [AG-TECH] Firewall and unicast questions
>> Hello All,
>> We currently have our AG nodes outside our firewall, however cyber
>> security
>> has told us that we need to move the systems inside our firewall.  The
>> last
>> time I brought up this issue a number of years ago I was told that
>> multicast
>> would not get past our firewall. I have some questions regarding this
>> issue.
>> Has anyone successfully placed an AG VTC system behind a Cisco Firewall?
>> Are there any issues using unicast mode for and AG node behind a
>> firewall?
>> If not then why not run unicast?
>> I have looked through the mailer however I do not see any answers to
>> these
>> Questions.
>> Thanks in advance
>> Chris Masullo                     Information Technology Division
>> Brookhaven National Laboratory    Network Engineering & Operations
>> 61 Brookhaven Ave.                Phone:  (631) 344-2326
>> Upton, NY 11973                   Fax:    (631) 344-7688

More information about the ag-tech mailing list