deploy through two firewalls
gsumers22texas
Has anybody deployed through two hardware firewalls (between two organizations) where the OD base sits inside one hardware firewall and the OD receiver sits inside another? Would the OD configuration be any different than deploying through just one? I know the ports will have to match and will have to be opened within each, but am curious if there are any other "gotchas" to consider and plan for.
Is the first firewall (protecting the OD base server) even relevant to the configurations since OD will be "transmitting" from it?
IW support stated it should work the same as deploying through one, but then couldn't provide a real-life experience / confirmation of doing this. This is what we're seeking here.
Many thanks for any replies.
Comments
Migrateduser
Right, the first firewall doesn't come into play with respect to the OD config files.
In the deployment config on the sending system, specify the firewall closest to the target as the "localNode". On the target system, specify the same firewall (closest to the target) as an allowed host.
Todd Scallan
Senior Product Manager
Interwoven
t: 408-530-7167
e: tscallan@interwoven.com
Migrateduser
Hi - I've just opened a support case on the same issue. What do we have to consider to make both the port 20014 communication and the RMI port 9173 communication work correctly so that the GUI admin tool can work with the remote receiver, as well as the communication for the sender/receiver content movement?
Migrateduser
Making the Admin UI work through the firewall is a different issue. You need OD 5.5.1 SP2 to make this work.
Please read the SP2 release notes carefully. You have to install SP2 on the Base Servers and Receivers you wish to administer. There are also a few manual steps to apply the SP2 updates to the Admin UI server. After that, you can configure OD to use a specific range of RMI ports for administration, as described in the release notes.
Todd Scallan
Senior Product Manager
Interwoven
t: 408-530-7167
e: tscallan@interwoven.com
Migrateduser
I've been pointed at this documentation (551 SP2 release notes) previously and have asked for a more understandable explanation of why and how this is to be done....
Adam Stoller
(emphasis added)
I've been pointed at this documentation (551 SP2 release notes) previously and have asked for a more understandable explanation of why and how *this* is to be done....
Which "this"? The installation of SP2, the manual steps for upgrading the Admin Server, or the configuring of the specific ports?
I'll assume it's the last topic only - and the answer is that the initial implementation using Java RMI to communicate between the Admin Server and the other servers specified a single port for the main connection, and then when Java spawned off 7 sub-processes to perform all the real communications work, by default it chose port numbers at random - and this doesn't generally work very well through firewalls where folks like to limit the number (and specific) ports that are open for communication.
The fix in SP2 is to allow you to specifically list the ports to use for those sub-processes so that your firewall administrator at least has a finite list which they can open to allow you to use the Admin GUI interface to communicate with your OpenDeploy servers.
I believe there are plans to eventually have this reduced to a single port number specification that can be used for tunnelling all the communications through - but at this time I am not sure when this functionality/feature may be available.
Note: The above is my layman's interpretation of what is involved - it probably contains some technical inaccuracies but I believe the gist is correct.
Does that help explain the "Why"?
As to the "How" - the description on page 20 of the Release Notes seems pretty clear to me - perhaps you can expand on what it is that you don't understand so that someone can help clarify it for you?
--fish
(Interwoven, Curriculum Development)
Migrateduser
Hey, that's what I was looking for as to the why - thanks. As for the how, that became clearer when the why was explained.
What would complete the picture would be an explanation of how the firewall configuration relates to the default 9173 rmi port.
In other words, given an OpenDeploy receiver installed with default configuration in a location behind a remote firewall, do I open ports on the remote firewall:
20014 for data transfer,
9137 for the base rmi communication,
24071 - 24077 for additional rmi communication?
Edited by walib on 10/23/02 09:02 AM (server time).
Adam Stoller
Yes, you would need to open those ports on the remote firewall.
--fish
(Interwoven, Curriculum Development)
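Added example, not part of the thread and not Interwoven tooling: a reachability check that a firewall administrator can run from the sending or Admin UI side to confirm that the finite port list discussed above is actually open to the receiver. The port spec uses 20014, the default RMI port 9173 and the 24071-24077 range as named in the thread; the host argument and function names are assumptions of this sketch.

```python
import socket

# Ports named in the thread: 20014 (data transfer), 9173 (default RMI port),
# 24071-24077 (the additional RMI range quoted in the thread).
OD_PORT_SPEC = "20014,9173,24071-24077"


def parse_ports(spec):
    """Expand '20014,9173,24071-24077' into a sorted list of unique ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def check_port(host, port, timeout=3.0):
    """Return 'open', 'refused' (host reachable, nothing listening) or
    'filtered' (timeout or unreachable, typical of a firewall drop)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "filtered"


def check_receiver(host, spec=OD_PORT_SPEC, timeout=3.0):
    """Map every port in the spec to its observed state."""
    return {p: check_port(host, p, timeout) for p in parse_ports(spec)}


if __name__ == "__main__":
    import sys
    # Hypothetical default; pass the receiver's address as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_receiver(host)
    for port, state in results.items():
        print(f"{host}:{port:<6} {state}")
    blocked = [p for p, s in results.items() if s != "open"]
    print("all ports reachable" if not blocked else f"not reachable: {blocked}")
```

A "filtered" result on one of the RMI ports while 20014 is "open" matches the symptom described in the thread: content deployment works but the Admin UI cannot reach the receiver.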