Read the instructions in this section if you intend to implement a client/server architecture that requires a firewall. Using a firewall is optional.
Problem

In the current client/server architecture of ENOVIA, client applications contact the servers using GIOP protocols (the proprietary Orbix protocol or standard IIOP), which require a different port for each server to be contacted. Here is a schematic view of the current configuration:
This architecture is well adapted to LANs (Local Area Networks) and Intranets, in which client and server hosts connect to each other directly without leaving the corporate network. This is not the case for WANs (Wide Area Networks) and Extranets, in which client and server hosts have to cross network devices such as gateways and firewalls to connect to each other. The role of these (hardware or software) devices is to guard the borders of the corporate network against the Internet by enforcing rules that control which client host (IP address) can connect to which server host (IP address) on which port. For the above architecture to keep working, a wide range of ports (currently 200) must be open both on the client-side firewall (to allow outbound connections to known server hosts on authorized ports) and on the server-side firewall (to allow inbound connections from known client hosts on authorized ports). This is problematic in terms of both security and administration.

Solution

We currently propose one solution to the firewall-crossing problem: HTTP tunneling. This solution comes with its own components and processes to be started on client and server hosts, and has its own advantages and constraints, detailed below. Its key benefit is that it requires ONLY ONE additional port to be open on the firewalls standing between the client and server networks, instead of the wide range of ports used by GIOP-based protocols. This port can be chosen arbitrarily by the administrator of the server network (a default is provided), and client-side administrators configure their own network security to match this choice. Technically, the solution is based on port redirection performed in the TCP protocol layer: each connection to a given server port is ultimately redirected to the tunneling port open on the firewalls. All GIOP-based communications then occur through this single dedicated port. Warning: outside Intranet usage, you MUST use the HTTP tunneling solution. Incidents relating to firewalls or proxies will otherwise not be taken into consideration.
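As an added illustration (not code from the ENOVIA documentation or product), the following Python model contrasts the firewall rule set needed for direct per-server GIOP connections with the one needed under HTTP tunneling with TCP-layer port redirection. The server names, the 15000+ port range, the host labels and the tunnel port 8080 are constructed assumptions, not ENOVIA defaults.

```python
"""Added model of the two firewall configurations discussed above.
Hosts, server names, GIOP ports and the tunnel port are constructed
sample values, not ENOVIA defaults."""
from dataclasses import dataclass

TUNNEL_PORT = 8080           # assumed: the one port the server-side admin opens
SERVER_HOST = "server-host"  # constructed label for the server network host

@dataclass(frozen=True)
class Rule:
    """One firewall allow rule: client network -> server host : TCP port."""
    src_net: str
    dst_host: str
    dst_port: int

def giop_servers(count: int) -> dict[str, int]:
    """Constructed GIOP deployment: each server listens on its own port."""
    return {f"enovia-srv-{i:03d}": 15000 + i for i in range(count)}

def direct_rules(src_net: str, servers: dict[str, int]) -> set[Rule]:
    """Rules needed when clients reach every GIOP server port directly."""
    return {Rule(src_net, SERVER_HOST, p) for p in servers.values()}

def redirect(dst_port: int, servers: dict[str, int]) -> int:
    """TCP-layer port redirection: a known GIOP port maps onto the tunnel port."""
    if dst_port not in servers.values():
        raise ValueError(f"port {dst_port} is not a configured GIOP server port")
    return TUNNEL_PORT

def tunneled_rules(src_net: str, servers: dict[str, int]) -> set[Rule]:
    """Rules needed with HTTP tunneling: all GIOP ports collapse to one."""
    return {Rule(src_net, SERVER_HOST, redirect(p, servers)) for p in servers.values()}

def exposed_ports(rules: set[Rule]) -> set[int]:
    """Audit helper: distinct TCP ports both firewalls must leave open."""
    return {r.dst_port for r in rules}

def allowed(rules: set[Rule], src_net: str, dst_host: str, dst_port: int) -> bool:
    """Firewall decision for one connection attempt."""
    return Rule(src_net, dst_host, dst_port) in rules

if __name__ == "__main__":
    servers = giop_servers(200)
    print(len(exposed_ports(direct_rules("client-net", servers))))    # 200
    print(len(exposed_ports(tunneled_rules("client-net", servers))))  # 1
```

Adding a 201st server extends the direct rule set by one more open port, while the tunneled rule set is unchanged, which is the administrative gain the text describes.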

HTTP Tunneling

Advantages

Constraints