FAQ
What is RMI Doves?
RMI Doves is a package containing client-side and server-side RMI
socket factories. These two factories allow clients to make outgoing RMI
calls and receive "callbacks" through a chain of firewalls.
Why is it called "RMI Doves"?
Because the RMI Doves socket factory allows RMI clients to get back to
their servers, similar to doves, which always return.
What is the "Custom RMI Socket Factory"?
Look at http://java.sun.com/products/jdk/1.2/docs/guide/rmi/rmisocketfactory.doc.html
How do I install RMI Doves?
Include rmidoves.jar in your classpath. This jar contains the
ClientRmiDovesSocketFactory and ServerRmiDovesSocketFactory classes from
the com.rmidoves package.
In which cases do you recommend using RMI Doves?
We recommend using ClientRmiDovesSocketFactory whenever you need to make
outgoing RMI calls through client-side and server-side firewalls. It also
allows the client to receive "callbacks" from the server.
ServerRmiDovesSocketFactory should be used only if the server makes
"callbacks" and at least one of its clients uses
ClientRmiDovesSocketFactory.
What kind of firewall can RMI Doves tunnel through?
There are two types of firewalls: IP filtering firewalls and Proxy
Servers. An IP filtering firewall works at the Network layer. It is
designed to control the flow of packets based on the source, destination,
port and packet type information contained in each packet. You have a direct
connection to the Internet, but some traffic is not allowed to pass through.
With a Proxy Server, you have no direct connection to the Internet and
must connect through a proxy server that gets the data for you. Proxies work
at the Application Layer. They are mostly used to control, or monitor,
outbound traffic. Proxies can be transparent or not. If a proxy is
transparent then the client need not know about the proxy; otherwise it
needs to be configured to use it. RMI Doves can handle both packet filtering
firewalls and Proxy Server firewalls, and, if needed, one on top of the
other. If you want to know more about firewalls look here.
How does it compare with non-tunneling access (i.e. plain
port-to-port RMI with no firewalls) performance-wise? Sun, in their
description of HTTP-based tunneling, warns that this technique is
considerably slower than a port-to-port RMI connection.
Yes, http-to-port tunneling is at least 3 times slower than "no
tunneling", and http-to-cgi is even slower. At the same time,
RMI Doves in the "CONNECT" tunneling mode runs at practically the
same speed as the "no tunneling" variant.
Does it allow "Callback"?
Yes. It does! The only exception is HTTP-TO-PORT tunneling mode.
What is the CONNECT tunneling?
HTTP proxies can tunnel any application protocol, as long as it is solely
TCP based, which is the case for RMI. The client requests the connection
(usually an SSL connection) with the HTTP CONNECT method, like this:
CONNECT host:port HTTP/1.0
Look at the HTTP 1.1 standard: http://www.ietf.org/rfc/rfc2616.txt
and here.
This tunneling has been implemented in a number of Internet technologies,
for instance in VNC.
What is the HTTP-TO-PORT tunneling?
Look at http://java.sun.com/products/jdk/1.2/docs/guide/rmi/faq.html#firewall
Do you need to set the RMI Doves on the server side?
No.
Can RMI Doves do http-to-cgi tunneling?
No, it cannot. The http-to-cgi tunneling option requires an HTTP server
and initialization of the java-rmi.cgi script for each remote call, so it
is very inefficient. In fact, if you employ RMI Doves you don't need to use
http-to-cgi tunneling anymore.
If RMI fails to make a normal connection to the intended server, and it
notices that an HTTP proxy server is configured, it doesn't always
attempt to tunnel RMI requests through that proxy server. Does RMI Doves
have this problem?
No. RMI Doves makes outgoing RMI calls without trying different modes.
The tunneling mode must be set prior to RMI calls. By default it is the
"NO-TUNNELING" mode.
How to determine the type of firewall the client is behind?
The simplest way is to look at the web browser configured on the client
machine. If a Proxy Server is set in the Internet options, then we are
definitely dealing with a "not transparent proxy server".
How to make sure that the local proxy allows the CONNECT method to the remote host?
In the UNIX/Linux world you would do the following:
1. Telnet to the local proxy, i.e.:
$ telnet localProxyHost localProxyPort
You should get a response like this:
Trying...
Connected to localProxyHost.
Escape character is '^]'.
2. Enter the command:
CONNECT remoteHost:remotePort HTTP/1.0
and press "Enter" twice!
If the CONNECT method is allowed you should get the response:
HTTP/ 200 Connection established
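
The CONNECT handshake described under "What is the CONNECT tunneling?" and checked by hand with telnet above, as an added Java example (not RMI Doves code): a custom RMISocketFactory that opens each outgoing connection through the proxy. The class name ConnectTunnelFactory and its fields are assumptions made for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.rmi.server.RMISocketFactory;

// Added illustration: class and names are hypothetical, not the RMI Doves API.
public class ConnectTunnelFactory extends RMISocketFactory {
    private final String proxyHost;
    private final int proxyPort;
    public ConnectTunnelFactory(String proxyHost, int proxyPort) {
        this.proxyHost = proxyHost;
        this.proxyPort = proxyPort;
    }

    @Override  // every outgoing RMI connection becomes a CONNECT tunnel via the proxy
    public Socket createSocket(String host, int port) throws IOException {
        Socket s = new Socket(proxyHost, proxyPort);
        try {
            String req = "CONNECT " + host + ":" + port + " HTTP/1.0\r\n\r\n";
            s.getOutputStream().write(req.getBytes(StandardCharsets.US_ASCII));
            InputStream in = s.getInputStream();
            String status = readLine(in);               // "HTTP/x.y 200 reason"
            if (!status.matches("HTTP/\\d\\.\\d 200( .*)?")) {
                throw new IOException("proxy refused CONNECT: " + status);
            }
            while (!readLine(in).isEmpty()) { /* skip response headers */ }
            return s;  // from here on the socket carries raw RMI traffic
        } catch (IOException e) {
            s.close();
            throw e;
        }
    }

    @Override  // server side stays a plain listener; tunnelling is client-side only
    public ServerSocket createServerSocket(int port) throws IOException {
        return new ServerSocket(port);
    }

    // Reads one line a byte at a time so no bytes of the tunnelled stream are lost.
    private static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int c; (c = in.read()) != '\n'; sb.append((char) c)) {
            if (c == -1) throw new IOException("proxy closed the connection");
        }
        return sb.toString().trim();
    }
}
```

Install it with RMISocketFactory.setSocketFactory(new ConnectTunnelFactory(localProxyHost, localProxyPort)) before the first remote call. Calling createSocket(remoteHost, remotePort) on its own performs the same check as the telnet session and throws an IOException if the proxy refuses the tunnel.
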
Can RMI Doves connect through a SOCKS Server?
No. If a SOCKS server is configured in the local network, then you can
use the system property socksProxyHost and activate the connection with the
default implementation of sockets in the JDK. You don't need to activate
RMI Doves in that case.
What is SOCKS?
SOCKS is a networking proxy protocol that enables hosts on one side of a
SOCKS server to gain full access to hosts on the other side of the SOCKS
server without requiring direct IP-reachability. SOCKS is often used as a
network firewall, redirecting connection requests from hosts on opposite
sides of a SOCKS server. The SOCKS server authenticates and authorizes
requests, establishes a proxy connection, and relays data between hosts.
Proxy servers can request user authentication. Does RMI Doves
authenticate users?
Not at the moment. The number of authentication protocols is quite large,
so we decided to provide such a service only on demand from particular
customers.
What JDK version does RMI Doves support?
1.2 and up.
Can we use the RMI Doves factory for a particular remote object?
Yes, the RMI Doves socket factory extends RMISocketFactory and can be used
in applications like any other custom RMI socket factory.
Does RMI Doves support callbacks via NAT?
Yes.
Does RMI Doves support SSL?
Not at the moment, but RMI Doves can be easily extended to provide
bi-directional SSL.
| Functionality Chart           | Chain of IP filtering Firewalls | Single Proxy Server | Chain of Proxy Servers |
|-------------------------------|---------------------------------|---------------------|------------------------|
| RMI Doves Socket Factory      |                                 |                     |                        |
| "NO-TUNNELING" mode           | B                               | N                   | N                      |
| "CONNECT-TUNNELING" mode      | B                               | B                   | B                      |
| "HTTP-TO-PORT TUNNELING" mode | O                               | O                   | N                      |
| Standard RMISocketFactory     |                                 |                     |                        |
| "NO-TUNNELING" mode           | O                               | N                   | N                      |
| "HTTP-TO-PORT TUNNELING" mode | O                               | O                   | N                      |
| "HTTP-TO-CGI TUNNELING" mode  | O                               | O                   | N                      |
Notes: B - bi-directional connection (outgoing RMI calls and "callbacks");
O - outgoing RMI calls only; N - no connection allowed
RMI Doves API
You can see the API online.
RMI Doves Demo
Introduction
The demo is intended to give you first-hand experience in resolving the RMI
firewall problem. It is a fully functional application with source code,
which uses ClientRmiDovesSocketFactory and ServerRmiDovesSocketFactory.
It demonstrates the client's ability to connect through a firewall and
receive "callbacks". You can choose to run your own server
or access DemoServer through the Internet at 24.82.83.214,
Port: 443 (subject to change). The only limitation of the demo is that
it shows a reminder that it is a demo version. To download RMI Doves Demo
please click here. If after testing you decide to purchase the software,
please contact us by E-mail.
"Smart Server" Configuration
When you expect clients to connect from behind a firewall, the server
configuration becomes a major issue. As you will see later, a "smart
configuration" can help a lot:
- DemoServer exports all remote objects and creates the
registry on the same port: 443. Assuming no help from the client firewall
administrators, running your servers on "public" ports such as 80, 81,
8001, or 443 is the most common approach.
- DemoServer is deployed on a Linux Red Hat
machine with an IP filtering firewall which redirects inbound TCP traffic
heading to port 80 to port 443.
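
A minimal server following the first point above, added here as an example and not taken from DemoServer: the registry and the exported object share one port, so only that port has to be reachable through the firewall. The names SinglePortServer, Echo and EchoImpl are assumptions.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Added illustration: SinglePortServer, Echo and EchoImpl are hypothetical names,
// not DemoServer source code.
public class SinglePortServer {
    public interface Echo extends Remote {
        String echo(String msg) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        @Override
        public String echo(String msg) { return "echo: " + msg; }
    }

    // Strong references keep the registry and the object from being garbage collected.
    private static Registry registry;
    private static Echo impl;

    // Creates the registry and exports the remote object on the same TCP port,
    // so a firewall in front of the server needs a single inbound rule.
    public static void start(int port) throws RemoteException {
        registry = LocateRegistry.createRegistry(port);
        impl = new EchoImpl();
        Remote stub = UnicastRemoteObject.exportObject(impl, port);
        registry.rebind("echo", stub);
    }

    public static void main(String[] args) throws Exception {
        // The demo uses 443; ports below 1024 need elevated privileges on Linux.
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 443;
        start(port);
        System.out.println("registry and remote objects listening on port " + port);
    }
}
```
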
Client is behind IP Filtering firewall or transparent Proxy Server
If TCP is allowed on either port 443 or 80, the DemoClient
should work in "No Tunneling" mode. All you need to provide is the RMI
server hostname/IP and port.
If you press the "Call Server" button, you will see in the
"logging" text area that the client connects to the server, calls a remote
method and then receives a "callback" from the server. The chances that
ports 443 or 80 are allowed are very high, because 443 needs to be open
for SSL (Secure Sockets Layer protocol) and 80 for HTTP, both of which are
very popular protocols on the Internet.
Client is behind not transparent Proxy Server
If the HTTP CONNECT method on port 443 is allowed, then you should
choose "CONNECT" mode. All you need to provide is the RMI server
and Proxy Server hostname/IP and port. If you press the "Call Server"
button, you will see in the "logging" text area that the client
connects to the server, calls a remote method and then receives a
"callback" from the server. The chances that the HTTP CONNECT method on
port 443 is allowed are very high, because the method must be allowed in
order for SSL to work through a proxy. It is allowed by default in a number
of Proxy Servers, including Apache (AllowCONNECT directive) and
Squid. This is the fastest solution, because in this case the client
establishes a direct socket connection to the RMI server.
But what do we do if CONNECT is not
allowed? In this case we should use the HTTP_TO_PORT tunneling mode, which
is much slower than CONNECT and doesn't allow "callbacks", but it
works in this case.
Problems? Questions? Needs?
Send us E-mail