Configuring JBoss for use Behind a Firewall
JBoss comes with many socket based services that open listening ports. In this section we list the services
that open ports that might need to be configured to work when accessing JBoss behind a firewall. The following table, shows the ports, socket type, associated service and link to the service configuration for the services in the default configuration file set.
Port | Type | Service Descriptor | Service Name | Attribute Name | |
|---|---|---|---|---|---|
1098 | TCP | conf/jboss-service.xml | jboss:service=Naming | RmiPort | |
1099 | TCP | conf/jboss-service.xml | jboss:service=Naming | Port | |
3873 | TCP | deploy/ejb3.deployer/META-INF/jboss-service.xml | jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3 | InvokerLocator | |
4444 | TCP | conf/jboss-service.xml | jboss:service=invoker,type=jrmp (legacy 4.0.x invoker) | RMIObjectPort | |
4445 | TCP | conf/jboss-service.xml | jboss:service=invoker,type=pooled (legacy 4.0.x invoker) | ServerBindPort | |
4446 | TCP | conf/jboss-service.xml | jboss.remoting:service=Connector,transport=socket (EJB2 beans in AS/EAP 4.2+) | serverBindPort on Configuration | |
8009 | TCP | deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml | jboss.web:service=WebServer | port on AJP Connector | |
8080 | TCP | deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml | jboss.web:service=WebServer | port on HTTP Connector | |
8083 | TCP | conf/jboss-service.xml | jboss:service=WebService | Port | |
8090 | TCP | deploy/jms/oil-service.xml | jboss.mq:service=InvocationLayer,type=OIL | ServerBindPort | |
8092 | TCP | deploy/jms/oil2-service.xml | jboss.mq:service=InvocationLayer,type=OIL2 | ServerBindPort | |
8093 | TCP | deploy/jms/uil2-service.xml | jboss.mq:service=InvocationLayer,type=UIL2 | ServerBindPort | |
0(a) | TCP | deploy/jms/rmi-il-service.xml | jboss.mq:service=InvocationLayer,type=RMI | NONE | |
0(b) | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor | NONE |
(a) This service binds to an anonymous TCP port and does not support configuration of the port or bind interface. Remove the rmi-il-service.xml to disable it NOTE: this RMI invoker service is deprecated since the beginning of 2005
(b) This service binds to an anonymous UDP port and does not support configuration of the port or bind interface. Remove the snmp-adaptor.sar to disable it
JBossMessaging will use these ports:
Port | Type | Service Descriptor | Service Name | Attribute Name | |
|---|---|---|---|---|---|
4457 | TCP | deploy/jboss-messaging.sar/remoting-bisocket-service.xml | jboss.messaging:service=Connector,transport=bisocket | serverBindPort | |
Random by default | TCP | deploy/jboss-messaging.sar/remoting-bisocket-service.xml | jboss.messaging:service=Connector,transport=bisocket | secondaryBindPort | |
Random by default | TCP | deploy/jboss-messaging.sar/remoting-bisocket-service.xml | jboss.messaging:service=Connector,transport=bisocket | secondaryConnectPort |
Case you are using JBossMessaging in your configuration, you won't have any deploy/jms ports being used as described on the first table
Additional ports found in the all configuration:
Port | Type | Service Descriptor | Service Name | Attribute Name | |
|---|---|---|---|---|---|
1100 | TCP | deploy/cluster-service.xml | jboss:service=HAJNDI | Port | |
1101 | TCP | deploy/cluster-service.xml | jboss:service=HAJNDI | RmiPort | |
1102 | UDP | deploy/cluster-service.xml | jboss:service=HAJNDI | AutoDiscoveryGroup | |
1161 | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor | Port | |
1162 | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent,service=trapd,type=logger | Port | |
3528 | TCP | conf/jacorb.properties | OAPort | ||
4447 | TCP | deploy/cluster-service.xml | jboss:service=invoker,type=jrmpha (legacy 4.0.x invoker) | RMIObjectPort | |
4448 | TCP | deploy/cluster-service.xml | jboss:service=invoker,type=pooledha (legacy 4.0.x invoker) | ServerBindPort | |
49152 | TCP | deploy/cluster-service.xml | jboss:service=${jboss.partition.name:DefaultPartition} | start_port on FD_SOCK | |
49153 | TCP | deploy/tc5-cluster.sar/META-INF/jboss-service.xml | jboss.cache:service=TomcatClusteringCache | start_port on FD_SOCK |
One possible configuration for RMI through a firewall
NOTE: this was only tested in version 3.2.5 with java 1.4, but information in the forums indicate that this method has worked for several years. Search for NAT to find related information.
Open three ports through your firewall, one for the naming service, a second for the naming service RmiPort, and a third for the jrmp RMIObjectPort. These ports must be "fixed" on the system behind the firewall so that communications always happen on ports opened through the firewall. This is done in the jboss-service.xml file.
<mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming"> <!-- The listening port for the bootstrap JNP service. Set this to -1 to run the NamingService without the JNP invoker listening port. --> <attribute name="Port">1099</attribute> <attribute name="RmiPort">1098</attribute> </mbean>
and
<!-- RMI/JRMP invoker -->
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
name="jboss:service=invoker,type=jrmp">
<attribute name="RMIObjectPort">4444</attribute>
<!--
<attribute name="ServerAddress">${jboss.bind.address}</attribute>
<attribute name="RMIClientSocketFactory">custom</attribute>
<attribute name="RMIServerSocketFactory">custom</attribute>
<attribute name="SecurityDomain">ssl-domain-name</attribute>
-->
<depends>jboss:service=TransactionManager</depends>
</mbean>
Then, on the system behind the firewall, the following parameters need to be added to the java command line in the run.sh script to pass back the "correct" RMI information to the system outside of the firewall. "Correct" in this case means the hostname that the outside system refers to when addressing the system behind the firewall.
-Djava.rmi.server.hostname=<external_host_name> -Djava.rmi.server.useLocalHostname=true
NOTE: shouldn't it be -Djava.rmi.server.useLocalHostname=false since it should NOT return the local host name? Works here (4.2.2.GA) with set to false.
This solves the problem of the machine behind the firewall passing back it's local IP address that the machine outside the firewall cannot get to. NOTE: this assumes a pretty simple setup where everything outside the firewall references the machine behind the firewall with the same host name.
In more complex configurations, it may be necessicary for the system running behind the firewall to be able to resolve
:1099" when the initial context is created for the RMI access.
PooledInvoker
When using the PooledInvoker the attribute "ClientConnectAddress"(jboss-service.xml) is the host name that clients will use to connect to the server. You might need to set this to a DNS name that can be resolved by remote clients. This will default to the hostname of the server running jboss which may not be accessible by remote clients.
To invoke services behin firewall or NAT you need to modify two file
jboss/server/default/deploy/ejb3.deployer/META-INF/jboss-service.xml
<mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="Configuration">
<config>
<invoker transport="socket">
<attribute name="numAcceptThreads">1</attribute>
<attribute name="maxPoolSize">300</attribute>
<attribute name="clientMaxPoolSize" isParam="true">50</attribute>
<attribute name="timeout" isParam="true">60000</attribute>
<attribute name="serverBindAddress">${jboss.bind.address}</attribute>
<attribute name="serverBindPort">3873</attribute>
<!-- that's the important setting -->
<attribute name="clientConnectAddress">webaddress.com</attribute>
<attribute name="clientConnectPort">3873</attribute>
<attribute name="backlog">200</attribute>
</invoker>
<handlers>
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
</handlers>
</config>
</attribute>
</mbean>
and
/jboss/server/default/deploy/http-invoker.sar/META-INF/jboss-services.xml
<!-- The HTTP invoker service configration --> <mbean code="org.jboss.invocation.http.server.HttpInvoker" name="jboss:service=invoker,type=https"> <!-- Use a URL of the form http://<hostname>:8080/invoker/EJBInvokerServlet where <hostname> is InetAddress.getHostname value on which the server is running. --> <attribute name="InvokerURL">https://webaddress.com:8443/invoker/EJBInvokerServlet</attribute> <attribute name="InvokerURLPrefix">https://</attribute> <attribute name="InvokerURLSuffix">:8443/invoker/EJBInvokerServlet</attribute> <!-- important to turn it off --> <attribute name="UseHostName">false</attribute> </mbean> <!-- Expose the Naming service interface via HTTPS --> <mbean code="org.jboss.invocation.http.server.HttpProxyFactory" name="jboss:service=invoker,type=https,target=Naming"> <!-- The Naming service we are proxying --> <attribute name="InvokerName">jboss:service=Naming</attribute> <!-- Compose the invoker URL from the cluster node address --> <attribute name="InvokerURL">https://webaddress.com:8443/invoker/JMXInvokerServlet</attribute> <attribute name="InvokerURLPrefix">https://</attribute> <attribute name="InvokerURLSuffix">:8443/invoker/JMXInvokerServlet </attribute> <attribute name="UseHostName">false</attribute> <attribute name="ExportedInterface">org.jnp.interfaces.Naming </attribute> <attribute name="JndiName"></attribute> <attribute name="ClientInterceptors"> <interceptors> <interceptor>org.jboss.proxy.ClientMethodInterceptor </interceptor> <interceptor>org.jboss.proxy.SecurityInterceptor </interceptor> <interceptor>org.jboss.naming.interceptors.ExceptionInterceptor </interceptor> <interceptor>org.jboss.invocation.InvokerInterceptor </interceptor> </interceptors> </attribute> </mbean>
Referenced by:
Comments