Version 34

    Configuring JBoss for use Behind a Firewall

     

    JBoss comes with many socket-based services that open listening ports. This section lists the services that open ports which may need to be configured when JBoss is accessed from behind a firewall. The following table shows the port, socket type, associated service, and the service descriptor that configures it, for the services in the default configuration file set.

     

    | Port | Type | Service Descriptor | Service Name | Attribute Name |
    |------|------|--------------------|--------------|----------------|
    | 1098 | TCP | conf/jboss-service.xml | jboss:service=Naming | RmiPort |
    | 1099 | TCP | conf/jboss-service.xml | jboss:service=Naming | Port |
    | 3873 | TCP | deploy/ejb3.deployer/META-INF/jboss-service.xml | jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3 | InvokerLocator |
    | 4444 | TCP | conf/jboss-service.xml | jboss:service=invoker,type=jrmp (legacy 4.0.x invoker) | RMIObjectPort |
    | 4445 | TCP | conf/jboss-service.xml | jboss:service=invoker,type=pooled (legacy 4.0.x invoker) | ServerBindPort |
    | 4446 | TCP | conf/jboss-service.xml | jboss.remoting:service=Connector,transport=socket (EJB2 beans in AS/EAP 4.2+) | serverBindPort on Configuration |
    | 8009 | TCP | deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml | jboss.web:service=WebServer | port on AJP Connector |
    | 8080 | TCP | deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml | jboss.web:service=WebServer | port on HTTP Connector |
    | 8083 | TCP | conf/jboss-service.xml | jboss:service=WebService | Port |
    | 8090 | TCP | deploy/jms/oil-service.xml | jboss.mq:service=InvocationLayer,type=OIL | ServerBindPort |
    | 8092 | TCP | deploy/jms/oil2-service.xml | jboss.mq:service=InvocationLayer,type=OIL2 | ServerBindPort |
    | 8093 | TCP | deploy/jms/uil2-service.xml | jboss.mq:service=InvocationLayer,type=UIL2 | ServerBindPort |
    | 0 (a) | TCP | deploy/jms/rmi-il-service.xml | jboss.mq:service=InvocationLayer,type=RMI | NONE |
    | 0 (b) | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor | NONE |

     

    (a) This service binds to an anonymous TCP port and does not support configuration of the port or bind interface. Remove rmi-il-service.xml to disable it. NOTE: this RMI invoker service has been deprecated since the beginning of 2005.

     

    (b) This service binds to an anonymous UDP port and does not support configuration of the port or bind interface. Remove snmp-adaptor.sar to disable it.

     

    JBossMessaging will use these ports:

    | Port | Type | Service Descriptor | Service Name | Attribute Name |
    |------|------|--------------------|--------------|----------------|
    | 4457 | TCP | deploy/jboss-messaging.sar/remoting-bisocket-service.xml | jboss.messaging:service=Connector,transport=bisocket | serverBindPort |
    | Random by default | TCP | deploy/jboss-messaging.sar/remoting-bisocket-service.xml | jboss.messaging:service=Connector,transport=bisocket | secondaryBindPort |
    | Random by default | TCP | deploy/jboss-messaging.sar/remoting-bisocket-service.xml | jboss.messaging:service=Connector,transport=bisocket | secondaryConnectPort |

     

    • If you are using JBossMessaging in your configuration, none of the deploy/jms ports described in the first table will be used.

     

    Additional ports found in the all configuration:

    | Port | Type | Service Descriptor | Service Name | Attribute Name |
    |------|------|--------------------|--------------|----------------|
    | 1100 | TCP | deploy/cluster-service.xml | jboss:service=HAJNDI | Port |
    | 1101 | TCP | deploy/cluster-service.xml | jboss:service=HAJNDI | RmiPort |
    | 1102 | UDP | deploy/cluster-service.xml | jboss:service=HAJNDI | AutoDiscoveryGroup |
    | 1161 | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor | Port |
    | 1162 | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent,service=trapd,type=logger | Port |
    | 3528 | TCP | conf/jacorb.properties | (properties file, no MBean) | OAPort |
    | 4447 | TCP | deploy/cluster-service.xml | jboss:service=invoker,type=jrmpha (legacy 4.0.x invoker) | RMIObjectPort |
    | 4448 | TCP | deploy/cluster-service.xml | jboss:service=invoker,type=pooledha (legacy 4.0.x invoker) | ServerBindPort |
    | 49152 | TCP | deploy/cluster-service.xml | jboss:service=${jboss.partition.name:DefaultPartition} | start_port on FD_SOCK |
    | 49153 | TCP | deploy/tc5-cluster.sar/META-INF/jboss-service.xml | jboss.cache:service=TomcatClusteringCache | start_port on FD_SOCK |
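    The three tables above are easiest to act on as an inventory that can be checked against the firewall policy. The following Python script is an added example (not from this wiki page and not part of JBoss): it reads a set of service descriptors, looks up the service-name/attribute pairs listed in the tables, and reports which fixed ports the firewall must pass, which configured ports the firewall does not allow, which port attributes are still 0 (an anonymous port, which the firewall cannot be opened for) and which deployed services always bind an anonymous port. The PORT_ATTRIBUTES list covers a subset of the table rows, and the descriptor texts and the allow-list are constructed samples, not shipped JBoss files.

```python
import xml.etree.ElementTree as ET

# (service name, attribute name) pairs taken from the port tables above (subset).
PORT_ATTRIBUTES = [
    ("jboss:service=Naming", "Port"),
    ("jboss:service=Naming", "RmiPort"),
    ("jboss:service=invoker,type=jrmp", "RMIObjectPort"),
    ("jboss:service=invoker,type=pooled", "ServerBindPort"),
    ("jboss:service=WebService", "Port"),
    ("jboss:service=HAJNDI", "Port"),
    ("jboss:service=HAJNDI", "RmiPort"),
]

# Services the tables mark with footnotes (a) and (b): they bind an anonymous
# port that cannot be fixed; the only remedy is removing the descriptor.
ANONYMOUS_PORT_SERVICES = {
    "jboss.mq:service=InvocationLayer,type=RMI",
    "jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor",
}


def audit_descriptors(descriptors, allowed_tcp):
    """descriptors: {descriptor path: XML text}; allowed_tcp: TCP ports the firewall passes.

    Returns a report with the fixed ports the firewall already allows, the fixed ports it
    blocks, attributes left at 0 (anonymous port), attributes set to -1 (listener off, as
    the NamingService comment on this page documents), values that are unresolved
    ${...} placeholders, and deployed services that always bind an anonymous port.
    """
    report = {"allowed": {}, "blocked": {}, "unfixed": [], "disabled": [],
              "unresolved": [], "anonymous": []}
    for path, xml_text in descriptors.items():
        root = ET.fromstring(xml_text)
        for mbean in root.iter("mbean"):
            name = mbean.get("name", "")
            if name in ANONYMOUS_PORT_SERVICES:
                report["anonymous"].append((name, path))
            for service, attr in PORT_ATTRIBUTES:
                if name != service:
                    continue
                node = mbean.find(f"attribute[@name='{attr}']")
                if node is None or node.text is None:
                    continue
                key = f"{service}/{attr}"
                text = node.text.strip()
                if not text.lstrip("-").isdigit():
                    report["unresolved"].append((key, text))  # e.g. ${jboss.some.port}
                    continue
                port = int(text)
                if port < 0:
                    report["disabled"].append(key)
                elif port == 0:
                    report["unfixed"].append(key)
                elif port in allowed_tcp:
                    report["allowed"][port] = key
                else:
                    report["blocked"][port] = key
    return report


def ports_to_open(report):
    """All fixed listening ports found, whether or not the firewall currently allows them."""
    return sorted(set(report["allowed"]) | set(report["blocked"]))


# Constructed sample descriptors (not real JBoss files): RmiPort is left at 0 and
# the deprecated RMI invocation layer is still deployed.
SAMPLE_DESCRIPTORS = {
    "conf/jboss-service.xml": """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="RmiPort">0</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker" name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.pooled.server.PooledInvoker" name="jboss:service=invoker,type=pooled">
    <attribute name="ServerBindPort">4445</attribute>
  </mbean>
  <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
    <attribute name="Port">8083</attribute>
  </mbean>
</server>""",
    "deploy/jms/rmi-il-service.xml": """<server>
  <mbean code="org.jboss.mq.il.rmi.RMIServerILService" name="jboss.mq:service=InvocationLayer,type=RMI"/>
</server>""",
}
SAMPLE_ALLOWED = {1098, 1099, 4444}  # constructed firewall allow-list

if __name__ == "__main__":
    result = audit_descriptors(SAMPLE_DESCRIPTORS, SAMPLE_ALLOWED)
    for section, entries in result.items():
        print(f"{section}: {entries}")
    print("ports to open:", ports_to_open(result))
```

    Run against a real server directory by reading each descriptor path from the tables into the `descriptors` dict; a non-empty `unfixed` or `anonymous` list means the firewall rule set cannot be made to match what the server actually binds.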

     

     

    One possible configuration for RMI through a firewall

     

    NOTE: this was only tested in version 3.2.5 with Java 1.4, but information in the forums indicates that this method has worked for several years. Search the forums for NAT to find related information.

     

    Open three ports through your firewall: one for the naming service Port, a second for the naming service RmiPort, and a third for the jrmp invoker's RMIObjectPort. These ports must be "fixed" on the system behind the firewall so that communication always happens on the ports opened through the firewall. This is done in the jboss-service.xml file.

     

       <mbean code="org.jboss.naming.NamingService"
          name="jboss:service=Naming">
          <!-- The listening port for the bootstrap JNP service. Set this to -1
            to run the NamingService without the JNP invoker listening port.
          -->
          <attribute name="Port">1099</attribute>
          <attribute name="RmiPort">1098</attribute>
       </mbean>
    

     

    and

     

       <!-- RMI/JRMP invoker -->
       <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
          name="jboss:service=invoker,type=jrmp">
          <attribute name="RMIObjectPort">4444</attribute>
          <!--
          <attribute name="ServerAddress">${jboss.bind.address}</attribute>
          <attribute name="RMIClientSocketFactory">custom</attribute>
          <attribute name="RMIServerSocketFactory">custom</attribute>
          <attribute name="SecurityDomain">ssl-domain-name</attribute>
          -->
    
          <depends>jboss:service=TransactionManager</depends>
       </mbean>
    

     

    Then, on the system behind the firewall, the following parameters need to be added to the java command line in the run.sh script to pass back the "correct" RMI information to the system outside of the firewall.  "Correct" in this case means the hostname that the outside system refers to when addressing the system behind the firewall.

     

        -Djava.rmi.server.hostname=<external_host_name>
        -Djava.rmi.server.useLocalHostname=true
    

    NOTE: shouldn't it be -Djava.rmi.server.useLocalHostname=false, since it should NOT return the local host name? Works here (4.2.2.GA) when set to false.

     

    This solves the problem of the machine behind the firewall passing back its local IP address, which the machine outside the firewall cannot reach. NOTE: this assumes a fairly simple setup in which everything outside the firewall refers to the machine behind the firewall by the same host name.

     

    In more complex configurations, it may be necessary for the system running behind the firewall to be able to resolve

    :1099" when the initial context is created for the RMI access.

     

     

    PooledInvoker

    When using the PooledInvoker, the "ClientConnectAddress" attribute (in jboss-service.xml) is the host name that clients use to connect to the server. You may need to set this to a DNS name that remote clients can resolve; it defaults to the hostname of the server running JBoss, which remote clients may not be able to reach.

     

     

    To invoke services behind a firewall or NAT you need to modify two files:

     

    jboss/server/default/deploy/ejb3.deployer/META-INF/jboss-service.xml

     

       <mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
          <depends>jboss.aop:service=AspectDeployer</depends>
          <attribute name="Configuration">
             <config>
                <invoker transport="socket">
                   <attribute name="numAcceptThreads">1</attribute>
                   <attribute name="maxPoolSize">300</attribute>
                   <attribute name="clientMaxPoolSize" isParam="true">50</attribute>
                   <attribute name="timeout" isParam="true">60000</attribute>
                   <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
                   <attribute name="serverBindPort">3873</attribute>
                   <!-- that's the important setting: the address and port remote clients connect to -->
                   <attribute name="clientConnectAddress">webaddress.com</attribute>
                   <attribute name="clientConnectPort">3873</attribute>
                   <attribute name="backlog">200</attribute>
                </invoker>
                <handlers>
                   <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
                </handlers>
             </config>
          </attribute>
       </mbean>
    

     

    and

     

    /jboss/server/default/deploy/http-invoker.sar/META-INF/jboss-services.xml

     

       <!-- The HTTP invoker service configuration -->
       <mbean code="org.jboss.invocation.http.server.HttpInvoker"
          name="jboss:service=invoker,type=https">
          <!-- Use a URL of the form http://<hostname>:8080/invoker/EJBInvokerServlet
            where <hostname> is the InetAddress.getHostname value on which the server
            is running.
          -->
          <attribute name="InvokerURL">https://webaddress.com:8443/invoker/EJBInvokerServlet</attribute>
          <attribute name="InvokerURLPrefix">https://</attribute>
          <attribute name="InvokerURLSuffix">:8443/invoker/EJBInvokerServlet</attribute>
          <!-- important to turn it off -->
          <attribute name="UseHostName">false</attribute>
       </mbean>
    
       <!-- Expose the Naming service interface via HTTPS -->
       <mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
          name="jboss:service=invoker,type=https,target=Naming">
          <!-- The Naming service we are proxying -->
          <attribute name="InvokerName">jboss:service=Naming</attribute>
          <!-- Compose the invoker URL from the cluster node address -->
          <attribute name="InvokerURL">https://webaddress.com:8443/invoker/JMXInvokerServlet</attribute>
          <attribute name="InvokerURLPrefix">https://</attribute>
          <attribute name="InvokerURLSuffix">:8443/invoker/JMXInvokerServlet</attribute>
          <attribute name="UseHostName">false</attribute>
          <attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
          <attribute name="JndiName"></attribute>
          <attribute name="ClientInterceptors">
             <interceptors>
                <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
                <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
                <interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
                <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
             </interceptors>
          </attribute>
       </mbean>
    

     
