ID-provider ports shenanigans


Hi all,
I have a weird issue with the id-provider. We want to use it to create
unique numbers for the userapp. Everything works nicely in the dev
environment but in acceptance we are running into network issues
because the uapp is running in a separate LAN. I used wireshark on both
ends to see what is happening and this is it:

1. UAPP requests on tcp 1199 from random port - Firewall OK
2. IDV replies from tcp 1199 to that port - Firewall OK
3. A new stream is opened from the IDV to Uapp on port 56995 - Firewall
Blocks
4. I get -1:(

I see nothing about this in the documentation but I did find some people
with the same problem so I thought I'd try and get to the bottom of it.

I have some questions:
1. What is the best way to solve this?
2. Is there a set range of ports for the RMI traffic?
3. Can you lock it down to a certain range?

Regards,

Albert-Jan Stevens


--
ajstevens
------------------------------------------------------------------------
ajstevens's Profile: https://forums.netiq.com/member.php?userid=3153
View this thread: https://forums.netiq.com/showthread.php?t=53205

  • The RMI stuff is documented on Java's site if you want details, but
    basically RMI, like RPC and FTP data and other protocols, arranges for an
    alternate port to be used for the real work, and that is now an option as
    well using the latest shim and packages, documented as shown below:

    https://www.netiq.com/documentation/idm45drivers/idprovider/data/b4dd0y2.html

    RMI Service port: The TCP port for the RMI ID Provider service. The server
    uses an ephemeral port if the value of this parameter is zero.

    By default you get ephemeral (high, dynamic) ports for things as you
    witnessed, so the workaround there is either to have a really smart
    firewall, or just to open those really high ports (usually 32768 to 65535
    or so) so that, when listening, things work. Thankfully NetIQ provided an
    option here, so as long as you only have the one request at a time
    (usually a safe-enough assumption considering how quickly these
    transactions happen) you're just fine.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
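    The two listeners the reply describes can be seen directly in a small Java
    RMI program. The example below is added here for illustration; it is not
    NetIQ's ID Provider code and the `IdService` interface, the "ids-*"
    registry names and the fixed service port 1200 are assumptions. The
    registry is started on 1199 (the port seen in the capture), one service
    object is exported with port 0 (the "ephemeral" behaviour the documentation
    describes for an RMI Service port of zero) and one with a fixed port. A
    custom server socket factory records which local port RMI really bound, so
    the program prints the port a firewall rule would have to allow for the
    second TCP connection.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

// Added illustration (not NetIQ code): shows the two TCP listeners behind an RMI
// service and how a fixed export port keeps the second one predictable for a firewall rule.
public class RmiPortDemo {

    // Hypothetical remote interface standing in for the ID Provider's service.
    public interface IdService extends Remote {
        long nextId() throws RemoteException;
    }

    static class IdServiceImpl implements IdService {
        private long counter = 0;
        public synchronized long nextId() { return ++counter; }
    }

    // Server socket factory that records the local port RMI actually bound for the
    // exported object. RMI calls createServerSocket(port) with the port handed to
    // exportObject(); port 0 means "let the kernel choose an ephemeral port".
    static class RecordingSsf implements RMIServerSocketFactory {
        volatile int boundPort = -1;

        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            ServerSocket ss = new ServerSocket(port);
            boundPort = ss.getLocalPort();
            return ss;
        }
    }

    /** Exports a fresh service object on requestedPort and returns the port really bound. */
    static int exportAndReport(Registry registry, String name, int requestedPort) throws IOException {
        RecordingSsf ssf = new RecordingSsf();
        IdServiceImpl impl = new IdServiceImpl();
        // null client socket factory = default client side; only the server factory is replaced.
        IdService stub = (IdService) UnicastRemoteObject.exportObject(impl, requestedPort, null, ssf);
        registry.rebind(name, stub);
        return ssf.boundPort;
    }

    public static void main(String[] args) throws Exception {
        final int registryPort = 1199;     // port seen in the Wireshark capture
        final int fixedServicePort = 1200; // assumed value for a configured "RMI Service port"

        Registry registry = LocateRegistry.createRegistry(registryPort);

        // 1) Port 0: equivalent to leaving "RMI Service port" at zero.
        int ephemeral = exportAndReport(registry, "ids-ephemeral", 0);
        System.out.println("registry listens on " + registryPort
                + ", service object listens on ephemeral port " + ephemeral);

        // 2) Fixed port: the second listener is now known in advance.
        int fixed = exportAndReport(registry, "ids-fixed", fixedServicePort);
        System.out.println("registry listens on " + registryPort
                + ", service object listens on fixed port " + fixed);

        // What the client side does: the lookup on 1199 returns a stub carrying the
        // service endpoint, and the call below opens the second TCP connection to it.
        IdService client = (IdService) LocateRegistry
                .getRegistry("localhost", registryPort).lookup("ids-fixed");
        System.out.println("nextId() over the fixed port returned " + client.nextId());

        System.exit(0); // RMI keeps non-daemon threads alive; end the demo explicitly
    }
}
```

    Run it once and compare the two printed service ports with what `ss -ltnp`
    (or the equivalent on the ID Provider host) shows while it is running: the
    registry port is the one the firewall already allows, the service port is the
    one the capture showed being blocked. With a fixed port the rule between the
    two LANs can be narrowed to exactly two TCP ports instead of the whole
    ephemeral range, which is the least-privilege outcome the reply is aiming at.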