Using GateKeeper to Traverse a NAT Firewall
In this blog entry we describe how customers can use the VisiBroker GateKeeper to traverse a NAT firewall.
A typical scenario is a customer's VisiBroker 8.5 application deployed in an environment without firewall protection, which leaves the Servers directly reachable from the Client network and is therefore considered a security exposure.
The following is the initial deployment diagram of the application without any NAT Firewall protection:
The Servers are implemented with VisiBroker for Java (VBJ) and VisiBroker for C++ (VBC++).
The GUI Client is implemented with VBJ. The Smart Agent and VisiNaming Service are used to manage the CORBA Object References. The GUI Client needs to contact the Smart Agent to locate the Server's Object Reference before it can communicate with the Server. The Smart Agent's location mechanism relies on UDP.
Bi-Directional IIOP communication is enabled at the Client and Server side. All these processes need to communicate with each other.
To improve network security, the customer may opt to deploy the Servers behind a NAT Firewall. The following is the new deployment diagram of the application with NAT Firewall protection:
With the introduction of the NAT Firewall, the customer has to adjust the VisiBroker deployment by adding the VisiBroker GateKeeper Service.
The GateKeeper serves as a gateway or proxy between Clients and Servers when firewall and security restrictions prevent the Client from communicating with the Servers directly. Together with the VisiBroker ORB, it implements the mechanisms of the OMG CORBA Firewall specification for working within these restrictions. When the Client cannot connect directly to the Server, it can instead connect to the GateKeeper, which forwards its messages to the Server. When the Server cannot connect back to the Client to perform callbacks, the Server can connect to the GateKeeper, which forwards the callback messages to the Client.
To know more about VisiBroker GateKeeper Service, you may refer to our GateKeeper Guide.
For the purpose of this illustration, before making the GateKeeper configuration changes we need two addresses from the customer: the internal IP address of the Server host (here 10.16.11.11) and the public IP address of the NAT Firewall (here 10.17.33.33). The customer's Network Administrator is expected to have mapped the NAT Firewall's public IP address to the internal IP address of the Server host; that mapping must point at the host on which the GateKeeper listens, otherwise Clients outside the firewall cannot reach it.
The following properties are to be set at the GateKeeper:
"vbroker.se.exterior.host" is set to the internal IP address of the host running the GateKeeper.
"vbroker.se.exterior.proxyHost" is set to the public IP address of the NAT Firewall; this is the address the GateKeeper advertises in the IORs it hands to the Client.
"vbroker.se.exterior.scm.ex-iiop.listener.port" is set to the listener port number used for IIOP communication with the Client.
"vbroker.se.exterior.scm.ex-hiop.listener.port" is set to the listener port number used for HTTP communication with the Client.
"vbroker.orb.enableBiDir=both" enables Bi-Directional communication through the GateKeeper, so that Server callbacks to the Client reuse the Client's existing connection instead of requiring a new inbound connection through the NAT.
One of the challenges introduced by the NAT is that the UDP-based discovery used by the Smart Agent does not traverse a NAT Firewall. As a result, the GUI Client can no longer locate the Smart Agent or the Servers.
To overcome this, we configure the Client to ask the GateKeeper to locate the Smart Agent and Servers on its behalf. The Client communicates with the GateKeeper over IIOP. Since IIOP runs over TCP, it traverses the NAT without difficulty. The GateKeeper can still use UDP to communicate with the Smart Agent, since both reside behind the firewall. To enable this, the following additional configurations are needed at the Client side:
The “vbroker.orb.dynamicLibs=com.inprise.vbroker.firewall.Init” property loads the firewall module to enable communication with the GateKeeper.
The “vbroker.orb.gatekeeper.ior” points to the GateKeeper's IOR. The http URL specified should contain the public IP address of the NAT Firewall.
The “vbroker.agent.enableLocator=false” is set since the Client no longer communicates directly with the Smart Agent.
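Putting the two sets of properties together, here is an added example of the GateKeeper and Client property files for the addresses used in this illustration. It is not configuration taken from the original post or from the VisiBroker product documentation. It assumes that the GateKeeper runs on the Server host 10.16.11.11, that the NAT maps 10.17.33.33 to that host, and that the listener ports 8090 (IIOP) and 8088 (HTTP) and the IOR file name gatekeeper.ior are illustrative choices; substitute the ports and IOR URL your own GateKeeper actually publishes.

```properties
# gatekeeper.properties (added example; ports and IOR file name are assumed values)

# Internal address of the host running the GateKeeper (assumed: the Server host)
vbroker.se.exterior.host=10.16.11.11
# Public address of the NAT Firewall; advertised to the Client in GateKeeper IORs
vbroker.se.exterior.proxyHost=10.17.33.33
# Exterior IIOP listener for Client traffic (8090 is an assumed value)
vbroker.se.exterior.scm.ex-iiop.listener.port=8090
# Exterior HTTP listener for Client traffic (8088 is an assumed value)
vbroker.se.exterior.scm.ex-hiop.listener.port=8088
# Let Server callbacks reuse the Client's connection instead of a new inbound one
vbroker.orb.enableBiDir=both

# client.properties (added example)

# Load the firewall module so the ORB can talk to the GateKeeper
vbroker.orb.dynamicLibs=com.inprise.vbroker.firewall.Init
# Fetch the GateKeeper IOR over HTTP through the NAT's public address.
# Port and file name are assumed; the URL must use the public IP, not 10.16.11.11
vbroker.orb.gatekeeper.ior=http://10.17.33.33:8088/gatekeeper.ior
# The Client no longer contacts the Smart Agent directly over UDP
vbroker.agent.enableLocator=false
# Bi-Directional IIOP was already enabled at the Client in the pre-firewall
# deployment; it stays enabled so callbacks can reach the Client via the GateKeeper
vbroker.orb.enableBiDir=both
```

With these two files, the NAT only needs to forward the two assumed TCP ports (8090 and 8088) from 10.17.33.33 to 10.16.11.11; no UDP forwarding is required, and no other inbound port has to be opened for the Servers. Everything the Client needs to reach lives behind those two GateKeeper listeners, which is also why the GateKeeper is the one component whose exposed surface deserves the most scrutiny in this design.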
After the Client has located the Server, it will communicate with the Server via the GateKeeper. The GateKeeper acts like an IIOP Proxy, forwarding the messages between the Client and Server side.
This shows that you can migrate an existing VisiBroker application from a non-firewall deployment to a firewall deployment with minimal configuration changes. Other than the changes made at the GUI Client and GateKeeper, all configurations at the Smart Agent, VisiNaming and the VBJ and VBC++ Servers remain unchanged. Furthermore, no application source code change is required, which shortens the turnaround. Note that the GateKeeper is now the only component reachable from outside the firewall, so the NAT should forward only its ex-iiop and ex-hiop listener ports and nothing else to the internal hosts.