UsingJBossBehindAFirewall

Configuring JBoss for use Behind a Firewall

 

JBoss comes with many socket based services that open listening ports. This section lists the services that open ports which may need to be configured when JBoss is accessed from behind a firewall. The following table shows the port, socket type, associated service name and attribute, and the service descriptor in which the port is configured, for the services in the default configuration file set.

 

Port  | Type | Service Descriptor                                       | Service Name                                                                    | Attribute Name
------+------+----------------------------------------------------------+---------------------------------------------------------------------------------+-------------------------------
1098  | TCP  | conf/jboss-service.xml                                   | jboss:service=Naming                                                            | RmiPort
1099  | TCP  | conf/jboss-service.xml                                   | jboss:service=Naming                                                            | Port
3873  | TCP  | deploy/ejb3.deployer/META-INF/jboss-service.xml          | jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3            | InvokerLocator
4444  | TCP  | conf/jboss-service.xml                                   | jboss:service=invoker,type=jrmp (legacy 4.0.x invoker)                          | RMIObjectPort
4445  | TCP  | conf/jboss-service.xml                                   | jboss:service=invoker,type=pooled (legacy 4.0.x invoker)                        | ServerBindPort
4446  | TCP  | conf/jboss-service.xml                                   | jboss.remoting:service=Connector,transport=socket (EJB2 beans in AS/EAP 4.2+)   | serverBindPort on Configuration
8009  | TCP  | deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml  | jboss.web:service=WebServer                                                     | port on AJP Connector
8080  | TCP  | deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml  | jboss.web:service=WebServer                                                     | port on HTTP Connector
8083  | TCP  | conf/jboss-service.xml                                   | jboss:service=WebService                                                        | Port
8090  | TCP  | deploy/jms/oil-service.xml                               | jboss.mq:service=InvocationLayer,type=OIL                                       | ServerBindPort
8092  | TCP  | deploy/jms/oil2-service.xml                              | jboss.mq:service=InvocationLayer,type=OIL2                                      | ServerBindPort
8093  | TCP  | deploy/jms/uil2-service.xml                              | jboss.mq:service=InvocationLayer,type=UIL2                                      | ServerBindPort
0 (a) | TCP  | deploy/jms/rmi-il-service.xml                            | jboss.mq:service=InvocationLayer,type=RMI                                       | NONE
0 (b) | UDP  | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml       | jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor                              | NONE

 

(a) This service binds to an anonymous TCP port and does not support configuration of the port or bind interface. Remove rmi-il-service.xml to disable it. NOTE: this RMI invocation layer has been deprecated since the beginning of 2005.

(b) This service binds to an anonymous UDP port and does not support configuration of the port or bind interface. Remove snmp-adaptor.sar to disable it.

 

JBossMessaging will use these ports:

Port              | Type | Service Descriptor                                        | Service Name                                          | Attribute Name
------------------+------+-----------------------------------------------------------+-------------------------------------------------------+---------------------
4457              | TCP  | deploy/jboss-messaging.sar/remoting-bisocket-service.xml  | jboss.messaging:service=Connector,transport=bisocket  | serverBindPort
Random by default | TCP  | deploy/jboss-messaging.sar/remoting-bisocket-service.xml  | jboss.messaging:service=Connector,transport=bisocket  | secondaryBindPort
Random by default | TCP  | deploy/jboss-messaging.sar/remoting-bisocket-service.xml  | jboss.messaging:service=Connector,transport=bisocket  | secondaryConnectPort

 

  • If you are using JBossMessaging in your configuration, none of the deploy/jms ports listed in the first table will be in use.

 

Additional ports found in the all configuration:

Port  | Type | Service Descriptor                                   | Service Name                                                  | Attribute Name
------+------+------------------------------------------------------+---------------------------------------------------------------+---------------------
1100  | TCP  | deploy/cluster-service.xml                           | jboss:service=HAJNDI                                          | Port
1101  | TCP  | deploy/cluster-service.xml                           | jboss:service=HAJNDI                                          | RmiPort
1102  | UDP  | deploy/cluster-service.xml                           | jboss:service=HAJNDI                                          | AutoDiscoveryGroup
1161  | UDP  | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml   | jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor            | Port
1162  | UDP  | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml   | jboss.jmx:name=SnmpAgent,service=trapd,type=logger            | Port
3528  | TCP  | conf/jacorb.properties                               |                                                               | OAPort
4447  | TCP  | deploy/cluster-service.xml                           | jboss:service=invoker,type=jrmpha (legacy 4.0.x invoker)      | RMIObjectPort
4448  | TCP  | deploy/cluster-service.xml                           | jboss:service=invoker,type=pooledha (legacy 4.0.x invoker)    | ServerBindPort
49152 | TCP  | deploy/cluster-service.xml                           | jboss:service=${jboss.partition.name:DefaultPartition}        | start_port on FD_SOCK
49153 | TCP  | deploy/tc5-cluster.sar/META-INF/jboss-service.xml    | jboss.cache:service=TomcatClusteringCache                     | start_port on FD_SOCK

 

 

One possible configuration for RMI through a firewall

 

NOTE: this was only tested in version 3.2.5 with Java 1.4, but information in the forums indicates that this method has worked for several years. Search for NAT to find related information.

 

Open three ports through your firewall, one for the naming service, a second for the naming service RmiPort, and a third for the jrmp RMIObjectPort.  These ports must be "fixed" on the system behind the firewall so that communications always happen on ports opened through the firewall.  This is done in the jboss-service.xml file.

 

   <mbean code="org.jboss.naming.NamingService"
      name="jboss:service=Naming">
      <!-- The listening port for the bootstrap JNP service. Set this to -1
        to run the NamingService without the JNP invoker listening port.
      -->
      <attribute name="Port">1099</attribute>
      <attribute name="RmiPort">1098</attribute>
   </mbean>

 

and

 

   <!-- RMI/JRMP invoker -->
   <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
      name="jboss:service=invoker,type=jrmp">
      <attribute name="RMIObjectPort">4444</attribute>
      <!--
      <attribute name="ServerAddress">${jboss.bind.address}</attribute>
      <attribute name="RMIClientSocketFactory">custom</attribute>
      <attribute name="RMIServerSocketFactory">custom</attribute>
      <attribute name="SecurityDomain">ssl-domain-name</attribute>
      -->

      <depends>jboss:service=TransactionManager</depends>
   </mbean>

 

Then, on the system behind the firewall, the following parameters need to be added to the java command line in the run.sh script to pass back the "correct" RMI information to the system outside of the firewall.  "Correct" in this case means the hostname that the outside system refers to when addressing the system behind the firewall.

 

    -Djava.rmi.server.hostname=<external_host_name>
    -Djava.rmi.server.useLocalHostname=true

NOTE: shouldn't it be -Djava.rmi.server.useLocalHostname=false, since it should NOT return the local host name? Works here (4.2.2.GA) with it set to false.

 

This solves the problem of the machine behind the firewall passing back its local IP address, which the machine outside the firewall cannot reach. NOTE: this assumes a fairly simple setup in which everything outside the firewall refers to the machine behind the firewall by the same host name.

 

In more complex configurations, it may be necessary for the system running behind the firewall to be able to resolve "<external_host_name>:1099" itself when the initial context is created for the RMI access.

 

 

PooledInvoker

When using the PooledInvoker, the attribute "ClientConnectAddress" (in jboss-service.xml) is the host name that clients will use to connect to the server. You may need to set this to a DNS name that remote clients can resolve: it defaults to the hostname of the server running JBoss, which may not be reachable by remote clients.

 

 

To invoke services behind a firewall or NAT you need to modify two files:

 

jboss/server/default/deploy/ejb3.deployer/META-INF/jboss-service.xml

 

    <mbean code="org.jboss.remoting.transport.Connector"
           name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
       <depends>jboss.aop:service=AspectDeployer</depends>
       <attribute name="Configuration">
          <config>
             <invoker transport="socket">
                <attribute name="numAcceptThreads">1</attribute>
                <attribute name="maxPoolSize">300</attribute>
                <attribute name="clientMaxPoolSize" isParam="true">50</attribute>
                <attribute name="timeout" isParam="true">60000</attribute>
                <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
                <attribute name="serverBindPort">3873</attribute>
                <!-- these are the important settings: the address and port that
                     remote clients use to reach the server through the firewall/NAT -->
                <attribute name="clientConnectAddress">webaddress.com</attribute>
                <attribute name="clientConnectPort">3873</attribute>
                <attribute name="backlog">200</attribute>
             </invoker>
             <handlers>
                <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
             </handlers>
          </config>
       </attribute>
    </mbean>

 

and

 

/jboss/server/default/deploy/http-invoker.sar/META-INF/jboss-service.xml

 

 
<!-- The HTTP invoker service configuration -->
<mbean code="org.jboss.invocation.http.server.HttpInvoker"
       name="jboss:service=invoker,type=https">
   <!-- Use a URL of the form http://<hostname>:8080/invoker/EJBInvokerServlet
        where <hostname> is the InetAddress.getHostname value on which the server
        is running. Here it is fixed to the externally reachable name and port.
   -->
   <attribute name="InvokerURL">https://webaddress.com:8443/invoker/EJBInvokerServlet</attribute>
   <attribute name="InvokerURLPrefix">https://</attribute>
   <attribute name="InvokerURLSuffix">:8443/invoker/EJBInvokerServlet</attribute>
   <!-- important to turn it off -->
   <attribute name="UseHostName">false</attribute>
</mbean>

<!-- Expose the Naming service interface via HTTPS -->
<mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
       name="jboss:service=invoker,type=https,target=Naming">
   <!-- The Naming service we are proxying -->
   <attribute name="InvokerName">jboss:service=Naming</attribute>
   <!-- Compose the invoker URL from the cluster node address -->
   <attribute name="InvokerURL">https://webaddress.com:8443/invoker/JMXInvokerServlet</attribute>
   <attribute name="InvokerURLPrefix">https://</attribute>
   <attribute name="InvokerURLSuffix">:8443/invoker/JMXInvokerServlet</attribute>
   <attribute name="UseHostName">false</attribute>
   <attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
   <attribute name="JndiName"></attribute>
   <attribute name="ClientInterceptors">
      <interceptors>
         <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
         <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
         <interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
         <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
      </interceptors>
   </attribute>
</mbean>
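As an added example (not part of the original page or of the JBoss project), the following Python script inventories the listening ports that descriptors like the ones in the RMI section and the EJB3 connector section above declare, so they can be checked against the firewall rule set before a port is forgotten or left on a random default. It understands both layouts shown on this page: the plain "Port" / "RmiPort" / "RMIObjectPort" attributes of the Naming and JRMP invoker mbeans, and the "serverBindPort" attribute nested inside a Remoting connector's Configuration block. The sample descriptor and the allow-lists are constructed for the example; the attribute names come from the tables above.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names that carry a listening port in the tables on this page.
PORT_ATTRIBUTES = {"Port", "RmiPort", "RMIObjectPort", "ServerBindPort",
                   "serverBindPort", "secondaryBindPort"}

# Constructed sample descriptor: the Naming, JRMP invoker and EJB3 connector
# mbeans from this page, with one port left on a ${property:default} expression.
SAMPLE_DESCRIPTOR = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="RmiPort">1098</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
         name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
  </mbean>
  <mbean code="org.jboss.remoting.transport.Connector"
         name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
    <attribute name="Configuration"><config><invoker transport="socket">
      <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
      <attribute name="serverBindPort">${ejb3.port:3873}</attribute>
    </invoker></config></attribute>
  </mbean>
</server>"""


def resolve(value):
    """Turn '1099' or '${prop:1099}' into 1099; anything unresolvable is None."""
    m = re.fullmatch(r"\$\{[^:}]+(?::([^}]*))?\}", value.strip())
    text = (m.group(1) or "") if m else value.strip()
    return int(text) if text.isdigit() else None


def declared_ports(descriptor_xml):
    """Map (mbean name, attribute name) -> port for every port attribute,
    including those nested inside a Remoting <config><invoker> block."""
    ports = {}
    for mbean in ET.fromstring(descriptor_xml).iter("mbean"):
        for attr in mbean.iter("attribute"):  # iter() descends into <config>
            if attr.get("name") in PORT_ATTRIBUTES:
                ports[(mbean.get("name"), attr.get("name"))] = resolve(attr.text or "")
    return ports


def not_allowed(ports, allowed):
    """Services whose port is unresolved or absent from the firewall allow-list."""
    return sorted(k for k, p in ports.items() if p is None or p not in allowed)
```

Run declared_ports() over each descriptor listed in the tables and compare the result with the ports actually opened on the firewall; a non-empty not_allowed() list means a service is bound where clients cannot reach it, or is still on a random port.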
