The problem is that, while RAT uses the same source port as destination port, which allows it to work through reflexive firewalls (those that open the source port based on the outgoing connection), VIC does not. VIC instead uses an ephemeral port as the source port, which will not be opened according to a reflexive rule.

We received a patch from Chris Willing to make VIC first try to match the source port to the destination port, then use an ephemeral port if that fails. The first part of the patch worked, but a second instance of this vic never started (on Windows, at least). If someone would like to take up looking at that patch, I'd be happy to work with them to test it and get it into the core toolkit for the next release. Details (and the patch) can be found in Bug 1228:
http://bugzilla.mcs.anl.gov/accessgrid/show_bug.cgi?id=1228

Tom

On 1/30/06 3:17 PM, Nagykaldi, Zsolt F. (HSC) wrote:
>
> 2 comments:
>
> 1) Win XP SP2 indeed self-configures the client machine firewall for the AG Toolkit. The problem is that most Universities have a group policy to overtake individual firewall control (usually they turn it off) when the PC is connected to the local network. This renders local settings void and only central settings count.
> 2) Interestingly, RAT almost always works (apart when clients have "local" IPs assigned by PIX, where port forwarding or dedicated IP address assignment help only), but VIC almost never works just by installing the Toolkit behind regular firewalls. This tells me that in the case of VIC, the connection is actually initiated by the server (???) and since many networks specifically block INBOUND connections, VIC can not receive incoming video, while RAT is fine (client initiates connection??). This would explain why in many cases parties can talk and may be visible on one side, but can not receive video on the other (ominous "waiting for video..." message). I wonder whether something could be done regarding this specific problem (i.e. can VIC work like RAT in this regard).
>
> Zsolt
>
> _ _ _
>
> Zsolt Nagykaldi, PhD
> Research Associate, Clinical IT Specialist
> University Of Oklahoma Health Sciences Center
> Department Of Family And Preventive Medicine
> Oklahoma Center For Family Medicine Research
>
> 900 NE 10th Street
> Oklahoma City, OK 73104
> Phone: (405) 271-8000 Ext.:1-32212
> Fax: (405) 271-1682
>
> ------------------------------------------------------------------------
> *From:* Piers O'Hanlon [mailto:p.ohanlon@cs.ucl.ac.uk]
> *Sent:* Mon 1/30/2006 12:21 PM
> *To:* michael.daw@manchester.ac.uk
> *Cc:* Nagykaldi, Zsolt F. (HSC); ag-tech; Socrates Varakliotis
> *Subject:* Re: [AG-TECH] Access Grid 3.0 beta1 available !
>
> Hi Mike (and others),
>
> > We discussed doing this as part of the SUMOVER project workshop in November. This project is updating vic and rat at UCL, mainly for the AG community. I can't remember where it was on the priority list, though...
>
> I guess there's a couple of issues here - There's port selection, and there's firewall config.
>
> - As mentioned by others the media port ranges are controlled by the AG server's config - these can be taken down to narrower ranges. There shouldn't be too much of an issue with multicast venue address clashing if the 233/8 GLOP addressing is used by the servers.
>
> - Secondly the firewall interaction then depends on which platform AG client is running on - For those lucky folk running WinXP-SP2 I understand that AG will automatically configure the windows firewall to let AG traffic pass (could possibly explain lack of connectivity in one previous email if things go wrong?). If you're not running Windows Firewall then you're probably back to manual FW config. If you're running Linux then you'll need to open some holes in your firewall (iptables/ipchains etc) manually.
>
> I should mention that most of this is out of scope of the media tools themselves as UDP port selection isn't generally done by the tools themselves. The one caveat is that vic does normally allow the OS to choose the source port when it sends video packets, though this doesn't usually matter if the firewall is appropriately configured. If needs be we could add an option to enable source port selection, or 'symmetric' ports usage.
>
> Piers.
>
> > More information (though sparse!):
> > http://www.cs.ucl.ac.uk/research/sumover/
>
> It has been updated today with more info.
>
> Piers.
>
> > Perhaps one of the team could enlighten us...?!
> >
> > ------------------------------------------------------------------------
> > *From:* owner-ag-tech@mcs.anl.gov [mailto:owner-ag-tech@mcs.anl.gov] *On Behalf Of* Nagykaldi, Zsolt F. (HSC)
> > *Sent:* 30 January 2006 15:19
> > *To:* ag-tech
> > *Subject:* RE: [AG-TECH] Access Grid 3.0 beta1 available !
> >
> > It seems that most practical problems during implementation come from firewall issues. Are you guys planning to (at least) narrow the UDP port range for VIC and RAT, or maybe (in my dreams) tunnel all audio/video traffic through a few number of ports that are usually open? I have been networking with a lot of people who are desperate to set up their nodes and they hit a brick wall every time it comes to push changes through their IT departments, who are freaking out about the idea of opening ports in such a wide range. More and more people would like to use the system via PIGs and not necessarily big institutional nodes that require weeks, if not months of negotiations and arm-twisting each time a new client is added at a new location. (The AG Connector would be really helpful, except it causes an ominous looping drop of all audio-video connections, as it has been reported before, and it is very unreliable). Extra features in v3.0 are nice, but I truly believe that the firewall/ports issue is the most significant barrier to wider adoption of the Toolkit.
> >
> > Zsolt
> >
> > _ _ _
> >
> > Zsolt Nagykaldi, PhD
> > Research Associate, Clinical IT Specialist
> > University Of Oklahoma Health Sciences Center
> > Department Of Family And Preventive Medicine
> > Oklahoma Center For Family Medicine Research
> >
> > 900 NE 10th Street
> > Oklahoma City, OK 73104
> > Phone: (405) 271-8000 Ext.:1-32212
> > Fax: (405) 271-1682
> >
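
The source-port behaviour discussed at the top of this thread (try source port equal to destination port, fall back to an ephemeral port), as an added example that is not from the thread or from the VIC patch. The names `open_media_socket`, `ReflexiveFirewall` and `media_gets_through` are hypothetical, and the firewall is a simplified model that tracks only the local port opened by outbound traffic.

```python
import socket


def open_media_socket(dest_port, bind_addr="0.0.0.0"):
    """Return (sock, symmetric).

    First try to bind the UDP source port to dest_port ("symmetric" ports,
    the RAT behaviour described in the thread). If that bind fails, for
    instance because the port is already in use, let the OS pick an
    ephemeral source port instead (the original VIC behaviour).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((bind_addr, dest_port))
        return sock, True
    except OSError:
        # A failed bind leaves the socket unbound, so it can be bound again.
        sock.bind((bind_addr, 0))
        return sock, False


class ReflexiveFirewall:
    """Simplified model (assumption): an outbound packet opens its own
    source port for inbound traffic; every other inbound port is dropped."""

    def __init__(self):
        self.open_ports = set()

    def outbound(self, src_port):
        self.open_ports.add(src_port)

    def inbound_allowed(self, dst_port):
        return dst_port in self.open_ports


def media_gets_through(sock, dest_port):
    """Would media addressed to dest_port pass the modelled firewall after
    this socket has sent one outbound packet from its bound source port?"""
    fw = ReflexiveFirewall()
    fw.outbound(sock.getsockname()[1])
    return fw.inbound_allowed(dest_port)
```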