This is the way we are running our nodes behind a PIX firewall; however, it is a bit of a battle keeping up with bridge hostname / IP changes. I started a FAQ entry for known bridge server hostnames on AGCentral; however, I think now that may be woefully out of date.
Is there any way we can set up a central page that can list known bridge server hostnames and can be updated by the site administrators when/if they change? As an aside, I'm not sure if this strategy will be as easy to implement with the dynamic bridging on AG3; however, again, if there is a known good list, this will make approaching the firewall administrators a bit easier.

Todd

Nagykaldi, Zsolt F. (HSC) wrote:
>
> For those of us who are not living in a network dreamland, a feasible solution is to focus on the trusted IPs of the unicast bridges instead of the UDP port range. This is what we did here at OU and it works great for us. While for a small entity it may fly to open UDP ports 30K - 60K (if their ISP does not get a heart attack when you ask), a larger entity (University) may rather want to allow incoming packets through by allowing the distinct IPs of the unicast bridges in the firewall. This is a much better solution. If you use regular PIX firewalls and want to use e.g. the NCSA rooms, the next statement should be added to your firewall protocols:
>
> object-group network video_allowed_inbound
>  network-object host 141.142.222.31
>  network-object host 141.142.6.17
>
> These IPs are for venuesbridge and roebridge. For new bridges you will have to ask your IT to add them individually.
>
> I hope this will help.
>
> Zsolt
>
> _ _ _
>
> Zsolt Nagykaldi, PhD
> Research Associate, Clinical IT Specialist
> University Of Oklahoma Health Sciences Center
> Department Of Family And Preventive Medicine
> Oklahoma Center For Family Medicine Research
>
> 900 NE 10th Street
> Oklahoma City, OK 73104
> Phone: (405) 271-8000 Ext.: 1-32212
> Fax: (405) 271-1682
>
> ------------------------------------------------------------------------
> *From:* [email protected] on behalf of Andrew A Rowley
> *Sent:* Fri 4/7/2006 3:00 AM
> *To:* Masullo, Chris F; [email protected]
> *Subject:* RE: [AG-TECH] Firewall and unicast questions
>
> Hi,
>
> I know of various places that are running AG from behind a firewall using both multicast and unicast.
>
> Using unicast means that you add strain to the bridge for the venue. However, I have not seen any bridges fail under strain so far (others may have seen this). The other problem with unicast and firewalls is the port numbers. The bridges will be assigned random port numbers within a fixed range, so the only way to guarantee that you will be able to use the bridge is to open up the entire range. This range will depend on the venue server. Of course, with dynamic multicast venues you would have the same problem; however, with static venues you could at least open the fixed port numbers in use. AG Connector can also help with the port number problem, since it only uses a single fixed port.
>
> The only other problem I have seen with firewalls is when the firewall cannot cope with the amount of traffic passing with large AG meetings. It is worth finding out what bandwidth the firewall can cope with if you regularly join large meetings.
>
> Andrew :)
>
> ============================================
> Access Grid Support Centre,
> RSS Group,
> Manchester Computing,
> Kilburn Building,
> University of Manchester,
> Oxford Road,
> Manchester,
> M13 9PL,
> UK
> Tel: +44(0)161-275 0685
> Email: [email protected]
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Masullo, Chris F
>> Sent: 06 April 2006 17:04
>> To: [email protected]
>> Subject: [AG-TECH] Firewall and unicast questions
>>
>> Hello All,
>>
>> We currently have our AG nodes outside our firewall; however, cyber security has told us that we need to move the systems inside our firewall. The last time I brought up this issue a number of years ago I was told that multicast would not get past our firewall. I have some questions regarding this issue.
>>
>> Has anyone successfully placed an AG VTC system behind a Cisco Firewall?
>> Are there any issues using unicast mode for an AG node behind a firewall?
>> If not, then why not run unicast?
>>
>> I have looked through the mailer; however, I do not see any answers to these questions.
>>
>> Thanks in advance
>>
>> Chris Masullo
>> Information Technology Division
>> Brookhaven National Laboratory
>> Network Engineering & Operations
>> 61 Brookhaven Ave.
>> Upton, NY 11973
>> Phone: (631) 344-2326
>> Fax: (631) 344-7688
>>
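The "known bridge list versus what the PIX actually allows" problem Todd raises, as an added example that is not code from any poster in this thread: it parses the `object-group network` block quoted above, compares it against a site-maintained list of bridge addresses, and renders the group that should be in place. The hostnames and the 192.0.2.x / 198.51.100.x addresses are constructed; resolving hostnames (e.g. with `socket.gethostbyname`) is left to the caller so the script runs offline.

```python
"""Report drift between a list of trusted unicast-bridge IPs and a PIX
object-group. Added example; hostnames/extra IPs below are constructed."""
import ipaddress
import re

# Site-maintained list of bridge hostnames -> resolved IPs (constructed; the two
# 141.142.x.x addresses are the ones quoted in the thread).
KNOWN_BRIDGES = {
    "venuesbridge.example.org": "141.142.222.31",  # constructed hostname
    "roebridge.example.org": "141.142.6.17",       # constructed hostname
    "newbridge.example.org": "192.0.2.10",         # constructed, RFC 5737 range
}

GROUP = "video_allowed_inbound"

# What the firewall currently holds (constructed; mirrors the quoted config).
CURRENT_CONFIG = """\
object-group network video_allowed_inbound
 network-object host 141.142.222.31
 network-object host 141.142.6.17
"""


def parse_object_group(config, name):
    """Return the set of 'network-object host' addresses in the named group."""
    hosts, inside = set(), False
    for line in config.splitlines():
        if line.startswith("object-group "):
            inside = line.split() == ["object-group", "network", name]
        elif not line.startswith(" "):      # PIX sub-commands are indented
            inside = False
        elif inside:
            m = re.match(r"\s*network-object host (\S+)$", line)
            if m:
                hosts.add(m.group(1))
    return hosts


def render_object_group(name, hosts):
    """Emit the PIX object-group for the given bridge IPs, numerically sorted."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object host {ip}" for ip in sorted(hosts, key=ipaddress.ip_address)]
    return "\n".join(lines)


def drift(bridge_ips, config, name=GROUP):
    """Return (bridges missing from the firewall, firewall entries no longer on the list)."""
    wanted = set(bridge_ips.values())
    current = parse_object_group(config, name)
    key = ipaddress.ip_address          # also rejects malformed addresses
    return sorted(wanted - current, key=key), sorted(current - wanted, key=key)


if __name__ == "__main__":
    missing, stale = drift(KNOWN_BRIDGES, CURRENT_CONFIG)
    print("missing from firewall:", missing, "stale in firewall:", stale)
    print(render_object_group(GROUP, KNOWN_BRIDGES.values()))
```

Run it against a copy of the real object-group whenever the central bridge list changes; a non-empty "missing" list is the change request to hand to the firewall administrators.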

