On Fri, 21 May 1999, Magowan, Richard M. (ITS) wrote:

> One of my user departments is developing an application that uses facilities
> at a site www.claimcard.com <http://www.claimcard.com>. The application
> apparently uses DCOM. The application will not work through my Gauntlet
> firewall (which I can't play with, it's managed). Claimcard tells me I have
> to implement DCOM on Gauntlet. I realize Gauntlet is a proxy-style firewall
> and that DCOM may have to be proxied. Is DCOM related to ActiveX? Is there
> a DCOM proxy for Gauntlet?

You have a problem. DCOM is one of the most firewall-unfriendly protocols
I've ever seen. First of all, it uses dynamically assigned ports. It uses
callbacks. And, worst of all, it stores the IP address of the endpoints in
the content, not only in the header. This makes NAT or proxies unusable.
(It is possible to write a proxy with NAT "repairing" the modified IP
addresses, if both endpoints use officially assigned addresses, but it's a
nasty hack.)
So the best solution is dropping DCOM altogether. Use CORBA.
Some sites use simple packet filters to support DCOM, but that's not very
secure.
If you really need to use DCOM, drop me a mail. I have an IIOP proxy I
could modify to support DCOM.

Rudi
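
The reply above notes that endpoint addresses travel in the content as well as in the IP header. The following Python sketch is an added example, not part of the original thread and not the proxy mentioned in it: it finds addresses embedded in a payload, flags the ones that no longer match the translated header, and shows that "repairing" one changes the payload length. The payload is constructed (not a real DCOM capture), and the function names and the addresses 10.1.2.3 and 192.0.2.10 are assumptions.

```python
import ipaddress
import re

# Dotted quads as ASCII and as UTF-16LE (every character followed by 0x00).
_ASCII = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
_UTF16 = re.compile(rb"(?<!\d\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?!\d\x00)")

# Constructed payload (not a real DCOM capture): 4 opaque bytes, then an
# endpoint string in UTF-16LE, then a terminator.
SAMPLE = b"\x05\x00\x07\x00" + "10.1.2.3[1047]".encode("utf-16-le") + b"\x00\x00"


def embedded_ipv4(payload):
    """Return valid IPv4 literals found in the payload, ordered by offset."""
    hits = [(m.start(), m.group().decode("ascii")) for m in _ASCII.finditer(payload)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in _UTF16.finditer(payload)]
    found = []
    for _, text in sorted(hits):
        try:
            ipaddress.IPv4Address(text)  # rejects 999.1.1.1 and similar
        except ValueError:
            continue
        if text not in found:
            found.append(text)
    return found


def stale_after_nat(payload, translated_src):
    """Embedded addresses that disagree with the translated header source."""
    return [ip for ip in embedded_ipv4(payload) if ip != translated_src]


def repair(payload, inside, outside):
    """Rewrite the inside address in both encodings.

    Returns (new_payload, length_delta). A non-zero delta means every length
    field that covers the rewritten string has to be corrected as well.
    """
    def swap(enc):
        return lambda m: outside.encode(enc) if m.group().decode(enc) == inside else m.group()

    fixed = _UTF16.sub(swap("utf-16-le"), payload)
    fixed = _ASCII.sub(swap("ascii"), fixed)
    return fixed, len(fixed) - len(payload)


if __name__ == "__main__":
    print(stale_after_nat(SAMPLE, "192.0.2.10"))
    print(repair(SAMPLE, "10.1.2.3", "192.0.2.10")[1])
```

A packet filter or NAT device that rewrites only the header leaves the first list non-empty, which is the mismatch the receiving endpoint then tries, and fails, to connect back to.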


