Title: Message
 
 
Doug,
 
Outbound restriction is becoming a real pain in the arse for us; it seems every site we install our client software on thinks they will stop viruses if they block ALL outbound ports on a firewall!
 
You need the network guys to open up the port and host combination so you can connect to your server. You also need to make sure it does NATing correctly and allows the host to return packets.
 
Sid
-----Original Message-----
From: Pierson, Doug (ITD) [mailto:[EMAIL PROTECTED]
Sent: Saturday, 6 September 2003 12:30 AM
To: [EMAIL PROTECTED]
Subject: Penetrating an outbound firewall

Hi MQers,

Does anyone have any experience with sending MQ messages outbound through a firewall that restricts outbound traffic?  The traffic needs to be delivered to numerous destination servers.  Are you using MQ-IPT?  If so, are you using multiple ports to define multiple routes and sending the traffic to IPT instances deployed at each of the target servers?  Or, is all of your traffic sent to a single IPT instance outside of the firewall using a single route?  From there, queue name resolution can be used to direct it to the true destination server with the messages in MQ protocol. 

The goal of the firewall administrator is to restrict us to minimal port usage.  We see the restriction to a single port using IPT to be too costly in terms of performance.  The traffic volume is significant.  I'm also aware of MQ5.3's introduction of the LOCLADDR channel attribute to restrict outbound traffic to a single port or range of ports.

Any comments or feedback would be much appreciated.

Thanks,
Doug Pierson



