
We have a Geode locator and server running on a machine that is behind a NAT firewall. I have replaced the firewall’s IP address with A.B.C.D and the internal IP address of the machine running the Geode locator with W.X.Y.Z.

Previously the machine running Geode had only Windows Defender Firewall enabled and an inbound rule set to allow traffic to ports 10334, 1099 and 40404 from remote IP addresses which we whitelisted. This setup allowed us to connect to the Geode locator from those remote IP addresses that were whitelisted.

However, once we placed the same machine behind the NAT firewall and configured the same rule we set up under Windows Firewall, we can no longer connect to the locator from the remote IP addresses whitelisted. The IP addresses we whitelisted are for machines outside of the firewall.

For example, when we tried connecting to the locator through gfsh, it gave us a Java connection exception as shown below in Figure 1. It appears it was able to connect to the locator running on 10334 but failed to do so for the JMX manager on port 1099 using the internal IP address of the machine running the Geode locator.

On the second try, we tried specifying the firewall’s IP address for the JMX manager tag but got a slightly different connection exception shown in Figure 1.

We also ran two Wireshark captures from the whitelisted IP address on port 1099, one for a Geode locator that was behind the Windows Firewall only in Figure 2 and the other one behind the NAT firewall (A.B.C.D) in Figure 3. We noticed on the capture for the NAT firewall that it wasn't able to establish an RMI stream, which we think is the cause of the exception given on gfsh.

Do we need to start the locator with specific settings to get this to work or is this related to allowing RMI traffic/stream on the NAT firewall? Please find the settings that the Geode locator was started with in Figure 4. In the Gemfire properties file we have the server-bind-address and jmx-manager-bind-address tags set to the internal IP address of the machine (W.X.Y.Z).

Figure 1 [image]

Figure 2 - Wireshark capture from remote machine to Geode locator behind Windows Defender Firewall [image]

Figure 3 - Wireshark capture from remote machine to Geode locator behind NAT firewall [image]

Figure 4 [image]


1 Answer


You might need to set the jmx-manager-hostname-for-clients property to point to the firewall's IP address as well. I think what happens when gfsh connects is that it actually connects to the locator port first (10334) and then discovers the JMX manager address and port and connects to that.

There is also another way to get gfsh to connect, over HTTP - https://geode.apache.org/docs/guide/114/configuring/cluster_config/gfsh_remote.html. You could try this if you can't get JMX to work. It does require starting a management HTTP service, however.
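A worked locator configuration for the two-step connection the answer describes, added here as an example and not taken from the answer or from the Geode project. The property names are Geode's; W.X.Y.Z and A.B.C.D are the question's placeholders for the internal address and the firewall's public address, and the NAT firewall is assumed to forward TCP 10334 and TCP 1099 to W.X.Y.Z.

```properties
# gemfire.properties for the locator (added example, not the question's own file)
# W.X.Y.Z = internal IP of the locator host, A.B.C.D = public IP of the NAT firewall

# --- Before: the settings the question describes ---
# gfsh reaches the locator on A.B.C.D:10334, is told the JMX manager lives at
# W.X.Y.Z:1099, and the follow-up RMI connection fails from outside the NAT.
# server-bind-address=W.X.Y.Z
# jmx-manager=true
# jmx-manager-start=true
# jmx-manager-port=1099
# jmx-manager-bind-address=W.X.Y.Z

# --- After: keep binding to the internal interface, advertise the public address ---
server-bind-address=W.X.Y.Z
jmx-manager=true
jmx-manager-start=true
jmx-manager-port=1099
jmx-manager-bind-address=W.X.Y.Z
# Address the locator hands to gfsh/JMX clients for the second (RMI) connection;
# it replaces the bind address in what the client is told, not the socket binding.
jmx-manager-hostname-for-clients=A.B.C.D
```

Restart the locator after the change; the advertised address is fixed when the JMX manager starts. Clients outside the NAT then connect with `connect --locator=A.B.C.D[10334]` and the discovered JMX endpoint resolves to A.B.C.D[1099], which is the connection the Figure 3 capture shows failing.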
