How can we restrict http calls from client side(WSO2 esb) to open just one tcp connection with the target server?
when load increases while calling web service the esb initiate new tcp connection, but i don't want to open the new tcp connections.
Related
I am writing a proxy application that runs on IIS 7.5 (could be a WCF web service or an MVC application) which forwards some data to another process on another server which doesn't run on IIS.
This following is the situation, where S1 is the server where the proxy must forward the data to and C1 is the client:
S1 --A-- [proxy] --B-- C1
The need for the proxy application is because we want to secure the connection A with 2-way SSL. And this can easily be configured in IIS.
Because of the 2-way SSL we want to use the keep alive option of HTTP 1.1.
If connection A is closed, the proxy needs to close connection B and vice versa. Connection A can also be closed after some time out after the last response has been sent.
My question is:
How can I close connection B after connection A is closed?
So in other words let the proxy send a TCP FIN to C1.
For the proxy application I can either use an asp.net MVC web site or a WCF web service.
The problem is that the response has already been sent to the client and there is no 'current http request' between C1 and the proxy, when connection A is closed after a timeout. So a call like this: HttpContext.Current.Response.Close() does not close connection B.
Thanks.
When you read EOS from the upstream socket, shutdown the downstream socket for output, and vice versa. When you do this, if you've already shutdown the socket that you read the EOS from, you've had EOS in both directions so you can close both sockets, and exit both threads if you're using threads. Let the actual decision as to when to close connections be taken by the downstream client and the upstream server.
I'm getting start WCF soap web service. Trying to implement a flexible, hot-plug featured, interoperable web service.
A device consumes server service (predefined IP address) which means registering to server, and then service asks device returning all configuration information of a device. Service remotely control those registered devices later.
Network Architecture
Please see the diagram below. A Server-side service is listening on 80 port. We had a router (Router B) which connects to the Server, and set NAT table 220.120.20.209:80 mapping to 192.168.0.3:80. 220.120.20.209 is a public IP.
Two Clients connect to a router (Router A) and have private IP addresses relatively(170.15.40.1/ 170.15.40.2) . Clients host a service (called DeviceService) listening on 80 port. And we didn't set NAT on Router A. 68.250.250.1 is a public IP.
Operation
(Request a Registration) Client sends (request) a message to a Service.
(Response) Service response a message.
(Get Config from Devices) Service consumes client through calling like http: //clientsIP:80/DeviceService.
Operation 1, 2 is working to me. To my understanding, incoming ip address of client#1 is 68.250.250.1 (I'm using RemoteEndpointMessageProperty to get the caller's address).
My question is "operation 3 is not working". Server can't access Client's private IP because of a Router/firewall.Only did Server get is 68.250.250.1. How can I solve this kind of problem? the problem have to do with Network Architecture?
I googled all day long found nothing to do with my problem. But I found websocket thing. Websocket is capable of full-duplex communication over Tcp. Does that mean once a client built a connection with a Server, Server can do operation 3 (Get Config from Devices) anytime even under my network architecture?
Updated 2014/4/24
Thanks a lot to #vtortola. After studying those references , I am still confused that if it's possible to allow call a self-host service from client during a callback session?
Try to elaborate what I thought
Clients will have a self-host service at first. e.g. Providing Configuration Service
Let the Client drive the interaction first, and built a bi-direction channel between Client and Server.
Client requests, and Server response. At the same time, Server triggers the callback procedure.
Server requests "Providing Configuration" message to client via channel during the period callback is fired.
It won't work that way if Router A is doing NAT. RouterA has only an TCP 80 port. Even if you forward it to Client#1, then Client#2 won't work. And I assume RouterA is doing NAT because the client IP addresses are private, so it is translating them to a public IP address.
I think you are messing two concepts. NAT (Network Address Translation) is about IP addresses, it has nothing to do with ports. With NAT you allow your client private IP addresses be translated to the public IP address and therefore get into the internet. Port Forwarding is a technique that allows to map a TCP or UDP port in the public interface of the router to a particular local IP address. Router B is doing NAT to allow the Server communicate with internet through the public interface, and port forwarding to allow hosts in internet to access Server's TCP 80 port, by accessing its TCP 80 port.
Let the Client drive the interaction. In operation #3, the client should send the device configuration after getting the server response in #2.
If you need the server to lead some of the interactions, you must then use a duplex WCF service. WebSocket is one of the duplex WCF bindings. But again, the channel must be established from client to server first.
A Beginner's Guide to Duplex WCF
Duplex Service in WCF
WCF and WebSockets
Does anyone know if there is a port that absolutely has to be open on the SQL server to allow service broker traffic? We were testing what happens when you close off all ports on the SQL server except (1433, 445, 3389) and the query notification still worked. We were under the impression that 4022 has to be open for the service broker to work we a default listening port.
Is there a SQL system view that shows what port the service broker is communicating on?
Is there a command to terminate all active query notifications on a database so the database can be dropped?
Thanks
If your service broker architecture is passing messages between servers (endpoints) then it will need ports other than the normal SQL ones.
If client code such as query notifications is accessing service broker then it uses SQL statements (with some new syntax) through the standard SQL connection and this part doesn't use any additional ports.
From How to: Activate Service Broker Networking (Transact-SQL):
Service Broker does not send or receive messages over the network by
default. To activate Service Broker networking in an instance, create
an endpoint for Service Broker.
When you create an endpoint you specifically assign a port to use:
CREATE ENDPOINT BrokerEndpoint
STATE = STARTED
AS TCP ( LISTENER_PORT = 4037 )
FOR SERVICE_BROKER ( AUTHENTICATION = WINDOWS );
Port 4022 is used when Service Broker communicates with other broker instances. How are you using Service Broker? If all the work is internal to your database then it never needs to use a TCP endpoint.
Query Notification does not require a Service Broker endpoint because it always deliver the messages locally, int he same DB where you started the notifications from. Although configuring QN to deliver notifications to a remote machine is possible, ding so is basically unheard of. See The Mysterious Notification.
As for the question: Service Broker requires only the configured endpoint port to be open. You can see the listening port in sys.tcp_endpoints. If the configured authentication is Windows then the ports needed for Kerberos/NTLM (135, ?389) are also required in order to authenticate the SSB connections. Note that the SMB port (445) is not required by SSB ever. If SSB endpoint configured authentication is certificates then no additional port is required. See How does Certificate based Authentication work.
Is it not possible to specify the local client port used for server calls via NetTcpBinding?
NetPeerTcpBinding support this - I find it hard to believe there's no way to specify the local port (and IP Address for that matter) on clients.
I need to be able to use port sharing and I can't do this if I don't know what port the client is listening on. I won't be able to share the port (and IP) with another client so it can connect.
The only work-around I found is something like this:
Client A opens a connection to Server
Server logs the IP and Port of Client A
Server shares this info. with
Client B
Client B should be able to
connect to Client A on specified IP
and Port (in theory)
This is known as TCP/IP NAT hole punching I believe. Anyone with experience in this?
You probably don't understand the communication pattern with NetTcpBinding. It works this way:
The client opens connection to the server
Two-way communication: The client calls the server and gets the response over the same connection.
Duplex communication: The client calls the server. The server stores reference to the channel somewhere (you must implement this). Once the server wants to notify client about anything it takes stored channel and calls the client on the connection established by the client during its first call.
The server never opens connection to the client. The client doesn't expose any address with port for incomming communication. If you want to do that you must implement service on the client in the same way you did it on the server and you must manully send the address and port to the service exposed by the server.
The difference with NetPeerTcpBinding is that there is no real server and any client must be able to get incomming request. NetTcpBinding is for client-server scenarios where the server is the only peer able to process incomming requests. Because of that only the server needs to define an address and a port.
I need to create a self-hosted WCF service.
I need secure duplex connection between client and server through Internet.
I read some documents of WCF and found that the netTcpBinding is suitable for intranet application, because the SSL is only point 2 point. If it is an internet application, the connection must not be point 2 point, am I correct? so SSL in transport security with netTcpBinding is not suitable?
so what combination should I use to create a secure duplex internet application?
thank you very much.
I have tried http://www.codeproject.com/KB/WCF/WCFWPFChat.aspx
this tutorial use netTcpBinding and endpoint localhost
I change the endpoint localhost to a name based url, forward a port in my router to my development PC, open the same port at Windows firewall.
The client program can chat with each cients program in different machines, BUT the callback connection will lost after one minute.
I also tried changing the binding to wsDualHttpBinding, the clients program can chat with each clients in the same machine and kept the callback connection in the reliableSession inactivityTimeout setting. However another client program in another machine cannot join the server, if I turn off Windows firewall on that machine, the client program can connect.
It seems that tcp binding can let the client program connecting to the server with Windows firewall turn on. but callback connection lost.
and the wsDualHttpBinding can keep the callback connections. but cannot connect to server if Windows firewall on.
Is there a way to kept the netTcpBinding callback connection as in the wsDualHttpBinding?
It sounds like you have two issues- duplex connection and security.
If you truly need a duplex connection (eg, server-initiated callbacks), neither of these will work very well over the internet unless you have very fine control over the firewalls on both ends (the client still has to expose a publicly accessible HTTP endpoint for the server to call back). The best way would be to use the new relay services with .NET 4.0- this allows for a mimic'd server-initiated connection through firewalls.
EDIT: this is now called AppFabric, and is part of the Windows Azure infrastructure
On the security front, you can always use message security over the service bus, but I don't see a reason why transport security would be a problem either.
To answer user248724,
The client program can chat with each
cients program in different machines,
BUT the callback connection will lost
after one minute.after one minute.
You need either have the client or the server to ping each other at least every minute to keep the connection socket alive.