I'm getting start WCF soap web service. Trying to implement a flexible, hot-plug featured, interoperable web service.
A device consumes server service (predefined IP address) which means registering to server, and then service asks device returning all configuration information of a device. Service remotely control those registered devices later.
Network Architecture
Please see the diagram below. A Server-side service is listening on 80 port. We had a router (Router B) which connects to the Server, and set NAT table 220.120.20.209:80 mapping to 192.168.0.3:80. 220.120.20.209 is a public IP.
Two Clients connect to a router (Router A) and have private IP addresses relatively(170.15.40.1/ 170.15.40.2) . Clients host a service (called DeviceService) listening on 80 port. And we didn't set NAT on Router A. 68.250.250.1 is a public IP.
Operation
(Request a Registration) Client sends (request) a message to a Service.
(Response) Service response a message.
(Get Config from Devices) Service consumes client through calling like http: //clientsIP:80/DeviceService.
Operation 1, 2 is working to me. To my understanding, incoming ip address of client#1 is 68.250.250.1 (I'm using RemoteEndpointMessageProperty to get the caller's address).
My question is "operation 3 is not working". Server can't access Client's private IP because of a Router/firewall.Only did Server get is 68.250.250.1. How can I solve this kind of problem? the problem have to do with Network Architecture?
I googled all day long found nothing to do with my problem. But I found websocket thing. Websocket is capable of full-duplex communication over Tcp. Does that mean once a client built a connection with a Server, Server can do operation 3 (Get Config from Devices) anytime even under my network architecture?
Updated 2014/4/24
Thanks a lot to #vtortola. After studying those references , I am still confused that if it's possible to allow call a self-host service from client during a callback session?
Try to elaborate what I thought
Clients will have a self-host service at first. e.g. Providing Configuration Service
Let the Client drive the interaction first, and built a bi-direction channel between Client and Server.
Client requests, and Server response. At the same time, Server triggers the callback procedure.
Server requests "Providing Configuration" message to client via channel during the period callback is fired.
It won't work that way if Router A is doing NAT. RouterA has only an TCP 80 port. Even if you forward it to Client#1, then Client#2 won't work. And I assume RouterA is doing NAT because the client IP addresses are private, so it is translating them to a public IP address.
I think you are messing two concepts. NAT (Network Address Translation) is about IP addresses, it has nothing to do with ports. With NAT you allow your client private IP addresses be translated to the public IP address and therefore get into the internet. Port Forwarding is a technique that allows to map a TCP or UDP port in the public interface of the router to a particular local IP address. Router B is doing NAT to allow the Server communicate with internet through the public interface, and port forwarding to allow hosts in internet to access Server's TCP 80 port, by accessing its TCP 80 port.
Let the Client drive the interaction. In operation #3, the client should send the device configuration after getting the server response in #2.
If you need the server to lead some of the interactions, you must then use a duplex WCF service. WebSocket is one of the duplex WCF bindings. But again, the channel must be established from client to server first.
A Beginner's Guide to Duplex WCF
Duplex Service in WCF
WCF and WebSockets
Related
I understand the purpose of STUN and TURN servers and their use in WebRTC, but I don't fully get:
If I as a WebRTC client have already logged in to use the WebRTC service, wouldn't this service already have my public IP address? Why does it need to be found a second time by the STUN server?
Short answer: Because Proxies and NATs.
Lots of reasons:
The web server knows your public IP address for the established TCP connection, but for the subsequent P2P communications over UDP, it doesn't know how your local NAT will map the port (or which port its using).
You could be on a network in which all HTTP/HTTPS traffic goes over a proxy. Hence, the WebRTC service only knows the address of your proxy.
The WebRTC service itself could have a front end load balancer. Hence, it only knows the IP address of the load balancer.
The two endpoints attempting to do a WebRTC session may actually be behind the same NAT. Hence, the public IP address isn't as useful.
But the primary reason is around port prediction as discussed in #1 above. Address exchange over ICE or WebRTC involves not just exchanging IP Addresses, but also, UDP ports as well. Even if the web server knows the client's actual IP address, the web server can not infer what UDP port it will use for media traffic.
I'm planning on using a wsDualHttpBinding for a WCF service with callbacks. The clients will be a windows form application communicating to the service over the internet. Obviously I have no control over the firewall on the client side, so I'm wondering what is the proper way to set the ClientBaseAddress on the client side?
Right now in my intiial testing I'm running the service and client on the same pc and i am setting the binding as follows
Dim binding As System.ServiceModel.WSDualHttpBinding = Struct.Endpoint.Binding
binding.ClientBaseAddress = New Uri("http://localhost:6667")
But I have a feeling this won't work when deploying over the internet because "localhost" won't translate to the machine address (much less worrying about NAT translation) and that port might be blocked by the clients firewall.
What is the proper way to handle the base address for callbacks to a remote client?
some one tell me if i do not specify ClientBaseAddress then WCF infratructure creates a default client base address at port 80 which is used for the incoming connections from the service. Since port 80 is usually open to firewalls, things should just work.
so just tell me when win form wcf client apps will run then how can i open my custom port like "6667" and also guide me what library or what approach i should use as a result response should come from client side router
to pc and firewall will not block anything. please discuss this issue with real life scenario how people handle this kind of situation in real life. thanks
The proper way is to use TCP transport instead of HTTP transport. Duplex communication over HTTP requires two HTTP connections - one opened from client to server (that's OK) and second opened from server to client. This can work only in scenarios where you have full control over both ends. There is simply too many complications which cannot be avoided just by guessing what address to use like:
Local Windows or third party firewall has to be configured
Permission for application to run - listening on HTTP is not allowed by default unless UAC is turned off or application is running as admin. You must allow listening on the port through netsh or httpcfg (windows XP and 2003) - that again requires admin permissions.
Port can be already used by another application. In case of 80 it can be used by any local web server - for example IIS.
Private networks and network devices - if your client machine is behind the NAT the port forwarding must be configured but what if you have two machines running your application on the same private network? You cannot forward from the same incoming port to two machines.
All these issues can be avoided mostly only when you have control over whole infrastructure. That is the reason why HTTP duplex communication is useful mostly for intranet scenarios and why for example Silverlight offers another implementation where the second connection is not created and Silverlight client instead polls server continuously to check if there is any callback available.
TCP transport requires only single connection from client to server because TCP protocol is natively duplex so the server can call back the client through the same connection. When you deploy a public service you usually have control over infrastructure on the server side so you can make necessary changes in configuration to make it work.
I think this also answers your previous question.
I have a self host service in a WPF application and a client. It works fine if the client and the service are in the same LAN, so I can send messages from client to the service.
However, I would like to know how I can consume the service from internet.
I open the TCP ports for the listing port and the mex in my router in the NAT section and I have disabled my firewall of windows (I am working in a virtual windows xp).
I am trying to use net.tcp binding, is my first option, but also I am trying with wsHttpBinding and the problem is the same, I can send message in the LAN but I can't from internet.
Perhaps it's because I don't know how to configure the address in the service or in the client, or something like that.
Thanks you very much.
Daimroc.
EDIT1: if I use the www.canyouseeme.org the can access to my service. If I stop my service then i get an error. So it looks like that the service is visible. Then why can't send messages from the client?
Since you're on a LAN, it is very likely that the machine that is hosting the WCF service is not assigned an IP address accessible from the Internet. For example, if the machine has an IP address starting with 10... or 172... or 192... then that is an internally assigned IP address.
Your machine must be set up to use an IP address assigned by a registrar and optionally, assigned a domain name (e.g. canyouseeme.org) so the Internet DNS servers can translate it to the assigned IP address.
Is it not possible to specify the local client port used for server calls via NetTcpBinding?
NetPeerTcpBinding support this - I find it hard to believe there's no way to specify the local port (and IP Address for that matter) on clients.
I need to be able to use port sharing and I can't do this if I don't know what port the client is listening on. I won't be able to share the port (and IP) with another client so it can connect.
The only work-around I found is something like this:
Client A opens a connection to Server
Server logs the IP and Port of Client A
Server shares this info. with
Client B
Client B should be able to
connect to Client A on specified IP
and Port (in theory)
This is known as TCP/IP NAT hole punching I believe. Anyone with experience in this?
You probably don't understand the communication pattern with NetTcpBinding. It works this way:
The client opens connection to the server
Two-way communication: The client calls the server and gets the response over the same connection.
Duplex communication: The client calls the server. The server stores reference to the channel somewhere (you must implement this). Once the server wants to notify client about anything it takes stored channel and calls the client on the connection established by the client during its first call.
The server never opens connection to the client. The client doesn't expose any address with port for incomming communication. If you want to do that you must implement service on the client in the same way you did it on the server and you must manully send the address and port to the service exposed by the server.
The difference with NetPeerTcpBinding is that there is no real server and any client must be able to get incomming request. NetTcpBinding is for client-server scenarios where the server is the only peer able to process incomming requests. Because of that only the server needs to define an address and a port.
I need to create a self-hosted WCF service.
I need secure duplex connection between client and server through Internet.
I read some documents of WCF and found that the netTcpBinding is suitable for intranet application, because the SSL is only point 2 point. If it is an internet application, the connection must not be point 2 point, am I correct? so SSL in transport security with netTcpBinding is not suitable?
so what combination should I use to create a secure duplex internet application?
thank you very much.
I have tried http://www.codeproject.com/KB/WCF/WCFWPFChat.aspx
this tutorial use netTcpBinding and endpoint localhost
I change the endpoint localhost to a name based url, forward a port in my router to my development PC, open the same port at Windows firewall.
The client program can chat with each cients program in different machines, BUT the callback connection will lost after one minute.
I also tried changing the binding to wsDualHttpBinding, the clients program can chat with each clients in the same machine and kept the callback connection in the reliableSession inactivityTimeout setting. However another client program in another machine cannot join the server, if I turn off Windows firewall on that machine, the client program can connect.
It seems that tcp binding can let the client program connecting to the server with Windows firewall turn on. but callback connection lost.
and the wsDualHttpBinding can keep the callback connections. but cannot connect to server if Windows firewall on.
Is there a way to kept the netTcpBinding callback connection as in the wsDualHttpBinding?
It sounds like you have two issues- duplex connection and security.
If you truly need a duplex connection (eg, server-initiated callbacks), neither of these will work very well over the internet unless you have very fine control over the firewalls on both ends (the client still has to expose a publicly accessible HTTP endpoint for the server to call back). The best way would be to use the new relay services with .NET 4.0- this allows for a mimic'd server-initiated connection through firewalls.
EDIT: this is now called AppFabric, and is part of the Windows Azure infrastructure
On the security front, you can always use message security over the service bus, but I don't see a reason why transport security would be a problem either.
To answer user248724,
The client program can chat with each
cients program in different machines,
BUT the callback connection will lost
after one minute.after one minute.
You need either have the client or the server to ping each other at least every minute to keep the connection socket alive.