We have a cluster where to WCF services are running as a resource each in a separated resource group. These groups have a dns alias named to there cap name e.g. APPQA en APPPROD each with an IP's 10.110.250.1 and 10.110.250.2.
Actually it's the same WCF service but running on another baseadresss, like this example of our baseAdress:
<add baseAdress="net.tcp://appqa.domain.com:4504/....
and
<add baseAdress="net.tcp://appprod.domain.com:4504/....
But when running these services on the same node we noticed that we were getting errors like there is Address is in use.
We found that weird because we added our alias in the base address section a nslookup of both our aliases and that gave us both the right IP address.
When running only the PROD service, I did a telnet command to the IP address of the QA and the 4504 port. I was able to make a connection this means that we are actually running on both IP adresses (or all addresses and port like 0:0:0:0:4504).
As an extra test we changed our baseadresses to
<add baseAdress="net.tcp://10.110.250.1:4504/....
<add baseAdress="net.tcp://10.110.250.2:4504/....
And then we can run both services next to each other on the same node, so we prove that our services work only the dns resolution does not work.
It all works in when we enable port sharing but we don't want do that because of a different SLA.
Has someone a idea how we can force WCF to use the IP address of his dns alias?
Related
I need to access company's internal network without using their OPENVPN server directly (My ISP blocks it). So I used an instance with a public IP, where my company is located, and have configured a OPENVPN client then used it to connect to the company's OPENVPN server.
(public IP instance) ===OPENVPN===> (Company)
Now, I need to achieve a further thing, which is working from my local machine by using VPN over SSH tunnel using sshuttle, such that the topology becomes:
(local) ===SSHUTTLE===> (public IP instance) ===OPENVPN===> (Company)
Note that public IP instance has two network adapters; eth0 (it has public IP) and tun0 (which belongs to OPENVPN)
I installed sshuttle, and tested the next command:
sshuttle --dns -r <user>#<public IP instance address> 0.0.0.0/0
It says connected after then but I still cant access anything. I tested dig and it returned results showing addresses of company's internal services. However, I still can't ping them. I tested using traceroute and it stops at some point after displaying some hops.
One important point is that I can't ping the tun0 address (on public ip instance) from my local machine.
I suspect that I need to add some routes on the intermediate public IP instance, but I am not sure.
I would appreciate any help
Thanks in advance
your setup is right but your assumptions are wrong.
Initially, check that your vpn is working fine on the jump box , if linux just check
route -n
Wrong assumptions:
sshuttle will route your dig commands , sshutle only route TCP and DNS queries are UDP
using --dns in your sshuttle meanless as you wont gain dns of vpn but of the jump box and that wont work
you should add the DNS of local vpn in your /etc/resolv.conf with target domain for local discovery
like : < call tech support to provide you with right DNS , you can find it in vpn log on jump box
search companydomain.internal
nameserver 10.x.y.z
its better to split the traffic and only target your company CIDR over sshuttle , most of them use parts of 10.0.0.0/8 instead of all traffic 0.0.0.0/0
important note: that may be your company block egress traffic to the internet over VPN access
I am trying to set up a STUN/TURN server on my local computer for a webrtc application of me. I decided to use coturn. Note that my server is running behind a NAT.
So i fired up my Ubuntu VM and installed it. After reading through the wiki I got it working, atleast on my local network. For testing purposes, i use this site. Therefore, when i try it there with 192.168.178.25:3478, it works. When i try it with "public-ip":3478, it doesnt.
This told me, it is working locally and it should be a port/NAT issue. What i did:
1) I set the VM to Bridging
2) I opened the port 3478 on my router. To test if this is really working, i used telnet on a remote machine and it worked. Another test was that i set up a quick apache server on my local machine on port 3478 and it could be accessed from the outside. This told me that there is, or should be, not port/NAT issue and my turn server should be working.
Any ideas?
I am running my server with the following command:
"sudo turnserver -X "public-ip" -listening-port=3478 -v
The turnserver.conf looks something like this:
fingerprint
realm="myRealm"
lt-cred-mech
user=test:test
As telnet and apache server are both working, i am pretty sure i have a configuration issue. I basically spent the weekend trying and im really lost on what could be wrong.
Thanks for any help!
From the documentation of turnserver
-X, --external-ip <public-ip>[/private-ip] TURN Server public/private address mapping, if the server is behind NAT. In that situation, if a -X is used in form "-X " then that ip will be reported as relay IP address of all allocations. This scenario works only in a simple case when one single relay address is to be used, and no CHANGE_REQUEST STUN functionality is required. That single relay address must be mapped by NAT to the 'external' IP. The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field. For that 'external' IP, NAT must forward ports directly (relayed port 12345 must be always mapped to the same 'external' port 12345). In more complex case when more than one IP address is involved, that option must be used several times, each entry must have form "-X ", to map all involved addresses. CHANGE_REQUEST NAT discovery STUN functionality will work correctly, if the addresses are mapped properly, even when the TURN server itself is behind A NAT. By default, this value is empty, and no address mapping is used.
So, it is not enough that you expose only the listening port from the inside LAN to the public network but all ports that you are going to use to relay. Please, note what is said in the same documentation:
--min-port <port> Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766.
--max-port <port> Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766.
You should choose a range of ports in the server, configure with them the options --min-port and --max-port and create a NAT rule to expose those ports to the public side of the router without change.
I'm using this example:
http://msdn.microsoft.com/en-us/library/ms733069.aspx
How do I change the port or specify a port and open it and all the other good stuff needed to access the service?
read this manual http://msdn.microsoft.com/en-us/library/ms734786.aspx or at least finish reading of your link up to 13th point in list, where configuration file is provided
according to standard, URL consists of:
protocol :// hostname [: portnumber] [/path]
so, you need to change 8080 in your config to proper port
<add baseAddress="http://localhost:8000/ServiceModelSamples/service"/>
I am trying to set up an HTTPS site on IIS 7. I have added the certificate, set up the appropriate bindings and the site is accesible from within my company's intranet, however no one from the outside internet can access it. I have a 1:1 NAT forward set up for port 443 that should route requests to the IP address for my server. I have the same situation for port 80 and don't have any issues with http sites being accessible.
Any suggestions for what I might be missing here?
UPDATE:
As it turns out, the company that manages my company's firewall had added the exception for https and 443, and the correct routing, but hadn't added an exception for the process that handles https.
For starters, from outside, use telnet to see if you can even get to the port from outside:
telnet <host name or ip> 443
Note the space before the port.
If the telnet screen goes fully black, w cursor in top left, you can connect, so it is an iis issue.
If telnet just sits there, it is trying to connect but can't. It may finally throw "connection refused" or "could not connect." This means the problem is on the physical firewall (which needs the inbound path opened) or on the iis server itself (in its firewall or iis config)
In this case, next step:
Do the telnet operation on the IIS server itself, and from the same network as IIS (e.g. not through the firewall).
-- If this works: The problem is the network firewall config
-- If this does not work, you need to check the firewall on the IIS server itself (the windows firewall), and the IIS config itself
Note, on windows 7 and vista, telnet may not be present out of the box. Google how to enable it.
I am using https for a web service and the certificate is a temporary one I created and then imported it to a remote machine. The binding of my WCF service uses the machine name not the ip address. I want to test the service on a remote machine but the only way the service is accessible is to use the ip address by changing the client address for the service. But then the service fails because the certificate expects the machine name and not the ip address. How can I use the machine name and not the ip address to access the remote server?
Create binding for ip address in the hosts file (C:\Windows\System32\drivers\etc) and then use this binding instead of ip.