We're in the process of trying to lay out a new net topography for our system. We currently host our WCF as a Windows service which exposes HTTP, HTTPS, NET TCP, and now AJAX Service endpoints...
Does anyone know if it would be possible to move our WCF into IIS while still having those same exposed endpoints AND take advantage of IIS Clustering and NLB? Can those exposed endpoints be part of the NLB? I'm not sure how it works; I've been doing some research but can't find anything that addresses those concerns.
I'm a little new to WCF and IIS and we're currently in the research phase of this project so any opinions or suggestions would be welcomed and greatly appreciated.
You can move your service hosting from Windows services to IIS as long as you have WAS turned on, which is required for net.tcp-bound requests.
You will have to reconfigure your services to support load balancing, so take a look at the articles below as a helpful starting point about load balancing.
Things to Consider When Implementing a Load Balancer with WCF
Load Balancing with the Basic HTTP Binding
Questions to consider:
Do you use a session-enabled contract? Does the service behavior use PerSession? Do you have reliable messaging turned on? Session and reliable session are local to a particular server, so failover requires a new session to be created. The client has to initiate this by creating a new channel (proxy).
Other helpful articles:
Unable to connect to Windows Server 2008 NLB Virtual IP Address from hosts in different subnets when NLB is in Multicast Mode
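The questions in the answer above (session-enabled contracts, PerSession instancing, reliable sessions) decide whether a farm behind an NLB virtual IP can fail over transparently. The following is an added example, not code from the thread, showing a contract and service written to be stateless, and a client that discards its channel and builds a new one after a communication failure. The contract name IOrderLookup, the service class and the virtual IP address are assumed for illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract (not from the original thread). SessionMode.NotAllowed
// rules out server-side session state, so any node behind the NLB virtual IP
// can answer any request.
[ServiceContract(SessionMode = SessionMode.NotAllowed)]
public interface IOrderLookup
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

// PerCall instancing: a fresh instance per request and nothing cached across
// calls, so a failover to another node loses nothing.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 ConcurrencyMode = ConcurrencyMode.Multiple)]
public class OrderLookupService : IOrderLookup
{
    public string GetOrderStatus(int orderId)
    {
        // A real implementation reads from the shared database; every node in
        // the farm must reach the same data source for this to be stateless.
        return orderId > 0 ? "Shipped" : "Unknown";
    }
}

// Client side: a binding with no reliable-session layer, and a proxy that is
// thrown away and recreated after a communication failure so the next call
// can be accepted by whichever node the NLB selects.
public static class OrderLookupClient
{
    private static readonly Binding FarmBinding = new NetTcpBinding(SecurityMode.Transport)
    {
        // Off by default on NetTcpBinding; stated explicitly to document the
        // NLB requirement that no session spans a failover.
        ReliableSession = { Enabled = false }
    };

    // Address of the NLB virtual IP (assumed value).
    private static readonly EndpointAddress VirtualIp =
        new EndpointAddress("net.tcp://nlb-vip.example.internal:808/orders");

    public static string GetOrderStatusWithRetry(int orderId, int maxAttempts = 3)
    {
        for (int attempt = 1; ; attempt++)
        {
            var factory = new ChannelFactory<IOrderLookup>(FarmBinding, VirtualIp);
            IOrderLookup proxy = factory.CreateChannel();
            try
            {
                string status = proxy.GetOrderStatus(orderId);
                ((IClientChannel)proxy).Close();
                factory.Close();
                return status;
            }
            catch (CommunicationException) when (attempt < maxAttempts)
            {
                // The node behind this channel went away: abort the faulted
                // channel and factory, then build a new channel, which the NLB
                // may direct to a different node.
                ((IClientChannel)proxy).Abort();
                factory.Abort();
            }
        }
    }
}
```

The retry only recreates the channel; it does not retry an operation that may already have been applied, so the pattern is safe for read-style operations like the one shown and needs an idempotency key for anything that writes. With transport security on net.tcp the callers authenticate with Windows credentials, so the virtual IP's host name needs a service principal name the farm's service account can use.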
Environment:
Consider the following production environment setup for a web application:
End user --Internet--> web server in DMZ --Firewall--> WCF hosted on app server --> DB Server
Constraint:
Also consider that we cannot change anything from the infrastructure point of view. For example, open ports, change any firewall setting etc.
Problem:
We want to expose the WCF, which is hosted on the app server, to external clients. We are trying to solve this as follows:
End user --Internet--> Router WCF in DMZ --Firewall--> WCF hosted on app server --> DB Server
Please note that we cannot establish a DB connection from the DMZ environment where the WCF needs to be hosted so that the external clients can consume it. We have developed a "Router WCF" which passes all messages through to the internal WCF and vice versa.
This solution adds an unnecessary overhead of serializing and de-serializing data. There must be a better and proper way of doing this. We are looking to the community for guidance. Thank you.
For a DMZ, the literature tells you: always create an intermediate layer. This means another machine on the internet will be the point of connection and it will proxy the connection back to WCF.
That machine is the web server you mention: it is dumb, holds no data, and (to be a proper DMZ) has a firewall between it and all the machines (WCF and the others) it serves that permits only the IP:PORTs used on such machines.
In this scenario, usually Apache on the public web server with a URL-rewrite rule (i.e. if it is /x/y send it to servera.internal.com:9900, if it is /x/z send it to serverb.internal.com:9901, etc.) is enough, but there are plenty of solutions of course.
It seems you are doing exactly this, so why do you say it is not the proper solution?
DMZs may seem a bit dated as a protection mechanism (I agree), but you have to think back to when servers like your WCF machine had dozens of ports open and you wanted to lower the risk of random ports on web-facing machines, a giant attack surface. Nowadays everything can work with a couple of ports open, so it can seem "silly" to do all of this just to forward a TCP port. But it is still valuable because (for example) if servers behind the web server in the DMZ do not have internet access, even when WCF is compromised the attacker cannot use his own reverse shell to deploy what is nowadays called an APT (yesterday: a backdoor). The attacker "won't see" his own machine from WCF, as the DMZ provides the connection to the external world.
We are planning to develop a big set of WCF-services with net.tcp binding (about 50 services). They will be hosted on IIS.
As I understand it, there are two ways to do it:
Create one site on IIS. Services will be deployed as IIS applications, so all services will use the same port according to the site's net.tcp binding (net.tcp port sharing feature).
Create 50 sites on IIS, one site per service. Every site will have a different port in its net.tcp binding, so every service will use a different port.
Which way is better in terms of performance? I couldn't find any information about the performance of solutions using net.tcp port sharing.
NetTcpPortSharing is the WCF TCP port sharing service. It implements a centralized TCP listener so that multiple processes can listen on the same TCP port.
For more information you can refer to this link:
http://msdn.microsoft.com/hi-in/magazine/cc163357(en-us).aspx
Port sharing should not be the only consideration when deploying your service.
You have to design your deployment based on:
Application Pool.
Crash and recovery.
Server Hardware.
Nature of services (heavy data transaction)
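To make the port-sharing option concrete, here is an added example (not code from the question or the answer) of the self-hosting code each of the 50 service processes would run so that all of them listen on the one net.tcp port, with the NetTcpPortSharing service owning the socket and dispatching connections by URI path. The contract IPing, the service class and the paths are assumed for illustration.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract used only to have something to host.
[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping();
}

public class PingService : IPing
{
    public string Ping() => "pong";
}

public static class SharedPortHosting
{
    // All services share the default net.tcp port; each one is distinguished
    // by its URI path (assumed values such as /Services/Orders, /Services/Billing).
    public const int SharedPort = 808;

    public static ServiceHost OpenHost(string servicePath)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport)
        {
            // Hands the listening socket to the NetTcpPortSharing Windows
            // service so that other processes can bind the same port. Without
            // this, the second process to bind port 808 fails with an
            // AddressAlreadyInUseException.
            PortSharingEnabled = true
        };

        var baseAddress = new Uri("net.tcp://localhost:" + SharedPort + servicePath);
        var host = new ServiceHost(typeof(PingService), baseAddress);
        host.AddServiceEndpoint(typeof(IPing), binding, "");

        // Open() fails if the NetTcpPortSharing service is stopped or disabled,
        // or if this process's account is not allowed to use it.
        host.Open();
        return host;
    }

    public static void Main(string[] args)
    {
        // Each service process is started with its own path, e.g.
        //   SharedPortHosting.exe /Services/Orders
        string path = args.Length > 0 ? args[0] : "/Services/Orders";
        using (var host = OpenHost(path))
        {
            Console.WriteLine("Listening on " + host.BaseAddresses[0]);
            Console.ReadLine();
        }
    }
}
```

Two things worth checking on the hosts themselves: the NetTcpPortSharing service is disabled by default and must be enabled and started, and its configuration (SMSvcHost.exe.config) lets you restrict which accounts may register with it, so the application pool or service accounts should be listed there rather than loosening it to everyone.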
One of our teams here has just completed a project using both WCF and NServiceBus. When I reviewed the project I found that they had chosen to host the WCF services and NServiceBus in IIS instead of the NServiceBus host.
When I queried why this was, I was told that when they hosted WCF services (on TCP binding) in the NServiceBus Host, the WCF would regularly 'get stuck'. What this meant in practice was that usually around once a day the WCF service would start actively refusing connections.
It is my understanding that IIS has custom code inside it to monitor the health of the WCF endpoints and restart them when they 'get stuck'. I would like to avoid hosting in IIS though, as you don't get all the convention-based goodness of using the NServiceBus host.
Can anyone shed any more light on this issue or suggest ways we might be able to avoid the issue while using the NServiceBus Host?
PS: I realise the description of the problem is a little vague; I'm also hoping someone might be able to help me improve the question.
I can't understand the need to host everything in one container. Can't you host your WCF endpoints in IIS and your NSB endpoints via the generic host in a Windows service? Then they can be managed as separate concerns.
This is more of an architectural and security question than anything else. I'm trying to determine if a suggested architecture is necessary. Let me explain my configuration.
We have a standard DMZ established that essentially has two firewalls. One that's external facing and the other that connects to the internal LAN. The following describes where each application tier is currently running.
Outside the firewall:
Silverlight Application
In the DMZ:
WCF Service (Business Logic & Data Access Layer)
Inside the LAN:
Database
I'm receiving input that the architecture is not correct. Specifically, it has been suggested that because "a web server is easily hacked" that we should place a relay server inside the DMZ that communicates with another WCF service inside the LAN which will then communicate with the database. The external firewall is currently configured to only allow port 443 (https) to the WCF service. The internal firewall is configured to allow SQL connections from the WCF service in the DMZ.
Ignoring the obvious performance implications, I don't see the security benefit either. I'm going to reserve my judgement of this suggestion to avoid polluting the answers with my bias. Any input is appreciated.
Thanks,
Matt
I do think the remarks made are valid, and in such a case I would probably also try to use as many "defense-in-depth" layers as I could possibly come up with.
Plus, the amount of work to achieve this might be less than you're afraid of, if you're on .NET 4 (or can move to it).
You could use the new .NET 4 / WCF 4 routing service to do this quite easily. As an added benefit, you could expose an HTTPS endpoint to the outside world but, on the inside, use netTcpBinding (which is a lot faster) to handle internal communications.
Check out how easy it is to set up a .NET 4 routing service:
What's new in WCF4 Routing Service - or: "Look ma: Just one service to talk to!"
Creating Routing Service using WCF 4.0, .NET Framework 4.0 and Visual Studio 2010 RC
I've got a WCF service on a server on one side of a firewall. I need to access the service from many workstations on the other side of the firewall. The network guys insist that all holes through the firewall are one-to-one, so at the moment I'll have to set up every workstation one by one. There could be loads, and it'll get tedious and be prone to errors.
Is it possible to set up a WCF server on this side of the firewall that can in some clever way just act as a proxy to the 'real' WCF service on the other side of the firewall? If so, could you point me to some reference material?
There is a new concept of a WCF Relay service being developed for the Windows Azure "cloud" computing space. That would allow you to create your scenario fairly easily - just host some bits of your service out in the cloud.
See these links for more information:
WCF services hosted on Windows Azure
Software in the cloud: the Relay service
.NET ServiceBus: Hands-On with Relays
or search Google for "WCF Relay Service". There are also a number of new bindings specifically for these WCF scenarios.
Hope this helps.
Marc
UPDATE:
WCF v4 - to be released with .NET 4.0 later this year (2009) will include a RoutingService class which can be used in scenarios like this.
See more info about the WCF4 routing service here:
Content based routing in WCF 4
Routing messages in WCF 4.0
A developer's introduction to WCF .NET 4 Beta 1
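Both the relay-in-the-DMZ question above and this one come down to the same piece: a WCF 4 RoutingService host that presents one face to callers and forwards to the real service on the other side of the firewall. The following is an added example, not code from either thread or from the linked articles. It assumes the addresses shown, a SOAP contract named IOrders with the two actions listed, an HTTPS certificate already bound to the router's port, and Windows authentication between the router and the internal service. It also adds something the answers only imply: the router forwards only an allowlist of actions, so the DMZ hop is a filter and not just a pass-through.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Routing;

public static class DmzRouter
{
    // Assumed addresses: the public HTTPS face in the DMZ and the internal
    // net.tcp service on the app server behind the second firewall.
    public const string PublicAddress   = "https://dmz-router.example.com/orders";
    public const string InternalAddress = "net.tcp://app-server.internal:808/orders";

    // Only these SOAP actions are forwarded. A message with any other action
    // gets a fault from the router and never reaches the app server.
    // Action URIs are assumed for the hypothetical IOrders contract.
    public static readonly string[] AllowedActions =
    {
        "http://tempuri.org/IOrders/GetOrder",
        "http://tempuri.org/IOrders/ListOrders"
    };

    public static RoutingConfiguration BuildConfiguration()
    {
        // The router speaks the generic request/reply router contract to the
        // backend; the real service contract is never referenced here.
        var internalContract = ContractDescription.GetContract(typeof(IRequestReplyRouter));
        var internalBinding  = new NetTcpBinding(SecurityMode.Transport); // Windows auth + encryption inside the LAN
        var internalEndpoint = new ServiceEndpoint(internalContract, internalBinding,
                                                   new EndpointAddress(InternalAddress));

        var config = new RoutingConfiguration();
        config.FilterTable.Add(new ActionMessageFilter(AllowedActions),
                               new List<ServiceEndpoint> { internalEndpoint });
        // Deliberately no MatchAllMessageFilter fallback: anything not in the
        // allowlist is rejected at the DMZ.
        return config;
    }

    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(RoutingService), new Uri(PublicAddress));

        // External face: HTTPS only, matching the firewall rule that admits
        // port 443 and nothing else.
        host.AddServiceEndpoint(typeof(IRequestReplyRouter),
                                new WSHttpBinding(SecurityMode.Transport), "");

        host.Description.Behaviors.Add(new RoutingBehavior(BuildConfiguration()));
        return host;
    }

    public static void Main()
    {
        using (var host = CreateHost())
        {
            host.Open();
            Console.WriteLine("Routing {0} -> {1}", PublicAddress, InternalAddress);
            Console.ReadLine();
        }
    }
}
```

Because the router holds no service contract and no database connection string, compromising it yields only the ability to send already-allowed actions inward, which is the property the "relay server inside the DMZ" suggestion is after. The same host can be dropped into IIS/WAS instead of a console process; the routing configuration and filter table are unchanged.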
I have a few suggestions; maybe one would work in your case:
Place the WCF service outside the firewall. If the WCF service needs to talk to the database, open the database port for the IP address of the machine running the WCF service.
Program, or use code generation, to create a WCF service that is simply a pass-through layer.
There may be some functionality in your firewall that allows you to publish an endpoint.