Is it not possible to specify the local client port used for server calls via NetTcpBinding?
NetPeerTcpBinding support this - I find it hard to believe there's no way to specify the local port (and IP Address for that matter) on clients.
I need to be able to use port sharing and I can't do this if I don't know what port the client is listening on. I won't be able to share the port (and IP) with another client so it can connect.
The only work-around I found is something like this:
Client A opens a connection to Server
Server logs the IP and Port of Client A
Server shares this info. with
Client B
Client B should be able to
connect to Client A on specified IP
and Port (in theory)
This is known as TCP/IP NAT hole punching I believe. Anyone with experience in this?
You probably don't understand the communication pattern with NetTcpBinding. It works this way:
The client opens connection to the server
Two-way communication: The client calls the server and gets the response over the same connection.
Duplex communication: The client calls the server. The server stores reference to the channel somewhere (you must implement this). Once the server wants to notify client about anything it takes stored channel and calls the client on the connection established by the client during its first call.
The server never opens connection to the client. The client doesn't expose any address with port for incomming communication. If you want to do that you must implement service on the client in the same way you did it on the server and you must manully send the address and port to the service exposed by the server.
The difference with NetPeerTcpBinding is that there is no real server and any client must be able to get incomming request. NetTcpBinding is for client-server scenarios where the server is the only peer able to process incomming requests. Because of that only the server needs to define an address and a port.
Related
I'm getting start WCF soap web service. Trying to implement a flexible, hot-plug featured, interoperable web service.
A device consumes server service (predefined IP address) which means registering to server, and then service asks device returning all configuration information of a device. Service remotely control those registered devices later.
Network Architecture
Please see the diagram below. A Server-side service is listening on 80 port. We had a router (Router B) which connects to the Server, and set NAT table 220.120.20.209:80 mapping to 192.168.0.3:80. 220.120.20.209 is a public IP.
Two Clients connect to a router (Router A) and have private IP addresses relatively(170.15.40.1/ 170.15.40.2) . Clients host a service (called DeviceService) listening on 80 port. And we didn't set NAT on Router A. 68.250.250.1 is a public IP.
Operation
(Request a Registration) Client sends (request) a message to a Service.
(Response) Service response a message.
(Get Config from Devices) Service consumes client through calling like http: //clientsIP:80/DeviceService.
Operation 1, 2 is working to me. To my understanding, incoming ip address of client#1 is 68.250.250.1 (I'm using RemoteEndpointMessageProperty to get the caller's address).
My question is "operation 3 is not working". Server can't access Client's private IP because of a Router/firewall.Only did Server get is 68.250.250.1. How can I solve this kind of problem? the problem have to do with Network Architecture?
I googled all day long found nothing to do with my problem. But I found websocket thing. Websocket is capable of full-duplex communication over Tcp. Does that mean once a client built a connection with a Server, Server can do operation 3 (Get Config from Devices) anytime even under my network architecture?
Updated 2014/4/24
Thanks a lot to #vtortola. After studying those references , I am still confused that if it's possible to allow call a self-host service from client during a callback session?
Try to elaborate what I thought
Clients will have a self-host service at first. e.g. Providing Configuration Service
Let the Client drive the interaction first, and built a bi-direction channel between Client and Server.
Client requests, and Server response. At the same time, Server triggers the callback procedure.
Server requests "Providing Configuration" message to client via channel during the period callback is fired.
It won't work that way if Router A is doing NAT. RouterA has only an TCP 80 port. Even if you forward it to Client#1, then Client#2 won't work. And I assume RouterA is doing NAT because the client IP addresses are private, so it is translating them to a public IP address.
I think you are messing two concepts. NAT (Network Address Translation) is about IP addresses, it has nothing to do with ports. With NAT you allow your client private IP addresses be translated to the public IP address and therefore get into the internet. Port Forwarding is a technique that allows to map a TCP or UDP port in the public interface of the router to a particular local IP address. Router B is doing NAT to allow the Server communicate with internet through the public interface, and port forwarding to allow hosts in internet to access Server's TCP 80 port, by accessing its TCP 80 port.
Let the Client drive the interaction. In operation #3, the client should send the device configuration after getting the server response in #2.
If you need the server to lead some of the interactions, you must then use a duplex WCF service. WebSocket is one of the duplex WCF bindings. But again, the channel must be established from client to server first.
A Beginner's Guide to Duplex WCF
Duplex Service in WCF
WCF and WebSockets
I'm planning on using a wsDualHttpBinding for a WCF service with callbacks. The clients will be a windows form application communicating to the service over the internet. Obviously I have no control over the firewall on the client side, so I'm wondering what is the proper way to set the ClientBaseAddress on the client side?
Right now in my intiial testing I'm running the service and client on the same pc and i am setting the binding as follows
Dim binding As System.ServiceModel.WSDualHttpBinding = Struct.Endpoint.Binding
binding.ClientBaseAddress = New Uri("http://localhost:6667")
But I have a feeling this won't work when deploying over the internet because "localhost" won't translate to the machine address (much less worrying about NAT translation) and that port might be blocked by the clients firewall.
What is the proper way to handle the base address for callbacks to a remote client?
some one tell me if i do not specify ClientBaseAddress then WCF infratructure creates a default client base address at port 80 which is used for the incoming connections from the service. Since port 80 is usually open to firewalls, things should just work.
so just tell me when win form wcf client apps will run then how can i open my custom port like "6667" and also guide me what library or what approach i should use as a result response should come from client side router
to pc and firewall will not block anything. please discuss this issue with real life scenario how people handle this kind of situation in real life. thanks
The proper way is to use TCP transport instead of HTTP transport. Duplex communication over HTTP requires two HTTP connections - one opened from client to server (that's OK) and second opened from server to client. This can work only in scenarios where you have full control over both ends. There is simply too many complications which cannot be avoided just by guessing what address to use like:
Local Windows or third party firewall has to be configured
Permission for application to run - listening on HTTP is not allowed by default unless UAC is turned off or application is running as admin. You must allow listening on the port through netsh or httpcfg (windows XP and 2003) - that again requires admin permissions.
Port can be already used by another application. In case of 80 it can be used by any local web server - for example IIS.
Private networks and network devices - if your client machine is behind the NAT the port forwarding must be configured but what if you have two machines running your application on the same private network? You cannot forward from the same incoming port to two machines.
All these issues can be avoided mostly only when you have control over whole infrastructure. That is the reason why HTTP duplex communication is useful mostly for intranet scenarios and why for example Silverlight offers another implementation where the second connection is not created and Silverlight client instead polls server continuously to check if there is any callback available.
TCP transport requires only single connection from client to server because TCP protocol is natively duplex so the server can call back the client through the same connection. When you deploy a public service you usually have control over infrastructure on the server side so you can make necessary changes in configuration to make it work.
I think this also answers your previous question.
Does anyone know if there is a port that absolutely has to be open on the SQL server to allow service broker traffic? We were testing what happens when you close off all ports on the SQL server except (1433, 445, 3389) and the query notification still worked. We were under the impression that 4022 has to be open for the service broker to work we a default listening port.
Is there a SQL system view that shows what port the service broker is communicating on?
Is there a command to terminate all active query notifications on a database so the database can be dropped?
Thanks
If your service broker architecture is passing messages between servers (endpoints) then it will need ports other than the normal SQL ones.
If client code such as query notifications is accessing service broker then it uses SQL statements (with some new syntax) through the standard SQL connection and this part doesn't use any additional ports.
From How to: Activate Service Broker Networking (Transact-SQL):
Service Broker does not send or receive messages over the network by
default. To activate Service Broker networking in an instance, create
an endpoint for Service Broker.
When you create an endpoint you specifically assign a port to use:
CREATE ENDPOINT BrokerEndpoint
STATE = STARTED
AS TCP ( LISTENER_PORT = 4037 )
FOR SERVICE_BROKER ( AUTHENTICATION = WINDOWS );
Port 4022 is used when Service Broker communicates with other broker instances. How are you using Service Broker? If all the work is internal to your database then it never needs to use a TCP endpoint.
Query Notification does not require a Service Broker endpoint because it always deliver the messages locally, int he same DB where you started the notifications from. Although configuring QN to deliver notifications to a remote machine is possible, ding so is basically unheard of. See The Mysterious Notification.
As for the question: Service Broker requires only the configured endpoint port to be open. You can see the listening port in sys.tcp_endpoints. If the configured authentication is Windows then the ports needed for Kerberos/NTLM (135, ?389) are also required in order to authenticate the SSB connections. Note that the SMB port (445) is not required by SSB ever. If SSB endpoint configured authentication is certificates then no additional port is required. See How does Certificate based Authentication work.
I have some small questions of which I think they're quite easy to answer for a WCF expert, but which I don't exactly know. I'm hoping they're not to obvious:
Does transport security (http with
ssl) work in conjunction with
streaming? If no, how can I transfer
large data in a secure way to the
client?
If I am not completely off the track
an IDuplexSessionChannel requires
the client to open a port too, so
that the service can contact the
client via a callback. Does this
also affect an IDuplexSessionChannel
which comunicates via http? Port 80
should be open by default, shouldn't
it?
Yes streaming works with HTTPS (basicHttpBinding).
Yes duplex session channel requires port opened on the client because duplex communication over HTTP really means one connection from the client to the server and one reverse connection from the server to the client. Port 80 doesn't have to be opened by default on the client - if it is, it is most probably already associated with some web server so it cannot be used for the communication. Duplex communication is also WCF specific (it is not interoperable) and it leads to other consequences. For example in Windows Vista \ Windows 7 \ Windows 2008 Server with UAC you must run the client with elevated privileges or allow listening on the port by using netsh command line utility.
I'm not sure how these two questions are related but wsDualHttpBinding (implementation of IDuplexSessionChannel) doesn't support streaming or transport security.
I need to create a self-hosted WCF service.
I need secure duplex connection between client and server through Internet.
I read some documents of WCF and found that the netTcpBinding is suitable for intranet application, because the SSL is only point 2 point. If it is an internet application, the connection must not be point 2 point, am I correct? so SSL in transport security with netTcpBinding is not suitable?
so what combination should I use to create a secure duplex internet application?
thank you very much.
I have tried http://www.codeproject.com/KB/WCF/WCFWPFChat.aspx
this tutorial use netTcpBinding and endpoint localhost
I change the endpoint localhost to a name based url, forward a port in my router to my development PC, open the same port at Windows firewall.
The client program can chat with each cients program in different machines, BUT the callback connection will lost after one minute.
I also tried changing the binding to wsDualHttpBinding, the clients program can chat with each clients in the same machine and kept the callback connection in the reliableSession inactivityTimeout setting. However another client program in another machine cannot join the server, if I turn off Windows firewall on that machine, the client program can connect.
It seems that tcp binding can let the client program connecting to the server with Windows firewall turn on. but callback connection lost.
and the wsDualHttpBinding can keep the callback connections. but cannot connect to server if Windows firewall on.
Is there a way to kept the netTcpBinding callback connection as in the wsDualHttpBinding?
It sounds like you have two issues- duplex connection and security.
If you truly need a duplex connection (eg, server-initiated callbacks), neither of these will work very well over the internet unless you have very fine control over the firewalls on both ends (the client still has to expose a publicly accessible HTTP endpoint for the server to call back). The best way would be to use the new relay services with .NET 4.0- this allows for a mimic'd server-initiated connection through firewalls.
EDIT: this is now called AppFabric, and is part of the Windows Azure infrastructure
On the security front, you can always use message security over the service bus, but I don't see a reason why transport security would be a problem either.
To answer user248724,
The client program can chat with each
cients program in different machines,
BUT the callback connection will lost
after one minute.after one minute.
You need either have the client or the server to ping each other at least every minute to keep the connection socket alive.