Here's the scenario: A client machine has connected to the 'Work network' via VPN (Cisco VPN Client). The work network hosts a machine that has a WCF service with nettcp binding. The client tries to connect to this service and gets an exception as follows:
Could not connect to
net.tcp://workMachine:2010/SomeService.
The connection attempt lasted for a
time span of 00:00:01.3180754. TCP
error code 10061: No connection could
be made because the target machine
actively refused it workMachine:2010.
Things I tried:
Changed the Workgroup of the client
machine to the work network
workgroup
Added domain/username/password for the Windows Networking Password vault, so that it can be used to connect
Changed the wcf service path with an IP address instead of the workMachine name
Checked client machine firewalls and added to allow the wcf client through it
All above failed and didn't work.
Has anyone encountered similar issues?
The client machine is on Windows 7
SecurityMode of the WCF service is set to NONE - so that shouldn't be an issue.
Any insights will be helpful
You may need to supply client credentials explicitly through your proxy object.
Assume that the proxy object in the code below implements one of the ClientBase interfaces.
proxy.ClientCredentials.Windows.ClientCredential.UserName = "clientaccount";
proxy.ClientCredentials.Windows.ClientCredential.Password = "S3cr3t1337Pwd";
Could you - just for testing purposes - expose the same service on the same machine using a HTTP endpoint, and try to connect to that one from your VPN client?
NetTcp is an excellent choice behind the corporate firewall - just don't know how the Cisco VPN client might cause troubles here, that might not show up when using an http-based protocol. Just a wild guess for now, but if you have nothing else to go on, give it a try!
Marc
Just another thought to assist with debugging of these kind of issues, using CMD execute "netstat -a" (you can append the -o switch and find the related process id also) and see if the port in question is currently open, if it isn't you may have an issue with the SMSvcHost.exe (this is the Windows process for managing an IIS hosted TCP Service).
I've had this issue before and rectified it by restarting the following services (obviously you'll need to carefully consider this if you are dealing with a live production system):
NetTcpActivator (Net. Tcp Listening Adapter)
NetTcpPortSharing (Net. Tcp Port Sharing Service)
and possibly if relevant:
NetMsmqActivator (Net. Pipe Listener Adapter)
NetPipeActivator (Net. Pipe Listener Adapter)
Hope this helps someone!
J.
Related
I have a wcf service (with net.tcp binding) hosted at windows service and a wpf client. when I run the service in a server outside the company's domain it works excellent, the problem is when I host the service in a server inside the company's domain, and try to run the wpf app in a client outside of the company domain.
I'm getting the same error, "The Socket connection was aborted..."
I try with Security Mode None, Transport and the same result.
My question is, what is the correct way to do that? I mean host the wcf net TCP service in a domain server and call it from a client outside of domain?
Thanks a lot!
I change the binding from net.tcp to wshttp and the service works fine!
Server with the corporate domain and client without corporate domain
The thing is I need the make this work with net.tcp
Neither a Windows Domain nor DNS have anything to do with WCF/TCP if you don't explicitly make it so.
Assuming the address you gave actually leads to the PC you host your service on (so no local IP addresses) and nothing in between (like a firewall) blocks the connection, it should work.
The correct way is to make sure client and server can talk to each other. If it's different networks, you will need NAT and if one is a corporate network I'd be very surprised to see no firewall that you need to configure.
As a first step, try to ping your target machine from your client machine.
I'm planning on using a wsDualHttpBinding for a WCF service with callbacks. The clients will be a windows form application communicating to the service over the internet. Obviously I have no control over the firewall on the client side, so I'm wondering what is the proper way to set the ClientBaseAddress on the client side?
Right now in my intiial testing I'm running the service and client on the same pc and i am setting the binding as follows
Dim binding As System.ServiceModel.WSDualHttpBinding = Struct.Endpoint.Binding
binding.ClientBaseAddress = New Uri("http://localhost:6667")
But I have a feeling this won't work when deploying over the internet because "localhost" won't translate to the machine address (much less worrying about NAT translation) and that port might be blocked by the clients firewall.
What is the proper way to handle the base address for callbacks to a remote client?
some one tell me if i do not specify ClientBaseAddress then WCF infratructure creates a default client base address at port 80 which is used for the incoming connections from the service. Since port 80 is usually open to firewalls, things should just work.
so just tell me when win form wcf client apps will run then how can i open my custom port like "6667" and also guide me what library or what approach i should use as a result response should come from client side router
to pc and firewall will not block anything. please discuss this issue with real life scenario how people handle this kind of situation in real life. thanks
The proper way is to use TCP transport instead of HTTP transport. Duplex communication over HTTP requires two HTTP connections - one opened from client to server (that's OK) and second opened from server to client. This can work only in scenarios where you have full control over both ends. There is simply too many complications which cannot be avoided just by guessing what address to use like:
Local Windows or third party firewall has to be configured
Permission for application to run - listening on HTTP is not allowed by default unless UAC is turned off or application is running as admin. You must allow listening on the port through netsh or httpcfg (windows XP and 2003) - that again requires admin permissions.
Port can be already used by another application. In case of 80 it can be used by any local web server - for example IIS.
Private networks and network devices - if your client machine is behind the NAT the port forwarding must be configured but what if you have two machines running your application on the same private network? You cannot forward from the same incoming port to two machines.
All these issues can be avoided mostly only when you have control over whole infrastructure. That is the reason why HTTP duplex communication is useful mostly for intranet scenarios and why for example Silverlight offers another implementation where the second connection is not created and Silverlight client instead polls server continuously to check if there is any callback available.
TCP transport requires only single connection from client to server because TCP protocol is natively duplex so the server can call back the client through the same connection. When you deploy a public service you usually have control over infrastructure on the server side so you can make necessary changes in configuration to make it work.
I think this also answers your previous question.
I am new to wcf programming and I have been working on a small project and am having problems with net.tcp port sharing. I am using .net framework 4 and iis 7.
I have two wcf services (serviceA and serviceB) being hosted on our server in separate websites on IIS. Each website has its own .svc file, web.config and bin. If I have each of these services on different net.tcp ports then there is no problem and I can add the service reference to each of them from visual studio on my pc. The services run fine.
However we will soon be starting a project with many more services and we wish to avoid having to open a tcp port for each one so I have been trying to get serviceA and serviceB to port share. If I set them up on the same port then I can access the first service I add but when when I try to access the second service added to the same port i get the following error:
Metadata contains a reference that cannot be resolved:
'net.tcp://myserver/serviceB.svc'. The socket connection was aborted. This
could be caused by an error processing your message or a receive
timeout being exceeded by the remote host, or an underlying network
resource issue. Local socket timeout was **. An
existing connection was forcibly closed by the remote host If the
service is defined in the current solution, try building the solution
and adding the service reference again.
I can not work out what is going wrong. I have done a lot of searching on the subject and I have made sure that the following services are running:
Windows Process Activation Service
Net.Tcp Port Sharing Service
Net.Tcp Listener Adaptor
In addition net.tcp is an enabled protocol in the website's advanced settings. My current best guess is that it might have something to do with how I have defined the net.tcp bindings in IIS manager. Both of my websites running their independant services have the following: 808:*(net.tcp) is this correct?
As i said earlier the tcp services run fine if set up on two separate ports so the issue must be related to the port sharing. Very grateful for any advice
OK I found the problem I was having. In IIS I had set up each service as its own website and was trying to get those different websites to port share. This would not work.
However I found that if I set up just one website and then added my services as seaprate applications under the website then the port sharing will work. This approach lets me have multiple services as applications under one website.
Check this.
This can be helpful to you.
http://himanshudesai.wordpress.com/2011/06/03/multiple-wcf-services-on-a-single-port/
Hope this helps.
We have created a WCF using net.tcp with an anticipation that the service can work in a firewall that would accept only HTTP port. The client behind firewall can also access it.
Do we need to host the service on a static, public IP so that any client from any network can conect to it?
Ideally, we would like to host the service on a node behind a firewall (say on 192.168.0.199) so that a client on some other network could connect to it.
Please suggest.
Well, either you need to make the service publicly visible somehow - using a public IP, or by routing a publicly visible IP on your corporate firewall to your internal server. But yes - it needs to be publicly visible one way or another.
The other option would be to connect it to the Windows Azure Service Bus - in that case, you could keep it behind the firewall, and just establish a publicly visible IP "in the cloud" that will then route the traffic to your web server.
Marc
I may be off on this but WCF client should have no issues communicating with a WCF server behind a firewall. Even application - level firewalls are OK in this scenario, as long as you configure them to not inspect past layer 4. Do not authenticate or do anything with your traffic at the firewall - simply NAT it to an inside IP address and you should be ok.
Couple of notes: transport security might be a little better to this observer but both transport and message level security in WCF should work without problems through firewalls. If you need message streaming though, then you are stuck with transport level security.
If your firewall (or one of your firewalls) happens to be Microsoft ISA or TMG type device, you may find this helpful: http://www.run-corp.com/how-to-configure-wcf-application-on-microsoft-isa-tmg-firewall/.
I need to create a self-hosted WCF service.
I need secure duplex connection between client and server through Internet.
I read some documents of WCF and found that the netTcpBinding is suitable for intranet application, because the SSL is only point 2 point. If it is an internet application, the connection must not be point 2 point, am I correct? so SSL in transport security with netTcpBinding is not suitable?
so what combination should I use to create a secure duplex internet application?
thank you very much.
I have tried http://www.codeproject.com/KB/WCF/WCFWPFChat.aspx
this tutorial use netTcpBinding and endpoint localhost
I change the endpoint localhost to a name based url, forward a port in my router to my development PC, open the same port at Windows firewall.
The client program can chat with each cients program in different machines, BUT the callback connection will lost after one minute.
I also tried changing the binding to wsDualHttpBinding, the clients program can chat with each clients in the same machine and kept the callback connection in the reliableSession inactivityTimeout setting. However another client program in another machine cannot join the server, if I turn off Windows firewall on that machine, the client program can connect.
It seems that tcp binding can let the client program connecting to the server with Windows firewall turn on. but callback connection lost.
and the wsDualHttpBinding can keep the callback connections. but cannot connect to server if Windows firewall on.
Is there a way to kept the netTcpBinding callback connection as in the wsDualHttpBinding?
It sounds like you have two issues- duplex connection and security.
If you truly need a duplex connection (eg, server-initiated callbacks), neither of these will work very well over the internet unless you have very fine control over the firewalls on both ends (the client still has to expose a publicly accessible HTTP endpoint for the server to call back). The best way would be to use the new relay services with .NET 4.0- this allows for a mimic'd server-initiated connection through firewalls.
EDIT: this is now called AppFabric, and is part of the Windows Azure infrastructure
On the security front, you can always use message security over the service bus, but I don't see a reason why transport security would be a problem either.
To answer user248724,
The client program can chat with each
cients program in different machines,
BUT the callback connection will lost
after one minute.after one minute.
You need either have the client or the server to ping each other at least every minute to keep the connection socket alive.