Re: Remote mathkernel through firewall behind NAT
- To: mathgroup at smc.vnet.net
- Subject: [mg46795] Re: [mg46737] Remote mathkernel through firewall behind NAT
- From: jmt <jmt at dxdydz.net>
- Date: Tue, 9 Mar 2004 04:30:39 -0500 (EST)
- References: <200403040547.AAA14278@smc.vnet.net>
- Reply-to: jmt at dxdydz.net
- Sender: owner-wri-mathgroup at wolfram.com
Why don't you connect to the remote kernel through an ssh tunnel?

You can find a clean implementation of an ssh server for Microsoft on http://www.ssh.fi , or use free implementations such as OpenSSH.

ssh will definitively solve your problems: remote kernel connections, remote library connections, and so on, in a transparent and secure manner through firewalls and across networks.

Using an "agent" increases ease of use.

Do not hesitate to contact me privately for more information.

jmt

On Thursday 04 March 2004 06:47, Antti Penttilä at smc.vnet.net wrote:
> Hi,
>
> I have quite a tricky problem with remote kernels. I have used a remote
> Mathematica kernel (on a Windows machine) with a front end on Macintosh
> OS9. This used to work with Mathematica 4 and (possibly) a different
> network environment, but it does not work anymore after upgrading to
> Mathematica 5. The problem is the following:
>
> Front end and kernel are in different subnets, and there is a firewall
> between them. I can negotiate with the network administrator that certain
> IP-ports will be open in the firewall for Mathematica-traffic. I can
> force Mathematica to use a certain port, for example port number 30000, by
> starting the kernel with these options:
>
> math -mathlink -linkprotocol TCPIP -linkmode listen -linkname 30000
>
> and giving these options as "Arguments to MLOpen:" in the kernel
> configuration menu in the front end:
>
> -LinkProtocol TCPIP -LinkMode Connect -LinkOptions MLDontInteract
> -LinkName 30000@server.address.here
>
> This configuration works fine when both the machines are in the same
> subnet and there is no firewall. However, it does not work when the
> firewall is between. I have used a network traffic monitor program to
> analyze the problem, and I found out that Mathematica is mostly using the
> port 30000, but it also sends some packets using a different port. This
> will happen after the front end and kernel have exchanged a
> TCP/IP-packet, which includes the text "msg_port=number", where the
> number changes from one session to another. Because the first packet to this
> port is sent from the front end, it can not pass the firewall, and thus
> the connection fails.
>
> Is there any option to define also the other port number to Mathematica?
>
> I could solve the firewall problem by launching the connection the other way
> around, and invoking the kernel by:
>
> math -mathlink -linkprotocol TCPIP -linkmode connect -linkname
> 30000@frontend.address.here
>
> and giving "Arguments to MLOpen:":
> -LinkProtocol TCPIP -LinkMode Listen -LinkOptions MLDontInteract
> -LinkName 30000
>
> because in this configuration all the IP-tunnels are first opened from
> the kernel side, and thus OK for the firewall. The problem with this is
> that the front end machine is behind an ADSL-box and has only a private
> IP-address which is NAT-translated. This could be resolved by adding
> some routings to the ADSL-box or obtaining a public IP-address, I think?
>
> Any other ideas?