
Network Address Translator (NAT) and firewall issues

Because the Process Engine uses TCP/IP network connections, the use of a firewall and/or Network Address Translator (NAT) can prevent the necessary communication between the Process Engine, Application Engine or web server, and client by hiding the fully qualified name of the web server host. The following sections explain the problem in more detail.

Background information

A firewall is a dedicated gateway device with special security precautions on it, used to service outside network connections (especially Internet connections) and dial-in lines. The idea is to protect a cluster of more loosely administered machines hidden behind it from hackers or other unauthorized users.

A Network Address Translator (NAT) is an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. When the Process Engine or Application Engine or web server is communicating with a client through Network Address Translators, the fully qualified address of the web server must be passed to the client.

The problem

The Process Engine and Application Engine or web server are configured to operate in a secure intranet environment out-of-the-box. The different system components can communicate with each other using the standard network protocols and ports. No restrictions are placed on the selection of ports for communication between devices within the secure area.

However, the out-of-the-box approach may not work in some more complex environments, for example where the Process Engine and Application Engine or web servers are installed as part of a larger domain containing many objects and devices, or where clients and servers are distributed over several domains, each with its own method of securing access. Typical security measures may include restriction of ports to those essential for system components.

Communication between the Application Engine or web servers and the Process Engine, or between the client and server components, uses Java RMI (Remote Method Invocation), which allows an object running in one Java Virtual Machine (VM) to invoke methods on an object running in another Java VM. An inherent feature of RMI is that it uses arbitrary port numbers to return messages to originating devices. This can pose a problem in networks where port assignments are tightly controlled.

Symptoms

Depending on the server's platform and network environment, the fully qualified name of the Application Engine or web server host may or may not be available to the Java virtual machine running on the Process Engine. If it is not available, you may receive the error “Failed to find Service Router” when starting the Process Router.

Solution

You must specify the host's fully qualified name when starting the Process Router. For details, see the online help for Process Task Manager or Process Service Administrator.
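
The two RMI behaviors described above (arbitrary ports and the host name passed to the client) can be seen in plain Java RMI. The following is an added example, not FileNet code or a Process Engine configuration; the class name, the Ping interface and port 40001 are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class FixedPortRmiDemo {
    // Hypothetical remote interface, for illustration only.
    public interface Ping extends Remote {
        String ping() throws RemoteException;
    }

    static class PingImpl implements Ping {
        public String ping() { return "pong"; }
    }

    static final int REGISTRY_PORT = 1099; // default RMI registry port
    static final int OBJECT_PORT = 40001;  // constructed value: the one object port a firewall rule must allow

    public static void main(String[] args) throws Exception {
        // Host name the JVM embeds in every stub it hands to clients. Behind NAT this
        // must be a name the client can resolve, so take it from the command line.
        String fqdn = args.length > 0 ? args[0]
                : InetAddress.getLocalHost().getCanonicalHostName();
        if (!fqdn.contains(".")) {
            System.err.println("Warning: '" + fqdn + "' is not fully qualified");
        }
        System.setProperty("java.rmi.server.hostname", fqdn); // set before any export

        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        PingImpl impl = new PingImpl();
        // Passing 0 here lets RMI choose an arbitrary port, which is the behavior
        // that conflicts with tightly controlled port assignments.
        Ping stub = (Ping) UnicastRemoteObject.exportObject(impl, OBJECT_PORT);
        registry.rebind("ping", stub);

        // Client side: the stub returned by lookup carries fqdn and OBJECT_PORT.
        Ping remote = (Ping) LocateRegistry.getRegistry(fqdn, REGISTRY_PORT).lookup("ping");
        System.out.println("stub endpoint: " + stub);
        System.out.println("call result:   " + remote.ping());

        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

The printed stub endpoint shows the host name and port a client will connect back to, which is the value to compare against the firewall and NAT rules.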