Help for Process Engine Reference
Network Address Translator (NAT) and firewall issues

Because the Process Engine uses TCP/IP network connections, a firewall and/or Network Address Translator (NAT) can prevent the necessary communication between the Process Engine, the Application Engine or web server, and the client by hiding the fully qualified name of the web server host. The following sections explain the problem in more detail.

Background information

A firewall is a dedicated gateway device with special security precautions on it, used to service outside network connections (especially Internet connections) and dial-in lines. The idea is to protect a cluster of more loosely administered machines hidden behind it from hackers or other unauthorized users.

A Network Address Translator (NAT) is an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. When the Process Engine, Application Engine, or web server communicates with a client through Network Address Translators, the fully qualified address of the web server must be passed to the client.

The problem

Out of the box, the Process Engine and the Application Engine or web server are configured to operate in a secure intranet environment. The different system components can communicate with each other using the standard network protocols and ports. No restrictions are placed on the selection of ports for communication between devices within the secure area.

However, the out-of-the-box approach may not work in more complex environments, where the Process Engine and Application Engine or web servers may be installed as part of a larger domain containing many objects and devices, or where clients and servers may be distributed over several domains, each with varying methods of securing access. Typical security measures may include restricting ports to those essential for system components.

Communication between the Application Engine or web servers and the Process Engine, or between the client and server components, uses Java RMI, which allows an object running in one Java Virtual Machine (VM) to invoke methods on an object running in another Java VM. An inherent feature of RMI is that it uses arbitrary port numbers to return messages to originating devices. This can pose a problem in networks where port assignments are tightly controlled.

Symptoms

Depending on the server's platform and network environment, the fully qualified name of the Application Engine or web server host may or may not be available to the Java virtual machine running on the Process Engine. If it is not available, you may receive the error "Failed to find Service Router" when starting the Process Router.

Solution

You must specify the host's fully qualified name when starting the Process Router. For details, see the online help for Process Task Manager or Process Service Administrator.
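The following added example is generic Java RMI code, not the Process Engine's own code or configuration. It shows the two RMI behaviors described above: the host name embedded in the stub handed to clients, and the port on which the remote object listens. The class and interface names, the host name `appserver.example.com`, and both port numbers are assumptions chosen for illustration.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class FixedPortRmiServer {
    // Hypothetical remote interface, for illustration only.
    public interface Ping extends Remote {
        String ping() throws RemoteException;
    }

    static class PingImpl implements Ping {
        public String ping() { return "pong"; }
    }

    // Constructed values: substitute the host name and ports used at your site.
    static final String PUBLIC_FQDN = "appserver.example.com";
    static final int REGISTRY_PORT = 1099;  // RMI registry (lookup) port
    static final int OBJECT_PORT = 40001;   // fixed port for the exported object

    // Strong references so the exported object and registry are not collected.
    static PingImpl impl;
    static Registry registry;

    public static void main(String[] args) throws Exception {
        // Host name written into every stub handed to clients. If it is not
        // set, RMI advertises the local host's IP address as the JVM resolves
        // it, which behind a NAT is often an internal address that clients
        // cannot reach. Set it before any RMI object is exported.
        System.setProperty("java.rmi.server.hostname", PUBLIC_FQDN);

        impl = new PingImpl();
        // Port 0 would let RMI choose an anonymous port at run time. A fixed
        // port lets the firewall allow one known port instead of a wide range.
        Ping stub = (Ping) UnicastRemoteObject.exportObject(impl, OBJECT_PORT);

        registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        registry.rebind("Ping", stub);

        // The printed stub shows the endpoint (host:port) clients will dial.
        System.out.println("Stub advertises: " + stub);
        System.out.println("Allow inbound TCP " + REGISTRY_PORT
                + " and " + OBJECT_PORT + " only.");
    }
}
```

Comparing the printed endpoint with what the client can actually resolve and reach through the firewall is a quick check when diagnosing connection failures of this kind.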