Access Grid networking and firewall issues

From GridInfo


A major factor in having the Access Grid working correctly on your desktop (or node) is the configuration of the firewall and routers. There are two possible approaches to joining an Access Grid Venue:

  • Using Multicast to send the media data to the participants in the group.

  • Unicasting to a bridge, which forwards the media to and from the group on your behalf.

The preferred way to join an Access Grid session is to be part of the Multicast group, but this relies on your network being Multicast enabled. Once it is, the firewall needs to be configured to allow UDP traffic with a Multicast destination address to pass through in both directions. Sending Multicast should be easier than receiving: the sender only needs to know the Multicast address and port to send to the group, whereas receiving data relies on dynamically joining the Multicast group, which requires the routers on the network to run software that discovers group members and forwards the data to them. This may lead to a situation where you cannot see or hear other participants but they can see and hear you (be careful what you say). Diagnostic tools such as the Multicast Beacon can identify whether Multicast traffic is being routed to other machines that are part of a Multicast group.

The multicast addresses and UDP ports that you need to permit through the firewall will depend on the Access Grid venue you wish to join. These values may be statically defined (a small number of addresses and ports) or dynamically assigned (and therefore a larger range of addresses and/or ports). Speak to the maintainers of your VenueServer.

If you are unable to Multicast directly, you can take part in the group by bridging. This relies on a machine that is on a Multicast enabled network forwarding the media streams on your behalf. A disadvantage of this approach is that the bridge can become overloaded (it has to send a duplicate copy of the data to each connected participant). To allow video and audio data to be streamed to the bridge, UDP ports have to be opened in the firewall to that specific bridge machine only.

The UDP ports that need to be opened to use the bridges within the eMinerals Venue are 30000-30011.


Firewall summary

Unicast communications for the venue client to connect to the venueserver

If the Access Grid client is to be able to join a venue (at Manchester Access Grid centre) you must allow:

for Access Grid 2

  • TCP on ports 8000, 8002, 8004, and 8006 to ag2server.ag.manchester.ac.uk

and for Access Grid 3

  • TCP on ports 8000, 8002, 8004, and 8006 to sam.ag.manchester.ac.uk

Multicast communications

The full IP address range reserved for multicast communication is 224.0.0.0 – 239.255.255.255.

For access to the JANET (UK Joint Academic NETwork) multicast address range, allow:

  • UDP from any source address to destination address range 233.3.18.0/24, port range 49152-65535, to traverse the firewall in both directions

For access to the Argonne National Labs multicast address range, allow:

  • UDP from any source address to destination address range 233.2.171.0/24, port range 49152-65535, to traverse the firewall in both directions

For access to the Session Announcement Protocol (SAP, see RFC 2974) multicast address range, allow:

  • UDP from any source address to destination address range 224.2.128.0/17, port range 49152-65535, to traverse the firewall in both directions

In addition, the audio tool (RAT, the Robust Audio Tool) requires:

  • UDP from any source address to multicast address 224.255.222.239 on port 47000 in both directions.

Note that a packet with a source address in the multicast range is invalid and should be blocked; the ranges above apply to destination addresses only.

Unicast-multicast bridge

You need to allow UDP traffic between your desktop machine and the computer acting as a bridge, on the range of ports specified in the bridge software's configuration file. For example, to use the NIEeS AG2 bridge, allow:

  • UDP to and from bridge.escience.cam.ac.uk on ports 30000-30011
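The firewall summary above, transcribed into a small policy model that can be checked offline. This is an added example, not part of the GridInfo page: the two hostnames are replaced by constructed placeholder addresses (192.0.2.10 for the venue server, 192.0.2.20 for the bridge), and it assumes the firewall is stateful, so only the packet that opens a new flow is evaluated.

```python
import ipaddress
from typing import NamedTuple

MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # whole reserved multicast range

# Constructed placeholders for ag2server.ag.manchester.ac.uk and
# bridge.escience.cam.ac.uk; substitute the real resolved addresses.
VENUE_SERVER = ipaddress.ip_network("192.0.2.10/32")
AG2_BRIDGE = ipaddress.ip_network("192.0.2.20/32")

class Rule(NamedTuple):
    proto: str
    peer: ipaddress.IPv4Network   # venue server, bridge, or multicast group range
    ports: object                 # container of permitted peer/group ports
    both_ways: bool               # may the peer also initiate traffic to us?

# The "Firewall summary" section, one entry per bullet on the page.
RULES = [
    Rule("tcp", VENUE_SERVER, {8000, 8002, 8004, 8006}, False),
    Rule("udp", ipaddress.ip_network("233.3.18.0/24"), range(49152, 65536), True),   # JANET
    Rule("udp", ipaddress.ip_network("233.2.171.0/24"), range(49152, 65536), True),  # Argonne
    Rule("udp", ipaddress.ip_network("224.2.128.0/17"), range(49152, 65536), True),  # SAP
    Rule("udp", ipaddress.ip_network("224.255.222.239/32"), {47000}, True),          # RAT
    Rule("udp", AG2_BRIDGE, range(30000, 30012), True),                              # NIEeS bridge
]

class Packet(NamedTuple):
    proto: str
    direction: str   # "out" = leaving our network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int

def allowed(pkt: Packet) -> bool:
    """Decide whether the packet opening a new flow passes the summary's rules."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in MULTICAST:          # page: a multicast source address is invalid
        return False
    for r in RULES:
        if r.proto != pkt.proto:
            continue
        if r.peer.is_multicast:
            # A group address is always the destination, whichever way the packet travels.
            if dst in r.peer and pkt.dport in r.ports:
                return True
        elif pkt.direction == "out" and dst in r.peer and pkt.dport in r.ports:
            return True
        elif pkt.direction == "in" and r.both_ways and src in r.peer and pkt.sport in r.ports:
            return True
    return False
```

Run candidate flows through `allowed()` to confirm a rule set covers exactly the venues and bridge you intend; anything outside the listed groups, such as a multicast address with no entry, is rejected.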

Additional firewall holes

You may need to open further holes if you want to use optional software alongside Access Grid, for example Jabber or VNC software.

Holes too large?

You, or your firewall officer, may think the size of the firewall holes mentioned above is too great, but you should note that traffic aimed at a particular multicast address will be routed onto your network only if someone on the network is currently subscribed to that particular multicast group. If you want, you can further limit the ranges allowed through the firewall by specifying which venues are to be accessible, but it is our view that this is unnecessarily restrictive. It also makes it impractical (or at the very least, extremely frustrating) to use some add-on tools which use dynamic allocation of multicast addresses and ports.
