This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
Josh,

> All of our stations access the Internet via Sidewinder G2 firewalls from
> Secure Computing. We put Radware load balancers in front of these. Our
> preferred mode of operation is to rely on proxies within the G2 that
> strictly replicate the protocols of the apparent end-to-end connections.
> So, for example, an http request from within the company is actually
> terminated at the firewall. The firewall then initiates its own TCP
> connection to the user's intended destination, thereby serving as a proxy
> for the user's machine.

If the LDM connections are being initiated from within your network, then there should be a simple solution. An LDM initiates a connection when it creates a TCP connection to another LDM. Data subsequently flows from the other LDM to the LDM that initiated the connection. If data is flowing into your network, then your LDMs are initiating the connection. In this case, the intercepting proxy server on the gateway need only use the transparent proxy module (assuming it has one) to forward the TCP packets to their destination after replacing the source IP address with its own. It shouldn't make any difference if it replaces the source IP address of incoming packets on a connection before forwarding them to the LDM that initiated the connection. Does the Sidewinder G2 have a transparent proxy capability?

If, on the other hand, the LDM connections are being initiated from outside your network (so that data flows from within your network to without), then it is unlikely that your system can be configured so that your LDMs will work with the firewall.

> In order to make this work, the firewall must have
> a proxy (i.e., a protocol implementation) for the protocol in use, and the
> destination must be tolerant of getting a request from an IP address that is
> not the actual IP address of the source. It must also be tolerant of
> getting a subsequent request from the same actual source but this time
> coming from a different IP address, because of the load balancing, i.e., a
> different firewall may be involved the next time.
>
> We'll take a look at the spec for ONC RPC, and I'm checking into whether
> Secure has a proxy for this in their firewalls. Meanwhile, can you tell me
> if you think LDM would work this way?

Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: JGM-828686
Department: Support LDM
Priority: Normal
Status: On Hold
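The inbound case Steve describes (downstream LDM inside the company initiating the connection, firewall rewriting the source address, load balancer possibly presenting a different firewall next time) can be expressed as ldmd.conf fragments. This is an added, constructed example, not configuration from the ticket or from the LDM distribution; the host names, feed types and the firewall names are placeholders, and the assumption is that the upstream LDM matches its ALLOW pattern against the fully-qualified name of the connecting address, or its dotted-quad form if no name resolves.

```text
# Downstream LDM inside the company network (constructed example).
# Each REQUEST line opens its own TCP connection to the upstream host; a
# transparent proxy forwards it after replacing the source IP with its own.
REQUEST  IDS|DDPLUS  ".*"  upstream.example.edu
REQUEST  HDS         ".*"  upstream.example.edu

# Upstream LDM outside the company network (constructed example).
# It sees the firewall's address, not the downstream host's, so the ALLOW
# pattern (an extended regular expression, assumed to be matched against the
# connecting host's resolved name) must cover every firewall the load
# balancer may use, otherwise the second REQUEST may be refused when it
# arrives from the other firewall.  fw1/fw2 are placeholder names.
ALLOW    IDS|DDPLUS|HDS  ^(fw1|fw2)\.example\.com$
```

If the firewall addresses have no reverse DNS, the ALLOW pattern would need to match their dotted-quad addresses instead of names.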