This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
Brice,

> 'Quick' question for you. Is it possible to initiate a LDM connection
> from behind a firewall to an outside server and feed the external
> server data?

Connections are usually initiated by a downstream LDM connecting to an upstream LDM in order to request data, which is the opposite of what you described. In this usual case, the firewall must allow incoming TCP connections to the upstream LDM host on port 388.

> I have a situation that I am working on where an LDM server is being
> stood up in a DMZ. The server needs to be fed data from the protected
> system behind the DMZ (it may also take in some data from outside and
> feed it back to the protected system) for delivery to customers on the
> outside of the DMZ. Mostly simple, but the hitch is that the
> connection must be initiated from the protected system outbound to the
> DMZ server.

The LDM was deliberately designed to give downstream sites as much control over data reception as possible. There are ways to overcome this by using ldmsend(1) on the upstream host and having appropriate ACCEPT entries in the downstream LDM's configuration-file -- but this mechanism isn't as robust as the LDM system in normal usage.

I strongly recommend that you find a way to allow the LDM in the DMZ to initiate a connection to port 388 on the protected system.

To the best of our knowledge (and we should know) in the 17 years since its release, the LDM has never been used to break into a system. Because of its design, I firmly believe that's an impossibility.

> Will a standard configuration with allows and requests work on the DMZ
> server or does this scenario have more hinky configuration problems or
> is this scenario doable with LDM only, i.e. do I have to transport the
> data outbound to the DMZ server using some other method and then load
> the DMZ server locally?
>
> Your assistance will be greatly appreciated... as always.
>
> Brice
>
> Brice Biggerstaff
> Software Support Lead
> Johnson Space Center Weather Decision Support System
> 281-853-3011 (w)
> 713-764-2601 (p)
> address@hidden (alpha pager for text and email)
>
> Res Confacti Erimus
> "We Get Things Done!"

Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: ZYU-864541
Department: Support LDM
Priority: Normal
Status: Closed
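
The connection directions discussed in the reply above can be read straight out of an LDM configuration file. The following is an added example, not part of the original ticket or of the LDM distribution: it maps REQUEST, ALLOW and ACCEPT entries to the TCP connections a firewall has to permit on port 388. All host names and sample entries are constructed placeholders, and the function names are hypothetical.

```python
import re

LDM_PORT = 388  # port named in the reply above

# Constructed sample entries; every host name is a placeholder.
DMZ_PULL = '''
# Recommended: the DMZ LDM requests data from the protected system
REQUEST ANY ".*" protected.example.internal
ALLOW   ANY ^customer\\.example\\.org$
'''
PROTECTED = '''
ALLOW   ANY ^dmz\\.example\\.net$
'''
DMZ_PUSH = '''
# Workaround: protected host runs ldmsend(1); the DMZ LDM must ACCEPT it
ACCEPT  ANY ".*" ^protected\\.example\\.internal$
'''

def parse_entries(text):
    """Yield (keyword, fields) for REQUEST/ALLOW/ACCEPT lines, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)  # keep quoted patterns whole
        keyword = tokens[0].upper()
        if keyword in ("REQUEST", "ALLOW", "ACCEPT"):
            yield keyword, tokens[1:]

def connection_needs(local_host, text):
    """Map each entry to (direction, initiator, listener, port) for firewall review."""
    needs = []
    for keyword, fields in parse_entries(text):
        if keyword == "REQUEST":   # this host dials out to the upstream LDM
            needs.append(("outbound", local_host, fields[2], LDM_PORT))
        elif keyword == "ALLOW":   # downstream hosts matching the ERE dial in
            needs.append(("inbound", fields[1], local_host, LDM_PORT))
        else:                      # ACCEPT: unsolicited pushes, e.g. from ldmsend
            needs.append(("inbound-push", fields[2], local_host, LDM_PORT))
    return needs

def has_push_entries(text):
    """True if the configuration accepts pushed data and deserves a closer look."""
    return any(keyword == "ACCEPT" for keyword, _ in parse_entries(text))

if __name__ == "__main__":
    for name, conf in (("dmz.example.net", DMZ_PULL),
                       ("protected.example.internal", PROTECTED),
                       ("dmz.example.net", DMZ_PUSH)):
        for need in connection_needs(name, conf):
            print(need)
```

In the pull arrangement the only connection crossing into the protected network is the DMZ host's request to port 388; in the push arrangement the protected host is the initiator and the DMZ configuration carries an ACCEPT entry, which `has_push_entries` flags for review.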