Advice on Thin Client Through Proxy like WinGate

For questions and postings not covered by the other forums
ConvertFromOldNGs
Posts: 5321
Joined: Wed Aug 05, 2009 5:19 pm

Advice on Thin Client Through Proxy like WinGate

Postby ConvertFromOldNGs » Fri Aug 07, 2009 12:01 pm

by bizpoint >> Tue, 3 Apr 2001 6:36:01 GMT

Hi Jade Developers,
Need some advice on Thin Client setup.

Scenario
Local area network that connects to Internet using Wingate as proxy server. Need to run thin clients on PCs to access a Jade application on a RAPserver through the web.

Any ideas on whether Wingate needs to be set up specifically to allow Thin Client to go through, and how it is done?
If not possible, is it because of Wingate, or does Jade's smart thin client need to have a direct connection to the web to allow thin client to work?

Advice appreciated.
L.C. Lim


Re: Advice on Thin Client Through Proxy like WinGate

Postby ConvertFromOldNGs » Fri Aug 07, 2009 12:01 pm

by Martyn Leadley >> Thu, 5 Apr 2001 20:44:04 GMT

Hi,

Jade's smart thin client can support proxies, but this is only available when SSL encryption has been turned on.

For details on enabling SSL start by checking out the documentation (see Install and Admin, Ch 2. JADE Initialization File, JadeAppServer and JadeThinClient sections, and Ch 9, Enabling JADE Thin Client Security Encryption).

But as a brief intro to enabling SSL,

Update the Application Server's ini file

[JadeAppServer]
RPCEncryptionEnabled=true
RPCEncryptionHookDLL=SSL_TLS
SSLCertificateFile=C:\Jade\bin\server.pem
SSLPrivateKeyFile=C:\Jade\bin\server.pem

Update the Thin Client's ini file

[JadeThinClient]
RPCEncryptionEnabled=true
RPCEncryptionHookDLL=SSL_TLS

This will get the thin client to connect to the app server via SSL on port 443.

The proxy code in the thin client will now also be enabled. By default it will check the Windows registry to see if Internet Explorer proxy settings have been configured and use the common proxy or specifically the secure proxy setting (if no common proxy is defined). You can set the following ini entries if you want explicit control for each thin client (again see doc. for more details).

[JadeThinClient]
SSLProxyHost=proxyhost
SSLProxyPort=8080


A couple of other points.

The SSL certificates supplied (server.pem and client.pem) are supplied as samples for testing. You did not mention encryption, so these certificates are fine. But if you do care about encryption and security of the connection, then it is recommended that you create or obtain your own certificates.

The proxy must support the HTTP/1.0 CONNECT command. SOCKS-based proxies are not supported.


Hope this helps
Martyn
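
The CONNECT requirement in the post above can be checked from a client machine before any ini file is touched. The following is an added example, not part of the original post and not JADE code: it sends the same HTTP/1.0 CONNECT request a tunnelling client would and reports whether the proxy grants it. The host name `appserver.example` and the stub proxy that only permits port 443 are constructed so the script runs offline.

```python
import socket
import threading

def build_connect_request(host, port):
    """Request a tunnel to host:port the way an HTTP/1.0 CONNECT client does."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")

def parse_status(reply):
    """Return the numeric status code from the proxy's first response line."""
    line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP response: {line!r}")
    return int(parts[1])

def read_until(sock, marker):
    """Read from sock until marker is seen or the peer closes."""
    data = b""
    while marker not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def proxy_allows_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """True if the proxy answers CONNECT target_host:target_port with a 2xx status."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        return 200 <= parse_status(read_until(s, b"\r\n")) < 300

def start_stub_proxy(allowed_ports=(443,)):
    """Constructed stand-in proxy: grants CONNECT only to allowed_ports."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                target = read_until(conn, b"\r\n\r\n").split()[1].decode()
                ok = int(target.rsplit(":", 1)[1]) in allowed_ports
                conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n" if ok
                             else b"HTTP/1.0 403 Forbidden\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    proxy_port = start_stub_proxy().getsockname()[1]
    for port in (443, 444):  # 444 is the SSLSecurePort value used later in the thread
        ok = proxy_allows_connect("127.0.0.1", proxy_port, "appserver.example", port)
        print(f"CONNECT appserver.example:{port} ->", "allowed" if ok else "refused")
```

Against a real proxy, call `proxy_allows_connect` with the values that would go into SSLProxyHost and SSLProxyPort; a 403 or 407 status means the proxy policy or proxy authentication has to be sorted out first.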


Re: Advice on Thin Client Through Proxy like WinGate

Postby ConvertFromOldNGs » Fri Aug 07, 2009 12:01 pm

by Stephen Persson >> Sun, 8 Apr 2001 22:16:16 GMT

I presume when you say it supports proxies, you are assuming that the proxy server has port 443 unblocked, which I agree is a perfectly valid assumption.
However what if you can't use port 443? - then your app is back at the mercy of the proxy as to whether or not it has your particular port unblocked, and chances are it would be blocked.

We host our own Jade apps for clients and we currently have 3 thin client enabled separate systems running on the one web server. Straight away this means we have to have 3 different port numbers for the 3 app servers. One lucky client gets to have port 443 for their appServer, and therefore have no issues with proxies, but the other clients have to have a different port number, and therefore proxy servers are a big issue to them.

Which then begs the obvious question - why can't all appServers work on port 443?
The web can handle numerous web requests on the one machine all using port 443, so why can't Jade? The web uses host headers (Eg www.mydomain1.com, or www.mydomain2.com) to know which site the traffic is for, can Jade not do something similar?
Could we give the appServer a name, then set up the thin clients appServer setting to point at the particular named system of interest?
Eg.
Thin Client 1 >> appServer=210.54.249.19:MyFinanceSystem appServerPort=443
Thin Client 2 >> appServer=210.54.249.19:MyCallCentreSystem appServerPort=443
Thin Client 3 >> appServer=210.54.249.19:MyFarmersSystem appServerPort=443

This would then allow 3 appServers to all be hosted on the one Server (210.54.249.19), but all systems can use port 443 as their appServerPort, instead of the current setup where each of those systems would have to have their own port.

Just an idea.....
Comments?!?


Re: Advice on Thin Client Through Proxy like WinGate

Postby ConvertFromOldNGs » Fri Aug 07, 2009 12:01 pm

by Martyn Leadley >> Thu, 10 May 2001 3:08:53 GMT

> I presume when you say it supports proxies, you are assuming that the proxy server has port 443 unblocked, which I agree is a perfectly valid assumption.
> However what if you can't use port 443? - then your app is back at the mercy of the proxy as to whether or not it has your particular port unblocked, and chances are it would be blocked.
>
> We host our own Jade apps for clients and we currently have 3 thin client enabled separate systems running on the one web server. Straight away this means we have to have 3 different port numbers for the 3 app servers. One lucky client gets to have port 443 for their appServer, and therefore have no issues with proxies, but the other clients have to have a different port number, and therefore proxy servers are a big issue to them.

The default port number used when SSL is enabled is 443. This can be changed via the use of an ini file setting, for example

[JadeThinClient]
SSLSecurePort=444

and

[JadeAppServer]
SSLSecurePort=444

As always the firewall / proxy server has to allow tcp/ip traffic through the selected port number.

> Which then begs the obvious question - why can't all appServers work on port 443?
> The web can handle numerous web requests on the one machine all using port 443, so why can't Jade? The web uses host headers (Eg www.mydomain1.com, or www.mydomain2.com) to know which site the traffic is for, can Jade not do something similar?
> Could we give the appServer a name, then set up the thin clients appServer setting to point at the particular named system of interest?
> Eg.
> Thin Client 1 >> appServer=210.54.249.19:MyFinanceSystem appServerPort=443
> Thin Client 2 >> appServer=210.54.249.19:MyCallCentreSystem appServerPort=443
> Thin Client 3 >> appServer=210.54.249.19:MyFarmersSystem appServerPort=443
>
> This would then allow 3 appServers to all be hosted on the one Server (210.54.249.19), but all systems can use port 443 as their appServerPort, instead of the current setup where each of those systems would have to have their own port.

To do as you suggest we would have to implement some form of routing on the web server. One program would listen on a port, 443 for example, and then read the header, and then pass it to the correct appserver. The major downside to this is that every thin client message would need extra data embedded in it to allow for the routing. This would increase the size of the data and slow things down.

As far as wanting multiple appservers to use the same port number on the same host, the following applies.

TCP/IP will not allow multiple programs to concurrently listen on the same ip interface and port number. The appserver by default opens the port number on all available interfaces. A netstat -an will show this as

Proto Local Address Foreign Address State
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING

So if the host running the appserver has multiple network interface cards, it has effectively grabbed port 443 on all interfaces. If you wish you can force the appserver to only listen on a specific interface by adding an AppServer=<ipaddress|hostname> entry to the ini file, for example

[JadeAppServer]
AppServer=210.54.249.19

Which will only grab the 210.54.249.19 interface. The reason for supporting this is to support the situation you mentioned above. If you can create multiple IP addresses on the same network card, then you can have multiple appservers all listening on the same port number. How you create IP address aliases is operating system specific.

So if the interface card has address 210.54.249.19 and you add 210.54.249.20 and 210.54.249.21 as aliases, then each appserver can be given a different IP interface address to listen on. Net result is 3 appservers on one host with one network card all listening on port 443. The smart thin clients will need to be told which ip address / hostname to connect to, but they will all be using the same port number.

A side benefit of this is that if the load on the host grows to the point you need to move an appserver to another host, just move it and reassign the ip address alias to the new host. That way the clients do not need to change their connection details.


Martyn
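
The bind behaviour described in the post above can be reproduced with plain sockets. This is an added example, not part of the original post and not JADE code: it shows that a wildcard (0.0.0.0) listener blocks a second listener on the same port, while listeners bound to distinct addresses share the port. It assumes a Linux host, where 127.0.0.1 to 127.0.0.3 are all usable loopback addresses and stand in for the 210.54.249.19 to .21 aliases; an unprivileged free port stands in for 443.

```python
import errno
import socket

def listen_on(addr, port):
    """Open a listening TCP socket on addr:port, as an app server would."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        s.listen(1)
    except OSError:
        s.close()
        raise
    return s

def free_port():
    """Constructed helper: pick a port that is unused on every interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("", 0))
        return s.getsockname()[1]

def can_share_port(addresses, port):
    """Listen on each address in turn at the same port; report the outcome per address."""
    opened, result = [], {}
    for addr in addresses:
        try:
            opened.append(listen_on(addr, port))
            result[addr] = "LISTENING"
        except OSError as e:
            result[addr] = errno.errorcode.get(e.errno, str(e.errno))
    for s in opened:
        s.close()
    return result

if __name__ == "__main__":
    # Default behaviour: the first listener takes the port on all interfaces.
    print(can_share_port(["0.0.0.0", "127.0.0.1"], free_port()))
    # One listener per address, as with the AppServer=<ipaddress> ini entry.
    print(can_share_port(["127.0.0.1", "127.0.0.2", "127.0.0.3"], free_port()))
```

Binding each listener to one address also limits which networks can reach it, which a wildcard bind on a multi-homed host does not.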


Re: Advice on Thin Client Through Proxy like WinGate

Postby ConvertFromOldNGs » Fri Aug 07, 2009 12:01 pm

by Torrie Moore >> Thu, 5 Apr 2001 21:51:35 GMT

I have run JadeApp server on the same machine as wingate connected to the internet through a jetstream modem and then connected to this app server via a separate dialin connection. I can't remember if we had to set up anything in Wingate but we did have to pinhole a port on the jetstream modem for our jade application to use. This port was mapped to a port on the server machine. I no longer have access to wingate so am unable to connect but I might be able to put you in touch with someone who knows the details.

Torrie Moore

