connect to appserver over internet

Posted by bart.syryn on 06-Mar-2014 11:08

Hi,

I'm pretty new to these things, but we're looking at deploying a SAAS application to our customers over the internet. So rent a server in a datacenter and use webclient and appserver technology to get everything working. Now the question is, do you need AIA to accomplish this? I've read that with AIA you communicate with the appserver over port 80 and the communication is HTTP. It seems that TCP/IP communication is faster, so is it possible to connect directly to the appserver? Is it correct that the port of the appserver should be open on the firewall (3090, 3091,...)? How would the connection string be if we connect directly? Why should we use AIA and not connect directly to the appserver? Are there any performance issues? Any hints would be helpful.

Kind regards,

Bart Syryn

Posted by bart.syryn on 07-Mar-2014 00:58

Hi,

Thanks to all for replying.

I think we'll use the AIA with Tomcat. As this will be a SAAS application and we do not exactly know who we'll be connecting in the future, it will be a better security option. I just hope that this won't have a big performance impact.

Kind regards,

Bart Syryn

Posted by Jeff Ledbetter on 06-Mar-2014 11:18

Yes, you can connect direct or use the nameserver (both secure and non-secure for both).
 
Direct to AppServer:
 
{ AppServerDC: | AppServerDCS: }  [ //AppServer-host ]  [ :AppServer-port ] / [ AppService-name ]
 
Connecting through a NameServer:
{ AppServer: | AppServerS: }  [ //name-server-host ]  [ :name-server-port ] / [ AppService-name ]
 
 

Posted by Brian K. Maher on 06-Mar-2014 11:18

Hi Bart,
 
I can answer a couple of these...
 
>> do you need AIA to accomplish this ?
 
Not necessarily.
 
>> is it possible to connect directly to the appserver
 
Yes, but the machine running the AppServer (and most likely the NameServer) would need to have all appropriate ports open and most customers feel that leaving lots of ports open is a problem (I agree with them).
 
>> Is it correct that the port of the appserver should be open on the firewall (3090, 3091,...) ?
 
Yes. 
 
>> How would the connection string be if we connect directly ?
 
If you would be bypassing the NameServer completely then it would be something like this ... AppServer://myHost:myAppServerPort/ServiceName.
 
Brian

Posted by Brian K. Maher on 06-Mar-2014 11:23

Couple of typos...
 
I can answer a couple of these...
 
>> do you need AIA to accomplish this ?
 
Not necessarily.
 
>> is it possible to connect directly to the appserver
 
Yes, but the machine running the AppServer (and most likely the NameServer) would need to have all appropriate ports open and most customers feel that leaving lots of ports open is a problem (I agree with them).
 
>> Is it correct that the port of the appserver should be open on the firewall (3090, 3091,...) ?
 
Yes, if you are going to do a direct connect to the AppServer (i.e. not use the NameServer).  You would also need to open the ports corresponding to the AppServer agents.
 
>> How would the connection string be if we connect directly ?
 
If you would be bypassing the NameServer completely then it would be something like this ... AppServerDC://myHost:myAppServerPort/ServiceName.
 
Brian

Posted by bart.syryn on 06-Mar-2014 11:29

And what about performance? Is it faster than through the AIA? If you connect directly to the nameserver then you don't need TomCat (or other)?

If I understand it correctly, if we would connect through the nameserver, then the only open port on the appserver should be the one of the nameserver (5162)?

Is it necessary that at the client-side the same port should be open on their firewall/router ?

Posted by Jeff Ledbetter on 06-Mar-2014 11:33

Performance is better than going through AIA.
 
If you use AppServer, you need UDP 5162 and TCP 3090 open.
 
If you use AppServerDC, you just need TCP 3090 open.
 
 

Posted by Mike Fechner on 06-Mar-2014 11:35

> Performance is better than going through AIA.

That is not my experience, when using internet connections with high latency.

Posted by Mike Fechner on 06-Mar-2014 11:38

You always need to open the Name Server Port (if used), the broker port and the ports of the agents (port range).

Name Server and broker do not stream the AppServer agents payload.

 

I have made the experience that the AIA (with http) can be faster in networks with high latency. The AIA does not cause lots of load on the Tomcat, so that does not count.

However, when using statefree and the NameServer (not AppServerDC), the client needs to call into the NS, then into the Broker, and then to the agent for every request. With AIA all that happens in a single TCP package and the NS/Broker communication is happening from the AIA in the much faster internal network.

Posted by Brian K. Maher on 06-Mar-2014 11:38

That is assuming the AppServer is running in stateless or state-free operating mode.  For state-reset or state-aware you would need to open the port range that you defined for the AppServer for the agents.

Posted by Jeff Ledbetter on 06-Mar-2014 11:58

 
My comments and observations have been from a stateless perspective.
 
However, looking back, I believe that I saw performance degradation with HTTPS vs the others (as opposed to just HTTP).
 
I prefer AppServer and AppServerDC to avoid the overhead of having to set up Tomcat. If setting up Tomcat is no issue for you, then I would go that route as well because fewer ports are open (as pointed out by others).
 

Posted by bart.syryn on 06-Mar-2014 12:17

So in a SAAS model, where multiple clients and users connect to i.e. a multitenancy DB, then using the AIA would be better?

Maybe a little performance issue, but no need to open any ports (using TomCat).

Otherwise, suppose you have 10 tenants, and 10 appservers, you need to open the port of the nameserver and all the appservers (3090, 3091, 3092, 3093,....)?

Kind regards,

Bart Syryn

Posted by Michael Jacobs on 06-Mar-2014 13:50

As a person who works with OpenEdge AppServers and their security I would encourage you not to follow the path of opening an internet firewall to anything other than HTTP, HTTPS, and/or VPN traffic.   While you can physically deploy an AppServer inside the internet firewall and connect a client to it through a firewall, it goes against any number of accepted best practices to do so.

I would suggest to you that your best choices are to use VPN or HTTPS if the data traffic includes anything involved with a user's identity or private [tenant] data, which by definition is what you have with multiple tenants.   If you choose the HTTPS and Tomcat route there are a number of advantages, including routing each tenant through their own AIA URI and to the appropriate AppServer and database located in a secure area of your internal network.

The details are many, but I hope this high level viewpoint will prove useful.

Mike Jacobs
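
The port requirements stated in the replies above, worked through for the ten-tenant scenario from the question, as an added example that is not part of any post and not Progress code. It follows Jeff Ledbetter's and Brian K. Maher's statements (agent port range only for state-reset and state-aware); the host name, tenant service names, AIA URI paths and the agent range used in testing are constructed, and 5162/3090 are the ports quoted in the thread, taken here as assumed defaults.

```python
from urllib.parse import urlsplit

# Port numbers quoted in the thread, used here as assumed defaults.
NAMESERVER_UDP = 5162
BROKER_TCP = 3090
# Operating modes for which the thread says the agent port range must be open.
AGENT_RANGE_MODES = {"state-reset", "state-aware"}


def inbound_rules(url, mode="stateless", broker_port=BROKER_TCP, agent_ports=None):
    """List (proto, port, component) tuples the server-side firewall must allow."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        # AIA route: clients only reach the web server; NameServer, broker
        # and agents stay on the internal network.
        return [("tcp", parts.port or (443 if scheme == "https" else 80), "web")]
    if scheme in ("appserver", "appservers"):
        # Via NameServer: the URL port is the NameServer's, the broker port is separate.
        rules = [("udp", parts.port or NAMESERVER_UDP, "nameserver"),
                 ("tcp", broker_port, "broker")]
    elif scheme in ("appserverdc", "appserverdcs"):
        # Direct connect: the URL port is the broker's.
        rules = [("tcp", parts.port or BROKER_TCP, "broker")]
    else:
        raise ValueError(f"not an AppServer or AIA URL: {url!r}")
    if mode in AGENT_RANGE_MODES:
        if agent_ports is None:
            raise ValueError(f"{mode} needs the configured agent port range")
        low, high = agent_ports
        rules += [("tcp", port, "agent") for port in range(low, high + 1)]
    return rules


def exposure(deployments):
    """Return (all distinct open ports, those that are not web traffic)."""
    rules = {rule for d in deployments for rule in inbound_rules(**d)}
    opened = sorted({(proto, port) for proto, port, _ in rules})
    flagged = sorted({(proto, port) for proto, port, comp in rules if comp != "web"})
    return opened, flagged


# Constructed scenario: ten tenants, one AppServer each, brokers on 3090-3099.
DIRECT = [{"url": f"AppServer://saas.example.com:5162/tenant{n:02d}",
           "broker_port": BROKER_TCP + n} for n in range(10)]
# Same tenants behind HTTPS, one hypothetical AIA URI per tenant.
VIA_AIA = [{"url": f"https://saas.example.com/tenant{n:02d}/aia"} for n in range(10)]

if __name__ == "__main__":
    for name, plan in (("direct", DIRECT), ("via AIA", VIA_AIA)):
        opened, flagged = exposure(plan)
        print(f"{name}: {len(opened)} port(s) open, {len(flagged)} non-web: {flagged}")
```

The `flagged` list is the set of ports that fall outside the "HTTP, HTTPS, and/or VPN" boundary recommended in the last reply.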

Posted by Tai Li on 07-Mar-2014 01:30

Hi bart.syryn,

Do note that Tomcat connector (JK Mod) is not officially certified to work with newer Windows OS and IIS, and you will likely have very bad connection performance issues (refer to my recent post https://community.progress.com/technicalusers/f/19/p/1727/34685.aspx#34685). Currently my setup is to replace JK Mod with IIS native module "Application Request Routing" (ARR). The performance is great, but I have yet to make it work with HTTPS.

Posted by bart.syryn on 07-Mar-2014 01:41

Hi Tai Li,

Thanks for the very important information.

It will run on a Windows 2012R2 server (OE 11.3.2). But can you help me with this? I don't understand it completely (I'm a newbie on these subjects). So you say don't use TomCat? What exactly means 'JK Mode with IIS native module "Application Request Routing"'. Is this a functionality in IIS? I've read your post on the community but I don't understand it. Can you point me to some information on how to set up 'JK Mode with IIS' and AIA / Appserver?

Kind regards,

Bart Syryn

Posted by Irfan on 07-Mar-2014 01:55

Your request will be passed to IIS Server instead of Tomcat and it will route the request to the Tomcat Server. You need to set a JK connector to achieve this functionality. I am attaching a detailed document on the setup which might be of some use.
 
 
Regards,
Irfan
 

Posted by Tai Li on 07-Mar-2014 03:23

[quote user="bart.syryn"]

Hi Tai Li,

Thanks for the very important information.

It will run on a Windows 2012R2 server (OE 11.3.2). But can you help me with this? I don't understand it completely (I'm a newbie on these subjects). So you say don't use TomCat? What exactly means 'JK Mode with IIS native module "Application Request Routing"'. Is this a functionality in IIS? I've read your post on the community but I don't understand it. Can you point me to some information on how to set up 'JK Mode with IIS' and AIA / Appserver?

Kind regards,

Bart Syryn

[/quote]

Hi bart.syryn,

My development environment is running on Windows 7 with IIS 7 and OE10.2B. On my setup with JK Mod (https://community.progress.com/technicalusers/f/19/p/1727/34588.aspx#34588), the performance of my Progress client communicating to AppServer is extremely slow. Don't quote me, at least ARR is working better for me.

JK Mod and ARR function similarly as explained by Irfan:

[quote user="Irfan "]

Your request will be passed to IIS Server instead of Tomcat and it will route the request to the Tomcat Server...

[/quote]

ARR is an addon module for IIS which you need to install separately and can be found here http://www.iis.net/downloads/microsoft/application-request-routing.

Much of my posts in https://community.progress.com/technicalusers/f/19/t/1727.aspx are concerning HTTPS, and the Progress Knowledge Base solution links are provided in their respective post.

Irfan will be attaching some documentation on JK Mod setup.

Posted by bart.syryn on 07-Mar-2014 04:40

Hi Irfan and Tai Li,

Can you send me a detailed document on how to setup this (as you mentioned in your post).

In the beginning of next week, the server in the datacenter will be available. So at that point we would like to setup a proof of concept and test everything.

Kind regards

Bart Syryn

Posted by Irfan on 07-Mar-2014 05:31

I am figuring out how to send an attachment in this thread. Shall let you know once I find the way.

Sorry for the delay caused.

Posted by Irfan on 07-Mar-2014 05:49

[View:~/cfs-file.ashx/__key/communityserver-discussions-components-files/19/Fronting-Tomcat7-with-IIS--with-Tomcat-Connector-and-Basic-Authentication.docx:550:0]

Please find the attachment that has detailed steps for Fronting Tomcat using IIS7 with Tomcat Connector for AIA Adapter.

In addition to Fronting Tomcat it also has information on enabling Basic Authentication, which you can neglect as of now.

Posted by bart.syryn on 07-Mar-2014 05:50

hi Irfan,

You can mail it to me directly if you want : bart.syryn@advani.be

Kind regards,

Bart Syryn

Posted by Irfan on 07-Mar-2014 06:41

I have already attached the document in my previous reply, please let me know if it is useful.

Posted by Tai Li on 09-Mar-2014 21:34

I have yet to succeed with SSL on IIS ARR module, probably will go with BonCode AJP as suggested in Irfan's attached documentation.

Irfan, how is the performance with BonCode AJP connector?

Posted by Irfan on 10-Mar-2014 00:13

I have not verified the performance with BonCode AJP Connector, so I cannot comment on it.

Posted by bart.syryn on 10-Mar-2014 02:20

Hi Irfan,

Normally we get the server today, and I hope that we get the progress licenses asap, so then I'll try to set it up. Because it's new for me, I hope that it won't take days ...

Posted by Irfan on 10-Mar-2014 02:24

The document has detailed step by step screenshots to make the setup easier. If you find any issues (other than the document), you can always post in the forum or contact TS. We should be able to help you ASAP.

Posted by bart.syryn on 14-Mar-2014 03:38

Hi Irfan,

Finally we've got the server in the datacenter and the progress-license.

Now I'm looking into your document you posted last week. In earlier posts you mentioned that ARR was much faster, but in the document I find the explanation of the AJP Connector? Am I missing something here? Should I use ARR or AJPC Connector?

Kind regards

Bart Syryn

This thread is closed