
Developing a distributed application when some of its components sit behind a firewall

Having joined a new project and worked on it for some time, I realized that in a distributed application whose components must constantly interact with each other, the presence of a firewall becomes a very significant factor in the development of the system. Problems immediately arise that have to be solved, which personally I can only be glad about. In this post I will describe what needs to be kept in mind when developing such a system.

A firewall usually sits between applications outside and inside the corporate network, and also on the boundaries of a DMZ, which is typical of an infrastructure where the system serves external users while the servers are located on the intranet. Moreover, a message from the client may pass through several DMZs, and therefore through more than one firewall.

A firewall adds the following behaviours that must be kept in mind:
  1. A connection over which no data is sent is closed after a certain idle period.
  2. A connection over which no data is sent can turn into a black hole: you send messages, they leave successfully, but they never reach the recipient. This happens when the firewall has expired its state entry for the connection but does not reset it, so writes on the sending side still succeed.
  3. All ports on which communication will take place must be known in advance and opened on the firewall; technologies that open arbitrary (ephemeral) ports therefore do not work in such an environment.

Let us now see what specifically needs to be done so that the difficulties described above do not cause problems. I will give examples in Java, although most of this should be similar on other platforms, with the exception of RMI.

To keep the firewall from closing your connection when it is idle, do not let it stand idle. Usually this is achieved by introducing special service messages, such as ping or heartbeat, which are sent over the network in both directions at a fixed interval. The interval is obviously chosen so that several service messages fit into the period after which the firewall closes an idle connection. If we take a database connection pool as an example, its validation query can serve as such a service message. I already wrote more about this here.
The second way to solve the problem of idle connections being closed is to re-create them from time to time. Most database connection pools provide this, for example, as a maximum connection age or lifetime setting.

To fight black holes, i.e. to be sure that your message reached the addressee, you can use a request-response strategy: wait for a short reply to each message sent and only then release control. Or, again, simply do not let the connection idle, as described above. I described in detail how to guarantee delivery of messages through a firewall, and not only there, here.
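The two measures above, heartbeats against idle timeouts and a reply required for every message against black holes, as an added example that is not code from the original article. The wire protocol is a hypothetical one chosen for the illustration: every frame is a string written with `DataOutputStream.writeUTF`, and the peer answers each frame, `ping` included, with `ack:` followed by the frame. The class name, the port and the two timing constants are assumptions.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Socket;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/**
 * Added example (hypothetical protocol): a client that keeps a long-lived TCP
 * connection from going idle and refuses to treat a message as delivered until
 * the peer has answered it, so a black-holed connection is noticed within
 * RESPONSE_TIMEOUT_MS rather than never.
 */
public class FirewallAwareClient implements AutoCloseable {
    /** Heartbeat period; keep it several times shorter than the firewall's idle timeout. */
    static final long HEARTBEAT_PERIOD_MS = 30_000;
    /** How long to wait for a reply before declaring the connection a black hole. */
    static final int RESPONSE_TIMEOUT_MS = 5_000;

    private final Socket socket;
    private final DataOutputStream out;
    private final DataInputStream in;
    private final ScheduledExecutorService heartbeat =
            Executors.newSingleThreadScheduledExecutor();
    private volatile long lastActivity = System.currentTimeMillis();

    public FirewallAwareClient(String host, int port) throws IOException {
        socket = new Socket(host, port);
        // Bounded reads: on a black hole the write succeeds, so only the missing
        // reply tells us anything. Never block on it indefinitely.
        socket.setSoTimeout(RESPONSE_TIMEOUT_MS);
        socket.setKeepAlive(true); // OS-level keepalive as a second, coarser safety net
        out = new DataOutputStream(socket.getOutputStream());
        in = new DataInputStream(socket.getInputStream());
        heartbeat.scheduleAtFixedRate(this::pingIfIdle,
                HEARTBEAT_PERIOD_MS, HEARTBEAT_PERIOD_MS, TimeUnit.MILLISECONDS);
    }

    /**
     * Request/response: returns only once the peer has acknowledged the frame.
     * Any failure closes the socket, so the caller reconnects instead of pushing
     * further messages into a connection that may be a black hole.
     */
    public synchronized String send(String frame) throws IOException {
        try {
            out.writeUTF(frame);
            out.flush();
            String reply = in.readUTF(); // SocketTimeoutException if the reply never comes
            if (!reply.equals("ack:" + frame)) {
                throw new IOException("unexpected reply '" + reply + "' to '" + frame + "'");
            }
            lastActivity = System.currentTimeMillis();
            return reply;
        } catch (IOException e) {
            close();
            throw e;
        }
    }

    /** Scheduled task: send a ping only if real traffic has not kept the link warm. */
    private void pingIfIdle() {
        if (System.currentTimeMillis() - lastActivity < HEARTBEAT_PERIOD_MS / 2) {
            return;
        }
        try {
            send("ping");
        } catch (IOException e) {
            // send() has already closed the socket; the next application send()
            // fails fast and the caller's reconnect logic takes over.
        }
    }

    @Override
    public void close() {
        heartbeat.shutdownNow();
        try {
            socket.close();
        } catch (IOException ignored) {
        }
    }
}
```

The heartbeat period cannot be discovered from the application side; it has to come from whoever administers the firewall, and the value chosen should be a small fraction of that idle timeout so that a single lost heartbeat does not already leave the connection expired. A JDBC pool does the same job with its validation query and maximum connection lifetime; this class shows the mechanism for a connection you manage yourself.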

The most common technology that uses arbitrary ports in Java is probably RMI. One could object that this is a rather old technology and not widely used. But JMX, which is now used almost everywhere, uses RMI as its most common communication protocol, and if you like to use JConsole, you will most likely need exactly this protocol. However, not everything is so bad, because RMI allows the port to be fixed. I described how to do this in detail here. True, if you want not only to invoke methods but also to receive notifications (callbacks) asynchronously from the server to the client, this will not work for you; at least I did not find how to fix the port for that. However, I never use this functionality in JMX, and if it is required, you can always implement it through polling.
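Pinning RMI to known ports, as an added example that is not the article's own code. RMI needs two listening ports: the registry used for lookup, and the port on which each exported object actually receives calls. `UnicastRemoteObject.exportObject(obj, 0)` lets the JVM pick an ephemeral port for the object, which is exactly what a firewall cannot be told about in advance; passing a non-zero port pins it. The service interface, its registry name, the hostname argument and the two port numbers are hypothetical.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

/**
 * Added example (hypothetical service and ports): an RMI server whose registry
 * and exported object both listen on ports known in advance, so the firewall
 * rules can be written before the application is deployed.
 */
public class FixedPortRmiServer {
    public interface Echo extends Remote {
        String echo(String s) throws RemoteException;
    }

    static final class EchoImpl implements Echo {
        @Override
        public String echo(String s) {
            return "echo:" + s;
        }
    }

    static final int REGISTRY_PORT = 1099; // lookup port, the one clients are given
    static final int OBJECT_PORT = 1100;   // where calls on the exported object land

    public static void main(String[] args) throws Exception {
        // The stub handed to clients embeds this hostname. Behind NAT or on a
        // multi-homed host the default may be an internal address the client
        // cannot reach, so set it explicitly (assumed here to come from args).
        System.setProperty("java.rmi.server.hostname", args.length > 0 ? args[0] : "127.0.0.1");

        // Second argument is the object's port; 0 would mean "any free port".
        Echo stub = (Echo) UnicastRemoteObject.exportObject(new EchoImpl(), OBJECT_PORT);
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        registry.rebind("echo", stub);

        System.out.println("registry on " + REGISTRY_PORT + ", object on " + OBJECT_PORT
                + ": open exactly these two TCP ports inbound on the firewall");
        Thread.currentThread().join(); // keep the JVM, and with it the exported object, alive
    }
}
```

Objects exported with the same socket factories share a port, so `OBJECT_PORT` may equal `REGISTRY_PORT` and a single firewall rule then suffices. For the JMX agent started from the command line the same two ports are exposed as the system properties `com.sun.management.jmxremote.port` (the registry) and `com.sun.management.jmxremote.rmi.port` (the connector server object), available since Java 7u4 and allowed to hold the same value.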

I also want to note that if you have a firewall in production, it is very important to have a firewall with the same settings in the UAT environment. If for some reason that is impossible, then at least emulate it: route all connections between components not directly but through a special proxy that breaks your connection, or turns it into a black hole, after an interval during which no data has been sent over the connection.
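Such a proxy, as an added example that is not part of the original article: it forwards TCP between a client and a target and, once a flow has been idle for the configured time, either resets both sides or silently stops forwarding. The listen port, target address, mode and idle timeout are hypothetical command-line settings; the class name is an assumption.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Added example: a TCP proxy that behaves like a stateful firewall towards an
 * idle connection. After idleTimeoutMs with no bytes in either direction it
 *   CLOSE:     resets both sockets (SO_LINGER 0, so peers see RST as they would
 *              from a firewall that has dropped the flow from its state table);
 *   BLACKHOLE: keeps both sockets open but forwards nothing any more, so writes
 *              keep succeeding while replies never arrive.
 * Usage: java FirewallEmulatingProxy <listenPort> <targetHost> <targetPort> <CLOSE|BLACKHOLE> <idleMs>
 */
public class FirewallEmulatingProxy {
    enum Mode { CLOSE, BLACKHOLE }

    private final int listenPort;
    private final String targetHost;
    private final int targetPort;
    private final Mode mode;
    private final long idleTimeoutMs;

    FirewallEmulatingProxy(int listenPort, String targetHost, int targetPort, Mode mode, long idleTimeoutMs) {
        this.listenPort = listenPort;
        this.targetHost = targetHost;
        this.targetPort = targetPort;
        this.mode = mode;
        this.idleTimeoutMs = idleTimeoutMs;
    }

    void serve() throws IOException {
        try (ServerSocket server = new ServerSocket(listenPort)) {
            while (true) {
                Socket client = server.accept();
                Socket target = new Socket(targetHost, targetPort);
                Connection conn = new Connection(client, target);
                new Thread(conn::run).start();
            }
        }
    }

    /** One proxied flow: two pump threads plus a watchdog playing the firewall's state table. */
    private final class Connection {
        private final Socket client;
        private final Socket target;
        private final AtomicLong lastActivity = new AtomicLong(System.currentTimeMillis());
        private volatile boolean blackholed;

        Connection(Socket client, Socket target) {
            this.client = client;
            this.target = target;
        }

        void run() {
            new Thread(() -> pump(client, target)).start();
            new Thread(() -> pump(target, client)).start();
            watchdog();
        }

        private void pump(Socket from, Socket to) {
            byte[] buf = new byte[8192];
            try {
                InputStream in = from.getInputStream();
                OutputStream out = to.getOutputStream();
                int n;
                while ((n = in.read(buf)) != -1) {
                    if (blackholed) {
                        continue; // flow expired silently: swallow the bytes, forward nothing
                    }
                    out.write(buf, 0, n);
                    out.flush();
                    lastActivity.set(System.currentTimeMillis());
                }
            } catch (IOException e) {
                // peer closed, or the watchdog reset the sockets
            } finally {
                closeQuietly(from);
                closeQuietly(to);
            }
        }

        private void watchdog() {
            try {
                while (!client.isClosed() && !target.isClosed()) {
                    Thread.sleep(500);
                    if (System.currentTimeMillis() - lastActivity.get() < idleTimeoutMs) {
                        continue;
                    }
                    if (mode == Mode.CLOSE) {
                        reset(client);
                        reset(target);
                    } else {
                        blackholed = true;
                    }
                    return;
                }
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }
    }

    /** Close with SO_LINGER=0 so the kernel sends RST instead of an orderly FIN. */
    private static void reset(Socket s) {
        try {
            s.setSoLinger(true, 0);
        } catch (IOException ignored) {
        }
        closeQuietly(s);
    }

    private static void closeQuietly(Socket s) {
        try {
            s.close();
        } catch (IOException ignored) {
        }
    }

    public static void main(String[] args) throws IOException {
        new FirewallEmulatingProxy(Integer.parseInt(args[0]), args[1], Integer.parseInt(args[2]),
                Mode.valueOf(args[3]), Long.parseLong(args[4])).serve();
    }
}
```

Point the component's configuration at the proxy's listen port instead of the real server, choose an idle timeout shorter than the production firewall's so the failure shows up within a test run, and exercise the system in both modes: CLOSE verifies that reconnection works, BLACKHOLE verifies that a missing reply is detected rather than waited for forever.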

Source: https://habr.com/ru/post/118132/
