Hi Dojo,
We are trying to set up a DMA in a DMZ which will replicate several elements from the main cluster. For security reasons, it is undesirable to allow communication over well known ports, especially TCP port 80. However, it seems that DataMiner needs port 80 for some transactions when a replicated element is starting up. If I block port 80 and restart the element, it goes into timeout with the following in SLReplication.txt log:
Connection failed: Could not auto-detect URI for 10.5.1.18: timeout
I tried enabling HTTPS on both DMAs, but this seemed to have no effect, DataMiner still tries to use port 80 for replication, according to Wireshark traces.
Here are the Wireshark statistics for conversations between agents running replication:
Is this the intended behavior? Is there a way to avoid using TCP80 for replication?
Thank you.
Update:
We also confirmed it is possible to use a custom port instead of TCP 80 by configuring a proxy between the hosting and the replication DMA.
The proxy needs to do the following:
– Listen to the custom port and forward it to [hosting_dma_ip]:80;
– Listen to port 8004 and forward it to [hosting_dma_ip]:8004.
We used Linux-based NGINX as a proxy in our test.
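For reference, here is what the two forwarding rules described in the update look like as an NGINX configuration. This is an added example, not the poster's actual configuration; HOSTING_DMA_IP, DMZ_DMA_IP and CUSTOM_PORT are placeholders, and the allow/deny restriction is an assumption so that only the DMZ agent can reach the forwarded ports.

```nginx
# Added example (not the poster's config): TCP-level proxy between the
# replicating DMA in the DMZ and the hosting DMA on the main cluster.
# HOSTING_DMA_IP, DMZ_DMA_IP and CUSTOM_PORT are placeholders.
# The stream {} block is a top-level block beside http {}, not inside it,
# and requires NGINX built with the stream module. Port 8004 carries a
# non-HTTP protocol, so it must be proxied with stream, not http.
stream {
    # Only the replicating agent in the DMZ may use the proxy.
    allow DMZ_DMA_IP;
    deny  all;

    # Probing traffic: the replicated element polls the proxy on CUSTOM_PORT,
    # which is forwarded to the hosting DMA's port 80 (the auto-detect step).
    server {
        listen CUSTOM_PORT;
        proxy_pass HOSTING_DMA_IP:80;
    }

    # Inter-agent traffic on the port DataMiner listens on (8004).
    server {
        listen 8004;
        proxy_pass HOSTING_DMA_IP:8004;
    }
}
```

With this in place, the replicated element's polling address points at the proxy rather than at the hosting DMA, so no connection to TCP 80 crosses the DMZ boundary directly.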
Hi Alexander,
Port 80 and/or 443 are indeed used while setting up the connection between the DataMiner Agent replicating the element and the DataMiner Agent hosting the source element. The main purpose is to find out the port DataMiner is listening on (typically 8004).
That said, you can provide this probing port in the replication settings by e.g. specifying "ipaddress:443" to do the probing via HTTPS only.
I'm not aware of a way to fully eliminate the use of port 80/443 and have the connection go immediately through port 8004. (No way directly configurable through Cube, at least.)
Update:
In a test setup we were able to run replication using only TCP 443 and 8004. To achieve that, HTTPS had to be configured on the hosting DMA and the polling address of the replicated element had to be in the form [domain_name]:443.