Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-71-1006926.1
Update Date:2012-07-31

Solution Type  Technical Instruction Sure

Solution  1006926.1 :   iLOM JavaRconsole through a NAT firewall  


Related Items
  • Sun Fire X4150 Server
  • Sun Fire X4440 Server
  • Sun Fire X4540 Server
  • Sun Fire X4200 Server
  • Sun Fire X4250 Server
  • Sun Fire X4275 Server
  • Sun Fire X4200 M2 Server
  • Sun Fire X4600 M2 Server
  • Sun Server X3-2
  • Sun Fire X4240 Server
  • Sun Fire X2270 Server
  • Sun Fire X4140 Server
  • Sun Server X3-2L
  • Sun Fire X4470 Server
  • Sun Server X2-8
  • Sun Fire X4100 M2 Server
  • Sun Fire X4170 Server
  • Sun Fire X4270 M2 Server
  • Sun Fire X2250 Server
  • Sun Fire X4100 Server
  • Sun Fire X4600 Server
  • Sun Fire X4270 Server
  • Sun Fire X4640 Server
  • Sun Fire X2270 M2 Server
  • Sun Fire X4800 Server
  • Sun Fire X4170 M2 Server
  • Sun Fire X4500 Server
  • Sun Fire X4450 Server
  • Sun Server X2-4
Related Categories
  • PLA-Support>Sun Systems>x64>Server>SN-x64: SERVER 64bit

PreviouslyPublishedAs
209595


Applies to:

Sun Fire X4640 Server - Version Not Applicable and later
Sun Fire X4800 M2 - Version Not Applicable and later
Sun Fire X2250 Server - Version Not Applicable and later
Sun Fire X2270 M2 Server - Version Not Applicable and later
Sun Fire X2270 Server - Version Not Applicable and later
All Platforms

Goal

When accessing the JavaRConsole on x86 Sun Fire[TM] Servers through NAT (Network Address Translation, commonly used in conjunction with firewalls), the Web Start applet may not be able to connect to the ILOM, because the ILOM embeds its actual IP address in the javaws file rather than the IP address that is visible to the client.

This document describes how to configure your network settings so that iLOM's Java Remote Console can be accessed through a NAT router or firewall.

Fix


Steps to Follow
The remote console on these systems is normally launched from a web browser:

Browse to https://<ILOM IPAddress or Hostname>/
Enter "root" or an appropriately set up username
Enter your password
Click on the "Remote Control" tab
Click on the "Launch Redirection" button

Then tell the browser to run (or open, depending on your browser) the file it downloaded.

However, if there is a NAT firewall between the client and the ILOM, an error might pop up saying "unable to launch JavaRConsole" with two buttons, "OK" and "Details". Under "Details" is the message:

 An error occurred while launching/running the application.
Title: JavaRConsole
Vendor: Sun Microsystems
Category: Download Error
 Unable to load resource: https://10.10.50.38:443/cgi-bin/jnlpgenerator-8

The problem here is that the ILOM embeds its actual IP address in the XML file that it sends to the client, and not the IP address that the client sees. NAT translates this address between the ILOM and the client. Thus, when the client executes the file, it attempts to connect to an address that may not actually be reachable and is not the address at which the ILOM is visible to the client.

So for example, if the ILOM is actually configured at 10.10.50.38, but is behind a NAT firewall, the client may really see it at 205.43.63.21.

The solution is to save the file jnlpgenerator-8 (or -16) to some convenient place instead of running it when clicking on "Launch Redirection". Then edit the file and replace the actual IP address (10.10.50.38 in this example) with the NAT IP address (205.43.63.21 in this example). Be sure to leave the :443 in the first location.

An example jnlp file is shown here:

----------begin jnlpgenerator-16------------
<?xml version="1.0" encoding="UTF-8"?>
<!-- NAT IP address goes in codebase here; keep the :443 -->
<jnlp spec="1.0+" codebase="https://205.43.63.21:443/"
href="cgi-bin/jnlpgenerator-16">
<information>
<title>JavaRConsole</title>
<vendor>Sun Microsystems</vendor>
<description kind="one-line">JavaRConsole Console Redirection Application</description>
<description kind="tooltip">JavaRConsole Console Redirection Application</description>
<description kind="short">
JavaRConsole enables a user to view the video display of a
Galaxy computer equipped with a service processor.  It also enables
the user to redirect his local keyboard, mouse, CD-ROM and floppy
drives to the remote computer to give him complete control over the
remote machine.
</description>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.5+"/>
<jar href="Java/JavaRConsole.jar"/>
<jar href="Java/RedirLib.jar"/>
</resources>
<resources os="Linux" arch="i386">
<nativelib href="Java/linuxi386.jar"/>
</resources>
<resources os="Windows" arch="x86">
<nativelib href="Java/win32.jar"/>
</resources>
<resources os="SunOS" arch="x86">
<nativelib href="Java/solarisx86.jar"/>
</resources>
<resources os="SunOS" arch="sparc">
<nativelib href="Java/solarissparc.jar"/>
</resources>
<application-desc>
<argument>205.43.63.21</argument> <!-- NAT IP address goes here as well -->
<argument>16</argument>
</application-desc>
</jnlp>
----------end jnlpgenerator-16------------

With that completed, simply run the file manually. On Microsoft Windows, double-click it. On Solaris[TM] Operating System, in a terminal window, type "javaws jnlpgenerator-16".

This will allow javaws to connect with the correct IP address.
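
The edit described above can be scripted. The following is an added example, not part of the original solution or Sun's tooling: it rewrites only the codebase host and the first argument, keeps the :443 port, and refuses to proceed if the file does not look as expected. The function name and the trimmed sample file are assumptions constructed from the addresses used on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the page's jnlpgenerator-16 (trimmed) as the ILOM would
# send it, still carrying the internal address 10.10.50.38.
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://10.10.50.38:443/"
href="cgi-bin/jnlpgenerator-16">
<information><title>JavaRConsole</title></information>
<resources><jar href="Java/JavaRConsole.jar"/></resources>
<application-desc>
<argument>10.10.50.38</argument>
<argument>16</argument>
</application-desc>
</jnlp>
"""


def rewrite_jnlp(jnlp_text, internal_ip, nat_ip):
    """Return the JNLP with internal_ip replaced by nat_ip in both places."""
    root = ET.fromstring(jnlp_text.encode("utf-8"))
    if root.tag != "jnlp":
        raise ValueError("not a JNLP file")

    # 1. codebase: swap only the host; keep scheme, port (:443) and path.
    url = urlsplit(root.get("codebase", ""))
    if url.scheme != "https" or url.hostname != internal_ip:
        raise ValueError("unexpected codebase: %r" % root.get("codebase"))
    netloc = nat_ip if url.port is None else "%s:%d" % (nat_ip, url.port)
    root.set("codebase", urlunsplit((url.scheme, netloc, url.path, "", "")))

    # 2. first <argument>: the address passed to JavaRConsole itself.
    args = root.findall("./application-desc/argument")
    if not args or (args[0].text or "").strip() != internal_ip:
        raise ValueError("first <argument> is not the internal address")
    args[0].text = nat_ip

    out = ET.tostring(root, encoding="unicode")
    if internal_ip in out:  # a leftover reference would still be unreachable
        raise ValueError("internal address still present after rewrite")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + out


if __name__ == "__main__":
    print(rewrite_jnlp(SAMPLE_JNLP, "10.10.50.38", "205.43.63.21"))
```

Write the returned text to a new file and launch that file with javaws as described above.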

There may also be a second issue when connecting through a firewall: the ports needed by the remote console may be blocked as a matter of security practice.

If the JavaRConsole window is now able to pop up and let you log in, but then it times out as unable to connect, check to be sure that the following ports listed in the ILOM documentation are open and directed to the ILOM:

http://docs.oracle.com/cd/E19203-01/819-1160-13/remote_console_app.html#pgfId-1001433 (TABLE 8-2 Remote Console Ports and Interfaces)

Port   Protocol   Use
443    TCP        HTTPS
5120   TCP        Remote CD
5121   TCP        Remote keyboard and mouse
5123   TCP        Remote Floppy
6577   TCP        CURI (API) - TCP and SSL
7578   TCP        Video Data
161    UDP        SNMP V3 Access
3072   UDP        Trap Out (outgoing only)

With these ports open, it is possible not only to access the JavaRConsole on a Sun Fire ILOM, but even to attach a local DVD/CD drive to a system that is 800 miles away and have the remote server "boot cdrom" off of your local DVD/CD. All the devices available on the "Devices" menu of the JavaRConsole are available.

Should you need to do this, please be patient. In this case, the server took close to an hour to boot into single user mode, but it did it on the first try as if the DVD was physically in its drive.



@ Previously Published As 87061


Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.