B4J Question B4J Websockets behind a corporate firewall

miker2069

Active Member
Licensed User
Longtime User
I had this question about using websockets behind a corporate firewall. We all know these will work on home internet connections and most cell phone networks.

This may be useful to anyone else figuring out how to best set up their B4J app and reach corporate users.

First, I used the two following sites to test web sockets behind my test corporate network (a real client with a very robust firewall).

This will tell you right away what options are supported from the network you access the link from:
https://websocketstest.com/


This allows you to configure a simple websocket-based echo test using http or https:
http://www.websocket.org/echo.html

In both cases I could connect to the websites (as you'd expect) but could not perform any websocket operations using standard http port 80.

The good news is that using https worked great in both cases.


My next test was to fire up the simple B4J Hello World App and try it myself (the app that adds two numbers). Fortunately this company doesn't block personal home cable internet connections. Connecting on port 51042 (the app's default port in the project) and port 80 connected to the web server with no issues. However, hitting the "calc" button did nothing - it just stalled.

I figured I'd try using https (I opened up port 443 to my computer on my cable modem router). I tried simply using https://127.0.0.1 for kicks (I know it shouldn't work) and it didn't work. I obtained the hostname for my public internet IP and tried https://myhomeip.provider.com - that didn't work either. It looks like B4J is rejecting because I haven't configured a proper SSL cert - so this is correct behaviour.

I'll get a cheap cert this weekend and configure it in my app. I suspect once properly configured, SSL-based web sockets should work just fine.

I'll post back to this thread so the next person looking this up may save some time.
 


keirS

Well-Known Member
Licensed User
Longtime User
I am not clear if you are trying to connect to a server outside of the corporate firewall from inside the corporate firewall or trying to connect a client from outside the corporate firewall to a server inside the corporate firewall. If the second one then the SSL certificates may well have to be installed on the firewall itself.

If you want to play with a corporate firewall then Sophos offer a free home edition of their Sophos UTM. You will need a dedicated PC to run it on with 2 (or 3) network cards or you can run it on a VMware vSphere virtual machine. The hardware requirements are pretty low so an old PC should run it fine.

The Sophos home UTM is pretty much identical to their corporate products because the features are controlled by licensing.
 

miker2069

Active Member
Licensed User
Longtime User
I tried two additional options: 1) using a self-signed cert by following Erel's instructions here and 2) using a purchased SSL certificate by following Tchart's great tutorial here. Note, the second option builds on the first.
Using the self-signed cert, I got the expected "this site appears to be unsafe" message in the browser (Chrome), however I was allowed to proceed. Outside my corporate firewall, the sample Hello World app worked; inside it still doesn't work.

I went ahead and purchased a proper SSL certificate from cheapsslshop for $3.54 (not bad, using a coupon code). Configuring the cert was very straightforward (thank you Tchart for detailing the steps in one post). I configured my DNS to point to my home cable system (i.e. https://secure.mydomain.com). That all worked well and I tested from several sources such as my phone, another cable home network, etc. However going back and testing https from my corp. firewall still doesn't work. Clicking the calc button doesn't do anything.

I decided to try the chat sample with the same results (works everywhere but inside my corp firewall using https). I'm finding this odd because the websockets test sites I referenced above both worked with the SSL option selected. So perhaps there's some additional configuration that I need to do and will keep digging.

If there are any thoughts, please let me know. My only other thought is that perhaps for websockets my corp firewall is blocking my home's cable IP? I figured it would have blocked it all the way around and I wouldn't even be able to bring up the start page.

Any suggestions would be appreciated
 

miker2069

Active Member
Licensed User
Longtime User
I am not clear if you are trying to connect to a server outside of the corporate firewall from inside the corporate firewall or trying to connect a client from outside the corporate firewall to a server inside the corporate firewall. If the second one then the SSL certificates may well have to be installed on the firewall itself.

If you want to play with a corporate firewall then Sophos offer a free home edition of their Sophos UTM. You will need a dedicated PC to run it on with 2 (or 3) network cards or you can run it on a VMware vSphere virtual machine. The hardware requirements are pretty low so an old PC should run it fine.

The Sophos home UTM is pretty much identical to their corporate products because the features are controlled by licensing.
I am attempting to connect from within a corp. firewall to my B4J websockets based app outside that firewall hosted externally.
 

udg

Expert
Licensed User
Longtime User
I am attempting to connect from within a corp. firewall to my B4J websockets based app outside that firewall hosted externally.
I would suspect current firewall rules blocking your remote server as a legitimate destination server. I would ask IT guys about what shows in their logs and eventually set a rule tailored on your needs.

udg
 

keirS

Well-Known Member
Licensed User
Longtime User
What firewall does the client have? One of the easiest ways to solve this sort of problem is to look at the logs on the firewall.
 

miker2069

Active Member
Licensed User
Longtime User
Actually I did some additional experimentation. Like I said, the websocket test sites said SSL would work. I wasn't buying that my home cable ISP was being accepted for serving HTML and blocking websockets. So I tried this simple echo test from this page:

http://jsfiddle.net/EAVvQ/24/

Actually it seems to be the websockets.org echo test. I copied the HTML there into the Chat sample App (I was going between the Helloworld and Chat app for debugging) "www" folder (I called it echo.html). I tried it. Didn't work initially but the HTML is simple. I changed:

websocket = new WebSocket("ws://echo.websocket.org/");

to

websocket = new WebSocket("wss://echo.websocket.org/");


Adding the wss for https, and boom! worked from my B4J sample chat app www directory. The echo worked from behind my corporate firewall.

So I did some digging in b4j_ws.js and looked at what it was doing. Couple of things: I noticed the browser inside the corporate firewall didn't seem to be loading the b4j_ws.js at all. I proved this by just putting a simple alert("Loaded b4j_ws.js") in the b4j_connect() function. Outside the firewall it worked, inside it didn't. So I used a "brute force" tactic and changed the entry in index.html from:


<head>
<title>B4J - Chat Example</title>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js"></script>
<link rel="stylesheet" type="text/css" href="index.css" />
<script src="/b4j_ws.js"></script>
</head>

to

<head>
<title>B4J - Chat Example</title>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js"></script>
<link rel="stylesheet" type="text/css" href="index.css" />
<script src="https://secure.mydomain.com/b4j_ws.js"></script>
</head>


After doing that, success, I got my alert pop-up inside my corp firewall browser. After that, I tried the chat functionality but still no joy. So in the same b4j_connection function I put another alert to show me the fullpath variable contents, which holds the actual websocket url:


fullpath = ((l.protocol === "https:") ? "wss://" : "ws://") + l.hostname + ":" + l.port + absolutePath;
alert(fullpath);

After doing that, I was getting wss://secure.mydomain.com:/login

I noticed based on the formula for fullpath the l.port was blank. Strange, that it was blank inside corp firewall (I actually haven't tried outside yet). Anyway, I brute force hard coded the port as:

fullpath = ((l.protocol === "https:") ? "wss://" : "wss://") + l.hostname + ":" + "443" + absolutePath;

Saved and BOOM, it works inside my corp firewall! So this of course makes me happy. I still don't know if I simply just have to tweak these things (which is no problem) or I forgot some setting (would be helpful to know) but I got it working. I am wondering if it would actually work without the SSL cert now (meaning you'll get the "this is not a safe site...message). Although that use-case really doesn't make sense in real world apps anyway.

Good stuff :)
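As an added example (not code from the original post or from B4J's own b4j_ws.js): window.location.port is the empty string whenever the page URL uses the scheme's default port (443 for https, 80 for http), which is why the concatenation above produced "wss://secure.mydomain.com:/login". The helper below fills in that default explicitly and always picks wss on an https page, instead of hard-coding 443.

```javascript
// Added example, not part of the original post or of B4J's b4j_ws.js.
// location.port is "" when the page is served on the scheme's default
// port, so "host:" + l.port + path yields "host:/login". Supply the
// default explicitly, and never downgrade an https page to plaintext ws.
const DEFAULT_PORTS = { "https:": "443", "http:": "80" };

/**
 * Build a WebSocket URL from a Location-like object.
 * @param {{protocol: string, hostname: string, port: string}} l
 * @param {string} absolutePath - server-side path, e.g. "/login"
 * @returns {string}
 */
function buildWsUrl(l, absolutePath) {
  if (!(l.protocol in DEFAULT_PORTS)) {
    throw new Error("unsupported page scheme: " + l.protocol);
  }
  const scheme = l.protocol === "https:" ? "wss://" : "ws://";
  const port = l.port === "" ? DEFAULT_PORTS[l.protocol] : l.port;
  const path = absolutePath.startsWith("/") ? absolutePath : "/" + absolutePath;
  return scheme + l.hostname + ":" + port + path;
}

// Constructed sample Location objects (what window.location would hold
// for the two cases discussed in the thread).
const samples = [
  { protocol: "https:", hostname: "secure.mydomain.com", port: "" },
  { protocol: "http:", hostname: "127.0.0.1", port: "51042" },
];
for (const l of samples) {
  console.log(buildWsUrl(l, "/login"));
}
```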
 