Question

IBM RSA through firewall, blank screen in remote control

Asked by: snowdog_2112

I've read all the posts about ports required.  I have 80/tcp, 23/tcp, and 2000/tcp,udp open on the firewall.

I can telnet in and open the web interface from outside the firewall.  When I try remote control, I get a blank/black screen in the browser.  I've tried several machines, OS', and browser versions.

I get video just fine from the internal network, so I know the RSA is functional.

Tried various versions of Java - the version it installs if you don't have java also works from the internal network but not the outside world.

Are there ports other than 2000/tcp,udp for video across a firewall?

This Question has been solved and asker verified.

Asked On: 2009-06-29 at 12:54:18 (ID 24531218)
Tags: IBM RSA, firewall, port forward
Topics: Computer Servers, File Servers
Participating Experts: 2
Points: 500
Comments: 16

Answers

 

by: grimsrue | Posted on 2009-06-29 at 13:35:21 | ID: 24739968

This site below will give you a listing of all ports used for RSAs on different IBM servers.
http://www.redbooks.ibm.com/abstracts/tips0511.html

Port 2000 is the port you need open for Remote Console Video redirect. I would try opening up that port in your firewall for two way communication if it isn't already. I would also try connecting to the RSA and open a remote console video session from another computer that is outside the firewall to see if you are getting the same issue. Check for any errors in your system log or app log on the client machine that you are using to connect to the RSA to see if you are logging errors.

One other thing you might want to try is download Microsoft NetMon 3.5 and run a capture on the client machine while you are trying to connect to Remote Console Video and see if you're transmitting a request and receiving one back from the RSA on that port.

 

by: snowdog_2112 | Posted on 2009-06-29 at 13:54:36 | ID: 24740148

As mentioned, I have read those posts and articles concerning the ports.  I have both tcp and udp open on port 2000 as an added measure.

Also as mentioned, I've tried several client computers and browsers on the outside world, with no success.  I've also tried several computers and browsers from the inside network, and it *does* work.

All outbound communication is allowed through the firewall (I'm not having issues with other outbound applications).  

One article mentions the outbound is some random port over 1024 from the RSA to the client.  Could the *remote* firewall (i.e., the firewall closest to the client device) be blocking the traffic for KVM control?

I've seen other posts talking about the blank/black screen, but no good solution (several mention firmware, but I'd imagine I would have the same blank/black screen from the inside network as well).

Thanks.

 

by: grimsrue | Posted on 2009-06-29 at 14:15:34 | ID: 24740310

If you are seeing the same black/blank screen issues on multiple clients on the outside world it may very well be firmware.

Don't count out firmware as a possible fix. Being that internal computers can connect to the Remote console with no issue does not mean the firmware is NOT the culprit. The data packets that the RSA sends out over a network can be adversely affected by switches, routers, and firewalls.

If there are multiple firewalls between the RSA and the outside world there very well could be an issue with one of the other firewalls like a mis-configured rule, or a missing rule that is not allowing traffic over port 2000. I would try updating the RSA firmware first.

Also if you have access to the firewall logs I would look through them and see if the IP of the client that is making the request is being accepted by the firewall or rejected.

 

by: snowdog_2112 | Posted on 2009-06-30 at 10:45:46 | ID: 24747634

My laptop works on the inside network and does not work from the outside.  The firewall is a SonicWall TZ170, with limited logging (that I can find).

The firmware on the RSA and the system (x3500 type 7977) is all latest/greatest, updated within the last week.

I've tested several other RSA's I have in the field with the same result - black screen from outside network.

I have RSA's behind a SonicWall, a Cisco 1700, and a Watchguard x750e (all at different locations) -- all give me black screens.  Each location has a different ISP and connection medium (cable, DSL, wireless) as well.

Any thoughts?

 

by: dpk_wal | Posted on 2009-07-01 at 07:10:20 | ID: 24754479

Have you tried changing MTU value on the firewall; from outside network, do this simple test:
ping <public-ip> -f -n <size>

Start with 1500 as value for -n and decrease by 100 for every unsuccessful try; finally play around with the value to find the maximum optimum value.

Normally we change MTU value on client but as you are experiencing problem at multiple locations, suggesting to look at the value on firewall.

Please check and update.

Thank you.

 

by: snowdog_2112 | Posted on 2009-07-15 at 16:44:59 | ID: 24865247

Checking the MTU issue out.  I know one location has an MTU of 1492 due to DSL issues.  The other locations have T1 or cable, with no changes to MTU.

Can the MTU be changed on the RSA (not in front of it to check at the moment)?

 

by: dpk_wal | Posted on 2009-07-16 at 02:26:25 | ID: 24867668

Not sure about the RSA server itself; normally on a Windows machine you use DrTCP [http://www.dslreports.com/drtcp] and change the MTU.

Thank you.

 

by: snowdog_2112 | Posted on 2009-07-16 at 12:56:59 | ID: 24873172

umm...the RSA has its own NIC...would the MTU on the Windows driver affect the RSA?  I'm guessing they have their own TCP stack and MTU?

 

by: dpk_wal | Posted on 2009-07-16 at 20:19:19 | ID: 24875680

Not 100% sure; can someone more experienced with RSA please comment here.

Thank you.

 

by: snowdog_2112 | Posted on 2009-08-10 at 08:44:23 | ID: 25060993

Following up on this...does no one else have issues with RSA's through NAT?

Can someone at least confirm it to be an issue?  Has anyone replicated this?

IBM has been less-than-helpful on this issue.

Thanks again!

 

by: grimsrue | Posted on 2009-08-10 at 09:32:37 | ID: 25061469

The IBM RSA is a self contained mini-computer within the server. Its settings are completely separate from the server and the OS. This is the same for Dell DRAC, and HP iLO.

I don't think the problem is with your IBM RSA card. I think the issue lies within one of the firewalls. More than likely the firewall closest to the IBM server. From what I can make out one of the firewalls is still blocking the port needed for Console access.

I am not sure if you can do this or not, but see if you can change the port that the IBM RSA uses for Console access to a known port that you know works through the firewall.

 

by: snowdog_2112 | Posted on 2009-08-11 at 08:02:15 | ID: 25069852

Will try that, but for clarification, the doc says 80/tcp and 2000/tcp only.  I've done both tcp/udp.  Are there any other ports I need to open?

I've got this behind Cisco, Watchguard, and Sonic Wall firewalls.  It seems odd that they'd all exhibit the same behavior.

 

by: grimsrue | Posted on 2009-08-19 at 14:18:53 | ID: 25137493

Hey snowdog_2112,

Go to this link. You might change the port in the RSA to 5090 and open the 5090 port up in the firewall instead.

http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?brandind=5000008&lndocid=MIGR-5074618

 

by: snowdog_2112 | Posted on 2009-08-25 at 13:11:00 | ID: 25181720

First, note that this happens on Cisco and non-Cisco products - if that changes anything.

I tried a couple of things - I changed the port to 5090 per the post, then restarted the RSA.  I got the same thing.  Then, I noticed that the popup window for Remote Control had http://<ip>:80, instead of the port specified in the RSA.  So, I tried browsing to the RSA on 5090 (i.e., http://<ip>:5090).  I get a logon and the web interface.  Remote control still doesn't work on my laptop (which works on the inside network to the same RSA).

I tried an XP machine with no version of Java installed to force it to install Java.  I browse to either port 80 or to port 5090 and choose Remote Control and I get a "Connection to host lost".

I'm going to do some more experimenting.

 

by: snowdog_2112 | Posted on 2009-08-25 at 14:38:21 | ID: 31598088

I had to rip out and redo the packet filters on a Watchguard.  With (2) RSA's on the inside mapped to a single public IP on the outside, I set RSA1 to port 81 for http and 5090 for remote control.  RSA2 is set on port 82 for http and 5091 for remote control.  I created NAT mappings for those ports on the public IP.  I still have to use java 1.4.2_19 from the outside, but it works!  Thanks for the help!!!
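
A reachability check for the port mappings described in the post above, added here as an example and not part of the original thread. It probes each forwarded port from the outside and separates "refused" from "filtered", which pinpoints the case seen throughout this thread where the web interface answers but the remote-control port does not. The public IP is a documentation placeholder and the function names are hypothetical.

```python
import socket

# Port layout taken from the post above: two RSAs behind one public IP.
# PUBLIC_IP is a placeholder from the documentation range, not from the thread.
PUBLIC_IP = "203.0.113.10"
NAT_MAP = {
    "RSA1": {"http": 81, "remote_control": 5090},
    "RSA2": {"http": 82, "remote_control": 5091},
}

def probe(host, port, timeout=3.0):
    """TCP connect test: 'open', 'refused' (a reset came back, so the
    packet reached something) or 'filtered' (dropped or unreachable)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts and ICMP unreachable
        return "filtered"
    finally:
        s.close()

def check_mappings(host, nat_map, timeout=3.0):
    """Probe every forwarded port and classify each RSA's mapping."""
    report = {}
    for name, ports in nat_map.items():
        states = {svc: probe(host, p, timeout) for svc, p in ports.items()}
        if all(state == "open" for state in states.values()):
            verdict = "ok"
        elif states.get("http") == "open":
            # Login page loads but the video/KVM port is not forwarded.
            verdict = "remote_control_blocked"
        else:
            verdict = "web_unreachable"
        report[name] = {"states": states, "verdict": verdict}
    return report

if __name__ == "__main__":
    for name, result in check_mappings(PUBLIC_IP, NAT_MAP).items():
        print(name, result["states"], "->", result["verdict"])
```

Run it from a host outside the firewall; a "remote_control_blocked" verdict means the NAT mapping or packet filter for that RSA's remote-control port is the part to fix.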

 

by: grimsrue | Posted on 2009-08-25 at 23:17:02 | ID: 25184813

I know this was a big pain in the back side. I am very happy that finally worked for you.
