Solved

IBM RSA through firewall, blank screen in remote control

Posted on 2009-06-29
5,548 Views
Last Modified: 2013-12-02
I've read all the posts about ports required.  I have 80/tcp, 23/tcp, and 2000/tcp,udp open on the firewall.

I can telnet in and open the web interface from outside the firewall.  When I try remote control, I get a blank/black screen in the browser.  I've tried several machines, OS', and browser versions.

I get video just fine from the internal network, so I know the RSA is functional.

Tried various versions of Java - the version it installs if you don't have java also works from the internal network but not the outside world.

Are there ports other than 2000/tcp,udp for video across a firewall?
Question by:snowdog_2112
16 Comments
 
LVL 1

Expert Comment

by:grimsrue
ID: 24739968
The site below will give you a listing of all ports used for RSAs on different IBM servers.
http://www.redbooks.ibm.com/abstracts/tips0511.html

Port 2000 is the port you need open for Remote Console Video redirect. I would try opening up that port in your firewall for two-way communication if it isn't already. I would also try connecting to the RSA and opening a remote console video session from another computer that is outside the firewall to see if you are getting the same issue. Check for any errors in your system log or app log on the client machine that you are using to connect to the RSA to see if you are logging errors.

One other thing you might want to try is downloading Microsoft NetMon 3.5 and running a capture on the client machine while you are trying to connect to Remote Console Video, and see if you're transmitting a request and receiving one back from the RSA on that port.
0
 

Author Comment

by:snowdog_2112
ID: 24740148
As mentioned, I have read those posts and articles concerning the ports.  I have both tcp and udp open on port 2000 as an added measure.

Also as mentioned, I've tried several client computers and browsers on the outside world, with no success.  I've also tried several computers and browsers from the inside network, and it *does* work.

All outbound communication is allowed through the firewall (I'm not having issues with other outbound applications).  

One article mentions the outbound is some random port over 1024 from the RSA to the client.  Could the *remote* firewall (i.e., the firewall closest to the client device) be blocking the traffic for KVM control?

I've seen other posts talking about the blank/black screen, but no good solution (several mention firmware, but I'd imagine I would have the same blank/black screen from the inside network as well).

Thanks.
0
 
LVL 1

Expert Comment

by:grimsrue
ID: 24740310
If you are seeing the same black/blank screen issues on multiple clients on the outside world it may very well be firmware.

Don't count out firmware as a possible fix. The fact that internal computers can connect to the Remote Console with no issue does not mean the firmware is NOT the culprit. The data packets that the RSA sends out over a network can be adversely affected by switches, routers, and firewalls.

If there are multiple firewalls between the RSA and the outside world, there very well could be an issue with one of the other firewalls, like a mis-configured rule or a missing rule that is not allowing traffic over port 2000. I would try updating the RSA firmware first.

Also, if you have access to the firewall logs, I would look through them and see if the IP of the client that is making the request is being accepted by the firewall or rejected.
0
 

Author Comment

by:snowdog_2112
ID: 24747634
My laptop works on the inside network and does not work from the outside.  The firewall is a SonicWall TZ170, with limited logging (that I can find).

The firmware on the RSA and the system (x3500 type 7977) is all latest/greatest, updated within the last week.

I've tested several other RSA's I have in the field with the same result - black screen from outside network.

I have RSA's behind a SonicWall, a Cisco 1700, and a Watchguard x750e (all at different locations) -- all give me black screens.  Each location has a different ISP and connection medium (cable, DSL, wireless) as well.

Any thoughts?

0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24754479
Have you tried changing MTU value on the firewall; from outside network, do this simple test:
ping <public-ip> -f -n <size>

Start with 1500 as value for -n and decrease by 100 for every unsuccessful try; finally play around with the value to find the maximum optimum value.

Normally we change the MTU value on the client, but as you are experiencing the problem at multiple locations, I suggest looking at the value on the firewall.

Please check and update.

Thank you.
0
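The sweep dpk_wal describes, written out as an added example (not code from the thread): it searches for the largest don't-fragment ping that still gets through and converts that to a path MTU. The probe is injected so the search runs offline against a constructed link; `run_ping()` is the real probe you would pass in from a client outside the firewall, and the public IP in the comments is a placeholder.

```python
"""Path-MTU sweep with don't-fragment pings (added example, not from the thread).

The probe is injected so the search can be exercised offline; run_ping() is the
real probe a tester would pass in from a client outside the firewall.
"""
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def ping_command(host: str, payload: int) -> list[str]:
    """Windows ping: -f sets don't-fragment, -l the payload size, -n 1 sends one echo."""
    return ["ping", host, "-f", "-l", str(payload), "-n", "1"]

def run_ping(host: str, payload: int) -> bool:
    """Real probe: True only if a single DF-bit echo of this size is answered."""
    result = subprocess.run(ping_command(host, payload), capture_output=True, text=True)
    return result.returncode == 0 and "needs to be fragmented" not in result.stdout

def max_payload(probe: Callable[[int], bool], hi: int = 1472) -> int:
    """Largest ICMP payload that passes unfragmented.

    hi=1472 is the payload of a 1500-byte frame, the starting point suggested in
    the thread. A passing payload of 0 is assumed (tiny pings always fit), then
    the good/bad boundary is bisected instead of stepping down by 100 at a time.
    """
    if probe(hi):
        return hi
    good, bad = 0, hi  # invariant: probe(good) passes, probe(bad) fails
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid):
            good = mid
        else:
            bad = mid
    return good

def path_mtu(probe: Callable[[int], bool]) -> int:
    """Path MTU in bytes: largest passing payload plus the IP and ICMP headers."""
    return max_payload(probe) + IP_ICMP_OVERHEAD

def simulated_probe(true_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for run_ping: a link of this MTU drops larger DF packets."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= true_mtu

# Usage against a real firewall (placeholder address):
#   path_mtu(lambda size: run_ping("203.0.113.10", size))
# Offline, the 1492-byte DSL case the asker mentions:
#   path_mtu(simulated_probe(1492))  # returns 1492
```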
 

Author Comment

by:snowdog_2112
ID: 24865247
Checking the MTU issue out.  I know one location has an MTU of 1492 due to DSL issues.  The other locations have T1 or cable, with no changes to MTU.

Can the MTU be changed on the RSA (not in front of it to check at the moment)?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24867668
Not sure about the RSA server itself; normally on a windows machine you use DrTCP [http://www.dslreports.com/drtcp] and change the MTU.

Thank you.
0
 

Author Comment

by:snowdog_2112
ID: 24873172
Umm... the RSA has its own NIC. Would the MTU on the Windows driver affect the RSA? I'm guessing they have their own TCP stack and MTU?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24875680
Not 100% sure; can someone more experienced with RSA please comment here.

Thank you.
0
 

Author Comment

by:snowdog_2112
ID: 25060993
Following up on this...does no one else have issues with RSA's through NAT?

Can someone at least confirm it to be an issue?  Has anyone replicated this?

IBM has been less-than-helpful on this issue.

Thanks again!
0
 
LVL 1

Expert Comment

by:grimsrue
ID: 25061469
The IBM RSA is a self-contained mini-computer within the server. Its settings are completely separate from the server and the OS. This is the same for Dell DRAC and HP iLO.

I don't think the problem is with your IBM RSA card. I think the issue lies within one of the firewalls, more than likely the firewall closest to the IBM server. From what I can make out, one of the firewalls is still blocking the port needed for Console access.

I am not sure if you can do this or not, but see if you can change the port that the IBM RSA uses for Console access to a known port that you know works through the firewall.
0
 

Author Comment

by:snowdog_2112
ID: 25069852
Will try that, but for clarification, the doc says 80/tcp and 2000/tcp only.  I've done both tcp/udp.  Are there any other ports I need to open?

I've got this behind Cisco, Watchguard, and Sonic Wall firewalls.  It seems odd that they'd all exhibit the same behavior.
0
 
LVL 1

Accepted Solution

by:grimsrue (earned 500 total points)
ID: 25137493
Hey snowdog_2112,

Go to this link. You might change the port in the RSA to 5090 and open the 5090 port up in the firewall instead.

http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?brandind=5000008&lndocid=MIGR-5074618

0
 

Author Comment

by:snowdog_2112
ID: 25181720
First, note that this happens on Cisco and non-Cisco products - if that changes anything.

I tried a couple of things - I changed the port to 5090 per the post, then restarted the RSA.  I got the same thing.  Then, I noticed that the popup window for Remote Control had http://<ip>:80, instead of the port specified in the RSA.  So, I tried browsing to the RSA on 5090 (i.e., http://<ip>:5090).  I get a logon and the web interface.  Remote control still doesn't work on my laptop (which works on the inside network to the same RSA).

I tried an XP machine with no version of Java installed to force it to install Java.  I browse to either port 80 or to port 5090 and choose Remote Control and I get a "Connection to host lost".

I'm going to do some more experimenting

0
 

Author Closing Comment

by:snowdog_2112
ID: 31598088
I had to rip out and redo the packet filters on a Watchguard.  With (2) RSA's on the inside mapped to a single public IP on the outside, I set RSA1 to port 81 for http and 5090 for remote control.  RSA2 is set on port 82 for http and 5091 for remote control.  I created NAT mappings for those ports on the public IP.  I still have to use java 1.4.2_19 from the outside, but it works!  Thanks for the help!!!
0
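The port plan from the closing comment, as an added example that is not the asker's configuration: two RSA cards behind one public IP, each moved off the default 80/2000 onto its own ports, with a check for port collisions and a lookup that tells you which RSA a Remote Control URL actually lands on (the earlier comment saw the pop-up still pointing at :80 after the port change). The IP addresses and names are constructed.

```python
"""NAT port plan for two RSA cards behind one public IP (added example, not from
the thread). IPs and names are constructed; ports mirror the closing comment:
RSA1 on 81/5090, RSA2 on 82/5091, each RSA itself reconfigured to those ports."""
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class RsaMapping:
    name: str
    internal_ip: str
    http_port: int     # web interface port, moved off the default 80
    console_port: int  # remote-control (video) port, moved off the default 2000

PUBLIC_IP = "203.0.113.10"  # constructed public address of the firewall
MAPPINGS = [
    RsaMapping("RSA1", "192.168.1.21", 81, 5090),
    RsaMapping("RSA2", "192.168.1.22", 82, 5091),
]

def services(m: RsaMapping):
    """The two TCP services each RSA needs forwarded."""
    return (("http", m.http_port), ("console", m.console_port))

def nat_rules(public_ip: str, mappings) -> list[dict]:
    """One TCP forward per service, same port inside and out: the Remote Control
    pop-up connects to the port the RSA is configured with, so they must match."""
    return [{"public": f"{public_ip}:{port}", "internal": f"{m.internal_ip}:{port}",
             "proto": "tcp", "service": f"{m.name}/{svc}"}
            for m in mappings for svc, port in services(m)]

def check_mappings(mappings) -> list[str]:
    """Report two services sharing one public port (e.g. both cards left on 80/2000)."""
    problems, owner = [], {}
    for m in mappings:
        for svc, port in services(m):
            label = f"{m.name}/{svc}"
            if port in owner:
                problems.append(f"{label} port {port} collides with {owner[port]}")
            owner.setdefault(port, label)
    return problems

def resolve_target(url: str, public_ip: str, mappings):
    """RSA/service reached for a URL the Remote Control pop-up opens, or None when
    no forward exists for that port (the thread's symptom: applet still on :80)."""
    parts = urlsplit(url)
    if parts.hostname != public_ip:
        return None
    target = f"{public_ip}:{parts.port or 80}"
    return next((r["service"] for r in nat_rules(public_ip, mappings)
                 if r["public"] == target), None)
```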
 
LVL 1

Expert Comment

by:grimsrue
ID: 25184813
I know this was a big pain in the backside. I am very happy that it finally worked for you.
0
