Signiant Support

Running UDP transfers over a privileged port


Background  

In a typical installation, Signiant agents use 'high ports' for communication.  By default these are TCP/49221 and UDP/49221.  In some circumstances it may be required to run the agent using ports below 1024.

This presents a challenge because of how the agent executes when participating in a UDP transfer.  For each transfer, the agent spawns a dds_file_agnt process.  This process binds to the first free port above the agent's Process Control port (49222, for example, on a standard agent install).  Each transfer creates a new dds_file_agnt process with its own unique port number.  Furthermore, these processes are spawned as the transfer user account.

If the transfer user is not a root or administrator-level account, the operating system will normally refuse to let it bind to a port below 1024.  Thus, if your Process Control port is lower than 1024, UDP transfers involving this host are likely to fail with the following message:

Unable to define a UDP data socket: Permission denied

Working around this problem is possible with some custom configuration of your agents.

Discussion  

Signiant agents can listen on more than one port for the Process Controller.  Also, the dds_file_agnt processes pick their port based on the first port listed on the 'Process control port' line of the Signiant agent's configuration file.  We can take advantage of both of these features to achieve our goal: keep the existing high port listed first, so the file agents continue to bind high ports, and add the low port after it for inter-agent traffic.

We will also need to use the Signiant agent's relay functionality to not only direct traffic to the proper port, but to force all inter-agent UDP traffic over a single port.  

For this document, we will use 49221 as the 'high port' and 340 as the 'low port'.

Here is a graphical representation of what we need to accomplish:

[Diagram: source agent --UDP/340--> UDP relay on the target agent --port 49222 (loopback)--> dds_file_agnt process]

The source agent connects to the UDP relay agent on the target over UDP/340.  The UDP relay then uses an internal connection on port 49222 to direct the traffic to the file agent process.  Note that this port-49222 communication never leaves the target host: it is loopback inter-process communication only, which is why the file agent can keep using a high port even though the transfer user cannot bind a privileged one.

Implementation

For your agents, you will need to do the following:

1. Stop the Signiant agent services.

2. Edit the Signiant config file (dds.conf for Unix, Linux or Macintosh, dds.cfg for Windows).

3. Change the following line:

      Process control port is 49221

to this:

      Process control port is 49221 340

Note:  Make a backup of the Signiant configuration file before editing it.  Also, do not edit the Signiant configuration file while the agent processes are running, as your changes may be overwritten by the normal maintenance activity of the agent.

4. Start the Signiant agent services.

5. For each agent that needs to connect to another host via the 'low port', add a relay line of the form:

      Relay for remote.agent.name is remote.agent.IP.address port 340

6. If all your hosts will be connecting over the low port, you can instead use the catch-all relay ('*' with address 0.0.0.0) to force all outgoing traffic through the relay, as follows:

      Relay for * is 0.0.0.0 port 340

7. You can then use a personal (host) firewall on the agent to block inbound TCP and UDP 49221 from other hosts.  All traffic to the Signiant agent from other hosts will then have to run over TCP and UDP 340.  Do not block the loopback interface: the relay still hands each transfer to its dds_file_agnt process on a high port (49222 and up) on the local host, and blocking that breaks every UDP transfer.
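The procedure above, scripted as an added example; this is not Signiant's own tooling and is not from the original article. It rewrites the 'Process control port' line in the configuration file, appends relay lines, and checks the result before you restart the agent services. The configuration file path, the sample file contents and the agent name and IP address used in the demonstration are assumptions; the two directive lines use exactly the syntax the steps above quote. The script does not stop or start the agent services (steps 1 and 4), which you must still do around it, because the agent rewrites its configuration file during normal maintenance.

```shell
#!/bin/sh
# Added example, not Signiant tooling: apply steps 2, 3, 5 and 6 to a Signiant
# agent configuration file and sanity-check the result.
# Assumptions not taken from the article: the file path passed in, and that
# the 'Process control port' and 'Relay for' lines have the quoted syntax.
# Run only while the agent services are stopped.

HIGH_PORT=49221   # existing 'high port'
LOW_PORT=340      # privileged 'low port' (below 1024)

# Step 3: "Process control port is 49221" -> "Process control port is 49221 340".
# The high port must stay FIRST: dds_file_agnt takes its own port from the first
# port listed, so "340 49221" would make it try to bind 341 as the (unprivileged)
# transfer user and fail with "Permission denied".
# Idempotent: a file that already lists both ports is left as it is.
add_low_port() {   # $1 = path to dds.conf / dds.cfg
    cfg=$1
    cp "$cfg" "$cfg.$(date +%Y%m%d%H%M%S).bak" || return 1     # backup first (see Note above)
    grep -q "^Process control port is $HIGH_PORT $LOW_PORT\$" "$cfg" && return 0
    sed "s/^Process control port is $HIGH_PORT\$/Process control port is $HIGH_PORT $LOW_PORT/" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Steps 5 and 6: append one relay directive unless it is already present.
# $2 is a remote agent name or '*', $3 its IP address or 0.0.0.0 for the catch-all.
add_relay() {
    cfg=$1; line="Relay for $2 is $3 port $LOW_PORT"
    grep -qF -- "$line" "$cfg" || printf '%s\n' "$line" >> "$cfg"
}

# Check before restarting the agent: exactly one Process control port line,
# high port first and low port present, and every relay pointing at the low port.
check_config() {
    cfg=$1
    [ "$(grep -c '^Process control port is ' "$cfg")" -eq 1 ] \
        || { echo "expected exactly one Process control port line" >&2; return 1; }
    grep -q "^Process control port is $HIGH_PORT $LOW_PORT\$" "$cfg" \
        || { echo "high port must be listed first, followed by $LOW_PORT" >&2; return 1; }
    bad=$(awk -v low="$LOW_PORT" '/^Relay for / && $NF != low { n++ } END { print n + 0 }' "$cfg")
    [ "$bad" -eq 0 ] || { echo "$bad relay line(s) do not use port $LOW_PORT" >&2; return 1; }
}

# Constructed sample configuration (not a real agent's file) for the demonstration.
write_sample_config() {   # $1 = path
    printf '%s\n' \
        '# constructed sample dds.conf' \
        "Process control port is $HIGH_PORT" \
        'Some other setting is unchanged' > "$1"
}

# Demonstration on a throw-away copy.
tmpdir=$(mktemp -d)
write_sample_config "$tmpdir/dds.conf"
add_low_port "$tmpdir/dds.conf"
add_low_port "$tmpdir/dds.conf"                          # second run is a no-op
add_relay "$tmpdir/dds.conf" remote.agent.example 192.0.2.10   # assumed name/address
add_relay "$tmpdir/dds.conf" '*' 0.0.0.0
check_config "$tmpdir/dds.conf" && echo "configuration OK:" && cat "$tmpdir/dds.conf"
rm -rf "$tmpdir"
```

The check deliberately rejects "Process control port is 340 49221": the order looks harmless but moves the file agents onto 341 and up, which is the exact failure the Background section describes.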

Verification

You can use any of the following methods to verify that inter-agent traffic is running over the low port, but inter-process traffic is running over the high port:

1. Implement a personal (host) firewall to restrict incoming traffic on the high port range.  Remember to allow the loopback interface to connect to the high port range for inter-process communication.  Attempt to connect from the source agent to TCP 49221 (eg, telnet agentname 49221).  The connection should be refused.

2. While a job is running, run netstat -a to list active connections.  You will see a socket on UDP/49222 but none on UDP/341: the file agent takes its port from the first Process Control port listed (49221), not from the low port (340).

3. While a job is running, obtain the process ID of the dds_file_agnt process and run lsof -p ProcessId -a -i4.  You will see that the process is using UDP/49222.

The above assumes that a single job is running.  If multiple jobs are running to this agent, the internal UDP ports will increment based on the first Process Control port (eg, 49222, 49223, etc) until a free port is found.
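An added example (not part of the original article) that automates verification method 3: a shell function reads lsof output for the dds_file_agnt process and fails if any of its UDP sockets is on a privileged port or is not above the first Process Control port. The lsof output below is constructed to show the two-job case just described, not captured from a real host; the real command line is lsof -p ProcessId -a -i4 -n -P, where -n and -P keep addresses and ports numeric so the script can parse them. lsof truncates the COMMAND column to nine characters unless you pass +c 0, so the check matches on the prefix dds_file.

```shell
#!/bin/sh
# Added example, not Signiant tooling: confirm that every UDP socket held by a
# dds_file_agnt process sits above the FIRST Process Control port (so it was
# derived from the high port, not the low one) and is never a privileged port.
#
# Live usage (assumed pipeline; the lsof options are standard):
#   lsof -p "$(pgrep -o dds_file_agnt)" -a -i4 -n -P | check_file_agent_ports 49221
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, so NODE is
# field 8 and NAME (address:port) is field 9.

check_file_agent_ports() {   # $1 = first Process Control port; lsof output on stdin
    awk -v first="$1" '
        NR == 1 { next }                 # column header line
        $1 !~ /^dds_file/ { next }       # only file agent processes (COMMAND may be truncated)
        $8 != "UDP" { next }             # only their UDP sockets
        {
            port = $NF
            sub(/->.*/, "", port)        # drop any peer address
            sub(/.*:/, "", port)         # "127.0.0.1:49222" -> "49222"
            seen++
            if (port + 0 < 1024) {
                bad++; print "FAIL: privileged port " port " in use"
            } else if (port + 0 <= first) {
                bad++; print "FAIL: port " port " is not above first Process Control port " first
            } else {
                print "ok: dds_file_agnt UDP socket on port " port
            }
        }
        END {
            if (seen == 0) { print "FAIL: no dds_file_agnt UDP sockets found"; exit 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed lsof output for two concurrent jobs (ports 49222 and 49223).
SAMPLE_LSOF='COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dds_file_  4321 xferuser    5u  IPv4  91827      0t0  UDP 127.0.0.1:49222
dds_file_  4322 xferuser    5u  IPv4  91842      0t0  UDP 127.0.0.1:49223'

# Constructed output for the broken ordering (low port listed first): 341 in use.
BAD_LSOF='COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dds_file_  4330     root    5u  IPv4  91900      0t0  UDP 127.0.0.1:341'

printf '%s\n' "$SAMPLE_LSOF" | check_file_agent_ports 49221 && echo "expected layout confirmed"
printf '%s\n' "$BAD_LSOF"    | check_file_agent_ports 49221 || echo "misconfiguration detected as expected"
```

Run it against each transfer target after applying the configuration change; a single failing line tells you which process is on the wrong port and whether the cause is the port order or a privileged bind.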

Copyright © 2014 Signiant Inc, all rights reserved.