Split DNS-reverse proxy setup with Windchill 11 M020 clustered solution

rkumar-10-11-128
5-Regular Member

Hi,

We are trying to implement a split DNS-reverse proxy setup with a Windchill 11 M020 clustered solution, but it's not working for external users through the DMZ; they receive a "service unavailable" error for the Windchill page. This works perfectly fine from inside our network.

It seems there are some changes implemented with the new Apache/Tomcat that comes with Windchill 11 that could be the case, but I'm not sure exactly what.

The exact setup worked with Windchill 10.1 M050.

Please share if anyone has implemented this with Windchill 11; any thoughts/suggestions on this will be really helpful.


Regards,

Rajiv

5 REPLIES 5

This is resolved. We had to run the command below after navigating to Windchill_11.0\Windchill\tomcat:

ant -f config.xml configureConnectors -DajpAddress=""

The issue was that address="127.0.0.1" for port 8010 is hard-coded in the server.xml file of the Tomcat embedded with Windchill, which doesn't allow the remote Apache (DMZ) connection to happen through AJP.

jessh
5-Regular Member
(To:rkumar-10-11-128)

Be aware that changing the AJP address to something other than 127.0.0.1 means that anything that can access the given address and port can send AJP messages to Tomcat, complete with an asserted user name, and have them accepted by Windchill.

That means it is important to lock down what has access to that address and port.  Using 127.0.0.1 does just that, of course, locking it down to the server in question, but that clearly doesn't work for configurations where you require AJP access by another host.
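An added example, not part of the post above or of PTC's tooling: a small audit that reads a Tomcat server.xml and reports which AJP connectors listen beyond loopback and therefore need a source restriction. The sample XML is constructed (only port 8010 comes from this thread), and treating a missing or empty address as "all interfaces" is an assumption about the Tomcat version in use.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not copied from a Windchill installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8011" protocol="AJP/1.3" address=""/>
    <Connector port="8012" protocol="AJP/1.3"/>
    <Connector port="8013" protocol="AJP/1.3" address="10.0.5.20"/>
  </Service>
</Server>"""


def classify_address(address):
    """Return 'loopback', 'all-interfaces' or 'specific' for a Connector address."""
    if address is None or address.strip() == "":
        # Assumption: with no address set, this Tomcat listens on every interface.
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return "specific"  # a host name: resolve and review by hand
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific"


def audit_ajp_connectors(server_xml_text):
    """List every AJP connector with its port, address and exposure class."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope here
        address = conn.get("address")
        exposure = classify_address(address)
        # Anything but loopback needs a rule limiting the source to the proxy host.
        findings.append({"port": conn.get("port"), "address": address,
                         "exposure": exposure,
                         "needs_source_restriction": exposure != "loopback"})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```
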

rkumar-10-11-128
5-Regular Member
(To:jessh)

Thanks for your feedback. Any request from outside our network cannot send AJP messages directly, as it has to go through our DMZ server where the remote Apache is configured.

Regards,

Rajiv

jessh
5-Regular Member
(To:rkumar-10-11-128)

You'll also want to be sure that AJP requests cannot originate from other machines within your network -- apart from those you specifically have locked down and intend such traffic to arise from.

rkumar-10-11-128
5-Regular Member
(To:jessh)

The application URL will always direct requests to the Windchill host or the DMZ (in the case of external users). I do not see AJP requests coming from other machines. Can you please explain this case?

Regards,

Rajiv
