    Two FileMaker servers behind proxy


      I have the following setup at this customer:


      - Proxy Squid Server running Linux CentOS 5. It is the main router.

      - Windows 2008 Server running FileMaker Server 11v3.

      - OS X Server Mountain Lion running FileMaker Server 12v4.


      We are in the process of migrating to FM Server 12, but not all clients can go 12 at this moment so we are having two servers working at the same time.


      Everything is working fine inside the office (Intranet).


      We can access FileMaker Server 11 from outside the intranet, but not FileMaker Server 12.


      Could anyone give me some directions about how to configure the Squid server in order to work with both servers? Is it possible?


      At this moment we have this configuration:


      #Recommended minimum configuration:

      acl all src

      acl manager proto cache_object

      acl localhost src

      acl to_localhost dst

      acl SSL_ports port 443

      acl Safe_ports port 80 # http

      acl Safe_ports port 21 # ftp

      acl Safe_ports port 443 # https

      acl Safe_ports port 70 # gopher

      acl Safe_ports port 210 # wais

      acl Safe_ports port 1025-65535 # unregistered ports

      acl Safe_ports port 280 # http-mgmt

      acl Safe_ports port 488 # gss-http

      acl Safe_ports port 591 # filemaker

      acl Safe_ports port 777 # multiling http

      acl CONNECT method CONNECT


      acl apache rep_header Server ^Apache

      acl our_networks src

      http_access allow manager localhost

      http_access deny manager

      http_access deny !Safe_ports

      http_access deny CONNECT !SSL_ports

      http_access allow localhost

      http_access allow our_networks

      http_access deny all

      broken_vary_encoding allow apache



      Thank you

          Is this for FM web publishing only or for FMP traffic?

          I don't see port 5003 listed, which is what FMP uses to connect to FMS.


          Since you can only open port 5003 once on your firewall / router I would suggest you set up a VPN and let users connect through that.  Once they are connected through VPN they are ON the LAN and will be able to see both servers.

            Hi! This is normal FMP traffic, not Web traffic.


            This is part of the issue, because Squid uses this configuration line to open the 5003 and 16000 ports:


            acl Safe_ports port 591 # filemaker


            FileMaker Server 11 is working fine and I can access the server from outside the office. But I cannot do anything with FileMaker Server 12 from outside.


            Firewall in the OS X Server box is open. If it were not open we could not see them inside the office.


            A VPN could be a solution; however, due to the small bandwidth, it has been discarded. It is too slow.

              I think you are looking at the wrong thing.  Squid is not a firewall / router as far as I know.  So port 5003 and 16000 would be open on the firewall at the edge of your network (not the firewall on the OSX server itself).


              Since 5003 is a hard-wired port in the FM product that can not be changed, your router can only forward traffic on that port to one internal server.

              If VPN is not an option then you would need to look at something like Terminal Services so that users will have a "desktop" inside the LAN.


              VPN is much cheaper; so I would invest in faster internet to make that work.

                I believe you are right. I am looking at the wrong place. Squid is not blocking anything.


                The issue seems related to CentOS routing. This CentOS 5 machine is the main router also, Squid is just a proxy service. The proxy is not blocking FileMaker traffic, since we can see FileMaker Server 11 on Windows machine.


                If the router (CentOS machine) can only route traffic to one server, and since FM cannot be changed from 5003, it seems the only solution is a VPN.


                We are migrating to FileMaker Server 12 since it is supposedly more efficient at WAN performance with the same bandwidth. I know it must be difficult to believe but this server is located outside the USA, and we are paying the highest internet access available in the area. It's a 2 mbps downstream 256 kbps upstream connection. (Really, that's the fastest we can get).

                    I would like to confirm you are right.


                    In CentOS 5 the routing is done through the IPtables file located in /etc/sysconfig/iptables


                    FileMaker services are re-routed to our internal Windows machine:


                    -A PREROUTING -p tcp -m tcp -s -i eth0 --dport 5003 -j DNAT --to

                    -A PREROUTING -p tcp -m tcp -s -i eth0 --dport 16000 -j DNAT --to

                    -A PREROUTING -p tcp -m tcp -s -i eth0 --dport 16001 -j DNAT --to


                    But, it seems there is no way to expose two FileMaker Servers in the router. One with version 11 and another with version 12.


                    VPN seems the only solution.

                      Keep in mind that the 256 kbps upstream is what is going to be used to SEND data to the users. That is going to be painfully slow.  Is there no synchronous option that would give you the same upload as download speed?

                        Since I have two externally-accessible FileMaker Servers running at my home office, I do know that it can be done. The trick is to have a router that can forward to an internal port that's different from the external one. If the router is CentOS using IPTables as shown above, then you can do something like this for the FM12 server:


                        -A PREROUTING -p tcp -m tcp -s -i eth0 --dport 5004 -j DNAT --to 192.168.0.x:5003


                        where 192.168.0.x is the internal address of the FM12 server.


                        The final part of the puzzle is in the connections from outside: your connect files and host entries need to specify the external IP address with ":5004" on the end.


                        This solution does not allow remote administration of the FM12 server, but it will get you database access.
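An added example, not part of the original posts: a small audit of an iptables-save style NAT table that lists which internal services each DNAT rule exposes, flags a forward that can never match because an earlier rule already claims the same external port, and shows which forwards need the port appended on the client side. The rule set is constructed, the two internal host addresses are assumed placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed sample in iptables-save format (not the poster's real file).
# Assumed placeholders: 192.168.0.10 = FMS 11 host, 192.168.0.20 = FMS 12 host.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5003 -j DNAT --to-destination 192.168.0.10:5003
-A PREROUTING -i eth0 -p tcp -m tcp --dport 16000 -j DNAT --to-destination 192.168.0.10:16000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5004 -j DNAT --to-destination 192.168.0.20:5003
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5003 -j DNAT --to-destination 192.168.0.20:5003
COMMIT
"""

def parse_dnat(text):
    """Yield one dict per PREROUTING DNAT rule that matches a destination port."""
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        # Pair every option with the token that follows it.
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-A") != "PREROUTING" or opts.get("-j") != "DNAT" or "--dport" not in opts:
            continue
        target = opts.get("--to-destination") or opts.get("--to", "")
        host, _, port = target.partition(":")
        yield {
            "line": lineno, "external_port": opts["--dport"], "host": host,
            # Rules with an identical match compete; the first one wins.
            "match": (opts.get("-i", "any"), opts.get("-s", "any"),
                      opts.get("-p", "any"), opts["--dport"]),
            # Without an explicit port, DNAT keeps the original one.
            "internal_port": port or opts["--dport"],
        }

def audit(text):
    """Split forwards into reachable ones and ones shadowed by an earlier rule."""
    active, shadowed = {}, []
    for fwd in parse_dnat(text):
        if fwd["match"] in active:
            shadowed.append(fwd)
        else:
            active[fwd["match"]] = fwd
    return list(active.values()), shadowed

def remapped(forwards):
    """Forwards whose external port differs; clients must append that port."""
    return [f for f in forwards if f["external_port"] != f["internal_port"]]

if __name__ == "__main__":
    live, dead = audit(SAMPLE_RULES)
    print("reachable:", [(f["external_port"], f["host"], f["internal_port"]) for f in live])
    print("shadowed lines:", [f["line"] for f in dead], "remapped:", [f["external_port"] for f in remapped(live)])
```

Only rules with an identical interface, source, protocol and port match are treated as competing; a rule restricted with `-s` is compared separately from an unrestricted one.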

                          Thank you so much for your answer!!!