Caliber RM Firewall

July 2005

Deploying the CaliberRM software so that I could access the CaliberRM Server/Database both from in-house and from out on the internet became an overwhelming task for me this past week. I'm publishing this paper so that others may not go through the pains I endured.

Not all networks are set up the same, but I'm sure anyone reading this paper will pick up on some part that will enlighten them on how to achieve the desired connectivity.

Background

I have been evaluating CaliberRM for some months now and the application was beginning to grow on me. I haven't as yet proved the software's usefulness through the entire SDLC (software development life cycle), but what I had achieved in Business Requirements and the User Requirements had me thinking this could be a useful tool.

I then thought I could achieve more use from the application if I could expose the CaliberRM server to the internet. I would then have the ability to access the software on and off site.

Finding documentation on how to achieve this was not easy. The documentation that came with the software had nothing to say, and when I did a search on the internet I could only find one document on how to configure a firewall setup (see link below).

Trying to interpret what the instructions in this internet document meant became somewhat of a mission. Hoping Borland would come to my aid, I put a question out on the newsgroups, but alas, no response. My local Borland agent had to talk to me because I knew his phone number, but eventually that source dried up too. I even emailed the writer who published the document. Again, no reply.

Anyway, luckily I persisted, and was intrigued in the end, when I got the whole thing up and running, that the original document was theoretically correct. It was just badly written.

It's all in the name

One piece of information I was able to extract from my local Borland agent was that he was accessing the CaliberRM application in-house and from the internet using the same IP address. He had exposed the public IP address to the in-house users. That way it was immaterial whether you were on or off site; you used the same IP address to access the CaliberRM server.

Another piece of information that eluded me for some time was the reference to "{fully qualified machine name}" and the statement "You must be able to access, or route, the fully qualified machine, from outside the firewall", which appeared in the Borland document. I spent a lot of time asking myself and other people what this meant.

The Solution

I discovered that CaliberRM wants to communicate with only one known server. The "{fully qualified machine name}" and the "Server name" you enter into the login screen have to be the same.

When the penny dropped on this the answer was easy!

CaliberRM Server Modifications

On the CaliberRM server machine you need to add the following property to the orb.properties file:

vbroker.se.iiop_tp.proxyHost={Your Domain Name}
e.g. MyDomain.com

Firewall

Open the TCP ports as described in the document, allowing traffic to come both in and out. Refer to your firewall's instructions on how to do this.

Configure the NAT so that any traffic that comes in on the two ports is directed to the CaliberRM Server machine.

DNS Server

Configure your in-house DNS server machine so that any calls to your Domain Name (MyDomain.com) point to the CaliberRM Server. Again, the documentation on how to do this comes with the DNS software.

Testing

It should now be possible to execute the CaliberRM Client from both sides of the firewall. When you are off-site you enter your domain name as the server name when you log in (e.g. MyDomain.com).

When you are on-site you again use your domain name (MyDomain.com), which will be interpreted by your local DNS server.
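
The consistency check behind the steps above, as an added example that is not part of the original paper or of Borland's documentation: it confirms that orb.properties advertises the same name the client logs in with, and that the name resolves to the address expected on the side of the firewall where it is run. The function names, the host name calsrv01 and the 192.0.2.10 address are constructed for illustration, and the properties parser handles only simple key/value lines.

```python
import socket

PROXY_KEY = "vbroker.se.iiop_tp.proxyHost"  # property name given in the article

def parse_properties(text):
    """Parse simple Java .properties text (no line continuations) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if cut != -1:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def same_host(a, b):
    """Host names compare case-insensitively; ignore a trailing root dot."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()

def resolve(name):
    """Addresses the local resolver returns for name (needs network access)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def check_deployment(props_text, login_name, expected_ip, resolver=resolve):
    """Return a list of problems; an empty list means this side looks consistent."""
    problems = []
    advertised = parse_properties(props_text).get(PROXY_KEY)
    if not advertised:
        problems.append(f"{PROXY_KEY} is missing or empty")
    elif not same_host(advertised, login_name):
        problems.append(f"{PROXY_KEY}={advertised} does not match login name {login_name}")
    try:
        addresses = resolver(login_name)
    except OSError as exc:                    # socket.gaierror is a subclass
        return problems + [f"{login_name} does not resolve: {exc}"]
    if expected_ip not in addresses:
        problems.append(f"{login_name} resolves to {sorted(addresses)}, expected {expected_ip}")
    return problems

# Constructed samples: in SAMPLE_BAD the property is commented out and a short name is set.
SAMPLE_BAD = "# vbroker.se.iiop_tp.proxyHost=MyDomain.com\nvbroker.se.iiop_tp.proxyHost = calsrv01\n"
SAMPLE_GOOD = "vbroker.se.iiop_tp.proxyHost=MyDomain.com\n"

if __name__ == "__main__":
    fake_dns = lambda name: {"192.0.2.10"}    # constructed in-house DNS answer
    print(check_deployment(SAMPLE_GOOD, "mydomain.com", "192.0.2.10", fake_dns))
    print(check_deployment(SAMPLE_BAD, "MyDomain.com", "192.0.2.10", fake_dns))
```

Run it on-site with the CaliberRM server's in-house address as expected_ip and off-site with the public address, leaving the resolver argument at its default so the real DNS answer is used.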

Conclusion

It was disappointing that the documentation was not up to scratch, but I hope this paper will enlighten those who encounter the same problems as I did.

Links