Home / Resources / How To: Expose a FactoryPMI Gateway Behind a Private Network

How To: Expose a FactoryPMI Gateway Behind a Private Network

This month's article covers some basic networking principals and settings to expose a local FactoryPMI gateway to a wider network.

Background

We're going to learn about TCP/IP and networking with FactoryPMI by example. Our setup uses the address range 192.168.0.1-254. This is an example of a non-routable Class C IP network. Class C means that we have 255 addresses to deal with and a 24 bit subnet mask (255.255.255.0). Non-routable means that we're using addresses have been reserved for private (non-Internet) use. This means that Internet routers will ignore requests that use these addresses. Make sure that you use non-routable addresses when setting up private control networks! We have a router set up that has a single legal IP address and provides Internet access to our network with Network Address Translation (NAT). This article is relevant to any setup where you use NAT, port forwarding, or a DMZ (Demilitarized zone, a subnetwork that sits between the internal and external network).
  • The FactoryPMI gateway uses the static (non-DHCP) address 192.168.0.2 and currently runs over port 8080
  • The router uses the LAN address 192.168.0.1
  • The router uses the WAN (Internet) address 69.19.188.26
  • Clients' addresses are assigned via DHCP in the range 192.168.0.100-150. They need to access the FactoryPMI project
  • We want to be able to access our application over the Internet
Getting Started

Our first step to allow access to the FactoryPMI gateway is by setting up a port forward rule in the router. It should specify that TCP traffic directed to 69.19.188.26 over port 8080 be forwarded to 192.168.0.2. You may also need to add an incoming firewall rule to support this with the same settings.

To test, open http://69.19.188.26:8080 in a web browser. If you see the default FactoryPMI Gateway web site it worked! If not, try loosening up your firewall policy and using 192.168.0.2 as the DMZ host. Keep in mind that a home router DMZ host is not a true DMZ in terms of network segmenting - it is a feature that will pass all traffic to our Gateway, with the exception of certain attacks. This is much more wide open than a single port forward - more geared toward Internet games that require numerous ports to be open. Incrementally tighten back security as you determine what works.

Next make sure that your firewall doesn't block outbound TCP traffic from your local network over port 8080. In most cases it shouldn't, but our network is very secure so we'll set up an outbound firewall rule to allow TCP traffic from 192.168.0.x to 69.19.188.26 over port 8080. Without this rule, Internet users won't have a problem, but your local clients won't be able to access the system. Your clients should address 69.19.188.26 instead of 192.168.0.2 when using the FactoryPMI runtime. I would then restrict gateway configuration access to either 127.0.0.1 (localhost) or 192.168.0.*.

Launching Projects

Now launch one of your applications via Java Web Start by clicking on a project link. The application will seem to download properly, but fail to launch. What gives? The FactoryPMI Gateway web server can listen over all IP addresses, but the client application needs to know the address of its Gateway - this setting is true for each Gateway in the Cluster. Normally this is automatically detected properly, but our Network Address Translation fools the client. Another error that you may see will say Error Loading Plugins, indicating the same problem.



We need to statically tell clients that their gateway address will be the valid Internet IP address. Go to the Gateway Configuration Page -> Network and uncheck Autodetect HTTP Address. We then type 69.19.188.26 under HTTP Address.

I'm also going to uncheck Autodetect Bind Interface since I have multiple network adapters. I'll then specify 192.168.0.2 as the address for Bind Interface. This wasn't necessary, but is good to disambiguate our IP addresses.



Summary

Here's how we setup a FactoryPMI Gateway to work with NAT
  • Set up a port forward rule in our router
  • Under the Network tab of the FactoryPMI Gateway Configuration page, uncheck Autodetect HTTP address and specify
  • Ensure that outbound TCP client traffic is allowed from our network to the WAN address of our router over the FactoryPMI port
  • Clients now reference the FactoryPMI project from the WAN address. So do computers over the Internet.
published: 04/30/14