Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Connection manager

From: Don Jerman <djerman_at_dot.state.nc.us>
Date: Wed, 28 Feb 2001 09:09:22 -0800
Message-ID: <F001.002BF984.20010228075744@fatcity.com>


Been there -- I don't know about availability, but this is what we have to do for people working at home through their ISP. I'm assuming NAT produces similar problems. You can use CMAN for firewall tunnelling with or without MTS, don't know about connection concentration, though, as we don't need it yet.

Background: on NT and some other OS's, Oracle listeners use a different port for reply (like FTP does), so the NAT server doesn't equate the incoming reply packets with the outgoing connection. Most NAT servers recognize and compensate for FTP connections, but not for Oracle. CMAN will not redirect its clients to another port, so the server-side redirect is hidden and the client remains connected.

Fix: On the server subnet, establish a CMAN server with a fixed address and (if necessary) make the firewall server route all incoming connections to 1620 (or whatever port you're using) to it. You'll need to use a different port than the Oracle listener if you're running CMAN on the Oracle server. See the docs to configure CMAN appropriately for your network security needs. By default it's fairly promiscuous so you'll probably want to make sure it only connects to Oracle servers inside your subnets, and you may want to restrict the outside addresses it will serve. Once I copied the sample config files into the ADMIN directory I was able to get it running with no complications, but I did revisit the routing issue for our site.

In the TNSNAMES file of the client (or in the naming service, whatever you're using) add (SOURCE_ROUTE=ON) and add an address line for each CMAN server needed to reach the Oracle server (if, for instance, you have multiple DMZ layers you may need multiple CMAN servers to make connections visible). The CMAN servers will be sent the description information and will establish the connection to the next leg of the route (another CMAN server or the data server). Naturally, each CMAN server needs to be able to resolve the address of the server that comes after it in the route.

Since you didn't list the errors, I assume this will work. It's possible the client needs a CMAN server on the back side of their NAT server, too, but probably not, unless you're doing server-to-server connections. If they do, just add it to the address list in the appropriate order.

Here's a sample TNSNAMES entry (this is what gave me the most trouble):

MYSERVER.MY.ORG =
  (DESCRIPTION =
    (SOURCE_ROUTE = ON)
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = FIREWALL.MY.ORG)(PORT = 1620))
      (ADDRESS = (PROTOCOL = TCP)(HOST = MYSERVER.MY.ORG)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = MY_SERVICE.MY.ORG)
    )
  )

Hope that helps!

Dan.Hubler_at_Metavante.com wrote:

> Looking for some help with Connection Manager.
> Suddenly got hit with a NAT issue from a customer site.
>
> Any suggestions on the use of Connection manager to alleviate this
> situation would be appreciated.
>
> Also:
>
> a) Does Connection manager require the use of MTS?
>
> b) Is Connection manager available with both Standard edition and
> Enterprise edition?
Received on Wed Feb 28 2001 - 11:09:22 CST
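
A checker for the kind of entry shown in the message above, as an added example that is not part of the original post: it parses a TNSNAMES-style descriptor, rejects unbalanced parentheses, and returns the hops in the order the client lists them, so you can confirm that SOURCE_ROUTE is ON and the CMAN address comes before the database listener. The function names (parse_entry, find, route) and the sample text are constructed for illustration.

```python
import re

# Constructed sample with the same shape as the entry in the post above.
SAMPLE = """MYSERVER.MY.ORG =
  (DESCRIPTION =
    (SOURCE_ROUTE = ON)
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = FIREWALL.MY.ORG)(PORT = 1620))
      (ADDRESS = (PROTOCOL = TCP)(HOST = MYSERVER.MY.ORG)(PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = MY_SERVICE.MY.ORG)))"""

def parse_entry(text):
    """Return (alias, tree); tree is a list of (KEY, value) pairs, nested for groups."""
    tokens = re.findall(r"[()=]|[^()=\s]+", text)
    pos = 2  # tokens[0] is the alias, tokens[1] must be '='
    def group():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] == "(":
            key, eq = tokens[pos + 1].upper(), tokens[pos + 2]
            pos += 3
            if eq != "=" or tokens[pos] in (")", "="):
                raise ValueError(f"malformed parameter {key}")
            value = group() if tokens[pos] == "(" else tokens[pos]
            if isinstance(value, str):
                pos += 1  # a plain value consumes one token
            if tokens[pos] != ")":
                raise ValueError(f"missing ')' after {key}")
            pos += 1
            items.append((key, value))
        return items
    try:
        if tokens[1] != "=":
            raise ValueError("expected 'alias =' before the descriptor")
        tree = group()
    except IndexError:
        raise ValueError("entry ends early: unbalanced parentheses") from None
    if pos != len(tokens):
        raise ValueError("extra ')' or trailing text after the descriptor")
    return tokens[0], tree

def find(items, key):
    return [v for k, v in items if k == key]

def route(text):
    """Return (source_route_on, [(host, port), ...]) in listed order; only 'ON' counts as on."""
    desc = find(parse_entry(text)[1], "DESCRIPTION")[0]
    on = [str(v).upper() for v in find(desc, "SOURCE_ROUTE")] == ["ON"]
    addrs = [dict(a) for lst in find(desc, "ADDRESS_LIST") for a in find(lst, "ADDRESS")]
    return on, [(a["HOST"], int(a["PORT"])) for a in addrs]
```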
