Operating System - OpenVMS

X11/Motif/DecWindows IP Ports

 
RF Thomas
Frequent Advisor

X11/Motif/DecWindows IP Ports

We need to allow users to access our server through a firewall. We will be using several different X11 servers (outside PC's trying to access OpenVMS Cluster). We are testing using eXcursion and other PC X11 servers.

Everything works well internally.

We have allowed port 512 (rexec) and port 6000 (x11). What other ports on the OpenVMS side (X11 client) need to be accessible?

VPN's are not an option at this time.
Wim Van den Wyngaert
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

None (to my knowledge).
The VMS station is doing everything and X is transporting the GUI from VMS to the PC.
On security level a secured rexec (ssh) would be better.

Wim
Arch_Muthiah
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

Thomas,

Choose any X11 server number between 10 and 999.
Create a TCP port number by adding 6000 to the server number.

For example, if the server number is 13, the TCP port number is 6013. Select port numbers starting at 6010 to avoid conflicts with DECwindows.

Add the X11-Gateway service to the list of TCP/IP services using the Server Configuration Utility (SERVER-CONFIG).

Archunan
Regards
Archie
Joseph Huber_1
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

As Wim said, if You just want to set the display for application on a PC, then on the VMS side there is no port to open (VMS is the client in X11 parlance).

If You intend to open a DECWindows session, then You need access to port 177, the default XDM server port.
http://www.mpp.mpg.de/~huber
RF Thomas
Frequent Advisor

Re: X11/Motif/DecWindows IP Ports

Has anyone actually run X11 servers remotely through a firewall and NAT?

We ran a network trace using Ethereal and have attached a copy of the trace. Ethereal may be obtained from http://www.ethereal.com

Ethereal is Open Source Software released under the GNU General Public License.

X11 Client system (OpenVMS - 192.48.147.9) uses ports 512 and 6000 only.

X11 server system (Windows-XP - 192.48.157.66) uses ports 1068, 51409, 51410, ...
Wim Van den Wyngaert
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

That is, if you use XDM. We use a rexec to launch decwindows with display directed to PC.

Wim
Wim Van den Wyngaert
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

NAT can be a bastard.

If you want to do a "set display xxx" where xxx is the real address of your PC it will not work. You need the fake address instead.

No experience yet.

Wim
Wim Van den Wyngaert
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

A workaround for NAT is
1) do a show proc in the rexec script and extract the bg device allocated
2) do a ucx show dev for the bg device of 1)
3) extract the IP address from the output

Then you can do a set display without any problem.

Wim
Andy Bustamante
Honored Contributor

Re: X11/Motif/DecWindows IP Ports


Another option is to establish a VPN connection from the outside PC to the LAN the VMS cluster is using. I've various VPN configurations and once the session is started see very reasonable performance. This also makes the networking security folks happier since traffic is encrypted.


Andy
If you don't have time to do it right, when will you have time to do it over? Reach me at first_name + "." + last_name at sysmanager net
RF Thomas
Frequent Advisor

Re: X11/Motif/DecWindows IP Ports

"VPN is not an option at this time."

NAT is a necessary evil. We could place the VMS system in a DMZ, but the whole purpose is to allow remote access to applications on the cluster.

Both the client system and server systems are behind firewalls and NAT.
Arch_Muthiah
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

Tom,

Just trial...

Usually VMS side x11 client randomly selects the port to communicate with remote X11 server. The random port for x11 client would be any one between 1024 to 5000 and 30000 to 40000 in OpenVMS side, then start any activity, the window side firewall definitely blocks any communication on those ports, now find your X11 server program (relection or LPD server or any other), and add this program in the list firewall exception list.

Archunan
Regards
Archie
Arch_Muthiah
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

Tom, can we do this way, is it harmful?
that is not assigning any specific port both in window side and VMS side firewall, keep open all (*) ports. And find what are the programs firewall detects and blocks and then we can choose those necessary programs and add to the firewall exception list and next time firewall keep that specific port open for that program.

Regards
Archie
RF Thomas
Frequent Advisor

Re: X11/Motif/DecWindows IP Ports

We did provide the capture of an internal network X11 startup.

The following ports were used:

X11 Server Side
512
6000

X11 Client Side:
1068
51409
51410
51411
51412
.
.
.

Does X11 use a new port for each window opened?

From what has been said, we will be forced to upgrade our routers (firewalls) to create VPN's at significant cost.

This is a major problem. It will provide another excuse to scrap VMS. :(


Wim Van den Wyngaert
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

The problem is not VMS but X. And that's coming from U..x.

Wim
Rick Dyson
Valued Contributor

Re: X11/Motif/DecWindows IP Ports

Have you considered just using an SSH connection and use X11 forwarding? It certainly works fine for apps. It may not be as "dumb user proof" as other methods, but I have found it works fine.

I also use local home NAT routers with my X11 and as long as you port forward the 6000...60XX ports to the specific PC that will be running the X11 Server, it has worked fine for me and my remote OpenVMS boxes. You only get to choose 1 home PC or OpenVMS box to be the X11 server though. :(

One note I like to remind folks about. Default PC X11 Servers have no access control and there are X11 sniffers/keyloggers running around. I am routinely informed of attempts to connect to my PC's X11 server by clients that are not me... Be sure to enable access control and enter your specific clients (i.e., your VMS boxes where the app is running).

rick
Joseph Huber_1
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

To clarify: port 512 is not X11, but REXEC.
Unclear what port 1068 on the Windows side is, never saw it connected to X11.

And to the nomenclature:
X11 SERVER is the PC (the one providing the display), X11 clients are the applications on VMS. (This is just opposite to the general client/server computing meaning).

The X11 clients always use port 6000+displayserver (usually 0).
The X11 server (the PC) creates a new socket per client connection, not per window opened.

And there is no difference whether the X11 client is VMS or any kind of unix.

I don't know if something like that is existing in MSWin, in my world of all Linux with a small VMS island, there is also no 6000+ port open in firewalls, only the SSH port 22, and all X11 is tunneled (and encrypted).
http://www.mpp.mpg.de/~huber
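
The port arithmetic discussed in this thread (an X client connects to TCP 6000 + display number on the machine running the X server, and only listening ports need inbound firewall or NAT entries), as an added example that is not part of any poster's message. It assumes Unix-style display names; `inbound_rules` is a hypothetical helper and the addresses used with it are constructed documentation values.

```python
import re
from typing import NamedTuple, Optional

X11_BASE_PORT = 6000  # display :N listens on TCP 6000+N on the X server host


class Display(NamedTuple):
    host: str                # "" or "unix" means local transport, no TCP
    number: int
    screen: int
    tcp_port: Optional[int]  # None when the display is not reached over TCP


# Greedy host match so IPv6 literals and DECnet "node::0" names still split
# at the last colon before the display number.
_DISPLAY_RE = re.compile(r"^(?P<host>.*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")
_LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_display(value: str) -> Display:
    m = _DISPLAY_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an X display name: {value!r}")
    host, num = m["host"], int(m["num"])
    # "node::N" is the DECnet form; "" and "unix" are local sockets.
    uses_tcp = bool(host) and host != "unix" and not host.endswith(":")
    port = X11_BASE_PORT + num if uses_tcp else None
    return Display(host, num, int(m["screen"] or 0), port)


def inbound_rules(display: str, login_port: int, app_host: str) -> list:
    """Inbound TCP rules as (listener_host, port, note) for one remote X app.

    app_host is the machine running the application (the X client);
    login_port is its login service (23 telnet, 512 rexec, 22 SSH).
    Ephemeral source ports never need a rule of their own.
    """
    d = parse_display(display)
    rules = [(app_host, login_port, "login service on the X client host")]
    if d.tcp_port is None or d.host in _LOOPBACK:
        # Loopback display (e.g. SSH X11 forwarding): X traffic rides the
        # login connection, so no 6000+N port is exposed.
        return rules
    rules.append((d.host, d.tcp_port,
                  f"X server, cleartext; allow source {app_host} only"))
    return rules
```

A direct display such as `192.0.2.66:0.0` yields two listener rules, while an SSH-forwarded `localhost:10.0` yields only the login port.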
RF Thomas
Frequent Advisor

Re: X11/Motif/DecWindows IP Ports

I understand that 512 is rexec. We have been using X11 since it first became available on VMS. The nomenclature issues/confusion - like reading old DEC circuit diagrams :).

Does anyone know of an X11 Server that runs on the client box (VMS) intercepting the X11 code and passing it through Apache? There are some PC based software packages that do terminal emulation and complete surface of display handling through a browser interface.
Don Nutt
Advisor

Re: X11/Motif/DecWindows IP Ports

Yes,

Tarentella will do what you want. I have actually implemented this in testing in a lab and it is in production.

Sun purchased Tarentella, however it still works well on any (including OpenVMS) Xserver I have dealt with. It supports HTTPS. Our implementation is on a small Sun Server. We have been looking at Linux to lower the TCO.


Don

http://www.tarentella.com/

http://www.sun.com/software/products/sgd/

Wim Van den Wyngaert
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

Make that http://www.tarantella.com/

Wim
Don Nutt
Advisor

Re: X11/Motif/DecWindows IP Ports

Wim,

Thanks for the correction. I can't spell after all these years.


Don
Wim Van den Wyngaert
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

Don,

Do I understand correctly :

1) We run X on VMS.
2) Transport the GUI from VMS to Sun (how ?)
3) Sun transforms it to something MS IE understands

Without problems ? Performance ? DEC Keyboard (mapping ?) ? Could 2) run on VMS with WASD ?

Wim
(not yet read everything but VERY interested.)

Wim
RF Thomas
Frequent Advisor

Re: X11/Motif/DecWindows IP Ports

Tarantella looks like a "thin client" application that allows a minimally configured system to connect and interact with many systems using a variety of protocols.

It only runs on Unix variants so it does not address the port issues on VMS.
Thomas Ritter
Respected Contributor

Re: X11/Motif/DecWindows IP Ports

Could it be that the firewalls are NATing the PC's IP so that the VMS sessions IP is different from that configured on the PC NIC ?

If so then assuming the firewall allows the access you need to set the return connection to the NATed IP. This is all DCL stuff.

for example to have a common script

$ sh log startapp
"STARTAPP" = "COMMON:[SYSMGR]STARTAPP.COM" (LNM$SYSTEM_TABLE)

Extract

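$!
$! This procedure derives the IP which may be Network Address Translated.
$!
$ NatedIP = ""
$ if p1 .eqs. "GETIP"
$ then
$!    TT_ACCPORNAM holds the remote access port name of this terminal;
$!    the second space-separated element is the peer IP address.
$     NatedIP = f$element(1," ",f$getjpi("","TT_ACCPORNAM"))
$!    F$ELEMENT returns the delimiter itself when the element is missing,
$!    so test for a single space as well as the empty string.
$     if NatedIP .eqs. "" .or. NatedIP .eqs. " "
$     then
$         write sys$output "Procedure failure. Refer to Technical Support"
$         exit %x2
$     else
$         set display/create/perm /node='NatedIP'/trans=TCPIP
$     endif
$ else
$!    P1 is an explicit node name; the symbol "transport" is set outside
$!    this extract.
$     set display/create/perm /node='P1'/trans='transport'
$ endif
$!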



RF Thomas
Frequent Advisor

Re: X11/Motif/DecWindows IP Ports

There is NAT translation going on, both at the VMS site and at the PC site.

We will try this suggestion.
Steven Schweda
Honored Contributor

Re: X11/Motif/DecWindows IP Ports

I'm currently visiting an out-of-state friend
who has a Windows 98 system with Cygwin/X for
an X server, and a cheap SMC IP router behind
a truly stupid DSL modem for a network
connection.

At home, I have:

alp $ tcpip show version

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 5
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

with a Cisco 678 DSL modem/router.

Both ends use NAT. Nothing important gets
blocked explicitly. My Cisco router at home
passes port 23 to the XP1000 ("alp") port 23,
and the SMC router here (now) passes port
6000 to the Windows 98 PC port 6000. (The
home router passes a lot of other stuff
through to "alp", and a few things to other
systems, but nothing important, I claim, for
this discussion.)

On the Windows system, I started the
Cygwin/X server, and said "xhost +". (It's
only an experiment.) Then I started a
TeraTerm terminal emulator, and Telnetted
into "alp", where I logged in as me, and my
LOGIN.COM did a SET DISPLAY using the
"TT_ACCPORNAM" jive mentioned above (or
similar).

I said "MCR DECW$CLOCK", and the thing
popped up on the Windows display just as if
it were a serious computer.

There's really nothing to this stuff.

I'd've offered this result sooner, but my
friend (or, perhaps, "friend") had changed
the PC's IP address while I wasn't looking,
and so it took a while to figure out why
nothing seemed to work initially, and my time
on the PC is (Praise Ford!) limited. (I had
set the NAT stuff on the SMC router for port
6000 at the IP address which I _knew_ to be
the PC, but it wasn't. Trust no one, I
always say.)

Note that only the relevant _server_ ports
need to get NAT stuff set explicitly. That's
Telnet (23-tcp) or rexec/rlogin
(512/513-tcp) (or SSH, or whatever) on the
VMS (X client) side, and X :0.0 (6000-tcp)
on the Windows (X server) side. All the
stuff going the other way is handled
automatically by the NAT stuff in the IP
routers.

Hey. What could go wrong?