从DMZ到Intranet的双通道WCF

Question

We are running an dual channel service inside the domain. We have a TCP binding on port 20120 and a HTTP binding on port 20121.

In the DMZ (web), we want to access this WCF service. Firewall seems to be open from the web to the service. Using telnet, i can access both ports and i am also able to browse the WSDL from a browser of web. now, when i try to do the connect to the service from the web application (it uses TcpBinding, and i cannot change it easly to HttpBinding without redeploying new binaries which is a painfull process), i get an exception.

System.ServiceModel.CommunicationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9680000'.

System.ServiceModel.Channels.StreamConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
System.RuntimeMethodHandle._InvokeMethodFast(IRuntimeMethodInfo method, Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeType typeOwner)
System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
System.ServiceModel.Channels.ServiceChannelProxy.ExecuteMessage(Object target, IMethodCallMessage methodCall)
System.ServiceModel.Channels.ServiceChannelProxy.InvokeChannel(IMethodCallMessage methodCall)
System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
System.ServiceModel.ClientBase`1.System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout) ...

Our test environment was all intranet, so no DMZ. there it all works fine.

Service itself is running as a domain user, and the client service behaviour has its userPrincipal configured (like username@domain.ext). does this need access to the domain controller of domain.exe ?

I also enabled WCF logging on the service side, but nothing happens there. all is quite, like nothing happended there. Is there any other spot i missed to check why the connection drops.

EDIT1: I wrote a little test program, that establishes the wcf connection and calls 2 methods. This works fine from the same machine as the service and from the dmz web as well. binding settings are the same. (confirmed that). I run the test as a local user from a normal console on th dmz web machine. any hints?

Answer 1

well, we changed the security mode to none <security mode="None"/> and now the web has access. i think the problem was, even though i used a local user when running my test programm, the vpn/rdp session i used to access from the domain to dmz doug a hole in the security and the i was able to connect to the wcf service. the webside did not have that hole, so it failed.