Return-Path: 
 <users-return-220427-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 54641 invoked from network); 28 Dec 2010 18:55:19 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 28 Dec 2010 18:55:19 -0000
Received: (qmail 61348 invoked by uid 500); 28 Dec 2010 18:55:15 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 61302 invoked by uid 500); 28 Dec 2010 18:55:15 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 61291 invoked by uid 99); 28 Dec 2010 18:55:14 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Dec 2010 18:55:14 +0000
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=FREEMAIL_FROM,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of lists@nabble.com designates
 216.139.236.26 as permitted sender)
Received: from [216.139.236.26] (HELO sam.nabble.com) (216.139.236.26)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Dec 2010 18:55:10 +0000
Received: from isper.nabble.com ([192.168.236.156])
	by sam.nabble.com with esmtp (Exim 4.69)
	(envelope-from <lists@nabble.com>)
	id 1PXeh7-0004sM-J8
	for users@tomcat.apache.org; Tue, 28 Dec 2010 10:54:49 -0800
Message-ID: <30546606.post@talk.nabble.com>
Date: Tue, 28 Dec 2010 10:54:49 -0800 (PST)
From: amythyst <roxanne.gates@deltasolutions.com>
To: users@tomcat.apache.org
Subject: Re: isapi_redirector.dll Problems - Bad Gateway?
In-Reply-To: <4D1A0C42.9020205@ice-sa.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Nabble-From: roxanne.gates@deltasolutions.com
References: <30500400.post@talk.nabble.com> <20101221085951.GW2712@wladimir>
 <30539418.post@talk.nabble.com> <20101227162114.GC3596@wladimir>
 <30545344.post@talk.nabble.com> <4D1A0C42.9020205@ice-sa.com>


Yes, exactly.  I have been thrown to the wolves and it is really causing a
problem because our application rollout schedule has been pushed back
because of this problem and its been going on for like 3 weeks.  The other
annoying thing is that the application vendor does not support getting the
app to work externally, so I have no real help desk to turn to.

Thank you for the further details... "I'm with ya".

I have the following connector string in my server.xml file:

<Connector port="8009" redirectPort="8443" enableLookups="false"
protocol="AJP/1.3" URIEncoding="UTF-8"/>

I will attach the file itself to make sure you guys think it looks ok.

I ran the netstat command you gave me... lots of stuff there!  But I do see
this:

TCP   0.0.0.0:8009    0.0.0.0:0   LISTENING  4

Thanks in advance!


awarnier wrote:
> 
> oh oh. So it looks like you have been thrown to the wolves, he ?
> The positive side of it, is that if you solve it, you'll be the star.
> 
> Time for some ascii-art I think.
> 
> Except for firewalls, you have the following schema :
> 
> 
> Browser-1 <--->             <--->               - webapp
> Browser-2 <--->   IIS + IR  <---> AJP + Tomcat  - webapp
> ...                         <--->               - webapp
> Browser-n <--->             <--->               - webapp
> 
> The dotted lines represent TCP/IP connections.
> IIS + IR : IIS plus the Isapi_Redirector module
> AJP + Tomcat : The Tomcat <Connector protocol="AJP"> module, plus Tomcat
> itself, and then 
> the applications (webapps) running in Tomcat.
> 
> A request starts at the browser, goes to IIS over a connection to port 80
> (if simple 
> HTTP), or port 443 (if HTTPS).
> IIS sees that this request is really for Tomcat, so it passes it to its
> Isapi_redirector 
> module.
> The Isapi_redirector module creates another connection to Tomcat's AJP
> "Connector", this 
> time over port 8009, where presumably this AJP connector is listening.
> When the AJP connector receives the request, it creates a "thread" in
> Tomcat to handle 
> this request.
> A thread is like a sub-process of tomcat; it is created to process one
> request, and will 
> disappear when this request is processsed and it has sent the response.
> To create the response, the thread "runs" one of the webapps.
> 
> Now to clear some side-issues :
> - the protocol/format used between the browsers and IIS may be HTTP or
> HTTPS (SSL),
> - but the protocol/format between the "IR" module on the IIS side, and the
> "AJP" module on 
> the Tomcat side, is neither.  It is using a special protocol/format named
> AJP. (So the 
> notion of SSL is not relevant here; the decryption already happens at the
> IIS level, and 
> over the AJP connection the data flows essentially "in clear".)
> 
> For this whole scheme to work, there are a few pre-requisites :
> - the browsers must be able to establish a TCP/IP connection to the IIS
> server.  I guess 
> that part works.
> - the IIS server (and its IR module), must be able to establish a TCP
> connection to the 
> AJP module of Tomcat, which is usually configured to "listen" on port #
> 8009.
> - the numbers of requests sent at the same time by the sum of all the
> browsers, needs to 
> be more or less matched to the number of connections that the IR module
> and the AJP module 
> can establish between themselves (otherwise some browser requests would
> never reach Tomcat)
> - the number of simultaneous threads that the AJP connector can start
> inside of Tomcat, 
> must also be more or less matched to the number of browser requests. 
> Otherwise, requests 
> would pile up and have to wait, for a thread to become available to take
> care of them.
> In the long term, that is not sustainable.
> 
> So the first thing here, would be to make sure that the Tomcat AJP
> connector is really 
> listening on port 8009.  The wish for that is indicated, inside your
> server.xml, by a tag 
> like :
>   <Connector port="8009" protocol="AJP/1.3" ... />
> Do you have such a tag ?
> 
> The second step would be to verify that it is really listening there.
> For that, you could use the "netstat" command in a command window on the
> server, as follows :
> 
> netstat -aon -p tcp
> 
> and look for a line that looks like this :
> 
>    TCP    0.0.0.0:8009           0.0.0.0:0              LISTEN        
> 2704
> 
> (the important part being that ":8009" part)
> 
> Do you see that ?
> 
> 
> 
> 
> 
> 
> 
> 
> 
> amythyst wrote:
>> Thanks for the reply.
>> 
>> With that script, how exactly would I execute that script?
>> Pardon my ignorance, but I am a database developer that has been thrown
>> into
>> networking because our network admin is at a loss to what the problem is
>> and
>> doesn't seem keen on fixing it.
>> 
>> According to him, all the ports that we are using are open on the
>> firewall... 8080, 8081, 443, 8443 and 8009.  Tomcat is set to listen on
>> port
>> 8009 and I have configured the server.xml file to accept requests from
>> 8009.
>> 
>> When you ask how many threads I have configured you're talking about
>> worker
>> threads right?  I only have the one.
>> 
>> 
>> Michael Ludwig-6 wrote:
>>> amythyst schrieb am 27.12.2010 um 06:52 (-0800):
>>>> Hi, yes we have a connector configured for port 8009.
>>> Configured, okay; but it is not replying to your redirector's requests.
>>> You can test AJP connectivity using this Perl script:
>>>
>>> http://www.perlmonks.org/?node_id=766945
>>>
>>>> Question about the firewall... IIS is set up for port 8081 and 443
>>>> for our default website.  The application is running on 8080 and
>>>> 8443. And as I said, tomcat is listening on 8009 to route traffic to
>>>> the application.  In the firewall, I believe the network guy has set
>>>> up port 8081 to allow traffic inside.  Does he also need to do
>>>> something for 8009 or 8080 and 8443?
>>> He needs to allow Tomcat to listen on 8009, and IIS to connect to
>>> tomcat-server:8009. The other two ports your Tomcat is configured to
>>> listen on should be irrelevant as far as the ISAPI redirector is
>>> concerned; it does AJP, not HTTP or HTTPS.
>>>
>>>> We are running the app with SSL, so it would be the secure ports I
>>>> should be focusing on right?
>>> Not for the AJP connection between IIS and Tomcat.
>>>
>>>> Below are my worker files for the connector:
>>>>
>>>> # uriworkermap.properties - IIS
>>>> /jira/*=worker1
>>> Okay.
>>>
>>>> # workers.properties.minimal -
>>>> worker.list=worker1
>>>> worker.worker1.type=ajp13
>>>> worker.worker1.host=localhost
>>>> worker.worker1.port=8009
>>> Also okay. If you don't configure the connection_pool_size, the
>>> default applies, which is 250 for IIS.
>>>
>>> http://tomcat.apache.org/connectors-doc/reference/workers.html
>>>
>>> How many threads have you configured for your AJP connector?
>>>
>>> -- 
>>> Michael Ludwig
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/isapi_redirector.dll-Problems---Bad-Gateway--tp30500400p30546606.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org