Streaming Media Supplement sa2150 and sa2250

70
Chapter 7 Configuring Media-IXT for RealNetworks
In both examples, if host2.domain.com is unavailable, then all requests go directly to the origin server.
A hierarchical proxying workaround for PNA and firewalls
Hierarchical proxying of PNA is not a supported feature, but there is one special case in which it is possible to
configure hierarchical proxying (not caching) of PNA: when Media-IXT is deployed in conjunction with
firewalls in the following way:
- The RealPlayer clients are on an intranet. The RealPlayer clients are configured to use TCP as the underlying
transport protocol for PNA.
- One Media-IXT, the intranet Media-IXT, is also on the intranet.
- One firewall stands between the intranet Media-IXT and a demilitarized zone (DMZ).
- A second Media-IXT, the DMZ Media-IXT, is in the DMZ.
- A second firewall stands between the DMZ and the Internet.
- The intranet Media-IXT is configured as a child of the DMZ Media-IXT in a hierarchy.
For our example, we’ll assume that the IP addresses of the Media-IXTs are 1.2.3.4 for the intranet Media-IXT
and 6.7.8.9 for the DMZ Media-IXT, respectively.
We also assume that port 1090 is the Proxy Port on the DMZ Media-IXT, and that a hierarchy has been set up
between the two Media-IXTs.
This technique takes advantage of Traffic Server's ability to perform port forwarding.
To configure a PNA proxying hierarchy with firewalls:
1. On the intranet (child) Media-IXT, disable PNA (see note below).
2. On the DMZ (parent) Media-IXT, edit your records.config so that you have these two entries:
CONFIG proxy.config.http.server_other_ports STRING 1090:T
CONFIG proxy.config.http.ssl_ports STRING 1090 443 563
3. On the DMZ (parent) Media-IXT, edit your remap.config, adding the line:
map tunnel://1.2.3.4:1090/ tunnel://7.8.9.1:1090/
Only the DMZ Media-IXT performs caching.
In the remap.config entry, tunnel is the correct word. This method can be used to tunnel any TCP traffic;
PNA is just one possibility.
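The three settings in steps 2 and 3 only work together when they agree on the tunnel port. The following added example (not part of this supplement or of Traffic Server) parses constructed records.config and remap.config fragments in the format shown above and reports any mismatch before the change is rolled out:

```python
import re

# Constructed fragments mirroring steps 2 and 3 above; not the product's shipped files.
RECORDS_CONFIG = """\
CONFIG proxy.config.http.server_other_ports STRING 1090:T
CONFIG proxy.config.http.ssl_ports STRING 1090 443 563
"""
REMAP_CONFIG = "map tunnel://1.2.3.4:1090/ tunnel://7.8.9.1:1090/\n"

def parse_records(text):
    """Return {name: value} for the CONFIG lines of a records.config fragment."""
    recs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)  # CONFIG <name> <type> <value>
        if len(parts) == 4 and parts[0] == "CONFIG":
            recs[parts[1]] = parts[3].strip()
    return recs

def tunnel_ports(recs):
    """Ports in server_other_ports carrying the :T (tunnel) flag."""
    raw = recs.get("proxy.config.http.server_other_ports", "")
    return {int(p[:-2]) for p in raw.split() if p.endswith(":T") and p[:-2].isdigit()}

def ssl_ports(recs):
    """Ports listed in ssl_ports."""
    return {int(p) for p in recs.get("proxy.config.http.ssl_ports", "").split() if p.isdigit()}

TUNNEL_MAP = re.compile(r"^map\s+tunnel://([\w.-]+):(\d+)/\s+tunnel://([\w.-]+):(\d+)/\s*$")

def tunnel_maps(text):
    """Return (from_host, from_port, to_host, to_port) for each tunnel map rule."""
    maps = []
    for line in text.splitlines():
        m = TUNNEL_MAP.match(line.strip())
        if m:
            maps.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return maps

def check_pna_tunnel(records_text, remap_text, port):
    """Return a list of problems; an empty list means the settings agree on `port`."""
    recs = parse_records(records_text)
    problems = []
    if port not in tunnel_ports(recs):
        problems.append(f"port {port} missing from server_other_ports or lacks the :T flag")
    if port not in ssl_ports(recs):
        problems.append(f"port {port} not listed in ssl_ports")
    if not any(m[1] == port for m in tunnel_maps(remap_text)):
        problems.append(f"no 'map tunnel://...:{port}/' rule in remap.config")
    return problems

if __name__ == "__main__":
    print(check_pna_tunnel(RECORDS_CONFIG, REMAP_CONFIG, 1090) or "PNA tunnel settings agree")
```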
Another way to allow PNA requests through a firewall is to configure a layer 4 switch to direct all port 7070
requests to the PNA proxy firewall kit mentioned later in this chapter (see “Configuring firewalls for
RealNetworks” on page 75).
NOTE What we mean by disabling PNA is either of these techniques:
- Use a simple ssh tunnel in place of the intranet Media-IXT
- Keep the PNA port number secret from users