7
Configuring Discoverer 4i Plus for Firewall Support

This chapter explains how to configure Oracle Discoverer 4i Plus to work with corporate firewalls, using Visibroker Gatekeeper version 3.4.

Note: This chapter does not apply to Discoverer Viewer 4i Viewer. Discoverer Viewer 4i uses HTTP and HTTPS protocols that are firewall compliant and do not require Visibroker Gatekeeper.

The topics include:

• Terminology

• Getting More Information

• Before you start

• About Internet Firewalls

• About Visibroker Gatekeeper

• Choosing a Gatekeeper configuration for Discoverer

• Using Visibroker Gatekeeper with an IIOP Proxying Configuration

• Using Visibroker with a HTTP Tunnelling Configuration

• Configuring the Discoverer client

• Configuring Visibroker Gatekeeper

7.1 Terminology

• HTTP Server machine refers to the machine on which the HTTP Server software resides. This machine is commonly referred to as a Web Server.

• HTTP Server software refers to the HTTP software itself (e.g. Oracle HTTP Server).

• Discoverer Services refers to the Locator, Preference and Session components.

• Proxy Server refers to a machine that acts as an intermediary between a workstation and the Internet. Proxy servers provide security, administrative control, and a caching service.

7.2 Getting More Information

For more information about Visibroker Gatekeeper, refer to the Borland Inprise Corporation Internet site at:

http://www.inprise.com/techpubs/books/vbgate/vbgate33/gatekeeper/contents.html

7.3 Before you start

Before you can decide how to deploy Discoverer 4i Plus through your organization's firewall, you need to work with your Network Administrator to find out what the firewall policy is in your organization. You might also take into consideration the firewall policies in organizations that wish to access your Discoverer data across the Internet.

When discussing your organization's firewall policy with your Network Administrator, you need to be aware of the following basic concepts:

• Firewalls and secure TCP/IP ports - read Section 7.4, "About Internet Firewalls" to find out about firewalls, Demilitarized Zones (DMZs), and secure TCP/IP ports.

• Visibroker Gatekeeper - read Section 7.5, "About Visibroker Gatekeeper" to find out what Visibroker Gatekeeper is and why it is used.

• Firewall topologies - read Section 7.6.1, "About firewall configurations" and Section 7.6.2, "DMZ configuration examples" to find out how networks are physically organized.

• Visibroker Gatekeeper configurations - read Section 7.6.3, "Which Gatekeeper configuration do I choose?" to find out what network protocols are allowed by your firewall policy.

7.4 About Internet Firewalls

7.4.1 What is an Internet Firewall?

An Internet Firewall is one system or a group of several systems put in place to enforce a security policy between the Internet and an organization's network.

In other words, an Internet firewall is an electronic `fence' around a network to protect it from unauthorized access.

Figure 7-1 A typical Internet connection with a Client-side and Server-side firewall

Typically, an organization using a Web Server machine that communicates across the Internet has a firewall between its HTTP Server machine and the Internet. This is known as a Server-side firewall. Other organizations (or remote parts of the same organization) connecting to this Web Server machine typically have their own firewall, known as a Client-side firewall. Information that conforms to the organization's firewall policy is allowed to pass through the firewalls enabling server machines and client machines to communicate.

7.4.2 What is a Demilitarized Zone?

A Demilitarized Zone (DMZ) is a firewall configuration that provides an additional level of security. In this configuration, the DMZ is an extra network placed between a protected network and the Internet. Resources residing within the DMZ are visible on the public Internet, but are secure. DMZs typically hold servers that host a company's public web site, File Transfer Protocol (FTP) site, and Simple Mail Transfer Protocol (SMTP) server.

Refer to Section 7.6.1, "About firewall configurations" for more information about DMZs.

7.4.3 About secure ports

Internet servers and clients interconnect using Transmission Control Protocol/Internet Protocol (TCP/IP) ports, known as secure ports. Internet server machines run different services (for example HTTP or FTP) on different TCP/IP ports (see table below).

Table 7-1 Commonly used TCP/IP ports and their services

Port	Service
21	FTP
23	Telnet
79	Finger
80	HTTP
443	SSL

A port can only operate one service. For example, port 80 can only be used for HTTP traffic and port 443 can only be used for SSL traffic.

Firewalls provide secure networks by restricting traffic to secure TCP/IP ports, for example port 80 for HTTP.

A typical firewall blocks all communication to all ports except port 80 and port 443:

• Port 80 only allows HTTP traffic

• Port 443 only allows SSL traffic.

All other types of traffic on all other ports are blocked. Therefore, a person could not use the FTP on port 80 to access the Internet server and retrieve files because FTP communcation is blocked on port 80.

7.5 About Visibroker Gatekeeper

This section explains what Visibroker Gatekeeper is and why it is used by Discoverer.

7.5.1 What is Visibroker Gatekeeper?

Visibroker Gatekeeper is a third-party software package, developed by Inprise Corporation, which enables Visibroker CORBA clients and servers to communicate across networks while still conforming to security restrictions imposed by Internet browsers and firewalls.

7.5.2 Why does Discoverer Plus need Visibroker Gatekeeper?

Discoverer 4i Plus uses CORBA (Common Object Request Broker Architecture) to enable clients and servers to communicate. CORBA is an architecture that enables pieces of programs (called objects) to communicate with one another regardless of what programming language they were written in or what operating system they are running on.

CORBA is implemented over the internet using the IIOP (Internet Inter-ORB Protocol) protocol. The IIOP protocol enables the exchange of integers, arrays, and more complex objects between server and client machines. By contrast, the HTTP (HyperText Transfer Protocol) protocol that is the underlying protocol used by the internet only supports transmission of text.

For security reasons, some commercial firewalls do not allow IIOP traffic to pass directly through.

Visibroker Gatekeeper enables CORBA-based IIOP traffic to pass through firewalls.

Figure 7-2 A firewall with a port opened to allow CORBA IIOP traffic to pass through to the Gatekeeper installed on the HTTP Server

Visibroker Gatekeeper typically runs behind the Server-side firewall on the HTTP Server machine. Visibroker Gatekeeper:

• `listens' to (or monitors) all IIOP or HTTP requests from clients.

• forwards appropriate requests to Discoverer Services.

• listens for replies from the Discoverer Services and forwards them back to clients.

In this respect, Visibroker Gatekeeper works like a proxy server machine (a machine that acts as an intermediary between a workstation and the Internet).

7.5.3 Required Visibroker Gatekeeper Versions

Oracle Discoverer 4i Plus uses Visibroker Gatekeeper version 3.4. Visibroker Gatekeeper is included as part of the Discoverer 4i Plus installation.

7.6 Choosing a Gatekeeper configuration for Discoverer

This section describes typical firewall configurations and advises you on which Visibroker Gatekeeper configuration you need to deploy Discoverer 4i Plus across public networks such as the Internet.

7.6.1 About firewall configurations

Firewall policies vary across organization, and there are a wide variety of bespoke and off-the-shelf firewall packages in use. This guide cannot cover every firewall scenario. Therefore, only the most common firewall configurations are covered.

A typical DMZ configuration comprises two firewalls, (see figure below):

• A server-side firewall between the Internet and your public resources.

• An internal firewall between your public resources and your private resources.

Figure 7-3 A Demilitarized Zone (DMZ)

A good firewall configuration assumes that resources in the DMZ will be breached, and should minimize damage to the internal network and any sensitive data residing on the network when this happens. This involves two steps:

• Move sensitive private resources (at a miniumum, databases and application logic) from the DMZ to the internal network behind the internal firewall.

• Restrict access to sensitive private resources from the DMZ itself, as well as from internal networks.

7.6.2 DMZ configuration examples

When deploying the Discoverer Server, two typical security configurations are:

1. Deploy the Discoverer Server and HTTP Server in the DMZ. Deploy the database behind the Internal firewall, (see figure below). This provides a good level of security and is recommended for Discoverer 4i Plus.

Figure 7-4 Discoverer Server and HTTP deployed in a DMZ

2. Deploy the HTTP Server in the DMZ. Deploy the Discoverer Server and the database behind the Internal firewall, (see figure below). This provides a higher level of security, but is more difficult to implement.

Figure 7-5 Discoverer Server deployed behind an internal firewall

7.6.3 Which Gatekeeper configuration do I choose?

Visibroker Gatekeeper typically handles IIOP or HTTP protocol traffic from clients and forwards them to Discoverer Services. This means that Visibroker Gatekeeper uses either an IIOP Proxying configuration or a HTTP Tunnelling configuration. Which configuration you choose depends on the restrictions imposed by your firewall policy.

7.6.3.1 IIOP Proxying Configuration

• In this configuration, you open your Server-side firewall to allow TCP/IP traffic to pass through at a specific port. Client-side firewalls must also allow TCP/IP traffic to pass from the client to outside of the firewall.

• This configuration is recommended as it allows you to get the best performance from Discoverer 4i Plus.

• However, because you often do not control your clients' firewalls, an IIOP configuration is more difficult to implement than a HTTP Tunnelling Configuration.

  Refer to Section 7.7, "Using Visibroker Gatekeeper with an IIOP Proxying Configuration".

7.6.3.2 HTTP Tunnelling Configuration

• In this configuration, you embed IIOP traffic inside HTTP packets to allow them to pass through your firewall.

• This method has the advantage that you do not need to open up the Server or Client-side firewalls for TCP/IP traffic.

• Therefore, the HTTP Tunnelling Configuration is more secure than the IIOP Proxying Configuration.

• This configuration has a significant performance overhead and is not as efficient as the IIOP Proxying Configuration.

  Refer to Section 7.8, "Using Visibroker with a HTTP Tunnelling Configuration".

7.7 Using Visibroker Gatekeeper with an IIOP Proxying Configuration

This section explains how to configure Discoverer 4i Plus to use an IIOP Proxying configuration.

7.7.1 Overview

In an IIOP Proxying configuration, the Server-side and Client-side firewalls are opened to allow TCP/IP traffic.

When Discoverer 4i Plus starts, the HTTP Server sends the Discoverer Applet to the Browser via Port 80. Once initialized, the Discoverer Applet communicates with the Gatekeeper via the specified IIOP port.

Figure 7-6 Discoverer using an IIOP Proxying Configuration

Visibroker Gatekeeper runs behind the Server-side firewall on the HTTP Server machine and helps Clients communicate with Discoverer Services. To do this, the Gatekeeper intercepts all requests from Clients and forwards them to Discoverer Services on behalf of the Clients. Replies from Discoverer Services to the Client are also passed through the Gatekeeper.

You can configure the Gatekeeper to use an IIOP Proxying configuration at two different security levels:

• Configuring Gatekeeper with no firewall separating Discoverer Services - Here, the Discoverer Server is deployed in the DMZ.

• Configuring Gatekeeper with Discoverer Server components behind an internal firewall - Here, the Discoverer Server is not deployed in the DMZ.

7.7.2 Configuring Gatekeeper with no firewall separating Discoverer Services

In this configuration, the Discoverer Server and the HTTP Server are deployed in the DMZ.

IIOP packets are not restricted to Discoverer Services - they can be sent to any location. The Discoverer Services and Locator are on the same sub-net (see figure below).

Figure 7-7 IIOP Proxying with Discoverer deployed behind an internal firewall

To configure Visibroker Gatekeeper:

• When you install Discoverer 4i Plus, Visibroker Gatekeeper is installed on the HTTP Server at:

  <ORACLE_806_HOME>/vbroker/bin/gatekeeper.exe

• Visibroker Gatekeeper is started automatically by the Discoverer 4i Plus NT Service.

• By default, Visibroker Gatekeeper listens to port 15000. To change the default port number, refer to Section 7.10.5, "Changing the default Visibroker Gatekeeper port".

• Once you have configured Visibroker Gatekeeper to run at a particular port, you must configure your Server firewall to allow TCP/IP traffic to go to Visibroker Gatekeeper's host and port.

  If you do not control the Client-side firewall, there are three possible solutions for configuring the Server firewall:

  • If the Client's Firewall Administrator has configured the Client firewall to allow TCP/IP traffic to go out at all ports, the IIOP Proxying configuration will work correctly.

  • If the Client's Firewall Administrator has configured some ports for TCP/IP (e.g. for Real Audio), you can use these opened ports to run the Gatekeeper.

  • If there are clients that are not behind a client-side firewall, the IIOP Proxying configuration will work for them.

Note: Firewall configuration is specific to the firewall type used by your site. Contact your Firewall Administrator for details.

7.7.3 Configuring Gatekeeper with Discoverer Server components behind an internal firewall

In this configuration, the HTTP Server is deployed in the DMZ. The Discoverer Server and the database are deployed behind the Internal firewall (see figure below).

Figure 7-8 IIOP Proxying with Discoverer deployed behind an internal firewall

To configure Visibroker Gatekeeper with a Demilitarized Zone:

• Follow the steps in Section 7.7.2, "Configuring Gatekeeper with no firewall separating Discoverer Services".

• Open the firewall between your HTTP Server and your Discoverer Servers to allow all TCP/IP traffic to go to Discoverer Server machines on all ports. Then selectively block ports to which you want to restrict access, (for example, the HTTP or telnet port).

• On your HTTP Server machine, prevent the Locator from running. To do this go to the Registry and set the key \HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\DCW4_START_LOCATOR to 0. Then stop and start the NT Service OracleDiscoverer4i.

• On one of your Discoverer Servers, run the Locator. To do this, make sure that the registry key \HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\DCW4_START_LOCATOR is set to 1. Then stop and start the NT Service OracleDiscoverer4i.

• Make sure that the Locator and Discoverer Session and Preferences are on the same subnet.

• Each time the Locator is started, the locator.ior file generated by the Locator must be copied to the <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet directory on the HTTP Server machine.

7.8 Using Visibroker with a HTTP Tunnelling Configuration

This sections explains how to configure Discoverer to use a HTTP Tunnelling configuration.

7.8.1 Overview

If the Client is running behind a firewall that only allows HTTP traffic, the client and server communicate by embedding IIOP data into HTTP packets, which allows them to pass through the firewall.

In an HTTP Tunnelling Configuration, Visibroker Gatekeeper extracts the IIOP requests from the HTTP packets and passes them on to the Discoverer Server components. Replies are sent back to the Client as HTTP response packets, which the Client extracts to get the IIOP packets.

Figure 7-9 Discoverer using an HTTP Tunnelling Configuration

The main advantage of using the HTTP Tunnelling configuration is that you do not have to open up your firewall for TCP/IP traffic. However, you must ensure that the firewall allows HTTP traffic to the host and port that your Gatekeeper is running on, see Section 7.10.1, "Where to run Visibroker Gatekeeper".

NOTE: There is an alternative method of running Discoverer through multiple firewalls without having to open up the firewalls. This involves running Visibroker Gatekeeper on port 443, (refer to Section 6.8, "Configuring Discoverer 4i Plus to use SSL").

Because the port 80 is the default port used by HTTP Servers, Visibroker Gatekeeper must use a different port number when running Visibroker Gatekeeper on the HTTP Server. The default port number that Visibroker Gatekeeper uses is port 15000. You can also run Visibroker Gatekeeper on a different machine from the HTTP Server, see Section 7.10.3, "Running Visibroker Gatekeeper on a different Server".

You can configure the Gatekeeper to use an HTTP Tunnelling configuration at two different security levels:

• Configuring Gatekeeper with no firewall separating Discoverer Services - Here, the Discoverer Server is placed in the DMZ

• Configuring Gatekeeper with Discoverer server components behind an internal firewall - Here, the Discoverer Server is not in the DMZ.

7.8.2 Configuring Gatekeeper with no firewall separating Discoverer Services

In this configuration, the Discoverer Server and the HTTP Server are deployed in the DMZ (see figure below).

Figure 7-10 HTTP Tunnelling with Discoverer deployed behind an internal firewall

To configure Visibroker Gatekeeper:

• When you install Discoverer 4i Plus, Visibroker Gatekeeper is installed on the HTTP Server at:

  <ORACLE_806_HOME>/vbroker/bin/gatekeeper.exe

• Visibroker Gatekeeper is started automatically by the Discoverer 4i Plus NT Service.

• By default, Visibroker Gatekeeper listens to port 15000. To change the default port number, refer to Section 7.10.5, "Changing the default Visibroker Gatekeeper port".

• Once you have configured Visibroker Gatekeeper to run at a particular port, you must ensure that the firewall allows HTTP traffic to the host and port that Visibroker Gatekeeper is running on.

Note: Firewall configuration is specific to the firewall type used by your site. Contact your Firewall Administrator for details.

7.8.3 Configuring Gatekeeper with Discoverer server components behind an internal firewall

In this configuration, the HTTP Server is deployed in the DMZ. The Discoverer Server and the database are deployed behind the Internal firewall (see figure below).

Figure 7-11 HTTP Tunnelling with Discoverer deployed behind an internal firewall

To configure Visibroker Gatekeeper:

• Follow the steps in Configuring Gatekeeper with no firewall separating Discoverer Services.

• Open the firewall between your HTTP Server and your Discoverer Servers to allow all TCP/IP traffic to go to Discoverer Server machines on all ports. Then selectively block ports to which you want to restrict access, (for example, the HTTP or telnet port).

• On your HTTP Server machine, prevent the Locator from running. To do this go to the Registry and set the key \HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\DCW4_START_LOCATOR to 0. Then stop and start the NT Service OracleDiscoverer4i.

• On one of your Discoverer Servers, run the Locator. To do this, make sure that the registry key \HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\DCW4_START_LOCATOR is set to 1. Then stop and start the NT Service OracleDiscoverer4i.

• Make sure that the Locator and Discoverer Session and Preferences are on the same subnet.

• Each time the Locator is started, the locator.ior file generated by the Locator must be copied to the <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet directory on the HTTP Server machine.

7.8.4 Persistent HTTP Connections

Because HTTP is a connectionless protocol, a new HTTP connection must be established every time a Discoverer Client wants to communicate via the gatekeeper. This connection is made, a response is received, and the connection is closed.

The Discoverer Client and the gatekeeper can communicate via a connection that is established and used for all requests until the Discoverer Client exits. This is known as a Persistent Connection. When using HTTP Tunnelling, Persistent Connections are recommended for Discoverer 4i Plus.

To use a Persistent Connection, the HTTP proxies running on the firewalls between the client and gatekeeper must support Persistent Connections.

Note: Firewall configuration is specific to the firewall type used by your site. Contact your Firewall Administrator for details.

7.9 Configuring the Discoverer client

This section explains how to configure the Discoverer client to work with Visibroker Gatekeeper.

7.9.1 About the Discoverer client connection sequence

By default, a new Discoverer client session tries to connect to the Discoverer server in the following three-step connection sequence.

1. The Discoverer client tries to connect directly to the Locator (i.e. not using the Gatekeeper).

2. If the Discoverer client cannot make a direct connection, it tries to connect to the Discoverer server using IIOP Proxying.

3. If IIOP Proxying is not configured, the Discoverer client uses HTTP Tunnelling to communicate with the Discoverer server.

Figure 7-12 Default Discoverer client default three-step connection sequence

To improve the performance of Discoverer, you can specify an alternative connection sequence (for more information refer to Section 7.9.2, "How to use a specific connection method").

7.9.2 How to use a specific connection method

You can specify a connection method for a Discoverer client using one of the following URL parameters:

• ORBalwaysProxy - connect using IIOP Proxying (see table below).

• ORBalwaysTunnel - connect using HTTP Tunelling (see table below).

NOTE: Do not use both URL parameters in the same connect string.

Table 7-2

Argument and Values	Purpose	Example
ORBalwaysProxy=yes	Set this parameter to yes to bypass the direct connection and try to connect via IIOP Proxying. If this fails, the client tries to connect using HTTP Tunnelling.	http://server.com/discwb4/html/ english/ms_ie/start_ie.htm ?ORBalwaysProxy=yes
ORBalwaysTunnel=yes	set this parameter to yes to bypass both the direct connection and the IIOP Proxying and try to connect using HTTP Tunnelling	http://server.com/discwb4/html/ english/ms_ie/start_ie.htm ?ORBalwaysTunnel=yes

Discoverer URL Parameters for specifying a connection method

Note: Use these parameters to set up separate URLs for clients who you know will always be connecting from behind firewalls.

See also "Enabling SSL in Discoverer 4i Plus start pages".

7.10 Configuring Visibroker Gatekeeper

This section explains how to configure Visibroker Gatekeeper to work with Discoverer 4i Plus.

You configure Visibroker Gatekeeper using the Gatekeeper Configuration Manager (see figure below).

Figure 7-13 The Visibroker GateKeeper Configuration Manager

7.10.1 Where to run Visibroker Gatekeeper

When configuring Visibroker Gatekeeper, you have two options:

1. If your firewall policy allows the HTTP Server to receive HTTP traffic at a port other than port 80, install and run Visibroker Gatekeeper on the HTTP server machine.

   NOTE: This configuration is strongly recommended for Discoverer 4i Plus.

   The default Visibroker Gatekeeper port is 15000, though this can be changed to any port number (except 80). See Section 7.10.2, "Running Visibroker Gatekeeper on the HTTP Server".

2. If your firewall policy only allows the HTTP Server to receive HTTP traffic at port 80, you must install Visibroker Gatekeeper on a different machine.

   NOTE: This configuration has a greater set up time and maintenance overhead and is not recommended for Discoverer 4i Plus, unless option 1 (above) is not viable.

   The Visibroker Gatekeeper file gatekeeper.ior must be copied to the HTTP Server every time Visibroker Gatekeeper is re-started. See Section 7.10.3, "Running Visibroker Gatekeeper on a different Server".

NOTE: If you wish to use Secure Sockets Layer (SSL), you must run Visibroker Gatekeeper on port 443, (the standard SSL port), (refer to "Installing Visibroker Gatekeeper to work with SSL").

7.10.2 Running Visibroker Gatekeeper on the HTTP Server

This section explains how to run Visibroker Gatekeeper on the HTTP Server (for more information about choosing a configuration, see Section 7.10.1, "Where to run Visibroker Gatekeeper").

• Visibroker Gatekeeper is installed on the HTTP server in the following location:

  <ORACLE_806_HOME>\vbroker\bin\gatekeeper.exe

• Visibroker Gatekeeper is started automatically by the Discoverer 4i Plus NT Service.

• Visibroker Gatekeeper is started in the <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet directory in the HTTP Server's documents directory. The Gatekeeper writes out a file gatekeeper.ior in the directory in which it is started. The Discoverer client expects to find this file in the <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet directory.

• Make sure that the gatekeeper is started by checking the gatekeeper.ior file is present in the <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet directory in the HTTP Server's documents directory. You must also ensure that the gatekeeper.ior file has a time stamp corresponding to the time that the Discoverer 4i service was started. If not, users outside your firewall will not be able to connect to Discoverer.

7.10.3 Running Visibroker Gatekeeper on a different Server

This section explains how to run Visibroker Gatekeeper on a machine other than the HTTP Server machine (for more information about choosing a configuration, see Section 7.10.1, "Where to run Visibroker Gatekeeper").

• To install Visibroker Gatekeeper on a different Server machine, you have two options:
  1. Install iAS on the separate Server machine, which installs Visibroker Gatekeeper.

  2. If you do not want to do a full iAS install on the separate Server machine just to install the Gatekeeper, we recommend that you consider purchasing a stand alone copy of Visibroker for Java 3.4 from Inprise Corp. For more information, visit the Visibroker Web site at: http://www.inprise.com/visibroker/.

• The gatekeeper.ior file generated by Visibroker Gatekeeper must be copied to the <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet directory in the HTTP Server's documents directory. The file must be copied every time you restart Visibroker Gatekeeper.

• Visibroker Gatekeeper must only run on the other machine and not on the HTTP Server machine. To prevent Visibroker Gatekeeper starting automatically on the HTTP Server machine, change the following registry setting to `0':

  HKEY_LOCAL_MACHINE\Software\Oracle\DISCWB4_START_GATEKEEPER

7.10.4 Configuring the Visibroker Gatekeeper port

To work with Discoverer, Visibroker Gatekeeper is configured as follows:

• Visibroker Gatekeeper is installed on the HTTP Server, or a separate server.

• By default, Visibroker Gatekeeper monitors (or `listens') to port 15000. To change the default port, see Section 7.10.5, "Changing the default Visibroker Gatekeeper port".

• An Oracle Discoverer 4i service starts the Visibroker Gatekeeper on the HTTP server or separate server. The registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\DCW4_START_GATEKEEPER is set to `1'.

Note: If you are running Visibroker Gatekeeper on the HTTP Server, you cannot set the Visibroker Gatekeeper port to port 80. This is because port 80 is the default HTTP Server port on which most HTTP Servers install themselves.

7.10.5 Changing the default Visibroker Gatekeeper port

To change the default Visibroker Gatekeeper port, follow these steps:

1. Run <ORACLE_806_HOME>\Vbroker\bin\gkconfig.exe to start the Gatekeeper Configuration Tool.

2. Choose File | Open and open the Visibroker Gatekeeper configuration file discwb4/applet/gatekeeper.properties in the HTTP Server (or separate server) document root directory (e.g. <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet).

3. Click the Exterior tab.

Figure 7-14 Configuring the default Visibroker Gatekeeper port

4. Type a new port number in the Exterior Port field.

5. Choose File | Save.

6. Close the Visibroker Gatekeeper Configuration Tool.

7. From the Windows Start menu, choose Settings | Control Panel and double-click on the Services icon to display the Services dialog box.

8. Select OracleDiscoverer4i.

9. Click the Stop button, then click the Start button.

Visibroker Gatekeeper is now configured to use the new port number.

7.10.6 Getting Log Information from Visibroker Gatekeeper

To change the amount of information generated by the Visibroker Gatekeeper log, follow these steps:

1. Run <ORACLE_806_HOME>\Vbroker\bin\gkconfig.exe to start the Gatekeeper Configuration Tool.

2. Choose File | Open and open the Visibroker Gatekeeper configuration file gatekeeper.properties in the HTTP Server (or separate server) document root directory (e.g. <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet).

3. Click the General tab.

Figure 7-15 Configuring your Visibroker Gatekeeper debug level

4. Select a log level from the options:
   • Quiet - do not print any messages.

   • Warning - print messages when an error occurs.

   • Normal - print error messages and information messages.

   • Debug - print all messages (the default value).

5. Click File | Save.

6. Close the Visibroker Gatekeeper Configuration Tool.

7. From the Windows Start menu, choose Settings | Control Panel and double-click on the Services icon to display the Services dialog box.

8. Select OracleDiscoverer4i.

9. Click the Stop button, then click the Start button.

Visibroker Gatekeeper is now configured to use the log level selected.

7.10.7 Configuring NAT devices to work in front of the Gatekeeper

To configure the Gatekeeper to work with your Network Address Translation (NAT) device in front of the Gatekeeper, follow these steps:

1. Run <ORACLE_806_HOME>\Vbroker\bin\gkconfig.exe to start the Gatekeeper Configuration Tool.

2. Choose File | Open and open the Visibroker Gatekeeper configuration file gatekeeper.properties in the HTTP Server (or separate server) document root directory (e.g. <iSUITES_HOME>\apache\apache\htdocs\discwb4\applet).

3. Click the Exterior tab.

Figure 7-16 Configuring a NAT device to work in front of the Gatekeeper

4. In the Exterior Proxy Address field, enter the IP address that your NAT device translates your Gatekeeper's IP address to.
   
   For example, if your Gatekeeper's IP Address is 101.20.34.6 and your NAT device translates that to 105.23.45.6, enter 105.23.45.6 in this field.

5. In the Exterior Proxy Port field, enter the port that your NAT device translates your Gatekeeper's port to.
   
   For example, if your Gatekeeper's default port is 15000 and the NAT device translates that to 235, enter 235 in this field.

6. Click File | Save.

7. Close the Visibroker Gatekeeper Configuration Tool.

8. From the Windows Start menu, choose Settings | Control Panel and double-click on the Services icon to display the Services dialog box.

9. Select OracleDiscoverer4i.

10. Click the Stop button, then click the Start button.

Visibroker Gatekeeper is now configured to use your NAT device in front of the Gatekeeper.

NOTE: Discoverer 4i does not support the use of NAT devices behind the Gatekeeper.