[squid-users] T3/T3S Protocol

Farci, Anatole V anatole.v.farci at intel.com
Sun Apr 12 04:41:58 UTC 2015


Hi,

I have a JavaClient that uses T3S:443 to connect to Oracle's WLS application server. WLS is in a DMZ and I have a Squid proxy between the DMZ and our Intranet (in its own DMZ) to forward all requests to WLS. The port (443) is open since the browsers can talk to the WLS, but it appears that the T3S is not going through the proxy. I have searched to see what I can add to allow this T3 (RMI protocol) to go through. Our Squid configuration is very simple: it has a whitelist and allows all traffic on ports 80 and 443 to go through.

On the client side, I get this error:
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://xxxx.yyy.intel.com:443: Destination xxx.yyy.zzz.www, 443 unreachable; nested exception is:
        java.net.ConnectException: Connection timed out: connect; No available router to destination]

In the Squid access.log, where <dns> and <fqdn> are the correct values (using a browser, I can reach the WLS with either of them using HTTPS:443):
1428776399.835  27238 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776414.999  15117 10.254.98.83 TCP_MISS/200 2199 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776430.068  27768 10.254.98.83 TCP_MISS/200 9658 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776445.200  15085 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776460.396  15118 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776480.270  15211 10.254.98.83 TCP_MISS/200 9722 CONNECT <FQDN>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
1428776495.293  27207 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -

Store.log has this one entry only:
1428773672.888 RELEASE -1 FFFFFFFF 93F32BC091B147DF27B4355731396BC9  200 1428770072 1428770072 1428773672 application/cache-digest 144/144 GET internal://proxy..intel.com/squid-internal-periodic/store_digest

and the squid config looks like this:
visible_hostname proxy.intel.com
http_port 912

logfile_rotate 30
cache_access_log C:/squid/var/logs/access.log

acl all src 0.0.0.0/0.0.0.0
acl whitelist dstdomain .intel.com
acl http proto http t3
acl port_80 port 80
acl port_443 port 443
acl port_23791 port 23791
acl CONNECT method CONNECT


# rules allowing non-authenticated users
http_access allow http port_80 whitelist
http_access allow CONNECT port_443 whitelist
http_access allow CONNECT port_23791 whitelist


I've tested that the ACL is open from the Squid DMZ to the WLS DMZ by running the JavaClient on the Squid server.

Any help is appreciated.

Thanks

Anatole



Anatole V. Farci
Product Development IT (PDIT) - Integrated Lifecycle Solutions (ILS)
503-696-2917
Mobile # available on outlook




