U.S. Army Research Laboratory DoD Supercomputing Resource Center

Scientific Visualization

Using SSH port forwarding/tunneling with Ensight

Ensight uses TCP/IP ports to communicate with the license manager (default port 7790) and to establish the client/server connection (default port 1106). [Note: Additional TCP/IP ports are used as the complexity of the interactions increases, such as through the use of Server of Server (SoS).] Often, when attempting to run a client/server application across domains, these ports are blocked as part of an enhanced network security posture. The mechanism that blocks these ports is often referred to as a “firewall”. However, there is a legitimate, secure mechanism that allows this firewall to remain in place while providing a network path over which the Ensight client and server processes can connect.

Traditionally, when doing a client/server connection, the user would simply enter the following command from the client workstation after obtaining the appropriate Kerberos tickets:

$ ensight82.client -rsh /usr/brl/bin/ssh -c {hostname}.arl.hpc.mil
  

(on the client)

$ ensight82.client -cm
  

(on the HPC server)

$ ensight82.server -c {client}.arl.army.mil
  

Both of these examples assume that the client and server can communicate over standard TCP/IP sockets to port 7790 on the license server machine and port 1106 between the client and server. But what if the client system is not sitting on an ARL network, or the server system has these TCP ports blocked? SSH can tunnel ports through a valid SSH connection, creating a virtual port (tunnel) carried by the SSH protocol. Let us consider two different scenarios. In the first scenario, your client workstation is on an ARL network and can establish the appropriate TCP/IP connection on port 7790 to the Ensight license server, but cannot establish the TCP/IP connection on port 1106 to a remote HPC server. In the second scenario, the client workstation is outside the ARL domain and cannot establish appropriate TCP/IP communication to either the Ensight license server or the remote HPC server.

Scenario 1: Client workstation on an ARL network, Ensight server on a remote HPC system

  1. Establish appropriate Kerberos credentials to allow access to the remote HPC system.
  2. On the client workstation, start Ensight with the “-cm” flag. It will wait for a server connection before proceeding.

    $ ensight82.client -cm

  3. From a different terminal window, open an SSH connection to the HPC system (in this example, a system located at AFRL):

    $ ssh -R 1106:localhost:1106 {hostname}.afrl.hpc.mil

    You are now connected to the remote HPC system and have created a tunnel for port 1106, as required for the client/server connection to work.

  4. From this HPC system, start the Ensight server:

    $ ensight82.server -c localhost

    The Ensight server will communicate with the client over port 1106 on localhost, as defined in the ssh command.

Scenario 2: Client workstation outside the ARL domain, Ensight server on a remote HPC system

This scenario assumes that you have the CEI/Ensight software installed on your desktop system and an HPC-approved Kerberos implementation. The Ensight software can be downloaded from the CEI website; however, you must contact your system administrator to get a valid license file that will allow you to use the software. Kerberos can be downloaded from the HPCMO website.

NOTE: It has been identified that the syntax for the SSH command in both of these scenarios is somewhat different on a Mac (OS X 10.4/10.5).

  1. On the client workstation, edit the slim8.key file and change the first license server entry from {hostname}.csi.hpc.mil to localhost.
  2. Establish an SSH connection to an HPC system (or to the system where you want to run the Ensight server; we assume that this remote server can access the Ensight license host):

    $ ssh -L 7790:{hostname}.csi.hpc.mil:7790 \
    -R 1106:localhost:1106 {hostname}.afrl.hpc.mil

    This command establishes two tunnels. The tunnel for port 7790 allows the client to communicate through the tunnel to the remote host to access a license seat from {hostname}.csi.hpc.mil. The tunnel for port 1106 allows the server to communicate back to the desktop client.

  3. In a different window on the client workstation, start the Ensight client with the “-cm” flag:

    $ ensight82.client -cm

  4. Back on the remote server, start the Ensight server:

    $ ensight82.server -c localhost


The correct syntax to use on a Mac is:

$ ssh -R 1106:127.0.0.1:1106 {hostname}.afrl.hpc.mil

or

$ ssh -L 7790:{hostname}.csi.hpc.mil:7790 \
 -R 1106:127.0.0.1:1106 {hostname}.afrl.hpc.mil
  

Disclaimer: Setting up SSH to establish a tunnel through the firewall is not an exact science and may require assistance from your system administrator and/or network support staff.

Additional information on the use of SSH tunneling can be found at the HPC DAAC and at CEI/Ensight.