Interesting issue with WCF wsHttpBinding over firewall

I have a web application deployed to an internet hosting provider. This web application uses a WCF service deployed on an IIS server hosted on my company application server to access the data in the company database. The network guys allowed me to expose this WCF service through a firewall for security reasons. The diagram looks like this:

[Hosting] ---> (Internet) ---> | Firewall <Public IP>:<Port-X> | ---> [IIS with WCF Service <Comp. Network Ip>:<Port-Y>]

I also wanted to use wsHttpBinding to take advantage of its security features and encrypt sensitive information.

After checking, I get the following error:

Exception Details: System.ServiceModel.EndpointNotFoundException: A message with "http: //: /service/WCFService.svc" could not be processed in the receiver due to an AddressFilter mismatch on the EndpointDispatcher. Make sure the sender and recipient of the Endpoint Addresses agree.

After doing some research, I found out that wsHttpBinding uses the WS-Addressing standard, and I read about this standard. I found out that the SOAP header has been extended to include tags like "MessageID", "ReplyTo", "Action" and "To".

So my guess is that since the client application endpoint specifies the IP address and port of the firewall and the service responds with its internal network address, which is different from the firewall's IP, WS-Addressing triggers the above message. I consider this to be a very good security measure, but not very useful in my scenario.

Quoting the standard WS-Addressing submission ( http://www.w3.org/Submission/ws-addressing/ )

"Due to a number of networking technologies that are currently widely used (e.g., NAT, DHCP, firewalls), many deployments are unable to assign a meaningful global URI to a given endpoint. To allow these anonymous endpoints to initiate messaging patterns and receive responses, WS-Addressing defines the following well-known URI for use by endpoints that cannot have a stable, resolvable URI. http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous "

How can I configure the wsHttpBinding endpoint to address my firewall's IP address and ignore or bypass the address specified in the WS-Addressing "To" tag in the SOAP message header? Or do I need to change something in the service endpoint configuration?

Help and advice would be much appreciated.

Marko.

PS: Until I find a solution for this, I am using basicHttpBinding, with absolutely no problem of course.

+5




3 answers


You can try decorating your service class:



[ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)]

+6




A safer way to deal with this is to set the endpoint's ListenUri to the service URL and the endpoint address to the external endpoint where the clients send messages. This way, the service "trusts" messages addressed to this address only, not just ANY address.



+4
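
The setup this answer describes could look like the following service-side configuration. This is an added example, not part of the original answer: the service and contract names and the PUBLIC-IP, INTERNAL-IP, PORT-X and PORT-Y values are placeholders taken from the question's diagram, and it assumes the listen address is the internal URL at which IIS serves the .svc file.

```xml
<!-- Added example: all names, hosts and ports are placeholders (assumptions). -->
<system.serviceModel>
  <services>
    <service name="Company.Services.WCFService">
      <!--
        address   : logical address. Clients put this value in the
                    WS-Addressing To header, and the default
                    AddressFilterMode.Exact compares incoming messages
                    against it.
        listenUri : physical address the service listens on behind
                    the firewall.
        The address filter stays at its default (Exact), so a message
        whose To header names any other address is still rejected,
        unlike with AddressFilterMode.Any.
      -->
      <endpoint
          address="http://PUBLIC-IP:PORT-X/service/WCFService.svc"
          listenUri="http://INTERNAL-IP:PORT-Y/service/WCFService.svc"
          binding="wsHttpBinding"
          contract="Company.Services.IWCFService" />
    </service>
  </services>
</system.serviceModel>
```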




I don't know about the solution from Mitch Baker, never tried it. But that includes changing the generated code. There is another way to get around this.

I am assuming you have generated the client code using svcutil.exe with the MEX address pointing to the firewall. When you do this, all the required configuration is added to App.config (or Web.config). However, the service address in the configuration will point to the real service address (as in the WSDL file, the service endpoint address will be the real service address).

So I think this will solve this problem:

  • Generate the client code with the MEX address (for example: http://:Port-X/service/wcfservice.svc?wsdl). This will create all the required configuration.

  • When calling the client constructor, give the firewall URI as an EndpointAddress along with the configuration name of the generated configuration. Thus, the client will send the message as if it were sending it to the service, but to the firewall address:

    // Keep the generated endpoint configuration, but override the address with the firewall's
    client = new ServiceClient(endpointConfigName, new System.ServiceModel.EndpointAddress("http://:Port-X/service/wcfservice.svc"));

+2

