Interesting issue with WCF wsHttpBinding through a Firewall

Posted by Marko on Stack Overflow See other posts from Stack Overflow or by Marko
Published on 2008-12-11T21:34:15Z Indexed on 2010/03/15 5:19 UTC
Read the original article Hit count: 834

I have a web application deployed in an internet hosting provider. This web application consumes a WCF Service deployed at an IIS server located at my company’s application server, in order to have data access to the company’s database, the network guys allowed me to expose this WCF service through a firewall for security reasons. A diagram would look like this.

[Hosted page] ---> (Internet) ---> |Firewall <Public IP>:<Port-X >| ---> [IIS with WCF Service <Comp. Network Ip>:<Port-Y>]

link text

alt text

I also wanted to use wsHttpBinding to take advantage of its security features, and encrypt sensible information.

After trying it out I get the following error:

Exception Details: System.ServiceModel.EndpointNotFoundException: The message with To 'http://<IP>:<Port>/service/WCFService.svc' cannot be processed at the receiver, due to an AddressFilter mismatch at the EndpointDispatcher. Check that the sender and receiver's EndpointAddresses agree.

Doing some research I found out that wsHttpBinding uses WS-Addressing standards, and reading about this standard I learned that the SOAP header is enhanced to include tags like ‘MessageID’, ‘ReplyTo’, ‘Action’ and ‘To’.

So I’m guessing that, because the client application endpoint specifies the Firewall IP address and Port, and the service replies with its internal network address which is different from the Firewall’s IP, then WS-Addressing fires the above message. Which I think it’s a very good security measure, but it’s not quite useful in my scenario.

Quoting the WS-Addressing standard submission (http://www.w3.org/Submission/ws-addressing/)

"Due to the range of network technologies currently in wide-spread use (e.g., NAT, DHCP, firewalls), many deployments cannot assign a meaningful global URI to a given endpoint. To allow these ‘anonymous’ endpoints to initiate message exchange patterns and receive replies, WS-Addressing defines the following well-known URI for use by endpoints that cannot have a stable, resolvable URI. http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous"

HOW can I configure my wsHttpBinding Endpoint to address my Firewall’s IP and to ignore or bypass the address specified in the ‘To’ WS-Addressing tag in the SOAP message header? Or do I have to change something in my service endpoint configuration?

Help and guidance will be much appreciated.

Marko.

P.S.: While I find any solution to this, I’m using basicHttpBinding with absolutely no problem of course.

© Stack Overflow or respective owner

Related posts about wcf

Related posts about firewall