Using firewalls

The following sections describe working with firewalls.

About using firewalls

Working with a firewall means that you can prevent unauthorized access to or from a private network, on specific port numbers.

For example, you can specify that no access is allowed to any port from the outside world, with the exception of the mail port (25), or you can specify that no outside connection is allowed from any ports to the outside except from the mail port and the web port (80). The port settings are configured by the system administrator.

In a typical performance test (not over a firewall), the Controller has direct access to the LoadRunner Agents running on remote machines. This enables the Controller to connect directly to those machines.

Test not over a firewall

When running Vusers or monitoring applications over a firewall, this direct connection is blocked by the firewall. The connection cannot be established by the Controller, because it does not have permissions to open the firewall.

Direct connection blocked when running Vusers or monitoring over a firewall

This problem is solved by using secure TCP over proxy. This communication is secured using TLS (formerly SSL). For details on communication over proxy, see Set up your deployment (TCP or TCP over proxy).

The agent is already installed on load generators (running Vusers over a firewall), and on Monitor Over Firewall machines (that monitor the servers that are located over a firewall). The agent communicates with the MI Listener machine on port 443.

The MI Listener is a component that serves as a router between the Controller and the LoadRunner Agent.

Using secure TCP over proxy

When the LoadRunner Agent connects to the MI Listener, the MI Listener keeps a listing of the connection to the agent using a symbolic name that the agent passed to it.

When the Controller connects to the MI Listener, it communicates with the MI Listener on port 50500.

Controller communicating with MI Listener on port 50500

The Controller uses a symbolic name for the agent, and provides the MI Listener machine's name. If there has been a connection from the agent with the same symbolic name to this MI Listener, the connection is made between the Controller and the agent. After you have a connection with the agent, you can run Vusers over a firewall or monitor AUT machines behind the firewall.

Connection between the Controller and the agent
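
The flows described above (agent to MI Listener on port 443, Controller to MI Listener on port 50500, no direct Controller-to-agent connection) can be checked against a proposed firewall rule set before a change is applied. The following is an added example, not code from the LoadRunner documentation or product; the addresses, the rule format, the first-match evaluation, and the names decide and audit are assumptions made for illustration.

```python
import ipaddress

# Constructed addresses (assumptions, not from the page).
AGENT = "10.20.0.15"        # LoadRunner Agent behind the firewall
MI_LISTENER = "192.0.2.10"
CONTROLLER = "192.0.2.20"

# Flows the page describes, as (source, destination, destination port).
REQUIRED = [(AGENT, MI_LISTENER, 443), (CONTROLLER, MI_LISTENER, 50500)]
# Direct Controller-to-agent connections must stay blocked. The ports are
# sample values; the page does not name the direct-connection port.
FORBIDDEN = [(CONTROLLER, AGENT, 443), (CONTROLLER, AGENT, 50500)]

def decide(rules, src, dst, port):
    """First-match evaluation; a flow that matches no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):   # None means any port
            return action
    return "deny"

def audit(rules):
    """Return (problem, flow) pairs; an empty list means the rules fit."""
    findings = [("missing", f) for f in REQUIRED
                if decide(rules, *f) != "allow"]
    findings += [("too-permissive", f) for f in FORBIDDEN
                 if decide(rules, *f) == "allow"]
    return findings

# Constructed rule sets: (action, source CIDR, destination CIDR, port).
TIGHT = [
    ("allow", "10.20.0.0/24", "192.0.2.10/32", 443),
    ("allow", "192.0.2.20/32", "192.0.2.10/32", 50500),
]
LOOSE = [
    ("allow", "10.20.0.0/24", "0.0.0.0/0", None),
    ("allow", "192.0.2.0/24", "10.20.0.0/24", None),
]

if __name__ == "__main__":
    for name, rules in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        print(name, audit(rules) or "ok")
```

The LOOSE rule set shows two common review findings at once: a broad outbound rule that happens to cover port 443, and a subnet-wide rule that reopens the direct Controller-to-agent path while still missing the port 50500 flow.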


Over firewall deployment - example

The following diagram is a basic example of a deployment over a firewall.

Deployment over a firewall

As explained in the previous section, the LoadRunner Agent is installed on both the load generator machine and the Monitor Over Firewall machine. During installation, the agent is added as a Windows service.

The MI Listener serves as a router between:

  • The agent on the load generator machine and the Controller, enabling the Controller to run Vusers over a firewall.

  • The agent on the Monitor Over Firewall machine and the Controller, enabling the Controller to monitor the servers that are located over a firewall.