Remote Connection Server

Overview

The Remote Connection Server is an application that allows other Deadline components (such as the Deadline Slave, Deadline Monitor, etc.) to communicate with a Deadline Repository over HTTP. This application replaced the Deadline Proxy Server.

Note

The Deadline Proxy Server was fully removed in version 10.0.25. There are potential issues with the Proxy Server if automatically downgrading to an older version. Please see the Upgrading or Downgrading Non-Render Nodes and Non-Workstations First documentation for more info.

[Diagram: Connection Servers overview]

The above diagram is what a simple configuration may look like. The dotted line represents the separation of networks over the internet. In this configuration, the external resources communicate with the Connection Server over HTTP. It is important to note that this means the communication between external resources and the local render farm is not secure.

In some cases, such as when using a VPN (virtual private network), this is acceptable. In this case the VPN would ensure the communication is secure. If using a VPN is not desirable, Transport-Layer Security (TLS/SSL) is also an option, though this requires a little more setup to accomplish. See HTTPS Configuration.

Note

In Deadline 10.0.21 and later, client applications (Pulse, Slave, etc.) that are connected to the Remote Connection Server will not be able to perform house cleaning operations. Instead, the Remote Connection Server has adopted this responsibility and will perform House Cleaning, Repository Repair, and Pending Job Scan periodically.

Client applications that use a direct Repository connection can still perform house cleaning operations as normal.

Running the Remote Connection Server

To start the Remote Connection Server:

  • On Windows, you can start the Remote Connection Server by double clicking on deadlinercs.exe in the Deadline client installation folder, usually under

    C:\Program Files\Thinkbox\Deadline[VERSION]\bin
    
  • On Linux, you can start the Remote Connection Server from a terminal window by running the deadlinercs script in the bin folder, usually under

    /opt/Thinkbox/Deadline[VERSION]/bin
    
  • On Mac OS X, you can start the Remote Connection Server from a terminal by running the DeadlineRCS application in

    /Applications/Thinkbox/Deadline[VERSION]/DeadlineRCS[VERSION].app/Contents/MacOS
    

where [VERSION] is the MAJOR release number of Deadline, such as 10.

Connection Servers Panel

Remote Connection Servers can be monitored through the Deadline Monitor with the “Connection Servers” panel. You can use this panel to check the state of Connection Servers and monitor their CPU and memory usage. Note that the Deadline Proxy Server is still considered a Connection Server, and instances of it will appear in this panel. These instances can be differentiated by a Connection Type column with the value Legacy.


Configuration

Repository Configuration

By default, the Remote Connection Server listens for HTTP requests on port 8080. This can be configured in the Repository from the Deadline Monitor’s Connection Servers panel by right-clicking an item and selecting Modify Connection Server Properties.


The configurable options include:

  • Host Name/IP Address Override: Overrides the hostname/IP address used to communicate with the Connection Server. By default, this property is blank (no override).
  • Listening Port: This is the port that the Connection Server will listen on when started. By default, this property is 8080.

Command Line Parameters

You can also control the Connection Server’s behavior more granularly at runtime with command line parameters. The available parameters are listed in the table below; they are all specified as follows:

deadlinercs --<param name> <param value>

Available parameters can be queried via deadlinercs --help, but are also provided here for convenience:

Param Name   Param Value
----------   -----------
ip           The IP of the interface on which the Server will accept incoming connections. Defaults to 0.0.0.0.
port         The Port on which the Server will accept incoming HTTP Connections. Defaults to 8080.
tls_port     The Port on which the Server will accept incoming TLS (HTTPS) Connections. Defaults to 4433.
tls_cert     The path to a PKCS#12 file containing an x509 certificate and key used for authentication and encryption during TLS communication. Required to serve HTTPS connections. Not specified by default.
ca_cert      The path to a PKCS#12 or PEM file containing an additional trusted root certificate to use when authenticating clients. Not specified by default.

Similarly, there are a couple of command line flags (which do not require a value) that help provide additional control over the Connection Server’s behavior. The syntax for these is like the parameters above, but does not require a value, e.g.:

deadlinercs --<flag name>

Flag Name    Flag Behavior
---------    -------------
tls_auth     If specified, the Server requires Clients to authenticate themselves by presenting an x509 certificate. Otherwise, client certificates will not be required (but will still be validated if presented).
local_only   If specified, the Server will only accept incoming requests originating from the local machine (i.e., 127.0.0.1).

Note that the Connection Server will prioritize parameter values specified in the command line over both the default settings set in the Repository Options (see section above), and in the Local Configuration (see below).

Local Configuration

The values for all the command line parameters described above can also be permanently configured in the Client Configuration ini file, so that they don’t have to be explicitly specified every time the connection server is started. Note that the parameter names in the *.ini file are different (see Client Configuration docs for the list), but the expected values and behavior remain the same.

For ease of configuration, these values can also be changed via Deadline Command. For more details, you can invoke:

deadlinecommand help ConfigureConnectionServer

Finally, the Deadline Launcher can be configured to automatically re-start the Connection Server in the event of a crash/shutdown via the Client Configuration ini file.

Connecting to the Remote Connection Server

The “Change Repository” dialog includes a Connection Type option. To connect to a Remote Connection Server, choose Remote Connection.


Selecting this option allows you to enter the Remote Server address and port. The address should be a hostname or IP address at which the machine running the Remote Connection Server can be reached. The port should be the port that the Remote Connection Server is configured to listen on. If connecting with HTTPS, you can place the path to the PFX certificate in the “Client Certificate” text box, and supply the passphrase if required. See our SSL Certificate Generation documentation on how to create the certificates for your chosen web server.

See also Firewall and Security Considerations to ensure you allow the Remote Connection Server to be accessible through your firewall.

Windows Namespace Reservation

If the Remote Connection Server is running on Windows, you may also need to add a namespace reservation for the current user that the Remote Connection Server is running under, so that it can reserve namespaces for the URL connection. See the Configuring Namespace Reservations section in this MSDN Article for more information. Note, Windows XP users require SP2 to be installed and XP 64bit does NOT support namespace reservation. It is recommended to use a server based Windows OS such as Windows 2003, 2008 R2, 2012 or newer.

Note that by default, the Remote Connection Server listens on http://+:8080/, so make sure you set the port number correctly in the URL you use when reserving the namespace. For example:

netsh http add urlacl url=http://+:8080/ user=DOMAIN\username

Ensure you have correctly elevated Windows permissions when executing the above in a command prompt and replace username with the appropriate %USERNAME% that the Remote Connection Server is running under. For machines not on a domain, simply remove the DOMAIN prefix, but keep the backslash. Depending on your local security policy, the user account may need to have local administrator rights temporarily for you to initially reserve the namespace. The namespace reservation will also need updating if you ever modify the port number or user account used. Use the following command in a command prompt to help list what namespace reservations are currently present on your machine:

netsh http show urlacl

Note that this is NOT the same reservation that is required for the Web Service.

Linux Open File Limits

If the Remote Connection Server is running on Linux, it is recommended that you increase the maximum number of open files for the Remote Connection Server process. Since socket connections are treated as open files on Linux, it is very easy for the default maximum value (1024) to be reached in an active farm. We recommend setting it to at least 64000. You can set it by running the following command before running the Remote Connection Server:

ulimit -n 64000

The Remote Connection Server will check the file limit on startup and print a warning to the beginning of the log if it is set to a value that is too low, but will run anyway.

HTTPS Configuration

The Remote Connection Server can be configured to use TLS to encrypt communications and authenticate incoming client connections, if needed. To do so, you will need to configure the following settings for your Connection Server:

  • ‘TLS Certificate’ must be specified, and be a valid PKCS#12 file containing a certificate and corresponding private key.
  • ‘TLS Port’ must be specified to be a bindable Port that is not already in use by another application.
  • ‘TLS Auth’ should be specified to require clients connecting to the server to authenticate themselves by presenting a client x509 certificate.
  • ‘CA Cert’ can optionally be specified to provide an additional trusted Root CA to use when building a trust chain from incoming clients’ certificates.

Note that when configured to serve HTTPS connections, trying to connect to the HTTP Port directly (8080 by default) from an external machine will result in a 403 error being returned to the Client. When a Deadline client application connects to a Connection Server through HTTPS, you must enter the path to a TLS/SSL client certificate in the “Client Certificate” field. It is strongly recommended that you keep this certificate (which must be accompanied by the key in a PKCS#12 file) protected by a password.


To create SSL certificates, see the SSL Certificate Generation documentation. Alternatively, you can also re-run the Deadline Client Installer and select the option to configure the connection server. You will then be presented with an option to generate new certificates for use by the Connection Server.
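
As an added example (not part of the Deadline documentation or Thinkbox's code), the POSIX shell wrapper below ties together the Linux open file limit and the TLS settings described above: before launching deadlinercs with --tls_port, --tls_cert and --tls_auth, it checks that the PKCS#12 file is readable only by its owner and that the open-file limit is at least 64000. The install path, the certificate paths, the owner-only permission check and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Thinkbox code). Option names come from the tables above;
# the install path and certificate paths are assumptions for illustration.
RCS_BIN="${RCS_BIN:-/opt/Thinkbox/Deadline10/bin/deadlinercs}"
MIN_NOFILE=64000

# rcs_preflight CERT NOFILE -> prints findings, returns 0 only if there are none.
rcs_preflight() {
    cert=$1; nofile=$2; rc=0
    if [ ! -r "$cert" ]; then
        echo "tls_cert: '$cert' is missing or unreadable"; rc=1
    else
        # Characters 5-10 of the mode string are the group/other permission bits.
        mode=$(ls -Lld "$cert" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "tls_cert: '$cert' holds the private key but is open to group/other"; rc=1
        fi
    fi
    case $nofile in
        unlimited) ;;
        *) if [ "$nofile" -lt "$MIN_NOFILE" ]; then
               echo "nofile: limit $nofile is below $MIN_NOFILE"; rc=1
           fi ;;
    esac
    return $rc
}

# rcs_tls_args CERT [CA] -> prints the TLS arguments, one per line.
rcs_tls_args() {
    printf '%s\n' --tls_port 4433 --tls_cert "$1" --tls_auth
    if [ -n "${2:-}" ]; then printf '%s\n' --ca_cert "$2"; fi
}

# rcs_start CERT [CA]: raise the limit, run the checks, then launch the server.
rcs_start() {
    ulimit -n "$MIN_NOFILE" 2>/dev/null || echo "could not raise nofile limit" >&2
    rcs_preflight "$1" "$(ulimit -n)" || return 1
    # Word splitting is intentional; paths are assumed to contain no whitespace.
    exec "$RCS_BIN" $(rcs_tls_args "$1" "${2:-}")
}

# Usage: sh rcs-start.sh start /path/to/server.pfx [/path/to/ca.pem]
if [ "${1:-}" = "start" ]; then rcs_start "$2" "${3:-}"; fi
```
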

In addition to configuring the Connection Server to handle HTTPS connections itself, you can also set up a third-party Web Server to handle the TLS termination as well – this might be desirable if you are looking to maximize performance, or are also in need of Load Balancing (see section below for details). In either case, if you are looking to have a third-party server handle TLS termination, the Connection Server itself would not need any of the above TLS configuration, and should NOT be exposed externally to the internet. It is also recommended in this case to use the Network Whitelisting feature to restrict incoming connections to only the machine hosting the TLS termination, ensuring that only connections coming through that server are allowed.

Load Balancing

Load balancing can be achieved by using a web service such as NGINX.

[Diagram: Connection Servers HTTPS overview]

In this configuration, we’ve introduced a couple new components. There is now an intermediary NGINX component that accepts HTTPS connections from external resources. The NGINX component can also be used to load balance between one or more connection servers. See the NGINX documentation for help setting this up.

FAQ

Does the Remote Connection Server use any license?

No. It is an unlicensed product and included in the Deadline Client software installer.

Can I run the Remote Connection Server on any machine in my farm?

You can run Remote Connection Server on any machine in your farm, including the Repository or Database machine. However, for larger farms, we recommend running the Remote Connection Server on a dedicated machine.

When choosing a machine to run the Remote Connection Server on, you should be aware that non-Server editions of Windows have a TCP/IP connection limitation of 10 new connections per second. If your render farm consists of more than 100 machines, it is very likely that you’ll hit this limitation every now and then (and the odds continue to increase as the number of machines increases). Therefore, if you are running Remote Connection Server on a farm with 100 machines or more, we recommend using a Server edition of Windows, or a different operating system like Linux.

Can I run the Remote Connection Server as a service or daemon?

Yes. If you’re running the Launcher as a service or daemon, then it will run Remote Connection Server in the background as well. See the Client Installation documentation for more information.

Is the Remote Connection Server used for usage based licensing or 3rd party licensing?

No. This is handled by the Cloud License Server Proxy and License Forwarder application respectively.