Publishing Remote MSMQ with ISA Server 2004

 

My company uses MSMQ as the middle tier for its web sites and web services.

Having recently joined the company, I was quite alarmed by the network configuration.
The DMZ had numerous servers hosting queues, and an AD domain, because MSMQ had been installed with AD integration. The previous systems admin's lack of knowledge and skills had left the company very vulnerable. Luckily he's moved on.

I made it a priority to fix these issues but before I could do this I needed to get to grips with MSMQ.

These were my primary objectives:

  1. To move these middle-tier application servers to the internal LAN, to lessen the DMZ footprint and the attack surface exposed to the Internet.

  2. We have an SLA that requires us to keep all messages processed for 6 years. There was a very flaky routine that ran on all the queue servers and archived the MSMQ journal messages. I wanted to access the journal queues from one source and archive the messages to a LAN file server.

  3. I also wanted to use our new MS-SQL cluster to host clustered queues for resilience, as our business is soon to run 24/7. This server would be on the internal LAN, giving us a front-end and a back-end firewall; the back-end firewall would be ISA 2004. I would also need to deploy ISA Server in a failover mode, but that would be Phase 2.

The setup I was confronted with looked something like this. In reality it was considerably worse than this, but it gives you the general idea.

This is what I wanted to achieve for Phase 1:

This gave me additional benefits:-

In Phase 2 of the project I will upgrade to ISA 2006 Enterprise and install a second ISA server for resilience. I'll then beef up the front-end firewalls with some failover as well.

Sending to a remote queue only needs one TCP port published, but reading messages from a remote queue, or performing any other queuing operation, requires the MSMQ TCP ports to be published and the ISA RPC filter to be configured with the MSMQ RPC interfaces.

Key points to bear in mind when dealing with MSMQ

MSMQ briefly

 

Before we get into configuring ISA 2004, a bit of explanation of MSMQ might help.

MSMQ is basically an asynchronous, store-and-forward messaging service that works much like email: you send a message and trust that it gets there. Unless you ask for acknowledgements (MSMQ can send positive or negative acknowledgements back to an administration queue you nominate), you only find out a message didn't arrive when the receiver tells you, or when it turns up in a dead-letter queue.

If you run a website that uses a database, you need a connection to it before you can process anything. Using queues you can just send a message to a queue and have your middle tier pick it up and do the database processing, so your website or web service is not constrained by SQL Server connections. Messages stay queued until the middle tier reads them, so a database outage delays processing rather than failing the web request.

You still need some code to read from the queue and write to the database; my company has a bunch of services that do this.

MSMQ supports several types of queues, the most common being public and private.

You need to address remote queues with direct format names.

In C# I used FORMATNAME:DIRECT=OS:MYServer\QUEUE1 because Microsoft Cluster Server works with names when it comes to queues.

You could use FORMATNAME:DIRECT=TCP:192.168.1.1\QUEUE1 if you're using a single server.

These are both for public queues; for private queues use FORMATNAME:DIRECT=OS:MYServer\Private$\privatequeue.

You can use HTTP to send messages if you're using Windows Server 2003 (with MSMQ HTTP support installed) by changing the format name to URL syntax, which goes through the msmq virtual directory in IIS on the queue server: FORMATNAME:DIRECT=HTTP://www.myserver.com/msmq/Private$/privatequeue.

This means you need to open port 80 (HTTPS on 443 is supported as well), and I didn't want to open port 80 into my internal LAN.

If you only need to send, TCP port 1801 is all that is required. Bear in mind that with an OS: format name the sending host must still be able to resolve MYServer, so the DMZ servers need a DNS entry or hosts-file entry that points at the published address on ISA.
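Here is what those format names look like in practice, as an added PowerShell example that is not from the original article or from the Apress code; it uses the same System.Messaging classes the C# code does. MYServer, QUEUE1 and the share \\FILESERVER\msmq-archive are placeholders, and the journal-archiving function is my illustration of objective 2 (read the journal from one place and file it on the LAN), not the author's routine.

```powershell
# Added example (not from the original article): MSMQ direct format names, a remote
# send, and a remote journal archive using System.Messaging (.NET 2.0 or later).
# Assumptions: MYServer, QUEUE1 and \\FILESERVER\msmq-archive are placeholders.
Add-Type -AssemblyName System.Messaging

function New-MsmqFormatName {
    # Builds a FormatName:DIRECT=... string for a remote queue.
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # cluster name, host name or IP
        [Parameter(Mandatory = $true)][string]$Queue,
        [ValidateSet('OS', 'TCP', 'HTTP', 'HTTPS')][string]$Protocol = 'OS',
        [switch]$Private,                                 # Private$\<queue>
        [switch]$Journal                                  # <queue>;JOURNAL
    )
    $path = if ($Private) { "Private`$\$Queue" } else { $Queue }
    if ($Protocol -like 'HTTP*') {
        # HTTP(S) names use URL syntax and the msmq virtual directory in IIS.
        $name = "FormatName:DIRECT=${Protocol}://$Server/msmq/" + ($path -replace '\\', '/')
    } else {
        $name = "FormatName:DIRECT=${Protocol}:$Server\$path"
    }
    if ($Journal) { $name += ';JOURNAL' }
    return $name
}

function Send-MsmqMessage {
    # Sends to a remote queue; only TCP 1801 (plus name resolution) is needed for this.
    param(
        [Parameter(Mandatory = $true)][string]$FormatName,
        [Parameter(Mandatory = $true)][string]$Body,
        [string]$Label = 'web order'
    )
    $queue = New-Object -TypeName System.Messaging.MessageQueue -ArgumentList $FormatName
    $msg = New-Object System.Messaging.Message
    $msg.Label = $Label
    $msg.Body = $Body                                  # serialised by the default XmlMessageFormatter
    $msg.Recoverable = $true                           # survives a restart of the local queue manager
    $msg.UseDeadLetterQueue = $true                    # undeliverable messages go to the dead-letter queue
    $msg.TimeToReachQueue = [TimeSpan]::FromHours(1)   # otherwise it waits in the outgoing queue forever
    $queue.Send($msg)
    $queue.Close()
    return $msg.Id                                     # populated by Send; looks like <guid>\<number>
}

function Export-MsmqJournal {
    # Drains the remote journal queue into one file per message. Peek first, write the
    # file, then remove by Id, so a failed write never loses a message. Remote reads use
    # RPC (the 2103/2105 interfaces found through the endpoint mapper), not port 1801.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Queue,
        [Parameter(Mandatory = $true)][string]$ArchiveDir,
        [int]$IdleSeconds = 2
    )
    $fn = New-MsmqFormatName -Server $Server -Queue $Queue -Journal
    $journal = New-Object -TypeName System.Messaging.MessageQueue -ArgumentList $fn
    $journal.MessageReadPropertyFilter.SetAll()       # we need Id, ArrivedTime and Body
    $archived = 0
    while ($true) {
        try {
            $m = $journal.Peek([TimeSpan]::FromSeconds($IdleSeconds))
        } catch [System.Messaging.MessageQueueException] {
            if ($_.Exception.MessageQueueErrorCode -eq [System.Messaging.MessageQueueErrorCode]::IOTimeout) { break }
            throw                                      # AccessDenied here means the queue ACL or registry setting is wrong
        }
        $safeId = $m.Id -replace '[\\:]', '_'
        $file = Join-Path $ArchiveDir ('{0:yyyyMMdd-HHmmss}-{1}.msg' -f $m.ArrivedTime, $safeId)
        $bytes = New-Object byte[] ($m.BodyStream.Length)
        $m.BodyStream.Position = 0
        [void]$m.BodyStream.Read($bytes, 0, $bytes.Length)
        [System.IO.File]::WriteAllBytes($file, $bytes)  # raw body, whatever formatter produced it
        [void]$journal.ReceiveById($m.Id)              # only now is it safe to remove it from the journal
        $archived++
    }
    $journal.Close()
    return $archived
}

# Usage from a DMZ web server once the ISA rules are in place:
#   $fn = New-MsmqFormatName -Server 'MYServer' -Queue 'QUEUE1'     # FormatName:DIRECT=OS:MYServer\QUEUE1
#   Send-MsmqMessage -FormatName $fn -Body '<order id="42"/>'
#   Export-MsmqJournal -Server 'MYServer' -Queue 'QUEUE1' -ArchiveDir '\\FILESERVER\msmq-archive'
```

Export-MsmqJournal is the part that needs everything in the rest of this article: it only works once the RPC interfaces are published and the queue grants receive rights to the reading identity. Send-MsmqMessage sets TimeToReachQueue and UseDeadLetterQueue deliberately, because without them a message that cannot get through just sits in the local outgoing queue and never reaches the dead-letter queue.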

MSMQ uses the following ports (direction is from the sending or reading client towards the queue server):

Port   Protocol  Direction  Purpose
1801   TCP       inbound    Sending messages between queue managers
2101   TCP       inbound    Queue creation and AD (MQIS) lookups over RPC
2103   TCP       inbound    Reading remote queues over RPC
2105   TCP       inbound    Reading remote queues over RPC (used when 2103 is already taken)
135    TCP       both       RPC endpoint mapper, handled by the ISA RPC filter

The RPC ports are reached via the endpoint mapper on 135, which is why a plain port-publishing rule is not enough for remote reads: the RPC filter has to know which MSMQ interfaces to allow. MSMQ also uses UDP 1801 and UDP 3527 for its internal ping between queue managers; they are not part of the rules below, but if sending stalls with the outgoing queue showing "Waiting to connect", check whether they are being dropped.
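Before touching any queues it is worth confirming from a DMZ host that the published ports actually answer. The following is an added PowerShell check, not from the original article; 'MYServer' is a placeholder for the name or IP published on ISA.

```powershell
# Added example (not from the original article): confirm from a DMZ host that the
# MSMQ ports published on ISA answer, and tell a dropped packet from a refused one.
# Assumption: 'MYServer' resolves to the address published on the ISA server.
$MsmqPorts = @{
    135  = 'RPC endpoint mapper (ISA RPC filter)'
    1801 = 'Sending messages'
    2101 = 'Queue creation / AD lookups (RPC)'
    2103 = 'Remote read (RPC)'
    2105 = 'Remote read (RPC, fallback port)'
}

function Test-TcpPort {
    # Returns 'Open', 'Refused' (RST came back: the host is there but nothing listens
    # or ISA rejected it) or 'Filtered' (no answer within the timeout: silently dropped).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Filtered' }
        $client.EndConnect($async)           # throws SocketException on RST or other errors
        if ($client.Connected) { return 'Open' } else { return 'Refused' }
    } catch {
        return 'Refused'
    } finally {
        $client.Close()
    }
}

function Test-MsmqPorts {
    param([Parameter(Mandatory = $true)][string]$ComputerName, [int]$TimeoutMs = 3000)
    foreach ($port in ($MsmqPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Port    = $port
            Purpose = $MsmqPorts[$port]
            State   = Test-TcpPort -ComputerName $ComputerName -Port $port -TimeoutMs $TimeoutMs
        }
    }
}

# Usage:  Test-MsmqPorts -ComputerName 'MYServer' | Format-Table Port, State, Purpose -AutoSize
```

An open 135 only proves the endpoint mapper is published; whether the RPC filter lets the MSMQ interfaces through is something this test cannot see, which is what the portqry run in the next section is for.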

Configuration

I needed to be able to read remote queues as well as send, so I started by reading the excellent example on the www.isaserver.org website, http://www.isaserver.org/articles/2004rpc.html, making the necessary changes for MSMQ.

As stated in the article on www.isaserver.org, RPC endpoints can be difficult to find, but I found them by running the Microsoft PortQry tool.

I pointed it at the queue server with the following command: portqry -n MYServer -e 135. This produces a fairly long list, but it's quite easy to identify the relevant MSMQ entries. Running the same command again from a DMZ host once the rules are in place is also a good check that the endpoint mapper is reachable through ISA.

UUIDs for MSMQ

UUID: 1088a980-eae5-11d0-8d9b-00a02453c337 Message Queuing - QM2QM V1

UUID: 1a9134dd-7b39-45ba-ad88-44d01ca47f28 Message Queuing - RemoteRead V1

UUID: 76d12b80-3467-11d3-91ff-0090272f9ea3 Message Queuing - QMRT V2

UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 Message Queuing - QMRT V1
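Rather than copy the UUIDs by hand, the PortQry output can be parsed. This is an added PowerShell example, not from the original article; the sample output embedded in it is a constructed, abbreviated imitation of what portqry prints, and the port numbers shown against each interface in that sample are illustrative, so take yours from a real run.

```powershell
# Added example (not from the original article): pull the MSMQ interface UUIDs out of
# 'portqry -n MYServer -e 135' output in the {braced} form the ISA RPC protocol
# definition wants, and record which fixed port each one is bound to.
# $SamplePortqry is a constructed, abbreviated sample, not a real capture.
$SamplePortqry = @'
Querying Endpoint Mapper Database...
Server's response:

UUID: 1088a980-eae5-11d0-8d9b-00a02453c337 Message Queuing - QM2QM V1
ncacn_ip_tcp:192.168.1.10[2103]

UUID: 1a9134dd-7b39-45ba-ad88-44d01ca47f28 Message Queuing - RemoteRead V1
ncacn_ip_tcp:192.168.1.10[2103]

UUID: 76d12b80-3467-11d3-91ff-0090272f9ea3 Message Queuing - QMRT V2
ncacn_ip_tcp:192.168.1.10[2105]

UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 Message Queuing - QMRT V1
ncacn_ip_tcp:192.168.1.10[2105]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:\\\\MYSERVER[\\pipe\\samr]
'@

function Get-MsmqRpcInterfaces {
    # Emits one object per MSMQ interface: Uuid (with braces), Name, Ports.
    param([Parameter(Mandatory = $true)][string[]]$PortqryOutput)
    $current = $null
    foreach ($line in $PortqryOutput) {
        if ($line -match '^UUID:\s+([0-9a-fA-F-]{36})\s*(.*)$') {
            $uuid = $Matches[1]; $desc = $Matches[2].Trim()   # copy before any further -match
            if ($current) { $current }                         # flush the previous interface
            $current = $null
            if ($desc -like '*Message Queuing*') {
                $current = New-Object PSObject -Property @{
                    Uuid  = '{' + $uuid.ToLower() + '}'        # ISA wants the curly braces
                    Name  = $desc
                    Ports = @()
                }
            }
        } elseif ($current -and $line -match '^ncacn_ip_tcp:[^\[]+\[(\d+)\]') {
            $current.Ports += [int]$Matches[1]                 # TCP binding for this interface
        }
    }
    if ($current) { $current }
}

# Real run:   portqry -n MYServer -e 135 > portqry.txt
#             Get-MsmqRpcInterfaces -PortqryOutput (Get-Content portqry.txt) | Format-Table Uuid, Name, Ports
# Offline check against the constructed sample above:
Get-MsmqRpcInterfaces -PortqryOutput ($SamplePortqry -split "`r?`n") | Format-Table Uuid, Name, Ports -AutoSize
```

The Ports column is the cross-check against the port table: every TCP port that appears against an MSMQ interface must be in the MSMQ Inbound protocol, and anything that is not "Message Queuing" (the SAMR entry in the sample) must stay out of the RPC protocol definition.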

Creating a New RPC Protocol Definition

We now know the UUIDs to publish, so we need to create the firewall rule to implement it.

First of all, we need to create our own RPC protocol by giving it all the UUIDs to publish.

To do so, create a new firewall rule, but rather than selecting a protocol from the list, click New, then RPC Protocol:

Select 'Add interfaces manually'. This option provides a screen where we can type the UUID(s) we want to publish (on that screen, interface means RPC UUID):

The best way to add the interfaces is to capture the output of the portqry run earlier to a file and then copy and paste the MSMQ UUIDs; this avoids typos. Don't forget the curly braces.

Add all the interfaces identified in the MSMQ UUID list above, and only those: every extra interface in the definition is another RPC service exposed to the DMZ.

Next I created a new protocol for MSMQ which included all the ports listed above, and called it MSMQ Inbound.

Next you need two server publishing rules, one for MSMQ Inbound and one for the RPC protocol, both pointing at the relevant queue server. Restrict the source of both rules to the DMZ hosts that actually send or read, rather than the whole DMZ network.

Almost there; next we need to configure security.

Security

To read a remote queue, the identity doing the reading needs the 'Receive Message' permission on that queue (and 'Receive Journal Message' if it reads the journal). A client from an untrusted domain, or a workgroup host in the DMZ, cannot authenticate to the queue server, so it arrives as ANONYMOUS LOGON, and that is the principal you have to grant. This sounds back to front, but it's in respect of the reading application: it receives messages from the remote queue. Bear in mind that once ANONYMOUS LOGON can receive, any host that can reach the RPC ports can drain the queue, so the ISA rules should only admit the hosts that need it.

If you're using Windows Server 2003, you'll also need to edit the registry, because by default the Windows Server 2003 MSMQ service only accepts remote-read RPC calls that are authenticated, which domain clients can do and clients from an untrusted domain cannot. To accept unauthenticated remote-read clients, add

NewRemoteReadServerAllowNoneSecurityClient as a DWORD and set it to 1

under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\security for a non-clustered server, and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Clustered QMs\MSMQ$<Resource Name> Service\Parameters\security for a clustered resource.

See the MSMQ Security Overview http://technet2.microsoft.com/WindowsServer/en/library/97efae9f-8657-43fa-89de-e299b45dc7501033.mspx?mfr=true

Restart the MSMQ service.
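Both settings can be applied from a PowerShell session on the queue server. This is an added example, not from the original article: the registry key path for a stand-alone server is the one given above, the clustered key path is passed in by the caller (copy it from the text above with your resource name substituted, and confirm it in regedit), and QUEUE1 is a placeholder public queue.

```powershell
# Added example (not from the original article): the two security settings a remote
# reader from an untrusted domain needs, applied on the queue server itself.
# Run elevated; on a cluster run it on the node that currently owns the MSMQ resource.
Add-Type -AssemblyName System.Messaging

function Enable-MsmqUnauthenticatedRemoteRead {
    # Windows Server 2003: accept remote-read RPC calls from clients that cannot
    # authenticate. After this, any host that reaches the RPC ports can read as
    # ANONYMOUS LOGON, so the ISA rule must be scoped to the DMZ hosts that need it.
    # For a clustered queue manager pass the 'Clustered QMs\MSMQ$<Resource Name> ...'
    # key from the article via -SecurityKey.
    param([string]$SecurityKey = 'HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters\security')
    if (-not (Test-Path $SecurityKey)) { New-Item -Path $SecurityKey -Force | Out-Null }
    Set-ItemProperty -Path $SecurityKey -Name 'NewRemoteReadServerAllowNoneSecurityClient' -Value 1 -Type DWord
    return (Get-ItemProperty -Path $SecurityKey).NewRemoteReadServerAllowNoneSecurityClient
}

function Grant-MsmqReceiveToAnonymous {
    # The untrusted remote reader shows up as ANONYMOUS LOGON, so that principal needs
    # Receive (and Peek) on the queue; reading the journal needs Receive Journal Message too.
    param(
        [Parameter(Mandatory = $true)][string]$QueuePath,   # e.g. '.\QUEUE1' for a public queue on this box
        [switch]$IncludeJournal
    )
    $rights = [System.Messaging.MessageQueueAccessRights]'ReceiveMessage, PeekMessage, GetQueueProperties'
    if ($IncludeJournal) {
        $rights = [System.Messaging.MessageQueueAccessRights]($rights -bor [System.Messaging.MessageQueueAccessRights]::ReceiveJournalMessage)
    }
    $queue = New-Object -TypeName System.Messaging.MessageQueue -ArgumentList $QueuePath
    $queue.SetPermissions('ANONYMOUS LOGON', $rights, [System.Messaging.AccessControlEntryType]::Allow)
    $queue.Close()
    return $rights
}

# Usage on a stand-alone queue server:
#   Enable-MsmqUnauthenticatedRemoteRead
#   Grant-MsmqReceiveToAnonymous -QueuePath '.\QUEUE1' -IncludeJournal
#   Restart-Service -Name MSMQ      # on a cluster, take the MSMQ resource offline and online instead
```

Grant-MsmqReceiveToAnonymous deliberately does not give ANONYMOUS LOGON 'Delete Queue' or 'Set Queue Properties': the reader only needs to peek and receive, and anything more just widens what a compromised DMZ host could do to the queue.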

Testing

I developed an application from code in the Apress book Pro MSMQ, http://www.apress.com/book/bookDisplay.html?bID=287

This sends to a FormatName:DIRECT=OS: address because clusters work with names rather than IP addresses. You'll need .NET Framework 2.0 and MSMQ installed.

Sending always appears to work, because the message goes to the local queue manager, which then tries to deliver it. If it can't get through, the message sits in the local outgoing queue; it only ends up in the dead-letter queue if you asked for that (UseDeadLetterQueue on the message) and either set a time-to-reach-queue or the destination rejected it. So check the outgoing queues on the sending server, not just the dead-letter queue, when testing the firewall rules.

Conclusion

I've found that MSMQ information can be difficult to locate; it all seems to be out there, but it does take some finding. MSMQ is heavily biased toward developers, and as system admins we quite often have to pick up the pieces when it doesn't work (must be the network!). My advice is stick with it; it's not that difficult, but follow a few guidelines.

Hope this helps to demystify some of the black art of MSMQ. Twelve months ago (March 2006) I knew nothing about MSMQ apart from it being an option to install. I'm still not an expert, but through necessity I've had to get to understand it. There are lots of other parts to MSMQ, like transactions and triggers, that you may want to explore.

Drop me an email if you're still having problems and I'll do my best to help.

Useful Links

http://www.apress.com/book/bookDisplay.html?bID=287

MSMQ Security Overview http://technet2.microsoft.com/WindowsServer/en/library/97efae9f-8657-43fa-89de-e299b45dc7501033.mspx?mfr=true

Understanding and Implementing ISA 2004 as an Application Firewall with the RPC Stateful Inspection Filter http://www.isaserver.org/articles/2004rpc.html