22 Oct 2013

Squeezing JMX through firewall

Getting a JMX connection working through a firewall seems to be a recurring topic and a great source of confusion.

Typically, you use something like this:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=<some port>
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=localhost
to start the application with JMX enabled for remote connections, and then configure port forwarding to let the traffic pass through the firewall.

And it just does not work. Whatever you do, you cannot get that connection working. It's really annoying, frustrating and infuriating. And you did everything right...

The dark secret is that there is a second port in play: the port for the RMI registry, which is, by default, generated randomly each time you start the application. Without this port, JMX cannot locate the stub required for proper remoting and fails. This makes JMX practically unusable in environments with firewalls between the monitored application and the monitoring tool.

This was fixed in JDK7u4 (and later), where you can use the following system property
-Dcom.sun.management.jmxremote.rmi.port=<rmi registry port>
to define the RMI registry port to be used. After that, the only step left is to define the port forwarding for the RMI registry port and you are done. You can access your JMX-enabled system through the firewall. Yippie!
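
A check for the failure described above, as an added example that is not part of the original post: it reads a JVM command line, reports which ports have to be forwarded, and fails when the second port is still random. The function names, the port numbers 9010/9011, the host user@monitored-host and the use of SSH local forwarding as the port-forwarding mechanism are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: find the JMX ports that must be forwarded for a JVM command line.
# Assumes the options contain no spaces or glob characters.

# jmx_prop ARGS NAME -> prints the value of -D<NAME>=<value>; returns 1 if absent.
jmx_prop() {
    for arg in $1; do
        case "$arg" in
            "-D$2="*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# jmx_forward_ports ARGS -> prints the ports to forward on one line.
# Returns 0 when both ports are fixed, 1 when the second port is still
# random, 2 when no JMX remote port is configured at all.
jmx_forward_ports() {
    port=$(jmx_prop "$1" com.sun.management.jmxremote.port) || {
        echo "com.sun.management.jmxremote.port is not set" >&2; return 2; }
    rmi=$(jmx_prop "$1" com.sun.management.jmxremote.rmi.port) || {
        echo "$port"
        echo "jmxremote.rmi.port is not set: second port changes on every start" >&2
        return 1; }
    # If both properties name the same port, list it once.
    if [ "$port" = "$rmi" ]; then echo "$port"; else echo "$port $rmi"; fi
}

# jmx_ssh_tunnel ARGS HOST -> prints an ssh command forwarding every JMX port.
# Local and remote port numbers are kept identical because the stub handed to
# the client names localhost (java.rmi.server.hostname) and the real port.
jmx_ssh_tunnel() {
    ports=$(jmx_forward_ports "$1") || return $?
    cmd="ssh -N"
    for p in $ports; do cmd="$cmd -L $p:localhost:$p"; done
    printf '%s %s\n' "$cmd" "$2"
}

# Constructed sample command line (ports and host are placeholders).
SAMPLE_ARGS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.rmi.port=9011 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=localhost"
jmx_ssh_tunnel "$SAMPLE_ARGS" user@monitored-host
```

With SSL and authentication switched off as in the flags above, forwarding over SSH means neither port has to be opened directly on the firewall.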

-JB-

