December 3, 2009
Answered

Concerning Origin/Edge Setup


Hello, I'm quite new to Adobe Flash Media Server and have been reading through the administration guide.

After reading through the origin/edge information here:

http://livedocs.adobe.com/fms/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00000130.html

I ran into a few questions.

1. It says the edge servers basically act as a 'proxy' which gets all incoming connections and directs them to the origin server.

But I read here:

http://livedocs.adobe.com/fms/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00000130.html

that the edge server basically just uses 1 connection to the origin and directs that to all users connecting. I'm a former SHOUTcast/Icecast user and this terminology is a bit different. Origin/Edge setup is basically relaying, correct? An edge server relays a stream from the origin server and directs that to everyone else, correct?

Therefore I could have a relatively weak and low bandwidth origin server and have 3 edge servers connect to the origin and have about 100 users connect to each of the 3 edge servers?

2. This is the question I'm most concerned about. Currently I have swf and HTML domain restriction for my application on the origin server. If I set up an edge server it will abide by the security (html and swf domain restriction) set on the origin server correct? Or would I have to reenter the domains in those 2 files on the edge server?

3. When I have completely set up my origin/edge servers, will users still be able to connect to the origin? Or will they only have access to the edge?

4. Is there a way to limit the number of users connected to a certain server and after it maxes it out, every future connection is then routed to another edge server?

Hope to hear from you guys.

Thank you!

    Asa_-_FMS
    Adobe Employee
    Correct answer
    December 6, 2009

    It's not that we don't know, it's that we haven't gotten here yet.

    1. Edge/Origin does a lot of things. It's neither a simple proxy nor a complete solution. The edge tries to shoulder as much load for the Origin server as possible; consequently it handles VOD delivery locally if the media is cached, distributes live streams by pulling only once but redistributing, and it multiplexes all incoming connections to the edge over one (actually two but that's a minor detail) toward the origin per application being remote handled. Origin must handle all the scripting, is the authority on content, and point of recording or meet at the top in live topologies. Should you have a weak origin? Probably not, as it is going to have to back fill media content; especially at the beginning when caches are empty this is costly. If you run script it gets to process script for ALL clients including those on edges so that can be costly - does it need to be a super machine? Probably not - when caches are running properly then you should see limited load on the origin etc.

    2.  Edge server has its own independent domain restrictions.  They're not communicated from origin to edge.  This allows you to create an origin setup where it only accepts from edges or other machines on your domain and you can target other domains per edge server.  So, if you want them all to honor those settings you'll want to change it on all configurations.

    3. An origin server can still handle direct traffic with or without subscribing edges. I'd make sure that you're up to date with the most recent version of FMS, especially 3.5.3 when it comes out, as we fixed a few bugs in our DVR implementation in this area. Nothing catastrophic, just want to make sure you have the build that works the best and we're aware of fixed issues when heavily loading both edge based and local based traffic (especially in a 3 tier network or more, but you're not there).

    4.  You can write logic like this in an access adaptor - in fact that's exactly what it's designed for.  It has the connections counts for the server and the redirect command at your disposal - so write whatever logic there you please.

    Asa

    phpfaizan (Author)
    Participating Frequently
    December 6, 2009

    Thank you for the reply and I apologize for my impatience.

    Judging by your #2 answer, does that mean that anyone can just set up their server as an edge and basically capture my stream?

    All I have done is install FMS 3.5 and enter my domain into the swf domain restriction file and the html domain restriction file.

    Could you please elaborate?

    Thank you.

    Asa_-_FMS
    Adobe Employee
    December 6, 2009

    Given your configuration - yes, that exploit is possible. However, there are numerous ways to deal with it:

    1. Only allow direct connections to your network at the edge level and activate SWF Verification for each of them. This is easily the most common, as another FMS isn't capable of performing SWF Verification and most origins are guarded.

    2. Use domain level allow/deny as configured in FMS' Adaptor.xml files to make sure that you've composed a whitelist as you so desire for connections.

    3. Barring all that you can also go the original way. Back when this was first discovered working on edge/origin we included this configuration that you'll need to add to VHost.xml: Under the <VirtualHost> tag add <AllowGroupConnections>false</AllowGroupConnections> at the edges that are exposed to the public traffic and then create a whitelist for your origin. That will ensure that it's not possible.

    Asa
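
An added example, not part of the original thread and not Adobe's code: a Python check for mitigations 2 and 3 in the reply above, run over constructed config snippets. The <AllowGroupConnections> element is as given in the reply; the <Allow> element name in Adaptor.xml, the hostnames and the function names are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, trimmed to the relevant elements.
# Hostnames are placeholders, not values from the thread.
EDGE_DEFAULT = "<VirtualHost><!-- other settings omitted --></VirtualHost>"
EDGE_HARDENED = ("<VirtualHost>"
                 "<AllowGroupConnections>false</AllowGroupConnections>"
                 "</VirtualHost>")
ORIGIN_OPEN = "<Adaptor><Allow>all</Allow></Adaptor>"
ORIGIN_LOCKED = ("<Adaptor><Allow>edge1.example.com, edge2.example.com"
                 "</Allow></Adaptor>")
ORIGIN_DRIFTED = ("<Adaptor><Allow>edge1.example.com, rogue.example.net"
                  "</Allow></Adaptor>")
TRUSTED_EDGES = {"edge1.example.com", "edge2.example.com"}


def audit_public_edge(vhost_xml):
    """Findings for the VHost.xml of an edge exposed to public traffic."""
    node = ET.fromstring(vhost_xml).find(".//AllowGroupConnections")
    value = (node.text or "").strip().lower() if node is not None else "not set"
    if value == "false":
        return []
    return ["AllowGroupConnections is %r; expected 'false'" % value]


def audit_origin_allow(adaptor_xml, trusted_edges):
    """Compare the origin's Allow list (assumed comma-separated) to known edges."""
    text = ET.fromstring(adaptor_xml).findtext(".//Allow") or ""
    allowed = {h.strip().lower() for h in text.split(",") if h.strip()}
    # This audit treats an empty list or "all" as "no whitelist composed".
    if not allowed or "all" in allowed:
        return ["Allow is not an explicit whitelist: %r" % text.strip()]
    findings = []
    for host in sorted(allowed - trusted_edges):
        findings.append("unexpected host in Allow: " + host)
    for host in sorted(trusted_edges - allowed):
        findings.append("edge missing from Allow: " + host)
    return findings


if __name__ == "__main__":
    for name, xml in [("default", EDGE_DEFAULT), ("hardened", EDGE_HARDENED)]:
        print("edge", name, audit_public_edge(xml))
    for name, xml in [("open", ORIGIN_OPEN), ("locked", ORIGIN_LOCKED),
                      ("drifted", ORIGIN_DRIFTED)]:
        print("origin", name, audit_origin_allow(xml, TRUSTED_EDGES))
```

Because the edge and origin restrictions are independent, as answer 2 notes, the check has to be run against every server's own configuration files.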

    phpfaizan (Author)
    Participating Frequently
    December 6, 2009

    Bump..guys 3 days and no one knows the answer to any of these questions?