When I installed CF 2021 Ent I accepted the defaults like I normally do and set up the instances and all run just fine. BUT now I want to use performance monitoring toolset to monitor those instances from a remote machine and cannot make it work. CF is running everything on the internal server as localhost or 127.0.0.1 and since those are not reachable from a remote machine PMT will not connect to each instance. If I use the domain name assigned to the IIS site for an instance and port 8500, the result is a server 500 error.
I assume that when I installed CF I should have specified the DNS hostname for the EC2 server instead of localhost in order to make this work, but the server is in production and I cannot re-install ColdFusion.
So is there any way to edit config files for the internal web server used for admin and PMT to use the hostname of the server instead of localhost or 127.0.0.1?
Forrest, you'll be writing a book on configuring the pmt soon. Or the answers we offer here could form the start of one. 🙂 So, first there's no option during the install that configured localhost for the cf admin and builtin web server (biws). All you're asked to confirm is the choice of port, 8500 by default.
And to be clear, what you may use to get to iis doesn't relate directly to the biws, in that by default we can no longer access the CF Admin via IIS. But sure, if there's a domain name you use with IIS that resolves to the server, then a request using that WOULD be passed to the biws if you also use its port.
But what you're encountering (I suspect) is instead how the ip address FROM WHICH you can reach the admin can be limited. And you can control that in the cf admin itself, in the Security>Allowed IP Addresses page, and its SECOND section.
If you add the ip of the machine from which you want to run the pmt, does that solve it? No cf restart should be required.
Related to this, there IS in fact an option in the installer to control that/those initial ip address values. But only if you choose production+secure as the deployment type (which I'd argue is a mistake on Adobe's part, as anyone may want to set that then). But again it's not the domain name.
And actually, since cf2018 the installer now DOES have an additional screen that offers a field with the default value of the machine name. That is indeed for the sake of the pmt, and some internal config that it makes. That's discussed also in that Adobe video I referred to in another comment earlier this week, and in some doc or blog post of theirs.
But I don't think that's your issue and the info above should help. If it doesn't, there may be yet another tweak needed, if the http connector (not the ajp connector) in the cfusion/runtime/conf/server.xml may have a host value needing to be tweaked.
I'm not at my computer as I write this.
I can update things to confirm that no, by default, there's not something in the server.xml that limits access from off of localhost. I really didn't think there was, but I wanted to give you that possibility to consider if the other "Allowed IP Addresses" feature wasn't the solution. There IS indeed a defaulthost="localhost" value in the Engine element, but I can confirm that (as I suspected) I am able to access my CF admin and that BIWS from off the host and using a domain name that resolves to the IP of the machine (assuming of course that the firewall has been set to allow access to the biws port for the IP from which I'm making the test, or I am VPNed into its network.)
Let's see how you fare and then I or others can help if you're still stuck. As I've noted in other threads, the pmt is a fairly complex beast to get set up unless everything's on the same machine...which is not the way adobe recommends it be installed....or at least on the same network. It can be done. It just leads to the very issues you are hitting, and that others have.
IP addresses are already allowed in CF admin.
Yes it was in the CF2021 install where it asked for the dns hostname for PMT that I messed up and left it at the default.
A request to the server's hostname and port 8500 appears to be going to the IIS server and returning a 500 error page, but I find that strange because IIS only listens on 80 and 443, so if the request is getting to the CF internal web server then why does it return a 500 error?
The main reason my client upgraded to Enterprise was for separate instances allowing application isolation and the PMT being used to monitor instances remotely. Installing PMT and Datastore on the production CF server is not recommended and would require too many system resources so why can't I find specific instructions for using it from a remote server?
Sorry but this is getting frustrating. Do you know of anyone who has managed to set up PMT to monitor a remote instance outside of the local network?
As always I appreciate the efforts to help.
Well, that host name is indeed something you can change after the install. See the CF admin, and its pmt button/monitoring settings page. Again these things are covered more in the docs and that video is mentioned.
I appreciate your frustration. I'm just a volunteer here trying to help you. If you need more and no one else steps up to satisfy your expectations, especially from Adobe, reach out to them directly via email@example.com. That's for free install support, and this fits that I'd think.
If you somehow can't get satisfaction, the purchase of enterprise is not lost. The ability to create instances is just one of many benefits to buying enterprise, not to mention that an enterprise license covers 8 cores while Standard only covers 2.
Finally, others who found the pmt not suitable for whatever reason have generally been very satisfied with fusionreactor instead (fusion-reactor.com). No, it's not free. I help people use it every day, solving problems for hundreds of engagements per year. Only a few use the pmt, so the number of variations I see are indeed limited.
Again, perhaps others will step up for you, but in the meantime I'll keep trying.
This doesn't sound to me like a ColdFusion or PMT question. It sounds like the kind of question Server Admins have from breakfast.
ColdFusion may be installed on the "local" machine, but 127.0.0.1 is NOT the IP that the rest of the world would use to get access. On your home computer or on a computer abroad, which IP and port or domain-name do you use to gain access to the ColdFusion application? Those are the details PMT needs.
PMT is on a separate machine, which may be hosted, say, in Outer Mongolia. It should still be able to have access to the ColdFusion application. Get your Server Admin to set the necessary firewall rules in place, if necessary.
The settings that PMT needs for connecting to any ColdFusion instance are:
( https://helpx.adobe.com/coldfusion/performance-monitoring-toolset/configure-coldfusion-performance-m... )
And BKBK, I had pointed that link you offer in a reply to another thread Forrest had opened this week, which is why I'd not repeated it here. (I had hinted at that in my first reply.) But fair enough to repeat it for the sake of others. Again, I foresee a compilation of such pmt resources, in addition to a how-to on understanding and resolving such issues. Otherwise many are left "stuck in the mud", as Forrest feels here.
BKBK, it is actually more complicated than that, in that his problem is not about accessing his remote cf admin from his local machine, but about getting his local pmt to be able to monitor his remote pmt.
And while you share the fields for him to configure in the local pmt for pointing to his remote cf, he's beyond that. The points we're discussing are how that's not enough, because of the two-way nature of the setup of the pmt...and some design choices Adobe made about other aspects of storing the names of these things.
So it's a combination of the "fundamentals" of networking as you assert, but then it's also more. One needs to make sure the pmt can reach the cf instance AND that the cf instance can reach the pmt (see my first comment here).
But then if anything needs to change about the setup to make such tests of the two-way communications work, the settings are buried in various config files for the pmt and datastore (including how the pmt reaches the datastore, so really it's a 3-way comms).
As I said in my last reply to Forrest, all this works well when the 3 items (cf, pmt, and pmt datastore) are on the same machine. It can work almost as easily if they are at least in the same network. It gets harder when they are NOT.
And that's not been well-documented, though bits and pieces have been shared in other forum threads, blog posts, and videos. Even Adobe's docs on configuring the pmt (substantial though they are) don't address this 3rd scenario, and how to troubleshoot its setup. It may be up to us in the community. (And Forrest, I've been working on that, prompted by your various messages here this past week.) It is indeed a lamentable situation.
BKBK, it is actually more complicated than that, in that his problem is not about accessing his remote cf admin from his local machine,...
By @Charlie Arehart
Huh? I thought nothing about accessing the ColdFusion Administrator. My suggestion is on how to monitor a ColdFusion application remotely, using PMT that is installed elsewhere, on an arbitrary network.
OK, so that addresses my first paragraph's misinterpreting of your earlier comment. Does it diminish the rest? In the spirit of solving this issue, do you have anything to say on all else I've written, in that comment and my others?
Forrest, any update on your progress? Did anything from BKBK or me perhaps help get you any further? Any new lessons learned that you might share for the sake of others?
I contacted Adobe support at the firstname.lastname@example.org address and have been working with them to debug and resolve the issue with connecting PMT to an instance on an outside network. He spent quite some time today with me in screen share working to resolve it and finally got some error messages that he is using to work on a fix. When we do get it running I will post everything we found here for others who might have similar issues. Right now the main problem seems to be an issue with the datasource where CF is trying to use my datasource internal IP which is not reachable instead of my external IP, even though all config files specify the external IP.
I will post here when resolved hopefully soon
Yep, thanks. Though I suspect you meant to say "datastore" (as in the pmt datastore on your local machine) rather than "datasource" (a db pointer on your remote server). Just clarifying for anyone else reading this, trying to connect all the dots.
But yep, this is another facet of the 2-way communication, which has to be working right (and does seem to have ways that are more challenging when the two are remote to each other, not in the same network). Whatever you may document should be a real help.
And I wonder if it will be that you need to run the datastore.bat (in the pmt datastore/bin folder) or .sh (on Linux/macos), which allows you to name the way it should be exposed.
OK here is the update and the fix that worked for me. Vikram at Adobe support was very helpful and tried hard to find a resolution. In the process of both of us testing connections from PMT running on one network and a CF instance running on another network (AWS EC2) I finally came up with a solution that worked for me.
First make sure all the ports needed are opened both ways as others have instructed.
Some background: On the CF server the PMT datastore had been set to my PMT server's external IP address.
On the PMT server the datastore service would only start up when I set the network.host setting in the elasticsearch.yml config file to my PMT server's INTERNAL IP address. So the CF machine was told to use the external IP reachable from one network to the other, but the PMT datasource running on my server in the office was bound to the internal IP address.
When trying to connect to a remote CF instance from PMT it would fail with a 500 page error showing as the content in the little error icon mouseover. Logs for PMT did not show anything.
Checking logs on the CF instance that I tried to connect to I found a ton of errors like this in the coldfusion-error.log,
even though the connection failed it starts some elasticsearch sniffer process on the CF server that was trying to connect to my internal datastore IP instead of the external one configured in coldfusion. Even worse these did not stop filling the logs until I shut down both my local PMT service and the datastore and restarted the CF instance!
Jul 19, 2021 4:43:39 PM org.elasticsearch.client.sniff.Sniffer error
SEVERE: error while sniffing nodes
java.net.ConnectException: Timeout connecting to [/192.168.254.71:9250]
So I knew the issue was on the PMT side which was bound to my internal IP. So that is what it was telling the CF server to use for the datastore. And Datastore would not start if bound to my external IP.
We tried all kinds of things and today I discovered that the Elasticsearch datastore can bind to multiple hosts/ips AND it can use a different host/ip for incoming and outgoing traffic.
So, after stopping both the datastore and the PMT service on my office server, in my elasticsearch.yml file in the datastore/config folder where you installed PMT file I did these things:
Comment out with a # as the first character the entries for these items if they are in your file:
Then below those add two new entries, replacing the values in <> brackets with your IPs or hosts:
network.bind_host: <Your Internal IP or host name>
network.publish_host: <Your External IP or host name>
Save your changes, then restart the datasource service and the PMT service.
If you had already tried to connect PMT to a remote CF instance and have not restarted that instance since the failure, do that first. Then try to connect PMT to your remote instance.
For me this worked first try after trying without success for days ... I hope someone else finds it helpful.
Thanks to Vikram at Adobe for all the effort he put in as well!
Now that I have PMT running and connecting to remote instances, I see a couple other issues I don't understand. Should I create a new post or add to this one?
Yes, I think a new post is preferable.
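Why the bind/publish fix described in this thread works, as an added example that is not part of the original posts or Adobe's code: an Elasticsearch node advertises its publish address to clients, and the sniffer connects to whatever address is advertised, so this sketch resolves the effective bind and publish hosts from an elasticsearch.yml and reports whether a client on another network could route to the advertised one. The sample configs and the 203.0.113.10 external address are constructed, and the parser is an assumption that handles only flat `key: value` lines.

```python
import ipaddress

# Ranges a client on another network cannot route to (RFC 1918, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed samples. 192.168.254.71 is the internal address from the log in the thread;
# 203.0.113.10 is a documentation-range stand-in for the external address.
BEFORE = """
network.host: 192.168.254.71
"""
AFTER = """
#network.host: 192.168.254.71
network.bind_host: 192.168.254.71
network.publish_host: 203.0.113.10
"""

def parse_flat_yaml(text):
    """Read top-level 'key: value' lines, skipping comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def effective_hosts(settings):
    """network.host is the default for both values; the specific keys override it."""
    default = settings.get("network.host", "127.0.0.1")  # Elasticsearch defaults to loopback
    return (settings.get("network.bind_host", default),
            settings.get("network.publish_host", default))

def routable_from_remote(host):
    """True or False for an IP literal; None for a host name (not resolved here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return not any(addr in net for net in NON_ROUTABLE)

def audit(text):
    """Report what the node listens on and what address it advertises to clients."""
    bind, publish = effective_hosts(parse_flat_yaml(text))
    return {"bind": bind, "publish": publish,
            "remote_clients_can_connect": routable_from_remote(publish)}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```

Once the publish address is externally routable, the firewall rule for the datastore port should admit only the CF server's address rather than any source.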