EPiServer UDP remote events in secure environments

In a production environment, network access between servers is usually restricted to the minimum the solution needs in order to operate.

In an enterprise scenario it is common to find a setup with multiple load-balanced servers serving public users and a separate publishing environment for web editors. These environments usually follow a "deny all" approach, where every access has to be explicitly permitted.

[Diagram: EPiServer enterprise setup, one publishing instance and two load-balanced public web servers; the addresses used below are taken from it]

EPiServer by default uses UDP multicast to transmit event messages (e.g. cache invalidation when a page is published) between the servers. When the servers sit in different networks, multicast traffic is normally not forwarded between them, and every communication path has to be explicitly defined and authorised.

The easiest solution is to allow UDP multicast on port 5000 between the networks, but if that is not possible then the servers need to be configured for UDP unicast, where each server addresses its peers directly.

This can be achieved by modifying the following sections in each server's web.config, using the addresses from the example diagram above:

Publishing instance (172.20.10.1)

<system.serviceModel>
  <!-- one client endpoint per server that must receive this server's events -->
  <client>
    <endpoint name="SiteName-public-web-1"
        address="soap.udp://192.168.100.1:5000/RemoteEventService"
        binding="customBinding"
        bindingConfiguration="RemoteEventsBinding"
        contract="EPiServer.Events.ServiceModel.IEventReplication" />
    <endpoint name="SiteName-public-web-2"
        address="soap.udp://192.168.100.2:5000/RemoteEventService"
        binding="customBinding"
        bindingConfiguration="RemoteEventsBinding"
        contract="EPiServer.Events.ServiceModel.IEventReplication" />
  </client>
  <bindings>
    <customBinding>
      <binding name="RemoteEventsBinding">
        <binaryMessageEncoding />
        <!-- multicast="false" switches the transport to unicast -->
        <udpTransport multicast="false" />
      </binding>
    </customBinding>
  </bindings>
  <services>
    <!-- the service endpoint listens on this server's own address -->
    <service name="EPiServer.Events.Remote.EventReplication"
        behaviorConfiguration="DebugServiceBehaviour">
      <endpoint name="RemoteEventServiceEndPoint"
          address="soap.udp://172.20.10.1:5000/RemoteEventService"
          binding="customBinding"
          bindingConfiguration="RemoteEventsBinding"
          contract="EPiServer.Events.ServiceModel.IEventReplication" />
    </service>
  </services>
</system.serviceModel>

Public web 1 (192.168.100.1)

<system.serviceModel>
  <!-- no client endpoints: this server only receives events -->
  <client />
  <bindings>
    <customBinding>
      <binding name="RemoteEventsBinding">
        <binaryMessageEncoding />
        <udpTransport multicast="false" />
      </binding>
    </customBinding>
  </bindings>
  <services>
    <service name="EPiServer.Events.Remote.EventReplication"
        behaviorConfiguration="DebugServiceBehaviour">
      <endpoint name="RemoteEventServiceEndPoint"
          address="soap.udp://192.168.100.1:5000/RemoteEventService"
          binding="customBinding"
          bindingConfiguration="RemoteEventsBinding"
          contract="EPiServer.Events.ServiceModel.IEventReplication" />
    </service>
  </services>
</system.serviceModel>

Public web 2 (192.168.100.2)

<system.serviceModel>
  <!-- no client endpoints: this server only receives events -->
  <client />
  <bindings>
    <customBinding>
      <binding name="RemoteEventsBinding">
        <binaryMessageEncoding />
        <udpTransport multicast="false" />
      </binding>
    </customBinding>
  </bindings>
  <services>
    <service name="EPiServer.Events.Remote.EventReplication"
        behaviorConfiguration="DebugServiceBehaviour">
      <endpoint name="RemoteEventServiceEndPoint"
          address="soap.udp://192.168.100.2:5000/RemoteEventService"
          binding="customBinding"
          bindingConfiguration="RemoteEventsBinding"
          contract="EPiServer.Events.ServiceModel.IEventReplication" />
    </service>
  </services>
</system.serviceModel>

After applying these settings, remote events between the servers run over UDP unicast instead of multicast. Two things are worth checking before calling it done. First, the public web servers have an empty <client /> section, so they only receive events from the publishing instance and never send any; if events are also raised on those servers, they need their own client endpoints pointing at the other servers. Second, behaviorConfiguration="DebugServiceBehaviour" refers to a service behaviour that has to be defined in the <behaviors> section, which is not shown above; check what that behaviour enables before using it in production, since a WCF behaviour with serviceDebug includeExceptionDetailInFaults="true" returns exception details to whoever can reach the endpoint.

There is one final thing to do: explicitly open the firewall ports between the servers. The binding above carries no authentication, so these rules are what decides who can send events to a server. The source is the publishing instance's address from the configuration above, and only this direction is needed, because the public web servers have no client endpoints and therefore never send events back:

source          destination     protocol  port
172.20.10.1     192.168.100.1   UDP       5000
172.20.10.1     192.168.100.2   UDP       5000
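The firewall allow-list follows directly from the client endpoints, and the unicast setup only works when every client endpoint has a matching service endpoint on the target server. The script below, an added example rather than code from the original post or from EPiServer, parses <system.serviceModel> fragments shaped like the three above, reports settings that would break unicast delivery (multicast left on, a service endpoint bound to the wrong address, a client endpoint with no listener, a behaviour referenced but not defined in the fragment) and derives the firewall rules. The three sample fragments are constructed to mirror the post's snippets; the function names are this example's own.

```python
"""Consistency check for EPiServer unicast remote-event configuration.

Added example, not code from the original post or from EPiServer. Parses
<system.serviceModel> fragments, flags settings that break unicast event
delivery, and derives the firewall allow-list (one UDP rule per client endpoint).
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SERVICE_NAME = "EPiServer.Events.Remote.EventReplication"
CONTRACT = "EPiServer.Events.ServiceModel.IEventReplication"


def _endpoint(url):
    """'soap.udp://192.168.100.1:5000/RemoteEventService' -> ('192.168.100.1', 5000)."""
    u = urlsplit(url)
    if u.scheme != "soap.udp" or not u.hostname or u.port is None:
        raise ValueError(f"not a soap.udp host:port endpoint: {url}")
    return u.hostname, u.port


def parse_fragment(xml_text):
    """Extract the pieces of <system.serviceModel> that remote events depend on."""
    root = ET.fromstring(xml_text.strip())
    service, behavior_ref = None, None
    for svc in root.iter("service"):
        if svc.get("name") == SERVICE_NAME:
            behavior_ref = svc.get("behaviorConfiguration")
            for ep in svc.findall("endpoint"):
                service = _endpoint(ep.get("address"))
    client = root.find("client")  # element truthiness depends on children, so test for None
    clients = [] if client is None else [
        (ep.get("name"), ep.get("contract")) + _endpoint(ep.get("address"))
        for ep in client.findall("endpoint")]
    return {"multicast": {t.get("multicast", "true").lower() for t in root.iter("udpTransport")},
            "service": service, "clients": clients, "behavior_ref": behavior_ref,
            "behaviors": {b.get("name") for b in root.iter("behavior")}}


def check_topology(configs):
    """configs maps server IP -> web.config fragment. Returns a list of findings;
    empty means every client endpoint has a listener and nothing is still multicast."""
    parsed = {ip: parse_fragment(x) for ip, x in configs.items()}
    listeners = {p["service"] for p in parsed.values() if p["service"]}
    findings = []
    for ip, p in parsed.items():
        if p["multicast"] != {"false"}:
            findings.append(f'{ip}: udpTransport is not multicast="false"')
        if p["service"] is None:
            findings.append(f"{ip}: no service endpoint for {SERVICE_NAME}")
        elif p["service"][0] != ip:
            findings.append(f"{ip}: service endpoint is bound to {p['service'][0]}, not this server")
        if p["behavior_ref"] and p["behavior_ref"] not in p["behaviors"]:
            findings.append(f"{ip}: behaviorConfiguration {p['behavior_ref']!r} is not defined here")
        for name, contract, host, port in p["clients"]:
            if contract != CONTRACT:
                findings.append(f"{ip}: client endpoint {name} uses contract {contract}")
            if (host, port) not in listeners:
                findings.append(f"{ip}: client endpoint {name} targets {host}:{port}, which nothing listens on")
    return findings


def firewall_rules(configs):
    """One (source, destination, protocol, port) row per client endpoint: that is
    all the traffic unicast remote events need, so it is the allow-list."""
    return sorted((ip, host, "UDP", port)
                  for ip, x in configs.items()
                  for _name, _contract, host, port in parse_fragment(x)["clients"])


# --- constructed sample, mirroring the post's three fragments (not real configs) ---
def fragment(own_ip, peers):
    clients = "".join(
        f'<endpoint name="SiteName-{n}" address="soap.udp://{h}:5000/RemoteEventService" '
        f'binding="customBinding" bindingConfiguration="RemoteEventsBinding" contract="{CONTRACT}"/>'
        for n, h in peers)
    return f"""<system.serviceModel>
  <client>{clients}</client>
  <bindings><customBinding><binding name="RemoteEventsBinding">
    <binaryMessageEncoding/><udpTransport multicast="false"/>
  </binding></customBinding></bindings>
  <services><service name="{SERVICE_NAME}" behaviorConfiguration="DebugServiceBehaviour">
    <endpoint name="RemoteEventServiceEndPoint" contract="{CONTRACT}" binding="customBinding"
      bindingConfiguration="RemoteEventsBinding" address="soap.udp://{own_ip}:5000/RemoteEventService"/>
  </service></services>
</system.serviceModel>"""


SAMPLE = {
    "172.20.10.1": fragment("172.20.10.1", [("public-web-1", "192.168.100.1"),
                                            ("public-web-2", "192.168.100.2")]),
    "192.168.100.1": fragment("192.168.100.1", []),
    "192.168.100.2": fragment("192.168.100.2", []),
}

if __name__ == "__main__":
    for f in check_topology(SAMPLE):
        print("finding:", f)
    for src, dst, proto, port in firewall_rules(SAMPLE):
        print(f"{src:<16}{dst:<16}{proto}  {port}")
```

Run against the sample, the only findings are the three servers referencing DebugServiceBehaviour without defining it in the fragment, and the derived rules are exactly the two rows of the table above. Flip one public web server back to multicast="true", or point a client endpoint at an address no server listens on, and the check names the offending server and endpoint.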

All done!