JMX and firewalls

You just deployed your Java web application to production and everything is working - great! And as you always follow best practices, you included some meaningful metrics via JMX beans. You tested them locally and in test stage. But production servers have an extra firewall which prevents you from accessing any port except your web application's HTTP(S) port! What to do now?

You ask the firewall guy to give you access to the JMX port (you know which one it is because you defined it using the -Dcom.sun.management.jmxremote.port=... parameter). He does it and you try to connect... timeout! Why that?

So you search the internet and find out that the JVM dynamically and randomly chooses which port to use for the second necessary connection. You imagine asking the firewall guy to open the ports 40000 to 60000 and quickly search some more. There has to be something else...

And there is (if you use a recent version of Java)! Consider the option -Dcom.sun.management.jmxremote.rmi.port=... which exists since Java 7u4. You can even set it to the same port as -Dcom.sun.management.jmxremote.port=..., thus only one port has to be opened.

Great, huh?

Reference: http://hirt.se/blog/?p=289