The Pleasant and Pliable Proxy Panacea

Version 8.0

Background

Tim owns a small VFX company with his brother, Jim. Jim lives in Germany and Tim lives in Los Angeles. Instead of owning their own hardware to support their render farm, they host virtual instances on their favorite cloud provider. Because they are so far apart, they’ve decided to host some instances between them in the Eastern region of North America.

Tim and Jim would like to be able to use their personal computers to monitor their render farm. However, they don’t have much experience setting up a network with “Virtual Private Network” (VPN) access, which was a requirement prior to Deadline 8. This is because the Deadline client applications (like the Deadline Monitor) normally require direct access to the Repository (which is just a file share) and the Database. Without a VPN, that would mean exposing the Repository and Database over the public Internet, which simply isn’t an option.

Performance is also a concern, due to the distance between them and their render farm. It’s almost like they need something that sits between them and their render farm to provide security and improve the overall experience. Some sort of “proxy”-like system...

Introducing the Deadline Proxy Server!

Well, that’s convenient! Deadline 8 has introduced a new Proxy Server application that is meant to solve the two problems that Tim and Jim are running into. It removes the requirement of a VPN, and it also helps improve performance over high-latency network connections.

In order to optimize their workflow, they decide to set up the new Proxy Server in their cloud render farm.

How Does the Proxy Server Work?

The Proxy Server functions very similarly to other Deadline client applications in that it connects directly to the Repository and Database. However, once a Proxy Server is running, the other Deadline client applications can connect to it instead of connecting directly to the Repository and Database. An HTTP connection is used between the client applications and the Proxy Server, which is much more tolerant of network latency, and helps improve performance in these remote situations.

In addition, a web server like Nginx or Apache can be set up “in front” of the Proxy Server to provide security. With the web server in place, a VPN is no longer required because the client applications are no longer connecting directly to the Repository and Database. More on security a bit later!

Installing and Running the Proxy Server

The Proxy Server is included in the Deadline Client installation, and therefore installs with all of the client applications such as the Monitor, Slave, etc. Tim and Jim sigh in relief because they already have experience running the Client installer, so they simply set up a new instance in their cloud render farm, and run the Client installer on it.

After the installation finishes, they open Windows Explorer and navigate to the Deadline 8 bin folder. Since they are on a Windows instance, they were able to find it in its default location at C:\Program Files\Thinkbox\Deadline8\bin. In this folder, they see the deadlineproxyserver.exe executable. After reviewing the documentation on how to start the Proxy Server, they double-click the executable.

However, instead of it starting successfully, they get this error:

HTTP could not register URL http://+:8080/db/balancers/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).

This is nothing to panic about! Since they aren’t logged in as an Administrator on this Windows instance, they need to register a “urlacl” before the Proxy Application will run properly. This can be done by following these instructions:

  1. Run a command prompt as administrator:

    • Click Start, click All Programs, and then click Accessories.
    • Right-click Command prompt, and then click Run as administrator.
    • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Enter the following command. (Note that if you are following along, the user “tim” in the command should be swapped out for your account’s user name.)

    netsh http add urlacl url=http://+:8080/ user=tim
    
  3. You should get the message “URL reservation successfully added” if everything was successful. This means you can now run the Proxy Server without administrator privileges.

After Tim and Jim added the “urlacl”, they double-clicked the deadlineproxyserver.exe executable again, and this time it worked! The Proxy Server is now running.

Now What?

In order to connect their Deadline Monitors to their cloud render farm, Tim and Jim need to know the public IP address of the machine running their Proxy Server. This is different from an “internal” IP address which usually looks something like 192.168.1.1 or 10.0.0.1. To find this information, they sign into their cloud provider account and locate the “Virtual Machine” (VM) instance running the Proxy Server. In addition, it is necessary that the machine hosting the Proxy Server allow incoming “HTTP” traffic on port “8080” (the default listening port, which can be configured via Repository Options in the Deadline Monitor). This allows Deadline client applications to communicate with it.

Once Tim and Jim know their Proxy Server’s IP address, they can connect their Deadline Monitors installed on their home computers to the cloud render farm. To do this, they select the “Change Repository” icon in the Deadline Monitor. In the “Select Repository” dialog, after selecting “Use Proxy”, they enter the IP address of the Proxy Server in the Proxy Server field, and the default listening port 8080 for the Port field.

And that’s it! Tim and Jim can now monitor and manage their cloud render farm from their home computers through their Deadline Monitors!

The only difference with Tim and Jim’s configuration is that their Deadline client applications at home are not actually connecting directly to the Repository and Database. Instead, they are connecting to the Deadline Proxy Server in their cloud render farm which is facilitating communication.

What About Security?

With the current setup, Tim and Jim are concerned about security, since the information they are pulling down from the cloud render farm is being sent over the public Internet. This is sensitive information, and the last thing they want is for it to be intercepted and read by unauthorized users.

Lucky for them, the communication with the Proxy Server uses HTTP, which means that any standard web server (like Nginx or Apache) can be set up to provide the security layer they require. The steps for this are fairly technical, but there is ample documentation on Proxy Configuration that covers how to install and configure different web servers. It also covers how to generate the SSL Certificates, which are required to ensure authorized access to the Proxy Server.

After Tim and Jim finish setting up the web server and generating the SSL certificate, they simply go back to the Change Repository option in the Deadline Monitor to enter in the IP Address and the Port for the web server (instead of the Proxy Server). They also enter in the path to their SSL certificate, which they copied locally to their machines. Now they can sleep soundly knowing that all their data is safe and sound.

One caveat that may cause confusion if not mentioned: the Proxy Server itself doesn’t support SSL, and will not be able to understand an “SSL encrypted” message. Therefore, the SSL certificate can only be specified when connecting to a web server.

Are There Other Benefits to Proxying?

Of course! While one of the biggest workflow improvements is accessibility, it isn’t the only problem that is addressed.

Let’s fast forward to a time where Tim and Jim’s company has grown, and they now have large offices in each location with dedicated on-premise render farms. They now have a full time IT team, who set up a VPN connection between the offices for direct access. However, they still have to deal with a high-latency connection between them, so directly connecting to each other’s render farms can still be slow. In this case, they can set up the Proxy Server in each on-premise render farm that a remote user can use to connect to it. Since they are using a VPN, there is no need to set up a web server for security, yet they can still enjoy the performance benefits of the Proxy Server.

In addition, if they ever get to a point where they need load balancing between the Deadline client applications and the Proxy Server, they can choose to set up an Nginx web server and take advantage of its load balancing capabilities!
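A minimal Nginx configuration for the setup described under “What About Security?” and for the load-balancing option above, given as an added example rather than something taken from the Deadline documentation. The addresses, host name and file paths are placeholders, and authorizing clients by certificate (mutual TLS) is an assumption about how access is restricted.

```nginx
# Added example: Nginx terminates SSL/TLS and forwards plain HTTP to the
# Deadline Proxy Server, which cannot speak SSL itself.
# All addresses, names and paths below are placeholders.

upstream deadline_proxy {
    # Proxy Server on its default listening port 8080 (plain HTTP).
    server 10.0.0.11:8080;        # constructed private address
    # Listing a second Proxy Server here makes Nginx balance load across both.
    # server 10.0.0.12:8080;      # constructed private address
}

server {
    listen 443 ssl;
    server_name farm.example.com;                    # placeholder host name

    # Certificate and key that identify the web server to the clients.
    ssl_certificate     /etc/nginx/ssl/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/server.key;   # placeholder path

    # Assumption: only clients presenting a certificate signed by this CA
    # are allowed through to the Proxy Server.
    ssl_client_certificate /etc/nginx/ssl/ca.crt;    # placeholder path
    ssl_verify_client      on;

    location / {
        # Everything past this point is unencrypted HTTP, so it should
        # stay on the private network between Nginx and the Proxy Server.
        proxy_pass http://deadline_proxy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With the web server in front, port 8080 only needs to accept connections from the web server itself, so the inbound rule for 8080 can be narrowed to that source and only port 443 left reachable from the Internet.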

Wrap It Up

The Deadline Proxy Server provides a really easy way to get set up with a cloud render farm, or any distributed render farm (multiple components in different locations). In cases where VPN access is difficult or impossible, the Proxy Server provides a solution. By utilizing an Nginx server, Deadline users can customize their configuration for security and scalability (load balancing across multiple Proxy Servers). It’s safe to say that the Deadline Proxy Server gives Deadline users a lot more flexibility in customizing their render farm configurations, and it doesn’t come at the cost of usability.

Check out the Proxy Server and Proxy Configuration documentation for more information.