I have recently been working on a SharePoint 2010 to 2013 migration project, and even though this might not be related to migration as such, we stumbled upon an issue which took forever to resolve. Before I dive into the issue, let me explain the background and give you a rundown of what was happening.
As part of the migration, we were moving an existing application from a fairly open data center to a location where everything is locked down. When we did the move, we found that another farm, which was consuming the Managed Metadata service, was no longer able to do so. This was expected, and we knew we had to open up firewalls, but which firewalls? Internally, SharePoint uses the Topology Service to expose all of its service application endpoints as published services. So what we ended up doing was opening the firewall between the two servers to allow traffic over ports 32844 and 32843. (Prior to this we also had to set up the trust and everything else required to publish Managed Metadata across farms. More can be found in this article.)
Ideally this should have worked, and in a way it did. When we tried to connect to our farm from the external farm, we were able to see all the services and even add them. However, that was all we could do; we couldn't consume the services. After reviewing the logs we found this error:
Microsoft.SharePoint.SPException: Addresses for this application have not yet been fetched.
After changing our logging to verbose, we found that SharePoint was trying to connect not only to the application server where the service was hosted, but also to the other servers in the farm. Why, even though the service instance was stopped on them? To date I haven't been able to figure that out. However, I learned that SharePoint internally does its own load balancing of the Topology Service endpoints, and since we hadn't opened up the entire farm to each other, we were getting the error because it couldn't reach the other servers via their URLs. (More details about load balancing can be found here.)
So after opening up the ports between all the servers in the farm, we were able to consume the Managed Metadata Service as well as view it from the other farm. Opening just the ports to the app server isn't sufficient, because of SharePoint's internal load balancing feature, which I know is done with the right intentions: we want the service to be highly available. However, we missed this one small thing, and it cost us a lot of pain and time. As a side note, we even tried to spoof this by creating entries in DNS so that all the server URLs pointed to one IP, that of the server to which the port was open. This didn't help, because the SSL certificate for some reason got mixed up and we got errors related to SSL/TLS trust at the WCF level. So we can conclude that there is no option but to open up the firewalls for the entire farm. If there are other ways to get around this, I would surely like to know; feel free to drop me a line and we can hook up.
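The lesson above is that the consuming farm must be able to reach the Topology Service ports (32843 and 32844) on every server of the publishing farm, not just the one running the Managed Metadata service instance. The following PowerShell script, which I am adding here as an example and which is not part of the original post or of SharePoint itself, is a quick way to check that from a server in the consuming farm before you open a ticket with the network team. The server names in it are placeholders; replace them with the publishing farm's servers (Get-SPServer run on that farm lists them).

```powershell
# Added example, not from the original post: from a server in the CONSUMING farm,
# verify that the SharePoint Web Services ports used by the Topology Service are
# reachable on EVERY server of the PUBLISHING farm, not only on the app server
# that hosts the Managed Metadata service instance.
# $PublishingFarmServers holds constructed placeholder names; substitute your own.

$PublishingFarmServers = @('PUB-APP01', 'PUB-WFE01', 'PUB-WFE02')   # placeholders
$TopologyPorts = @(32843, 32844)   # SharePoint Web Services: HTTP (32843) and HTTPS (32844)

# Probe each server/port combination with a plain TCP connect.
$results = foreach ($server in $PublishingFarmServers) {
    foreach ($port in $TopologyPorts) {
        $probe = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server    = $server
            Port      = $port
            Reachable = $probe.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Any blocked pair is a candidate cause of
# "Addresses for this application have not yet been fetched" on the consuming farm,
# because the Topology Service load balances across all of these endpoints.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning 'Topology Service traffic is blocked to the following endpoints:'
    $blocked | ForEach-Object { Write-Warning ('  {0}:{1}' -f $_.Server, $_.Port) }
} else {
    Write-Host 'All Topology Service ports are reachable on every server of the publishing farm.'
}
```

Run it from the consuming farm's server(s) with an account that can resolve the publishing farm's host names; a TcpTestSucceeded of False for any server/port pair means that server's firewall (or one in between) still needs a rule allowing TCP 32843 and 32844 from the consuming farm. Keep the rule scoped to the consuming farm's addresses rather than opening those ports to everyone.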