Running VisualVM through an ssh tunnel with SOCKS

Migrated post from http://labs.skiinfo.com in 2009:

VisualVM was included for the first time with JDK 6u07, and is improving with every release.

For our production environment there is one huge show stopper: it doesn’t work very well through firewalls. RMI allocates a random port number, which is impractical when we want to tunnel the traffic with SSH. One possibility is to use WideCap, tsocks or a similar proxifier, but we were really looking for a cleaner solution.

With a combination of a SOCKS proxy (like PuTTY or OpenSSH!) and some system properties set on startup, we can traverse the firewalls!

Run “ssh -D 9696 your.production.internal.com” and you’ll have a SOCKS server on localhost (or add a dynamic tunnel in PuTTY). This way you can tunnel jstat traffic with a command like this:
jstat -gcutil -J-DsocksProxyHost=localhost -J-DsocksProxyPort=9696 25883@cluster1.internal.com

Unfortunately, VisualVM does not honour the system properties that set a global SOCKS proxy. However, VisualVM is based on NetBeans, and in the sources we find that NetBeans has more advanced proxy support, letting you select between HTTP proxies and SOCKS proxies.

We finally managed to run VisualVM over SSH with the following command line:
visualvm.exe -J-Dnetbeans.system_socks_proxy=localhost:9696 -J-Djava.net.useSystemProxies=true
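
The steps above combined into one wrapper, as an added example that is not part of the original post. It assumes OpenSSH on the client, `jstat` and a launcher named `visualvm` on PATH, and a control-socket path chosen here; it writes `127.0.0.1` instead of `localhost` so the SOCKS listener and the JVM properties name the same loopback address.

```sh
#!/bin/sh
# Added example (not from the original post). Gateway host, launcher names on
# PATH and the control-socket path are assumptions.
set -u

SOCKS_HOST=127.0.0.1   # loopback only, so other machines cannot use the proxy
SOCKS_PORT=9696        # port used in the post
CTL="${HOME:-/tmp}/.visualvm-socks.ctl"   # assumed ssh control-socket path

# ssh arguments, one per line: background master (-f -M -S), no remote
# command (-N), abort if the SOCKS listener cannot be bound.
ssh_args() {   # $1 = gateway host
  printf '%s\n' -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
    -D "${SOCKS_HOST}:${SOCKS_PORT}" "$1"
}

# Flags for JDK tools such as jstat: the standard java.net SOCKS properties.
jdk_tool_flags() {
  printf '%s\n' "-J-DsocksProxyHost=${SOCKS_HOST}" \
    "-J-DsocksProxyPort=${SOCKS_PORT}"
}

# Flags for VisualVM: the NetBeans proxy properties quoted in the post.
visualvm_flags() {
  printf '%s\n' "-J-Dnetbeans.system_socks_proxy=${SOCKS_HOST}:${SOCKS_PORT}" \
    "-J-Djava.net.useSystemProxies=true"
}

# Unquoted $(...) is deliberate: each printed line becomes one argument.
open_tunnel()  { ssh $(ssh_args "$1"); }
close_tunnel() { ssh -S "$CTL" -O exit "$1" 2>/dev/null; }

main() {   # usage: visualvm-tunnel.sh GATEWAY PID@TARGET
  gateway=$1
  target=$2
  open_tunnel "$gateway" || { echo "could not open SOCKS tunnel" >&2; return 1; }
  trap 'close_tunnel "$gateway"' EXIT   # always tear the tunnel down
  jstat -gcutil $(jdk_tool_flags) "$target"
  visualvm $(visualvm_flags)
}

# Only act when called with both arguments; sourcing the file is side-effect free.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The tunnel is closed through the control socket when the script exits, so no SOCKS listener is left open after the monitoring session.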

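You might need jstatd running on your server. If your firewall blocks most ports from your external interface, you can use the following permission file, saved as grant-all-permissions.txt. It grants every Java permission to the code jstatd runs, which is why it depends on the firewall keeping the jstatd port unreachable from outside:
grant {
    permission java.security.AllPermission;
};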

Then start jstatd with that policy:
jstatd -J-Djava.security.policy=grant-all-permissions.txt

If you have remote JMX enabled in your application server, you can add a JMX connection separately (easy in VisualVM 1.2-beta) for the JMX port.

Thanks to ankon (http://stackoverflow.com/users/196315/ankon) for noting this.

The same probably applies to the built-in jconsole and jvisualvm programs.
