Kbase P98541: Which ports need to be open on a firewall between a 4GL client and a database?
Author: Progress Software Corporation - Progress
Access: Public
Published: 1/26/2009
Status: Verified
GOAL:
Which ports need to be open on a firewall between a 4GL client and a database?
GOAL:
How to configure a Firewall between a 4GL client and the Progress database?
FACT(s) (Environment):
Progress 9.x
OpenEdge 10.x
All Supported Operating Systems
FIX:
Network administrators typically implement firewalls to block access to certain network ports and so prevent unauthorized network access to a machine. Because Progress in client-server mode uses TCP ports to communicate with remote clients, it may become necessary to open those ports through the firewall.
NOTE: This solution is for information purposes only. Progress Technical Support is neither capable nor qualified to make specific recommendations for a particular firewall setup and Progress is not specifically tested or certified for use with any firewall implementation.
Knowledge of the way Progress uses TCP ports should allow an experienced network administrator to configure a firewall for use with Progress. Most of the following information applies equally to Progress and WebSpeed.
The broker port:
The first communication between the client and the database takes place on the broker port. The broker port is defined by the "-S <servicename -or- TCP portnumber>" parameter when the database broker is started.
A "<servicename>" is mapped to a specific port in the services file on the system. This port must be open for communication between the client and the database broker. From Progress 9.x onwards, a free port number can be given directly to the -S parameter instead of a service name.
The remote servers:
Remote servers are processes spawned by the broker to service remote clients. The maximum number of servers the broker can spawn is set by the -Mn parameter when the broker is started (4 by default).
Each remote server is assigned its own port when it is spawned. By default, the remote servers use the first available port in the 1025-2000 range on UNIX (3000-5000 on Windows). For Progress Version 8.2 and later, the range of available ports can be restricted with the -minport and -maxport parameters when the broker is started. A smaller range means fewer ports opened on the firewall and is therefore more secure, but the range must still contain at least -Mn ports, all of them opened on the firewall, so that every remote server can obtain one.
Therefore the ports that need to be open are:
The -S port (xxxx)
And the -minport yyyy to -maxport zzzz port range
NOTE:
If you use a large port range for -minport and -maxport (as with the defaults) and open only a few ports on the firewall, i.e. the -minport/-maxport range is larger than the range opened on the firewall, you will get connection failures: server ports are allocated dynamically from the whole range, so a server may be given a port that the firewall does not pass.
EXAMPLE:
A database called "db1" is running on machine "host1". Progress 4GL clients are running on PCs that need to connect to the database. The firewall is between host1 and the client PCs.
    host1   |   PC clients
            |
        Firewall
The database broker is started with the command:
proserve db1 -H host1 -S db1sv -N TCP -Mn 6
- or -
proserve db1 -H host1 -S 2051 -N TCP -Mn 6
If you choose the first command line, you must define the broker port assigned to service "db1sv" in the services file:
db1sv 2051/TCP
If the broker port is given directly (the second option), no services file entry is needed.
In both cases the broker port is 2051. Since -Mn is specified as 6, up to 6 remote servers can be spawned and each needs its own port. Assuming that no other process on the system uses these ports, the server processes use ports 1025-1030, so in this example the firewall must be configured to allow the clients to reach port 2051 and ports 1025-1030 on host1. This relies on the servers taking the first six ports of the default 1025-2000 range; if another process already holds one of them, a server will take the next free port and its clients will be blocked. To guarantee the allocation, start the broker with -minport 1025 -maxport 1030 as well, or open the whole default range on the firewall.
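The following script is an added illustration for this article and is not Progress code. It reads the firewall-relevant switches off a proserve command line, resolves a -S service name against a constructed services file (not the system /etc/services), checks that the -minport/-maxport range can hold -Mn remote servers, flags the unrestricted default range described in the NOTE above, and emits iptables-style allow rules for traffic from the clients to the database host. The default -Mn of 4 and the 1025-2000 UNIX default range are taken from the article; the iptables syntax and the host address 192.0.2.10 are assumptions for the example.

```python
"""Firewall port derivation for a Progress/OpenEdge database broker.

Added illustration for this KB article, not Progress code. Assumptions:
UNIX default server range 1025-2000 and default -Mn of 4 (both from the
article); iptables rule syntax chosen here for the example output.
"""
import shlex

# Constructed sample services file for this example, not the real /etc/services.
SAMPLE_SERVICES = """\
# service-name   port/protocol
db1sv            2051/tcp
db2sv            2052/tcp
"""

DEFAULT_MN = 4                 # article: "there are 4 by default"
DEFAULT_RANGE = (1025, 2000)   # article: default remote-server range on UNIX


def resolve_service(name_or_port, services_text):
    """-S accepts a port number directly (Progress 9+) or a service name
    that must map to a TCP port in the services file."""
    if name_or_port.isdigit():
        return int(name_or_port)
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == name_or_port:
            port, _, proto = fields[1].partition("/")
            if proto.lower() == "tcp":
                return int(port)
    raise ValueError(f"service {name_or_port!r} has no TCP entry in the services file")


def parse_proserve(cmdline):
    """Return (-S value, -Mn, -minport, -maxport), applying the article's defaults."""
    argv = shlex.split(cmdline)
    numeric = {"-Mn": DEFAULT_MN, "-minport": DEFAULT_RANGE[0], "-maxport": DEFAULT_RANGE[1]}
    service = None
    i = 1                      # argv[0] is proserve, argv[1] the database name
    while i < len(argv):
        if argv[i] == "-S":
            service = argv[i + 1]
            i += 2
        elif argv[i] in numeric:
            numeric[argv[i]] = int(argv[i + 1])
            i += 2
        else:
            i += 1             # -H, -N and their values do not affect the port list
    if service is None:
        raise ValueError("no -S parameter: the broker will not accept remote clients")
    return service, numeric["-Mn"], numeric["-minport"], numeric["-maxport"]


def audit(cmdline, services_text=SAMPLE_SERVICES):
    """Ports the firewall must pass from the clients to the database host,
    plus warnings about configurations the article says cause problems."""
    service, mn, lo, hi = parse_proserve(cmdline)
    broker = resolve_service(service, services_text)
    warnings = []
    if hi - lo + 1 < mn:
        warnings.append(f"-minport {lo} -maxport {hi} holds {hi - lo + 1} ports "
                        f"but -Mn {mn} servers may be spawned")
    if (lo, hi) == DEFAULT_RANGE:
        warnings.append("no -minport/-maxport: servers may take any free port in "
                        "1025-2000, so the whole range must be open on the firewall")
    return {"broker_port": broker, "server_ports": (lo, hi), "warnings": warnings}


def iptables_rules(cmdline, host_ip, services_text=SAMPLE_SERVICES):
    """Allow rules for inbound TCP to the database host: the firewall sits
    between the clients and the host, so only client -> host traffic matters."""
    result = audit(cmdline, services_text)
    lo, hi = result["server_ports"]
    return [
        f"iptables -A INPUT -p tcp -d {host_ip} --dport {result['broker_port']} -j ACCEPT",
        f"iptables -A INPUT -p tcp -d {host_ip} --dport {lo}:{hi} -j ACCEPT",
    ]


if __name__ == "__main__":
    for cmd in (
        "proserve db1 -H host1 -S db1sv -N TCP -Mn 6",
        "proserve db1 -H host1 -S 2051 -N TCP -Mn 6 -minport 1025 -maxport 1030",
    ):
        print(cmd)
        print("  ", audit(cmd))
        for rule in iptables_rules(cmd, "192.0.2.10"):
            print("  ", rule)
```

Run against the article's two broker command lines, the first (no -minport/-maxport) is reported with the whole 1025-2000 range and a warning, while the variant restricted to 1025-1030 yields exactly the six server ports plus the broker port 2051, which is the tight rule set the example above describes.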