Consultor Eletrônico



Kbase 17852: Setting up Firewall for Progress & WebSpeed
Author   Progress Software Corporation - Progress
Access   Public
Published   12/27/2007
Status: Verified

GOAL:

Allow for Progress remote client connections through a Firewall

GOAL:

How to configure Firewall TCP ports and allow for Progress remote client connections?

GOAL:

How to configure Progress database and clients for use with a Firewall?

GOAL:

How to enable Progress clients connection to a Progress Database through a Firewall

GOAL:

What ports should be open in a Firewall between a computer with WebSpeed and the Database server?

GOAL:

What ports should be open in a Firewall configuration between a computer that has the complete WebSpeed installation and a computer that has the Database?

GOAL:

How to configure WebSpeed agents with Firewall?

FACT(s) (Environment):

All Supported Operating Systems
Progress 8.2x
Progress 8.3x
Progress 9.x
OpenEdge 10.x

FIX:

Firewalls are implemented by network administrators typically to block access to certain network ports in order to prevent unauthorized network access to a machine. It might become necessary to open access to these ports through the Firewall because Progress in client-server mode uses TCP ports to communicate with remote clients.

NOTE: This solution is for information purposes only.
Progress Technical Support is neither capable nor qualified to make specific recommendations for a particular Firewall setup and Progress is not specifically tested or certified for use with any Firewall implementation. Knowledge of the way Progress uses TCP ports should allow an experienced network administrator to configure a Firewall for use with Progress.
Most of the following information applies equally to Progress and WebSpeed.

The broker port:
The first communication to take place between the client and the database is on the broker port. The broker port is defined by the use of the "-S <servicename>" parameter when the database broker is started. The "<servicename>" is assigned to a specific port in a services file on the system. This port must be open for communication between the client and the database broker.

The remote servers:
Remote servers are processes spawned by the broker to service remote clients. The maximum number of servers that can be spawned is defined by the -Mn parameter when the broker is started (there are 4 or 5 by default, depending on the Progress release). Each remote server is assigned to a port when it is spawned. By default, the remote servers use the first available port in the 1025-2000 range (3000-5000 on Windows).
For Progress Version 8.2 and later, the range of available ports can be specified with the -minport and -maxport parameters when the broker is started. Be sure to open enough ports through the Firewall in the correct range so that each remote server has a port available to it.

For example:
A Progress Version database called "db1" is running on machine "host1". Progress clients (including WebSpeed agents) are running on PCs that need to connect to the database. There is a Firewall between host1 and the client PCs.
The database broker is started with the command: proserve db1 -H host1 -S db1sv -N tcp -Mn 6
For the broker port, determine what port is assigned to service "db1sv".
The services file contains an entry: "db1sv 2051/tcp". This means that the broker port is 2051.
Since the -Mn parameter is specified as 6, there are up to 6 remote servers spawned and each one needs a port available. Assuming that no other processes on the system use the same ports, these server processes use ports 1025-1030. For the example, the Firewall must be configured to allow the clients to access port 2051 and ports 1025-1030.
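
The calculation from the example above, as an added Python sketch (not Progress code and not part of the original article). It also covers the -minport/-maxport case described earlier. The function names, the sample services text and the default_mn value are assumptions made for illustration.

```python
import shlex

# Default dynamic port ranges for remote servers, as given in the article.
DEFAULT_RANGE = {"unix": (1025, 2000), "windows": (3000, 5000)}

# Constructed sample input mirroring the article's db1 example.
SERVICES = "ftp      21/tcp\ndb1sv    2051/tcp   # Progress broker for db1\n"
COMMAND = "proserve db1 -H host1 -S db1sv -N tcp -Mn 6"


def broker_port(services_text, service):
    """Return the TCP port assigned to `service` in services-file text."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == service:
            port, _, proto = fields[1].partition("/")
            if proto == "tcp":
                return int(port)
    raise LookupError(f"no tcp entry for service {service!r}")


def parse_broker_args(command):
    """Collect '-flag value' pairs from a broker start-up command line."""
    tokens = shlex.split(command)
    return {flag: value for flag, value in zip(tokens, tokens[1:])
            if flag.startswith("-") and not value.startswith("-")}


def ports_to_open(command, services_text, platform="unix", default_mn=4):
    """Work out the broker port and the remote-server port range."""
    args = parse_broker_args(command)
    servers = int(args.get("-Mn", default_mn))  # default_mn is an assumption
    lo, hi = DEFAULT_RANGE[platform]
    lo, hi = int(args.get("-minport", lo)), int(args.get("-maxport", hi))
    if hi - lo + 1 < servers:
        raise ValueError(f"range {lo}-{hi} cannot hold {servers} servers")
    return {
        "broker": broker_port(services_text, args["-S"]),
        # Smallest range that works if nothing else occupies these ports.
        "minimum": (lo, lo + servers - 1),
        # Every port a server could land on ("first available" in range).
        "possible": (lo, hi),
    }


if __name__ == "__main__":
    print(ports_to_open(COMMAND, SERVICES))
    print(ports_to_open(COMMAND + " -minport 2100 -maxport 2105", SERVICES))
```

When -minport and -maxport are set to a range exactly as large as -Mn, "minimum" and "possible" coincide, so the Firewall rule can be limited to that range without relying on the assumption that no other process holds the low ports.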

Open interface brokers, DataServer brokers, and AppServer brokers:
Open Interface Brokers (OIB), DataServer Brokers, and AppServer brokers use network ports in much the same way as do database brokers.
In each case, the broker is spawned with a "-S <servicename>" parameter when the broker is started. The "<servicename>" is assigned to a specific port in a services file on the system. This port must be open for communication between the client and the broker.
Each time a client connects to the broker, a process is spawned that also uses a network port. For example, OIB spawns an Open Interface Driver (OID), the Oracle DataServer broker spawns an Oracle DataServer, and the AppServer broker spawns an AppServer agent.
As with database remote servers, the process is assigned to the first available port in the minport-maxport range when it is spawned.

NOTE: Depending on the Progress release used, -minport and -maxport may not be available for OIBs, DataServers, or AppServers. If not available, the default ranges will be used.

Be sure to open enough ports through the Firewall in the minport-maxport range so that the maximum number of OID, DataServer, and AppServer processes will have a port available to them. Also remember that your remote database servers might also be using ports in this range, so be sure to open enough ports for all the processes that need them.

WebSpeed:
WebSpeed can have additional Firewall configuration requirements, particularly when the messenger is on a separate machine from the WebSpeed broker. If a Firewall comes between any two WebSpeed components, the Firewall must be opened on the appropriate port.

WebSpeed requires the following network communications:
- Browser to Web server. The browser must have access to the Web server. This is typically on port 80, but could be any port. This requirement is part of the Web server configuration.
- Messenger to WebSpeed broker. The WebSpeed messenger communicates with the WebSpeed broker on a specific port that is defined when the broker is configured. On Windows NT, this port is defined in the WebSpeed configuration utility, and on UNIX, it is defined in the webspeed.cnf file.
- Messenger to WebSpeed agents. The messenger also communicates directly with WebSpeed agents. When the WebSpeed broker is configured, you must specify a port range for the agents. On Windows NT, this is done on the "Agents" tab of the configuration utility. On UNIX, the range is specified by the AgentMinPort and AgentMaxPort settings in the webspeed.cnf file. This range of ports must be open through the Firewall.
- WebSpeed agents to database. WebSpeed agents are just Progress clients, so this part of the configuration is exactly the same as for client-server Progress.