What's the best way of keeping 2 databases in sync either side of a firewall

BarryW

New Member
Hi All,

I'm using IIS on NT4 (Intel), using WebSpeed 3.0 and Progress 9.0B.

My task is to somehow keep a database used for webserving, in sync with a master database which is protected from the outside world, using some kind of firewall. So the databases are either side of the firewall.

I need to keep the web database up to date every hour with data from our master database. How is this best done?

Originally what we did was to have an application running on the master server which extracted data from the relevant tables and created ASCII files and then FTP these to the web server, then to have an application on the web server pick up these ASCII files and insert or update tables in the database.

I am sure there is a better, less cumbersome, more secure way of doing this.

Please can anyone help or advise me, maybe with some examples?
 

Chris Kelleher

Administrator
Staff member
Here's a Progress KnowledgeBase entry that seems to have a solution to your problem:

http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=17852

Setting up firewall for Progress and/or WebSpeed(All Vers.)

Increasingly, security concerns are forcing network administrators
to implement firewalls. Typically, firewalls block access to
certain network ports to prevent unauthorized network access to a
machine. Since Progress in client-server mode uses TCP ports for
communication between the database and remote clients, it may be
necessary to open up access to these ports through the firewall.

Please note that this document is for information purposes only.
Progress Technical Support is neither capable nor qualified to
make specific recommendations for a particular firewall setup, and
Progress is not specifically tested or certified for use with any
firewall implementation. However, knowledge of the way Progress
uses TCP ports should allow an experienced network administrator
to configure a firewall for use with Progress. Most of this
information applies equally well for Progress and WebSpeed.
Additional information for WebSpeed will follow at the end of
this document.


THE BROKER PORT

The first communication to take place between the client and the
database is on the broker port. This port is defined by the use
of the "-S <servicename>" parameter when the database broker is
started. The "<servicename>" will be assigned to a specific port
in a services file on the system. This port must be open for
communication between the client and the database broker.


THE REMOTE SERVERS

Remote servers are processes spawned by the broker to service remote
clients. The maximum number of servers that can be spawned is
defined by the -Ma parameter when the broker is started (4 by
default). Each remote server will be assigned to a port when it
is spawned. By default, the remote servers will use the first
available port in the range 1025-2000. For version 8.2 and later,
the range of available ports can be specified with the -minport and
-maxport parameters when the broker is started. Be sure to open
enough ports through the firewall in the correct range so that each
remote server has a port available.


AN EXAMPLE

A Progress 7.3E database called "db1" is running on machine "host1".
Progress clients are running on PCs that need to connect to the
database. There is a firewall between host1 and the client PCs.

             |
    host1    |    PC clients
             |
             |
          firewall

The database broker is started with the command:

proserve db1 -H host1 -S db1sv -N tcp -Ma 6

For the broker port, we must determine what port is assigned to
service "db1sv". The services file contains an entry:

db1sv 2051/tcp

So, the broker port is 2051. Since the -Ma parameter is
specified as 6, there will be up to 6 remote servers spawned, and
each one will need a port available. Assuming no other processes
on the system use the same ports, these server processes will use
ports 1025-1030.

So, for our example, the firewall must be configured to allow
the clients to access port 2051 and ports 1025-1030.


OPEN INTERFACE BROKERS, DATASERVER BROKERS, AND APPSERVER BROKERS

Open Interface Brokers (OIBs), Dataserver Brokers, and Appserver
Brokers use network ports in much the same way as database brokers.
In each case, the broker is spawned with a "-S <servicename>"
parameter when the broker is started. The "<servicename>" will be
assigned to a specific port in a services file on the system. This
port must be open for communication between the client and the broker.

Each time a client connects to the broker, a process is spawned that
also uses a network port. For example, the Open Interface Broker
spawns an Open Interface Driver (OID), the Oracle Dataserver
Broker spawns an Oracle Dataserver, and the Appserver Broker spawns an
Appserver. Like database remote servers, the process will be assigned
to the first available port in the range 1025-2000 when it is spawned.
Note: -minport and -maxport CANNOT be used for OIBs, Dataservers, or
Appservers.

Be sure to open enough ports through the firewall in the 1025-2000
range so that the maximum number of OID, Dataserver, and Appserver
processes that will run at any particular time will have a port
available. Also remember that your remote database servers may also
be using ports in this range, so be sure to open enough ports for all
the processes that need them.


WEBSPEED

WebSpeed may have additional firewall configuration
requirements, particularly when the messenger is on a separate
machine from the WebSpeed broker. If a firewall comes between any
two of WebSpeed's components, the firewall must be opened on the
appropriate port. WebSpeed requires the following network
communications:

1. Browser to Web Server

The browser must have access to the web server. This is
typically on port 80, but could be any port. This is part of the
web server configuration.

2. Messenger to WebSpeed Broker

The WebSpeed messenger will communicate with the WebSpeed broker
on a specific port defined when the broker is configured. On
NT, this port is defined in the WebSpeed configuration utility,
and on Unix it is defined in the webspeed.cnf file.

3. Messenger to WebSpeed agents.

The messenger will also communicate directly with WebSpeed
agents. When the WebSpeed broker is configured, you must specify
a port range for the agents. On NT, this is done on the "Agents"
tab of the configuration utility. On Unix, this range is specified
by the AgentMinPort and AgentMaxPort settings in the webspeed.cnf
file. This range of ports must be open through the firewall.

4. WebSpeed agents to database.

WebSpeed agents are just Progress clients, so this part of the
configuration is exactly the same as for client-server Progress.
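
Added example, not part of the original post or the KnowledgeBase entry: a small Python helper that derives the firewall allow-list from a broker start command and services-file text, following the rules quoted above (the broker port comes from -S, the server count from -Ma, the range from -minport/-maxport). The function names, the services text and the 3000-3005 range are constructed for illustration.

```python
import shlex

DEFAULT_MA = 4                   # KB: -Ma defaults to 4 remote servers
DEFAULT_RANGE = (1025, 2000)     # KB: default remote-server port range


def parse_services(text):
    """Map service name -> TCP port from services-file text."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].endswith("/tcp"):
            ports[fields[0]] = int(fields[1].split("/")[0])
    return ports


def firewall_ports(proserve_cmd, services_text):
    """Return the broker port and remote-server port range to allow."""
    args = shlex.split(proserve_cmd)
    opts = {}
    for flag in ("-S", "-Ma", "-minport", "-maxport"):
        if flag in args:
            opts[flag] = args[args.index(flag) + 1]
    if "-S" not in opts:
        raise ValueError("no -S <servicename>: not a client-server broker")
    broker = parse_services(services_text)[opts["-S"]]
    max_servers = int(opts.get("-Ma", DEFAULT_MA))
    pinned = "-minport" in opts or "-maxport" in opts
    low = int(opts.get("-minport", DEFAULT_RANGE[0]))
    high = int(opts.get("-maxport", DEFAULT_RANGE[1]))
    if high - low + 1 < max_servers:
        raise ValueError("port range is smaller than -Ma")
    if not pinned:
        # KB example: servers take the first free ports from 1025 upward.
        # This holds only if no other process on the host uses those ports.
        high = low + max_servers - 1
    return {"broker": broker, "servers": (low, high), "pinned": pinned}


# Constructed services-file text matching the KB example entry.
SERVICES = "db1sv 2051/tcp\n"
KB_CMD = "proserve db1 -H host1 -S db1sv -N tcp -Ma 6"
# Constructed variant for 8.2+: the range is pinned to exactly six ports.
PINNED_CMD = KB_CMD + " -minport 3000 -maxport 3005"

if __name__ == "__main__":
    for cmd in (KB_CMD, PINNED_CMD):
        print(firewall_ports(cmd, SERVICES))
```

A result with "pinned" set to False means the range rests on the KB's assumption that nothing else on the host takes those ports; on 8.2 and later, setting -minport and -maxport lets the firewall rule match a range the broker is actually held to.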
 