WebSpeed and Firewalls

crjunk

Member
I'm not very educated when it comes to working with network related issues, so hopefully what I'm asking will make sense.

I'd like to move my WebSpeed app over from our development server to the DMZ.
On our DMZ we're running IIS on W2K. We also have Progress Explorer installed on the DMZ.

Currently, I'm trying to get Progress Explorer to connect to our DB server. The DB server is running on a Sun box. I'm assuming that I am unable to connect to the DB because we have most of the ports blocked on the DMZ.

In order to connect to the DB, would we just have to open the port for the broker (5163) and the port numbers that fall between the Minimum Port Number (3202) and Maximum Port Number (3502) range?

Also, the WSISA messenger NameServer Client Port Range minimum and maximum values are both set to 0.


Thanks,
CR Junk
 

ddavis

New Member
Choices....

You can have progress installed on the webserver in the dmz and start the broker there, in which case you need to open the ports you mention to establish remote client/server db connections.

Perhaps a better solution is to not install progress at all on the windows IIS server, but just install the messenger component. Then you only need to open ports for messenger communication. This way, you start the webspeed broker local to the db and can take advantage of shared memory connections which are much faster.
 

Casper

ProgressTalk.com Moderator
Staff member
Hi,

The best configuration IMHO is to put the messenger on the webserver in the dmz.

If you do it this way then you must open the following ports:

Broker port for WebSpeed broker (TCP)
Ports for the running agents defined by minSrvPort, maxSrvPort (TCP)
UDP port to nameserver (defined on the db machine) and response ports (UDP) to nameserver configured in messenger, smallish range (e.g. range of 15) (minNSClientport, maxNSClientport)

No other ports need to be enabled for the Progress environment. You should minimise the number of ports open, and use non-standard ports where possible, as this will increase security. There is not much use having a lock on a door if the door has many holes in it that you can reach through!!

HTH,

Casper.
 

crjunk

Member
Thanks for everyone's help.

Casper, if I put the messenger on the webserver in the dmz, how wide of a range should be used for the agent? Currently, I have it setup like this:
Minimum: 3202 Maximum: 3502.

Thanks,
CR Junk
 

Casper

ProgressTalk.com Moderator
Staff member
Hi,

The range for the agents you can set with Progress Explorer: minimum port number and maximum port number under agent settings, or in ubroker.properties srvrMinPort and srvrMaxPort. You only have to open 1 port per agent so if you have 5 agents a range of 5 port numbers is enough. (TCP is the protocol which is used for this)

Casper
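
Added example, not part of the thread and not Progress's own tooling: a small check that derives the firewall openings listed in the replies above from a ubroker.properties-style fragment and warns when the agent range is wider than the agent count or the NameServer client range is left at 0. The sample is constructed; the section names and the portNumber and maxSrvrInstance keys are assumptions, and firewall_plan is a hypothetical helper.

```python
import configparser

# Constructed sample. Section names and the portNumber / maxSrvrInstance keys
# are assumptions; the remaining keys are the ones named in the thread.
SAMPLE = """
[NameServer.NS1]
portNumber=5162

[UBroker.WS.wsbroker1]
portNumber=3055
srvrMinPort=3202
srvrMaxPort=3502
maxSrvrInstance=5

[WebSpeed.Messengers.WSISA]
minNSClientPort=0
maxNSClientPort=0
"""

def firewall_plan(text, ns="NameServer.NS1", broker="UBroker.WS.wsbroker1",
                  msngr="WebSpeed.Messengers.WSISA"):
    """Return (rules, warnings); a rule is (direction, proto, first, last)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    b, m = cp[broker], cp[msngr]
    lo, hi = b.getint("srvrMinPort"), b.getint("srvrMaxPort")
    agents = b.getint("maxSrvrInstance")
    ns_lo, ns_hi = m.getint("minNSClientPort"), m.getint("maxNSClientPort")
    ns_port, broker_port = cp[ns].getint("portNumber"), b.getint("portNumber")
    rules = [
        ("dmz->app", "udp", ns_port, ns_port),          # messenger asks the NameServer
        ("dmz->app", "tcp", broker_port, broker_port),  # messenger to WebSpeed broker
        ("dmz->app", "tcp", lo, hi),                    # messenger to agents
    ]
    warnings = []
    width = hi - lo + 1
    if width > agents:
        warnings.append(f"agent range {lo}-{hi} opens {width} TCP ports for "
                        f"{agents} agents; one port per agent is enough")
    elif width < agents:
        warnings.append(f"agent range {lo}-{hi} is too small for {agents} agents")
    if ns_lo == 0 or ns_hi == 0:
        # Assumption: 0/0 means the reply port is not pinned to a range.
        warnings.append("NameServer client port range is 0-0; set a small range "
                        "so the UDP reply rule can be narrow")
    else:
        rules.append(("app->dmz", "udp", ns_lo, ns_hi))  # NameServer replies
    return rules, warnings
```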
 

crjunk

Member
Casper,

I think we have all the appropriate ports open now.

I'm having trouble finding documentation that shows me how to setup everything (maybe I've come across it but didn't realize what I was looking at??).

I have the messenger installed on the dmz and the ports open now. Where do I place my CGI Wrapper that I've created - does it need to be placed on the dmz as well (if so, how do I determine where to place it?)?

Thanks,
CR Junk
 

Casper

ProgressTalk.com Moderator
Staff member
Hi,

If you only have the messenger installed on the webserver (like you should),
then the ports you have to open are the ports which I stated earlier in this thread.

The cgi-wrapper or whatever progress program you use should be on the application server, where the database, Nameserver, webspeedbroker and agents reside.

If you send me an e-mail I can send you a very good powerpoint presentation on this topic.

Regards,

Casper.
 