firewall ports open for webspeed

webguy

Member
Hi all,

We are configuring a new firewall and want to lock down the ports that are only used by WebSpeed. Our DB server and transaction server are on our internal network. The webserver is in the DMZ, which is running the messenger. I know I have to open up port 5162 for the NameServer. What are the port ranges the agents use when the messenger communicates back and forth? We are on Progress 10.
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
The range of ports used by the broker for its agents are specified by srvrMinPort and srvrMaxPort in $DLC/properties/ubroker.properties.

You don't technically need the NameServer if you configure the messenger to connect directly to the broker. If you are doing load balancing then you want it but otherwise it just adds connection overhead. It also requires you to open one more port through the firewall. I prefer to run without a NameServer where possible.
 

webguy

Member
> The range of ports used by the broker for its agents are specified by srvrMinPort and srvrMaxPort in $DLC/properties/ubroker.properties.
>
> You don't technically need the NameServer if you configure the messenger to connect directly to the broker. If you are doing load balancing then you want it but otherwise it just adds connection overhead. It also requires you to open one more port through the firewall. I prefer to run without a NameServer where possible.


Thanks Robert. We are using load balancing so I do need to open port 5162. As far as the port range for the agents, we never seemed to use the srvrMinPort and srvrMaxPort params in the ubroker.properties file. We definitely should do that, but what are the default port ranges? Would you know?
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
I believe the default WS agent range is still TCP 3202 - 3502. As with any Progress unified broker I strongly recommend not using the default port range, not least because it is probably far larger than you require and opening unjustifiably large holes in your firewall is not a best practice.

Regarding your original question about ports through the firewall my understanding is that the connection flow goes like this:
  • messenger gets a web request;
  • it connects to the NameServer to determine which broker to connect to;
  • it disconnects from the NameServer and connects to the broker;
  • the broker tells it the port of the agent it is to connect to;
  • it disconnects from the broker and connects to the agent which fulfills the request.
We use WebSpeed in stateless mode so what I have described above is the behaviour I have seen. Other modes may have different connection mechanics. You could read the WebSpeed docs, which may describe this, but I prefer direct observation: run Wireshark or tcpdump on a test web server and transaction server, filtering for the appropriate source and destination IPs, and let the packets talk to you.

So in summary the messenger needs to connect through the firewall on the NameServer port, the broker ports, and the range of agent ports for each broker.
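An added example, not from this thread or from Progress, that turns the summary above into firewall rules: it parses a constructed ubroker.properties fragment, lists the NameServer, broker and agent-range ports the DMZ messenger must reach, and flags an agent range wider than the broker can use. It assumes the standard ubroker.properties keys portNumber and maxSrvrInstance alongside the srvrMinPort/srvrMaxPort keys named above; the section names, port numbers and web server IP are constructed.

```python
import configparser

# Constructed sample of $DLC/properties/ubroker.properties (not any real site's file):
# one NameServer and one WebSpeed broker still on the default 3202-3502 agent range.
SAMPLE_PROPERTIES = """
[NameServer.NS1]
portNumber=5162

[UBroker.WS.wsbroker1]
portNumber=3055
controllingNameServer=NS1
maxSrvrInstance=10
srvrMinPort=3202
srvrMaxPort=3502
"""

def firewall_rules(properties_text):
    """Return (rules, warnings): rules are (proto, low_port, high_port) tuples the
    DMZ messenger must reach; warnings flag agent ranges wider than the broker can use."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep srvrMinPort etc. in their written case
    cfg.read_string(properties_text)
    rules, warnings = [], []
    for section in cfg.sections():
        if section.startswith("NameServer."):
            # NameServer lookups are UDP; only needed when load balancing through it.
            port = cfg.getint(section, "portNumber")
            rules.append(("udp", port, port))
        elif section.startswith("UBroker.WS."):
            # Broker control port, then the agent range the broker hands out to the messenger.
            port = cfg.getint(section, "portNumber")
            lo, hi = cfg.getint(section, "srvrMinPort"), cfg.getint(section, "srvrMaxPort")
            max_agents = cfg.getint(section, "maxSrvrInstance")
            rules += [("tcp", port, port), ("tcp", lo, hi)]
            if hi - lo + 1 > max_agents:
                warnings.append(f"{section}: agent range {lo}-{hi} spans {hi - lo + 1} ports "
                                f"for at most {max_agents} agents; narrow it to about {max_agents} ports")
    return rules, warnings

def iptables_lines(rules, web_server_ip):
    """Render the rules as iptables FORWARD commands (illustrative; adapt to your firewall)."""
    lines = []
    for proto, lo, hi in rules:
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        lines.append(f"iptables -A FORWARD -p {proto} -s {web_server_ip} --dport {dport} -j ACCEPT")
    return lines

if __name__ == "__main__":
    rules, warnings = firewall_rules(SAMPLE_PROPERTIES)
    print("\n".join(iptables_lines(rules, "192.0.2.10") + warnings))
```

Run it against your real ubroker.properties to see every port the messenger needs and whether any broker's agent range is larger than its maxSrvrInstance justifies.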
 

webguy

Member
> I believe the default WS agent range is still TCP 3202 - 3502. As with any Progress unified broker I strongly recommend not using the default port range, not least because it is probably far larger than you require and opening unjustifiably large holes in your firewall is not a best practice.
>
> Regarding your original question about ports through the firewall my understanding is that the connection flow goes like this:
>   • messenger gets a web request;
>   • it connects to the NameServer to determine which broker to connect to;
>   • it disconnects from the NameServer and connects to the broker;
>   • the broker tells it the port of the agent it is to connect to;
>   • it disconnects from the broker and connects to the agent which fulfills the request.
> We use WebSpeed in stateless mode so what I have described above is the behaviour I have seen. Other modes may have different connection mechanics. You could read the WebSpeed docs, which may describe this, but I prefer direct observation: run Wireshark or tcpdump on a test web server and transaction server, filtering for the appropriate source and destination IPs, and let the packets talk to you.
>
> So in summary the messenger needs to connect through the firewall on the NameServer port, the broker ports, and the range of agent ports for each broker.


Excellent info Robert thanks again.
 