21
Sat, Dec
3 New Articles

iSeries Access Through a Firewall

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
As everyone is aware, there are risks involved with remote TCP/IP connectivity. Firewalls are a good way of limiting what type of traffic you will allow in from the outside world, but there are some unique considerations when accessing an iSeries. The iSeries Access for Windows product (formerly Client Access Express) uses a number of different servers when communicating to an iSeries. Each one of these servers communicates using one or more ports, and firewalls have to be configured to allow traffic through these ports. This article explains what ports you need, depending on what functions of iSeries Access for Windows you use. Note that the information given here also applies to all versions of Client Access Express.

To better understand the need for certain servers on the iSeries, you need to understand the connection process for iSeries Access. When a PC running iSeries Access first tries to make a connection, the default behavior is that it will first send a request to the port mapper to find out what port needs to be communicated with. A connection to the Sign-on server is always made first, so the first request sent to the port mapper is to find out what port the Sign-on server is listening on. After connecting to the Sign-on server, the next port to be communicated with will depend on what function of iSeries Access is being performed. If a function that requires an iSeries Access license is being used, then the next server to be contacted will be the Central server. The only functions of iSeries Access that require this license are the PC5250 emulator and the data transfer application. Before contacting the Central server, iSeries Access will ask the port mapper for the address of the Central server. After this, the next port that is contacted will depend on the function being performed. Preceding each request to a different server, the port mapper will be contacted to find the port for that server.

One item to note regarding the Central server is that, in multilingual environments, it could be used for almost any iSeries Access function. When iSeries Access is installed onto a PC, only one language is installed. However, if an application needs to be run in an alternate language, some character conversion may be required. The conversion tables are automatically downloaded from the iSeries to the client via the Central server when needed.

You may be wondering if there is a way to reduce the number of port mapper requests, and the answer is "yes." Although all of the servers used by iSeries Access are shipped with a default port assignment, an administrator can reconfigure each to use a different port. This may be done to avoid collisions with other servers or to make it more difficult for unauthorized individuals to access the system. If the administrator does not change any of the port assignments, then iSeries Access can be configured to just use the default ports (the "Standard" option). In that case, no calls to the port mapper are made, thereby reducing the number of exchanges between the client and the server. It also means that you don't need to open the Port Mapper port in your firewall. Even if the administrator does reconfigure the servers to use different ports, there is an option that can eliminate the port mapper calls. This involves creating a local Services file on the PC that maps each server to the port that it listens on. Then, iSeries Access can be configured to use that local Services file by choosing the "Local" option. Both of these options are available by going into iSeries Navigator (formerly known as Operations Navigator), right-clicking on the iSeries name in the left column, and selecting Properties. Under the Communications tab, there are Performance properties at the bottom that let you choose the appropriate port lookup option. The Server option is the default, and this is the one that forces a port mapper call for each server connection.

In addition to the Sign-on and Central server ports, another port that is used pervasively across iSeries Access is the Remote Command port. If an administrator sets any Application Administration settings, iSeries Access will always make a call to the Remote Command server to retrieve those settings, which are used to determine if the iSeries Access user has the authority to use any function attempted. For example, if the administrator creates an Application Administration setting preventing user JOEUSER from doing data transfers to the iSeries, iSeries Access will use that retrieved setting to stop any data transfer request that JOEUSER attempts. Because of this, plus the fact that iSeries Navigator always requires the use of Remote Command server, you will usually have to ensure that the port for the Remote Command server is open.

Figure 1 lists all of the servers used by iSeries Access and their associated default ports. Note that most of the servers have an additional port listed in parentheses. This port is used if SSL communications is needed. On the iSeries, most of the host servers can be configured for SSL by using the Digital Certificate Manager (DCM) to assign a certificate to that individual server. Once that assignment is made, that host server starts listening on the additional port (in addition to the non-SSL port that was already listening). A common method of forcing all remote clients to use encrypted sessions is to only allow traffic to flow through the firewall on the encrypted ports.

Servers
Ports
Descriptions
Port Mapper
449
Port Mapper returns the port number for the requested server.
Sign-on
8476 (9476)
Sign-on is used for every iSeries Access connection to authenticate users and to change passwords. It is also used to retrieve Application Administration settings.
Central
8470 (9470)
Central is used when an iSeries Access license is required. It's also used for downloading conversion tables.
Data Queue
8472 (9472)
Data Queue allows access to the iSeries data queues, used for passing data between applications.
Database
8471 (9471)
Database is used for accessing the OS/400 database.
Remote Command
8475 (9475)
Remote Command is used for sending commands from a PC to an iSeries and for program calls.
File
8473 (9473)
File is used for accessing any part of the OS/400 file system.
Print
8474 (9474)
Print is used to access printers known to the OS/400.
Web Admin
2001 (2010)
Web Admin is used to access Web applications served by the iSeries.
DDM
446 (448)
DDM is used to access data via DRDA. It's also used for record-level access.
Telnet
23 (992)
Telnet is used to access 5250 emulation.
Netserver
137, 138, 139, 8474
Netserver allows access to the OS/400 Integrated File System (IFS) from Windows PCs.
USF
8480
USF (or Ultimedia) is used for multimedia data. (Note: This server is being removed in a future release.)
LDAP
389 (636)
LDAP provides a network directory service.
Management Central
5555 5544 5577 (5566)
Management Central is used to manage multiple iSeries 400s in a network.

Figure 1: These are the ports associated with the servers used by iSeries Access for Windows.

Figure 2 lists some common iSeries Access functions and the servers that they utilize. Using Figure 1 and Figure 2, you should be able to determine which ports you need to open on your firewall. Also, these two tables are available on the iSeries Access Web site, in the Information APARs section. Select II12227. This page is kept up-to-date with the latest information on iSeries Access port usage. There could be additions to this table at any time, although it's likely that changes will be seen only on release boundaries.

Client Access Function
Servers Used
PC5250 display and printer emulation
Sign-on, Central, Telnet
Data transfer
Sign-on, Central, Database
Base iSeries Navigator support
Sign-on, Remote Command
All iSeries Navigator functions
Sign-on, Remote Command, File, Print, Database, Web Admin, Management Central, USF, Netserver, LDAP, Data Queue
ODBC
Sign-on, Database
OLE DB
Sign-on, Database, DDM, Remote Command, Data Queue
AFP Viewer
Sign-on, Print
Client Access Install from iSeries
Netserver
Incoming Remote Command
Uses no specific server, and iSeries port will vary. PC-side port is 512.
Fax support
Sign-on, Print

Figure 2: These are the servers used by some of the functions available through iSeries Access for Windows.

In addition to the ports used by iSeries Access, you may need to also open up a port for Domain Name Server (DNS) lookup. If an iSeries Access request to connect to a system needs to flow into your internal network to get the TCP/IP address for that system, the port for the DNS must be open. The default port for that is 53, and the Windows operating system handles getting the address from the DNS. If the iSeries Access user connects to the system by using the TCP/IP address of the system, rather than using the system name, then no DNS request will be required. Also, a request to the DNS for an IP address can be avoided by configuring iSeries Access to set the IP Address Lookup Frequency to "Never Specify IP Address." This property can be set in iSeries Navigator, on the same dialog that's used to change the port look-up (described earlier).

Many of the ports listed in Figure 1 are pre-started once your iSeries becomes active. The standard iSeries Access ports of 449 and those starting with 8 and 9 can be started by using the STRHOSTSVR *ALL command, if they are not running for some reason. In addition, any servers that are not pre-started can be configured to be pre-started by using iSeries Navigator. Selecting "Networking" in the tree of functions under a system name on the left side leads you to an option for TCP/IP servers. This is where you can check a box next to each server that you want to have pre-started.

A couple servers have some exceptions. One is Netserver. It uses four different ports while it is active. However, note that one of those, 8474, is only used internally and does not need to be opened through a firewall. Another special one is Management Central. Port 5544 is required only on V5R1 and later systems and is used for both non-SSL and SSL traffic. Port 5577 is only required for SSL connections between the "central" system and "endpoint" systems.

Of course, you could always choose to allow communications to flow on all ports into an iSeries. However, this will increase your risk of an attack on your system. You should only open the minimum number of ports that you really need in order to allow your users to access your system securely. Every port that you open increases your risk. Another option is to utilize a virtual private network (VPN) as the way of allowing remote connections to your iSeries. With VPN, you create a secure tunnel between the remote location and your server, and there isn't a need to open all the ports individually on your firewall. This is a more secure mechanism, but is much more complicated to get set up. For more information on VPNs, go to the iSeries Information Center and navigate in the left column to Security -> Virtual Private Networking.

Still another option that is available to iSeries Access customers who don't want to spend the time to set up lots of port restriction rules is the iSeries Access for Web product. As the name suggests, this product is designed for Web usage, and it's better suited for access through the Internet. It runs within a Web server on the iSeries, such as the Websphere Application Server (WAS), and does not require any code to be installed on PCs that connect to the system. All communications are through a single HTTP port or a single HTTPS port for encrypted sessions. Therefore, only a single port needs to be opened in a firewall to get to the iSeries. This product does not have all the capability of iSeries Access for Windows, but it has most of the functions that a typical user would require.

Last but not least, another member of the iSeries Access family that uses ports is the iSeries ODBC driver for Linux. This product is specialized for just one function and does not require use of the Sign-on server. In addition, the default setting is to not call the port mapper. So in general, the only port that will need to be opened for this family member is the Database server port. The only other one that could potentially be used is the Central Server, which could be used for downloading conversion tables in multilingual environments.

In summary, there are always risks with remote communications, but by limiting specific traffic through your firewall, you can help to minimize it. Using the tables listed in this article, you now have the information you need. Also, don't forget about the possibility of using iSeries Access for Web. It was designed from the beginning with secure remote access in mind.

Jeff Van Heuklon is currently the Technical Chief Engineering Manager for the IBM iSeries Access family. In this role, he is responsible for iSeries Access strategy, plans, and design control. He can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: