Product: DBConnectivity Products for IBM Db2 for i (HiT ODBC/400, HiT OLEDB/400, Ritmo/i, HiT JDBC/400)
Version: All
ID: 1561
Summary: Identifying which ports to open in a firewall with HiT middleware clients
This article describes which ports to open in a firewall when setting up secure communication using TCP/IP and IBM i.
IPSec (IP Security, a set of protocols developed by the Internet Engineering Task Force, IETF, the main standards organization for the Internet) has been deployed widely to implement Virtual Private Networks (VPN), and it is now supported by most firewalls. Using IPSec for communications with the IBM i means identifying and securing the IBM i ports that pass through the firewalls.
The IBM i default port required for the Host Database Server is 8471.
On the TCP/IP client side, the client system automatically assigns a port number > 1024 (searching for an available port on the system) for the IN port, so the port used cannot be guaranteed to be the same each time. The settings also change depending on where the firewall is running (on the client, on the server, or both). A good rule set for a client-side firewall is the following:
client (web server) IP, port > 1024 -> IBM i IP, port 8471
IBM i IP, port 8471 -> client (web server) IP, port > 1024, using the ACK flag to accept only established connections
The communication is established on a single pair of sockets, so the IN TCP stream on the client firewall is always received from port 8471.
The same rules can be applied to port 8475, used for DPC/Remote Command support, and to port 446 if accessing DB2/400 via DRDA.
Note: HiT middleware requires access only to port 8471 (and 8475 if DPC is involved) for the IBM i specific products, and to port 446 to access Db2 via DRDA (HiT DB2 products). However, as a general rule, when using IBM middleware you have to make sure that the following ports are open:
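The client-side rule set above, modelled in Python so the two directions (outbound to the server port from an ephemeral port, inbound from the server port only when the ACK flag marks an established connection) can be checked against sample packets. This is an added example, not HiT code; the host addresses, the `Packet` type and the `required_ports`/`client_firewall_allows` functions are constructed for illustration.

```python
from dataclasses import dataclass

IBM_I_HOST = "10.0.0.50"    # constructed: address of the IBM i
CLIENT_HOST = "10.0.0.20"   # constructed: the client ("web server") running HiT middleware
EPHEMERAL_MIN = 1025        # the client picks an IN port > 1024


def required_ports(dpc: bool = False, drda: bool = False, ssl: bool = False) -> set[int]:
    """Server ports a HiT client needs: 8471 (9471 over SSL) always,
    8475 (9475 over SSL) when DPC/Remote Command is used, 446 for DRDA."""
    ports = {9471 if ssl else 8471}
    if dpc:
        ports.add(9475 if ssl else 8475)
    if drda:
        ports.add(446)
    return ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; a bare SYN arriving inbound has it cleared


def client_firewall_allows(pkt: Packet, server_ports: set[int]) -> bool:
    """Apply the two client-side rules; anything not matched is denied."""
    # Rule 1: client ephemeral port -> IBM i server port (connection setup)
    if (pkt.src == CLIENT_HOST and pkt.sport >= EPHEMERAL_MIN
            and pkt.dst == IBM_I_HOST and pkt.dport in server_ports):
        return True
    # Rule 2: IBM i server port -> client ephemeral port, established only
    if (pkt.src == IBM_I_HOST and pkt.sport in server_ports
            and pkt.dst == CLIENT_HOST and pkt.dport >= EPHEMERAL_MIN and pkt.ack):
        return True
    return False


if __name__ == "__main__":
    allowed = required_ports(dpc=True)
    print(client_firewall_allows(Packet(CLIENT_HOST, 50000, IBM_I_HOST, 8471), allowed))
    print(client_firewall_allows(Packet(IBM_I_HOST, 8471, CLIENT_HOST, 50000), allowed))
```

The second call prints False: an inbound segment from 8471 without ACK is a new connection attempt and is dropped even though it comes from the database server port.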
| PC Function | Server Name | Port Non-SSL | Port SSL |
| --- | --- | --- | --- |
| Server Mapper | as-svrmap | 449 | 449 |
| License Management | as-central | 470 | 9470 |
| Database Access | as-database | 8471 | 9471 |
| Data Queues | as-dtaq | 8472 | 9472 |
| Network Drives | as-file | 8473 | 9473 |
| Network Printers | as-netprt | 8474 | 9474 |
| Remote Command | as-rmtcmd | 8475 | 9475 |
| Signon Verific. | as-signon | 8476 | 9476 |
| Telnet (5250 Emul) | telnet | 23 | 992 |
| HTTP Admin | as-admi > | 2001 | 2010 |
| POP3 (MAPI) | pop3 | 5010 | --- |
| Management Central | as-mgtc > | 5555 | 5566 |
| Ultimedia Services | as-usf | 8480 | 9480 |
| Network Drives | as-netd | *8477 | --- |
| File Transfer | as-tran | *8478 | --- |
| Virtual Print | as-vrtp | *8479 | --- |
| DRDA | DRDA | 446 | --- |
| DDM | DDM | 447 | 448 |
| AnyNet | APPC over TCPIP | 397 (TCP & UDP) | --- |

* These ports are used only by 5763XK1.
If any of the above ports are restricted by a firewall or any other mechanism, the middleware may fail to operate. For assistance with configuring ports or working with a firewall beyond the above information, contact the firewall provider.