Configuring firewall settings for outbound (static) ports

If your network uses a firewall or other security mechanism that requires static ports for communication, then you must specify the ports that other computers can use to communicate with Access Server services.

About this task

The configuration of firewall settings is not available when Access Server is configured in LDAP CHCCLP with embedded Access Server mode.

Each client instance (Management Console or CHCCLP) requires the following number of ports:

  • Two input and output ports to Access Server.
  • One input and output port for each datastore (regardless of whether or not you connect to the datastore).

To calculate this set of ports from all clients, use the following formula:

(number of clients * 2) + (number of clients * number of datastores)

Each datastore that any of your clients connects to through Access Server requires the following number of ports:

  • One input and output port per instance of client.
  • Two input and output ports per datastore (shared across all client instances).

To calculate the set of ports from Access Server, use the following formula:

(number of clients * number of datastores) + (number of datastores * 2)

Therefore, the complete set of ports to open is shown in the following formula:

local_port_count = (number of clients * 2) + (number of clients * number of datastores) + (number of clients * number of datastores) + (number of datastores * 2)

All connections are initiated from Management Console to Access Server, and Access Server to the datastores. You must configure your routers and firewalls to allow communication through the configured ports. For more information, contact your network administrator.

Note: In addition to a network firewall, you might have personal firewall software installed and enabled on client machines that may need to be configured to allow Management Console to connect to Access Server.

Procedure

  1. Open the dmaccessserver.vmargs file in a text editor. This file is located in the conf directory in your Access Server installation directory.
  2. Replace the entry in this file with the following text:

    -jar lib/server.jar local_port:<first_port> local_port_count:<number_available_ports> <Access_Server_listener_port>

    where:
    • <first_port> is the first port in the range that you want the Access Server service to use when sending messages or establishing connections.
    • <number_available_ports> is the number of ports you want to reserve for this use.
    • <Access_Server_listener_port> is the port number that Access Server listens on and is set during the Access Server installation. You do not have to specify a value here if you are using the default port number of 10101.

    Optionally, specify the local address to bind a socket to when establishing connections to datastores from Access Server. If an address is not provided, the operating system will auto-select the interface for connecting to Access Server. To specify the address, include the following in dmaccessserver.vmargs: local_address:<local_address>

    Any changes made to dmaccessserver.vmargs will take effect after you restart the Access Server service.

Example: calculating ports required

To help determine the number of ports required, take a scenario where there are ten concurrent clients and three datastores. Calculate the number of ports to open using the following formula:

local_port_count = (number of clients * 2) + (number of clients * number of datastores) + (number of clients * number of datastores) + (number of datastores * 2)

The number of ports required is the total of the following calculation: 10 * 2 + 10 * 3 + 10 * 3 + 3 * 2 = 86

You will require 86 ports.
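
The sizing formula and the dmaccessserver.vmargs entry from the procedure above, combined in an added Python example (not IBM's code) that also yields the port range to allow through the firewall. The first port 20000 is a constructed value, and rejecting a range that contains the listener port is a precaution assumed here, not a rule stated on this page.

```python
DEFAULT_LISTENER_PORT = 10101  # default Access Server listener port, per the page
MAX_PORT = 65535


def local_port_count(clients, datastores):
    """Complete set of ports to open, using the page's formula."""
    if clients < 1 or datastores < 0:
        raise ValueError("need at least one client and no negative datastore count")
    from_clients = clients * 2 + clients * datastores
    from_access_server = clients * datastores + datastores * 2
    return from_clients + from_access_server


def plan_static_ports(clients, datastores, first_port,
                      listener_port=DEFAULT_LISTENER_PORT):
    """Return (vmargs_entry, (lowest_port, highest_port)) for the firewall rule."""
    count = local_port_count(clients, datastores)
    last_port = first_port + count - 1
    if first_port < 1 or last_port > MAX_PORT:
        raise ValueError(f"range {first_port}-{last_port} is outside 1-{MAX_PORT}")
    # Assumed precaution (not stated on the page): keep the listener port
    # out of the range reserved for outbound connections.
    if first_port <= listener_port <= last_port:
        raise ValueError(f"range {first_port}-{last_port} contains listener port "
                         f"{listener_port}")
    entry = f"-jar lib/server.jar local_port:{first_port} local_port_count:{count}"
    # The listener port is only needed when it differs from the default.
    if listener_port != DEFAULT_LISTENER_PORT:
        entry += f" {listener_port}"
    return entry, (first_port, last_port)


if __name__ == "__main__":
    # Constructed scenario: the page's ten clients and three datastores,
    # with 20000 chosen here as the first port.
    entry, (low, high) = plan_static_ports(10, 3, first_port=20000)
    print(entry)
    print(f"firewall: allow ports {low}-{high}")
```

Opening exactly the returned range, rather than a wider block, keeps the firewall exception as narrow as the formula requires.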