Configuring connections through a firewall

Introduction

For client connections through the firewall, two ports need to be open:
  • The Statistics daemon or listening port. By default the port number is within the 3000 range, varying based on the version number. For example, the port number can be 3031 for version 31.
  • The response port used by Statistics server child processes to communicate with multiple Statistics client connections. For multiple client/server connections, you might want to configure more than one client response port.

When an SPSS® Statistics client connects to the SPSS Statistics Server, the client port is locked and can be used by only one client until the connection process has concluded. The time to connect is in the range of 1–3 seconds (this time can vary depending on the system load). When a second or third SPSS Statistics client attempts to connect during this time, the clients are blocked until the client port becomes available. Opening multiple client ports reduces the wait time when connecting in an environment where many users simultaneously initiate SPSS Statistics sessions. The number of response ports is controlled by the STATISTICS_CLIENT_PORTS environment variable.

Note: IBM® SPSS Statistics Server can reuse the same port number for client connections. But port re-use depends on the client reconnect capability. By default, client-reconnect is enabled for 100 minutes. When client-reconnect is enabled, SPSS Statistics Server has a 1:1 ratio of connected clients to open response ports. In order to enable port re-use, you must first disable client-reconnect. This is done by editing the reconnect-timeout setting in <Statistics Install Path>/config/statisticsd.conf. For example:
<reconnect-timeout desc="The timeout in minutes that the server uses to drop disconnected clients (default: 100)." value="0"/>

Example

Assume that five client ports are listed in the STATISTICS_CLIENT_PORTS system environment variable (ports 40001–40005) and there are four possible clients. A user initiates a connection with the SPSS Statistics Server and first contact is made through the listening port (3028). The server spawns a child process and continues communication through the first available client port (40001). If port 40001 is not locked (a port is locked when communication with another client has just started), the port will be re-used. If port 40001 is locked, communication moves on to the next port (40002), assuming it's not locked, and so on.

After all four clients are connected they will most likely all use the same port number (40001). There is a small chance that one or more clients will use port 40002, a smaller chance that a client will use port 40003, and an even smaller chance that one or more clients will use port 40004. There is no chance that a client will use port 40005 because there are only four clients, and the algorithm starts at the first available port number that is listed in the STATISTICS_CLIENT_PORTS system environment variable.
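
The following sketch models the port selection described above, to help size the list of response ports you open. It is an added example, not IBM code. It assumes port re-use is enabled (reconnect-timeout 0), a fixed lock time within the 1–3 second range, and that a blocked client takes whichever port unlocks first; the function name and the arrival times are constructed.

```shell
#!/bin/sh
# Added example: a simplified model of response-port selection (not IBM code).

# assign_ports PORTS LOCK_MS ARRIVALS
#   PORTS    space-separated ports, in STATISTICS_CLIENT_PORTS order
#   LOCK_MS  how long a port stays locked while one client connects
#   ARRIVALS space-separated client arrival times in ms, ascending
# Prints "<port> <wait_ms>" for each client, in arrival order.
assign_ports() {
    ports=$1; lock=$2; locks=          # locks: "port:unlock_time" entries
    for t in $3; do
        best=; best_t=
        for p in $ports; do
            free=0                     # time at which port p unlocks
            for e in $locks; do
                if [ "${e%%:*}" = "$p" ]; then free=${e#*:}; fi
            done
            # First unlocked port in list order wins.
            if [ "$free" -le "$t" ]; then best=$p; best_t=$t; break; fi
            # Otherwise remember the port that unlocks soonest.
            if [ -z "$best" ] || [ "$free" -lt "$best_t" ]; then
                best=$p; best_t=$free
            fi
        done
        locks="$locks $best:$((best_t + lock))"
        echo "$best $((best_t - t))"
    done
}

# Constructed scenario: four clients arriving 0.5 s apart, 2 s lock time.
echo "five ports:"; assign_ports "40001 40002 40003 40004 40005" 2000 "0 500 1000 1500"
echo "one port:";   assign_ports "40001" 2000 "0 500 1000 1500"
```

With five ports no client waits and port 40005 is never selected; with a single port the later clients queue behind the lock.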

There are two recommended methods for configuring SPSS Statistics Server connections through a firewall.

Configure the firewall to allow processes

Using your firewall software, ensure that the following processes are allowed to accept network connections.

statisticsproc.exe
The statisticsproc.exe process opens, closes, and re-uses the response ports (or ports that are defined in STATISTICS_CLIENT_PORTS).
statisticssrvr.exe (Microsoft Windows) or statisticsd (UNIX or Linux)
The process is the main Windows service, or UNIX/Linux daemon, and manages the listening port.
Providing access to the processes effectively allows any port that the process will use.
Note: The following conditions apply when the reconnection timeout value is greater than 0 and statisticsproc.exe is allowed to accept network connections:
  • STATISTICS_CLIENT_PORTS is irrelevant, except for diagnostics. Any port can be used.
  • There is no limit to the number of connections unless ports are defined in STATISTICS_CLIENT_PORTS. The number of defined STATISTICS_CLIENT_PORTS ports effectively limits the ports that SPSS Statistics Server will use.

Configure the firewall by manually opening ports

To manually configure the server software and the firewall, follow these steps:

  1. Install the server software as usual. You need to know the IP address of the computer on which the server is installed and the port number that the server software uses for communications. For example, install the server on 202.123.456.78 at listening port 3028.
  2. Configure the system environment variable STATISTICS_CLIENT_PORTS by specifying at least one port number. The environment variable lists the ports that are used to continue client connections with the server (RESPONSE ports). If needed, you can specify a comma-delimited list and a range of ports (for example, 4001, 4002, 4003-4005).
    Important:
    • When setting the automatic reconnection timeout to a value greater than 0, STATISTICS_CLIENT_PORTS defines the maximum number of allowed concurrent client and server connections.
    • Do not list the LISTEN port (3028) in the STATISTICS_CLIENT_PORTS environment variable.
    Microsoft® Windows™
    Use the Windows System properties to create and configure the environment variable. See System Properties for instructions.
    UNIX
    Edit the server software’s environment script, statsenv.sh, which is included in the /bin subdirectory of the installation directory. Define the port that can be used by the client processes that the server starts. For example, add the following lines:

    STATISTICS_CLIENT_PORTS=4001

    export STATISTICS_CLIENT_PORTS

  3. When you use Network Address Translation (NAT), create and map IPs. Using your firewall software, create a masqueraded IP for external use and map it to the server’s internal IP. For example, create a masquerade IP 10.10.10.2 and map it to 202.123.456.78.
  4. Using your firewall software, enable port numbers on the firewall:
    • The server’s LISTEN port number. For example, enable port 3028.
    • The port numbers that you specified in the STATISTICS_CLIENT_PORTS environment variable. For example, enable port 4001.
  5. Distribute connection information to the users who connect to the server software from outside the firewall.
    • If used, the masqueraded IP of the computer on which the server software is installed (do not distribute the server’s internal IP). For example, distribute 10.10.10.2 as the server’s IP.
    • Distribute the server software’s port number as usual. For example, distribute 3028 as the server’s LISTEN port number.
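
Before opening ports in step 4, it helps to check the STATISTICS_CLIENT_PORTS value against the rules in step 2. The script below is an added example, not part of the IBM product: it expands the list, rejects a list that contains the LISTEN port, checks capacity when client-reconnect is enabled, and prints exactly the ports to allow. The function names and the client count are assumptions.

```shell
#!/bin/sh
# Added example: check a STATISTICS_CLIENT_PORTS value and list the ports to open.

# expand_ports SPEC: print each port in a comma-delimited list with ranges,
# e.g. "4001, 4002, 4003-4005", one per line, sorted and de-duplicated.
expand_ports() {
    spec=$(printf '%s' "$1" | tr -d ' \t')
    [ -n "$spec" ] || { echo "empty port list" >&2; return 1; }
    out=; old_ifs=$IFS; IFS=,
    set -f; set -- $spec; set +f
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            ''|*[!0-9-]*|-*|*-|*-*-*|0*|*-0*)
                echo "bad entry: '$item'" >&2; return 1 ;;
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ "${#lo}" -gt 5 ] || [ "${#hi}" -gt 5 ] ||
           [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "bad port or range: '$item'" >&2; return 1
        fi
        p=$lo
        while [ "$p" -le "$hi" ]; do
            out="$out$p
"
            p=$((p + 1))
        done
    done
    printf '%s' "$out" | sort -n -u
}

# firewall_ports SPEC LISTEN_PORT CLIENTS RECONNECT_TIMEOUT (hypothetical helper)
# Prints the LISTEN port, then the response ports. Returns 2 if the LISTEN port
# is in the list, 3 if client-reconnect is on (timeout > 0) and there are fewer
# response ports than expected concurrent clients (1:1 ratio).
firewall_ports() {
    ports=$(expand_ports "$1") || return 1
    if printf '%s\n' "$ports" | grep -qxF "$2"; then
        echo "LISTEN port $2 must not be in STATISTICS_CLIENT_PORTS" >&2; return 2
    fi
    count=$(printf '%s\n' "$ports" | wc -l | tr -d ' ')
    if [ "$4" -gt 0 ] && [ "$3" -gt "$count" ]; then
        echo "$count response port(s) < $3 concurrent clients" >&2; return 3
    fi
    printf '%s\n%s\n' "$2" "$ports"
}

# Constructed input: the page's example list and LISTEN port, 4 clients, default timeout.
firewall_ports "4001, 4002, 4003-4005" 3028 4 100
```

Feed the printed ports to your firewall tool as the complete allow-list for the server; anything not printed does not need to be open for manual port configuration.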