IBM Support

Electronic Service Agent (ESA) and Electronic Customer Support (ECS) VPN and HTTP Firewall Settings

Troubleshooting


Problem

This document provides information for properly setting the firewall to allow Virtual Private Network (VPN) and HTTP ESA (IBM Electronic Service Agent) and ECS connections.

Resolving The Problem

The following is a summary of the information available in the InfoCenter. To see the complete documentation, refer to the Information Center by release:

R540: http://www.ibm.com/support/knowledgecenter/ssw_i5_54/welcome.html
R610: http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_61/welcome.html
R710: http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/welcome.html
R720: http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzahg/ic-homepage.htm
R730: http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzahg/welcome.htm


IP Packet Filter Firewall

An IP packet filter firewall allows you to create a set of rules that accepts or discards traffic over a network connection. The filter does not modify the traffic; it only passes or drops each packet. Because a packet filter can discard only traffic that is sent to it, the device with the packet filter must perform IP routing or be the destination for the traffic.

A packet filter has a set of rules with accept or deny actions. When the packet filter receives a packet of information, the filter compares the packet to your preconfigured rule set. At the first match, the packet filter accepts or denies the packet of information. Most packet filters have an implicit deny all rule at the bottom of the rules file.

Packet filters usually permit or deny network traffic based on the following:

o Source and destination TCP/IP addresses
o Protocol (for example, TCP, UDP, or ICMP)
o Source and destination ports and ICMP types and codes
o Flags in the TCP header (for example, whether the packet is a connect request)
o Direction (inbound or outbound)
o Which physical interface the packet is traversing

All packet filters have a common problem: The trust is based on TCP/IP addresses. Although this security type is not sufficient for an entire network, this type of security is acceptable on a component level.

Most IP packet filters are stateless: they do not remember anything about the packets they previously processed. A stateful packet filter keeps some information about previous traffic, which makes it possible to configure that only replies to requests from the internal network are allowed in from the Internet. Stateless packet filters are vulnerable to spoofing because the source IP address and the ACK bit in the packet header can easily be forged by an attacker.

The operating system allows specifying packet filter rules on interfaces and remote access service profiles. See the following topics for more details: Create IP Filter Rules and Remote Access Services: PPP Connections. If using an external packet filter firewall or packet filter rules on the operating system and your Universal Connection data passes through these filters, the filter rules must be changed to allow the connection to the IBM Virtual Private Network (VPN) Gateway as follows:

VPN Settings (Not available for Electronic Service Agent processing starting at V7R2)


IP filter rule                    IP filter value
UDP inbound traffic filter rule   Allow port 4500 for VPN gateway IP addresses
UDP inbound traffic filter rule   Allow port 500 for VPN gateway IP addresses
UDP outbound traffic filter rule  Allow port 4500 for VPN gateway IP addresses
UDP outbound traffic filter rule  Allow port 500 for VPN gateway IP addresses
ESP inbound traffic filter rule   Allow ESP protocol (IP protocol X'32', decimal 50) for VPN gateway IP addresses
ESP outbound traffic filter rule  Allow ESP protocol (IP protocol X'32', decimal 50) for VPN gateway IP addresses


HTTP Settings

For those Universal Connection applications that use HTTP and HTTPS for transport, the filter rules must be changed to allow connections to the IBM service destinations as follows. Both ports 80 and 443 are required for this type of connection:

IP filter rule                    IP filter value
TCP inbound traffic filter rule   Allow port 80 for all service destination addresses
TCP inbound traffic filter rule   Allow port 443 for all service destination addresses
TCP outbound traffic filter rule  Allow port 80 for all service destination addresses
TCP outbound traffic filter rule  Allow port 443 for all service destination addresses


HTTP (port 80) is used for the 'bulk' transmissions such as PTF orders and the list of IBM IP addresses.
HTTPS (port 443, SSL) is used for data transmission such as ESA inventory, PM i data, and contact information.

Part of changing the filter rules involves specifying an actual IBM VPN Gateway address. The addresses and ports (HTTP, port 80 and HTTPS, port 443) can be determined by reviewing the service provider files on the IBM i, as described below in the topic Determine the IBM Service Destination Addresses.

Note: The DDP protocol is used to download the serviceProviderIBMLocationDefinition files and PTFs. DDP is similar to FTP with more capabilities, and must be allowed through the site network connection on ports 80 and 443.

Note: ESA uses its own internal certificate when it connects to the IBM back-end server, so anything a proxy or firewall inserts into that exchange (for example a substituted certificate) makes the connection fail.
A proxy or firewall that terminates the SSL/TLS connection and presents its own self-signed certificate is not supported.


V7R3 AND HIGHER:

Starting with V7R3, the new Edge server is used. Edge is a new ECC server environment (esupport.ibm.com) that provides a front-end proxy to the current ECC infrastructure.
Edge simplifies the IT for ECC consumer products by reducing the number of customer facing IBM servers, enabling IPv6 connectivity, and providing enhanced security. Customers will have fewer IBM addresses to open on their firewall. All Edge internet traffic will flow through the Edge proxy and then fan out to various internal IBM service providers.

To summarize, Edge provides the following advantages over the current infrastructure.

1. Fewer IPs for customers to configure for both ports 80/443

129.42.54.189
129.42.56.189
129.42.60.189

Edge replaces the IP addresses needed for Service Providers, Download Servers, Upload Servers and CCF, but not FTP.

Note: With PTF SI68172 on the system, only port 443 needs to be open; port 80 is no longer needed.

We recommend customers open 129.42.0.0/18 (the EI IPv4 address range) for the least amount of hassle going forward. This range includes the three IP addresses listed above (the minimum required) and prepares the system for future enhancements.


2. IPv6 connectivity for both ports 80/443. The Edge server allows IPv6 connections from the client. Not all legacy servers support IPv6 connections.

2620:0:6c4:200:129:42:54:189
2620:0:6c0:200:129:42:56:189
2620:0:6c2:200:129:42:60:189


3. Edge is the platform for security enhancements such as NIST 800-131a and NSA Suite B enablement.
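As an added example (not from IBM's documentation), the following script checks the Edge addresses listed above against the recommended 129.42.0.0/18 range and shows which of the legacy addresses from the listing later on this page that range would and would not cover. The port logic follows the SI68172 note (only 443 with the PTF, otherwise 80 and 443). The rule output is a neutral "direction permit proto address port" line of our own, not IBM i filter-rule syntax or any vendor's firewall syntax.

```python
"""Added example (not from IBM): check the Edge endpoints on this page against
the recommended 129.42.0.0/18 range and emit a generic allowlist.
Assumed: the rule text format is a neutral 'direction permit proto dst port'
line, not the syntax of IBM i filter rules or of any particular firewall."""
import ipaddress

EDGE_IPV4 = ["129.42.54.189", "129.42.56.189", "129.42.60.189"]
EDGE_IPV6 = ["2620:0:6c4:200:129:42:54:189",
             "2620:0:6c0:200:129:42:56:189",
             "2620:0:6c2:200:129:42:60:189"]
RECOMMENDED_V4 = ipaddress.ip_network("129.42.0.0/18")
# A few legacy (pre-Edge) addresses copied from the listing later on this page.
LEGACY_SAMPLE = ["129.42.160.51", "129.42.26.224", "207.25.252.197"]


def in_range(addr, net=RECOMMENDED_V4):
    """True if addr is inside net; an IPv6 address never matches an IPv4 range."""
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def required_ports(have_si68172):
    """PTF SI68172 makes port 80 unnecessary; without it both 80 and 443 are needed."""
    return (443,) if have_si68172 else (80, 443)


def split_by_range(addrs, net=RECOMMENDED_V4):
    """Partition addresses into those the range already permits and those
    that still need an explicit rule of their own."""
    covered = [a for a in addrs if in_range(a, net)]
    extra = [a for a in addrs if not in_range(a, net)]
    return covered, extra


def allowlist(addrs, have_si68172=False):
    """One rule per (direction, address, port). The inbound rules are the
    replies, mirroring the inbound/outbound pairs in the tables above."""
    rules = []
    for a in addrs:
        ip = ipaddress.ip_address(a)          # validates and normalises the text
        for port in required_ports(have_si68172):
            for direction in ("outbound", "inbound"):
                rules.append((direction, "tcp", str(ip), port))
    return rules


def render(rule):
    direction, proto, dst, port = rule
    return f"{direction:8s} permit {proto} {dst} port {port}"


if __name__ == "__main__":
    covered, extra = split_by_range(EDGE_IPV4 + LEGACY_SAMPLE)
    print("inside 129.42.0.0/18 :", covered)
    print("need explicit rules  :", extra)
    for r in allowlist(EDGE_IPV4 + EDGE_IPV6, have_si68172=True):
        print(render(r))
```

Running it shows that the /18 covers the three Edge addresses and the legacy 129.42.26.224-style Problem_Report addresses, but not 129.42.160.x or the 207.25.252.x addresses; if Edge is disabled (see below), those still need their own rules.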



The Edge server is enabled by default. It can be disabled by changing the configuration in
WRKLNK '/QIBM/UserData/OS400/UniversalConnection/eccConnect.properties'
from PREFER_EDGE=ALL to PREFER_EDGE=NO
and
from DEFAULT_DATAURI_TYPE=INDIRECT to DEFAULT_DATAURI_TYPE=DIRECT

Disabling Edge requires all of the legacy IP addresses to be allowed for ports 80/443, as in previous releases, not just the Edge IPs above.


Configure V7R2 to use EDGE:
By default, V7R2 uses the legacy servers for ECS/ESA (the long IP address list at the bottom of this document).
By modifying a configuration file, it is possible to use the new EDGE server. Be aware that firewall rule changes might be required. See the V7R3 AND HIGHER section of this document for details.
1- PTFs SI64358 and SI69059 MUST be on the system before anything is changed. Otherwise, it will not work.
2- EDTF STMF('/qibm/proddata/os400/universalconnection/eccConnect.properties')
Include the following lines. Some are edits of existing lines, others may be new lines:
_IBM.SP_UPDATE_INIT = NO
_IBM.SP_LOCATION_URL = https://esupport.ibm.com/eccedge/gateway/services/projects/ecc/serviceProviderIBMV2.gzip
PREFER_EDGE = ALL
DEFAULT_DATAURI_TYPE = INDIRECT
Alternatively, use the eccConnect.properties file attached below and replace the one on your system.
Rename the existing file before replacing it.
3- Once the file is replaced, the service configuration must be recreated. Follow the steps from the following document
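The edit in step 2 has to cope with keys that already exist in some spelling (PREFER_EDGE=NO, or with spaces around the separator) and keys that are missing entirely, and the page says to keep the original file. The following script is an added example, not IBM's code: it applies the four Edge settings above (or the legacy PREFER_EDGE=NO / DEFAULT_DATAURI_TYPE=DIRECT pair from the V7R3 section) to a Java-style properties file, keeps a backup copy first, rewrites existing keys in place and appends missing ones. The file path is whatever the release uses; the backup suffix and the key=value regex are our own assumptions.

```python
"""Added example (not IBM's code): apply the Edge settings to eccConnect.properties.
Backs the file up, rewrites keys that exist (in whatever spacing they use),
appends keys that are missing, and leaves every other line untouched."""
import re
import shutil
from pathlib import Path

EDGE_SETTINGS = {
    "_IBM.SP_UPDATE_INIT": "NO",
    "_IBM.SP_LOCATION_URL": "https://esupport.ibm.com/eccedge/gateway/services/projects/ecc/serviceProviderIBMV2.gzip",
    "PREFER_EDGE": "ALL",
    "DEFAULT_DATAURI_TYPE": "INDIRECT",
}
# The V7R3 "disable Edge" values from this page, to revert to legacy servers.
LEGACY_SETTINGS = {"PREFER_EDGE": "NO", "DEFAULT_DATAURI_TYPE": "DIRECT"}

# key = value or key: value; comment lines (# or !) never match. Assumed grammar.
_KV = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal reader: last occurrence of a key wins, as in Java properties."""
    props = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def apply_settings(text, settings):
    """Return the file text with every key in `settings` set to its value."""
    seen, out = set(), []
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) in settings:
            key = m.group(1)
            out.append(f"{key} = {settings[key]}")   # edit of an existing line
            seen.add(key)
        else:
            out.append(line)                           # comments, other keys
    for key, val in settings.items():
        if key not in seen:
            out.append(f"{key} = {val}")               # new line
    return "\n".join(out) + "\n"


def update_file(path, settings, backup_suffix=".bak"):
    """Copy the original aside (the page says to keep it), then rewrite it."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + backup_suffix))
    p.write_text(apply_settings(p.read_text(), settings))
    return parse_properties(p.read_text())


if __name__ == "__main__":
    # Path assumed from the V7R2 step above; adjust for the release in use.
    print(update_file("/qibm/proddata/os400/universalconnection/eccConnect.properties",
                      EDGE_SETTINGS))
```

Applying the same settings twice is a no-op, so the script is safe to re-run after a PTF that ships a fresh copy of the file.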


Determine the IBM Service Destination Addresses

To find the exact IBM Service Destination addresses that might be used for HTTP and HTTPS traffic, the service provider location definition files can be browsed.

The files available for this on the system are located at: WRKLNK '/qibm/userdata/os400/universalconnection'

Notes:

1. For each option, type WRKLNK, followed by the full path. This will go directly to the noted file.
2. If using WRKLNK, taking Option 5 through the path and using F22 on the file will show the full name.

Option 1: '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt'
Note: This file is written in a more readable format than the file noted in Option 2.

This option is only available if PTF SI34505 (V5R4) or SI34552 (V6R1) is installed. These PTFs are listed as required, so all systems should have this option.

    Example:



      ************Beginning of data**************      
      Configuration Date: 2016-06-21T11:41:11           
                                                         
      IP Address       TCP Port   Destination            
      ----------       --------   -----------            
      198.74.67.240    19285      URSF_1                
      198.74.71.240    19285      URSF_2                
      ...


      Note: In the list, there are three tables. The first table is a 1-to-1 mapping between the Service Destination and the IP address and port used to reach that destination. This list may include duplicate IP address information. The second table eliminates duplicates and provides the IP addresses and ports. The third table is the VPN information. All IP addresses in the tables noting Unique IPs can be used by ECS/ESA.

      serviceProviderIBMLocationDefinition.txt

      Note that this file continues for several pages and includes the following lists:

      First list in file:
      IP Address TCP Port Destination
      ---------- -------- -----------
      Second list in file:
      Unique IPs TCP Port
      ---------- --------
      Third list in file:
      Unique VPN Gateways UDP Port
      ------------------- --------

      A complete listing of this file is located at the end of this document. In addition, a document is available for ports 80 & 443 sorted by IP address.

      Note: When using this option, all IP addresses must be allowed in the site firewall rules, omitting any may cause connection attempts to fail.


    Option 2: '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.xml'

    When using this option, test the connection using the following commands to populate the IP addresses used for each application:
    SNDPTFORD SF98xxx
    where xxx is the version and release of the system (for example, SF98540).
    SNDSRVRQS *TEST
    Go Service, Option 15 (error log ID 00000000)
    Go Service, Option 2
    Note: To check for errors when using the Go Service options, review the audit log in Go Service, Option 14; type B in the Position to line field to go to the bottom.

      Example:



        ************Beginning of data**************
        <?xml version="1.0" encoding="UTF-8"?><Service-Provider-Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNa
        <Service-Provider>IBM</Service-Provider>
        <Update-Interval>30</Update-Interval>
        <VPN-Supported>true</VPN-Supported>
        <Dialup-Supported>true</Dialup-Supported>
        <HTTP-Supported>true</HTTP-Supported>
        <HTTPS-Supported>true</HTTPS-Supported>
        <FTP-Supported>false</FTP-Supported>
        <Service-Provider-Connection-Information>
        <Configuration-Date>2009-01-26T11:35:42</Configuration-Date>
        <Service-Provider-Connection-Information-Entry>
        <Country-Region>AD</Country-Region>
        <Service-Destination>URSF_1</Service-Destination>
        <VPN-Gateway>129.42.160.16</VPN-Gateway>
        <IP-Address>198.74.71.241</IP-Address>
        <Port>19285</Port>
        <Supported-Transports>TCP</Supported-Transports>
        <VPN-Required>true</VPN-Required>
        </Service-Provider-Connection-Information-Entry>
        <Service-Provider-Connection-Information-Entry>
        <Country-Region>AD</Country-Region>
        <Service-Destination>URSF_2</Service-Destination>
        <VPN-Gateway>207.25.252.196</VPN-Gateway>
        <IP-Address>198.74.67.241</IP-Address>
        <Port>19285</Port>
        <Supported-Transports>TCP</Supported-Transports>
        <VPN-Required>true</VPN-Required>
        </Service-Provider-Connection-Information-Entry>
        <Service-Provider-Connection-Information-Entry>
        <Country-Region>AE</Country-Region>
        ...

        serviceProviderIBMLocationDefinition.xml


        The <IP-Address> and <Port> elements define the address information that might be needed for filter rule or SOCKS configuration.


      Note: The address settings are at the bottom of the file, after many blank pages. Type B (bottom) on the control line, then work your way up. Write down the addresses for port 443 and port 80.

      If the above file is not found, a master file can be viewed, or Option 2 can be used in most cases.



        If the above file is not found, the master file (containing addresses for all worldwide locations) can be found at one of the following:

        '/qibm/userdata/os400/universalconnection/serviceProviderIBM.xml'
        '/qibm/proddata/os400/universalconnection/serviceProviderIBM.xml'

        Any of these files can be browsed with the DSPF CL command.

        Example

        DSPF STMF('/qibm/userdata/os400/universalconnection/') (type 5 to display)

        Opt Name Size Owner
        <ionManagerRoute.dat 8K QSECOFR
        <ationDefinition.bak 32K QSYS
        phone4.csv 384K QSYS
        5 <ationDefinition.xml 32K QSYS
         


      In the files above, one or more of the TCP/IP addresses are used for ECS and ESA. The TCP/IP addresses listed below can be used; however, it is strongly recommended that one of the files above is reviewed on the system for the appropriate TCP/IP addresses, because the lists below may not be complete.

      The following is a complete listing of the file '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt' (Option 1 above, as shown by WRKLNK). The IP addresses in it can be used for ECS and ESA functions.

      *Only configure the port 80 and 443 IP addresses from this list. Do not include any 198.x.x.x IP addresses in the network configuration.

      Configuration Date: 2016-06-21

      IP Address       TCP Port   Destination
      ----------       --------   -----------
      198.74.67.240    19285      URSF_1
      198.74.71.240    19285      URSF_2
      170.225.15.41    443        Bulk_Data_1
      192.109.81.20    443        Bulk_Data_2
      170.225.15.31    21         FTP_Bulk_Data_1
      129.42.160.48    80         Doc_Update_1
      207.25.252.200   80         Doc_Update_2
      170.225.15.107   80         Fix_Repository_1
      129.35.224.107   80         Fix_Repository_2
      170.225.15.104   80         Fix_Repository_3
      129.35.224.104   80         Fix_Repository_4
      129.35.224.115   80         Fix_Repository_5
      170.225.15.115   80         Fix_Repository_6
      129.35.224.105   80         Fix_Repository_7
      170.225.15.105   80         Fix_Repository_8
      170.225.15.76    80         Fix_Repository_9
      129.35.224.114   80         Fix_Repository_10
      170.225.15.103   80         Fix_Repository_11
      129.35.224.103   80         Fix_Repository_12
      129.35.224.113   80         Fix_Repository_13
      170.225.15.113   80         Fix_Repository_14
      170.225.15.124   80         Fix_Repository_15
      129.35.224.124   80         Fix_Repository_16
      170.225.15.108   80         Fix_Repository_17
      129.35.224.108   80         Fix_Repository_18
      129.35.224.109   80         Fix_Repository_19
      170.225.15.109   80         Fix_Repository_20
      129.35.224.110   80         Fix_Repository_21
      170.225.15.110   80         Fix_Repository_22
      207.25.252.197   443        Gateway_1
      129.42.160.51    443        Gateway_2
      207.25.252.197   443        Inventory_Report_1
      129.42.160.51    443        Inventory_Report_2
      129.42.26.224    443        Problem_Report_1
      129.42.50.224    443        Problem_Report_2
      129.42.42.224    443        Problem_Report_3
      129.42.26.224    443        Problem_Report_4
      129.42.50.224    443        Problem_Report_5
      207.25.252.197   443        Profile_1
      129.42.160.51    443        Profile_2
      198.74.71.235    11111      Remote_Support_1
      198.74.67.235    11111      Remote_Support_2
      129.42.160.48    443        SAS_1
      207.25.252.200   443        SAS_2
      207.25.252.200   443        SDR_1
      129.42.160.48    443        SDR_2
      129.42.160.48    443        SDR_3
      207.25.252.200   443        SDR_4
      207.25.252.197   443        Service_Provider_1
      129.42.160.51    443        Service_Provider_2
      204.146.30.17    443        SP_Config_1
      170.225.15.41    443        SP_Config_2
      204.146.30.17    80         SP_Config_3
      204.146.30.17    443        SRM_1
      207.25.252.197   443        Status_Report_1
      129.42.160.51    443        Status_Report_2
      207.25.252.197   443        Update_Order_1
      129.42.160.51    443        Update_Order_2

      Unique IPs       TCP Port
      ----------       --------
      198.74.67.240    19285
      198.74.71.240    19285
      170.225.15.41    443
      192.109.81.20    443
      170.225.15.31    21
      129.42.160.48    80  443
      207.25.252.200   80  443
      170.225.15.107   80
      129.35.224.107   80
      170.225.15.104   80
      129.35.224.104   80
      129.35.224.115   80
      170.225.15.115   80
      129.35.224.105   80
      170.225.15.105   80
      170.225.15.76    80
      129.35.224.114   80
      170.225.15.103   80
      129.35.224.103   80
      129.35.224.113   80
      170.225.15.113   80
      170.225.15.124   80
      129.35.224.124   80
      170.225.15.108   80
      129.35.224.108   80
      129.35.224.109   80
      170.225.15.109   80
      129.35.224.110   80
      170.225.15.110   80
      207.25.252.197   443
      129.42.160.51    443
      129.42.26.224    443
      129.42.50.224    443
      129.42.42.224    443
      198.74.71.235    11111
      198.74.67.235    11111
      204.146.30.17    443  80

      Unique VPN Gateways  Protocols  UDP Port
      -------------------  ---------  --------
      207.25.252.196       ESP, UDP   500  4500
      129.42.160.16        ESP, UDP   500  4500

         

      Attached document contains a List of IP addresses used by ECS/ESA for ports 80 and 443, sorted by IP address.
      Note: When using this option, all IP addresses must be allowed in the site firewall rules, omitting any may cause connection attempts to fail.                    

      ECS IP Addresses for port 80 443.doc
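Reading the three tables above by hand and transcribing them into firewall rules is where addresses get missed (and the note above warns that omitting any causes connection failures). The following is an added example, not IBM's code: a parser for the serviceProviderIBMLocationDefinition.txt layout shown above that recomputes the unique IP/port set from the first table, keeps only the port 80/443 endpoints, drops the 198.x.x.x entries as the note above instructs, and emits an inbound/outbound rule pair for each endpoint (plus the UDP 500/4500 and ESP rules for the VPN gateways, for releases that still use VPN). SAMPLE is a constructed excerpt of the listing above; the output line format is our own neutral form, not any firewall's syntax.

```python
"""Added example (not IBM's code): parse the serviceProviderIBMLocationDefinition.txt
layout shown on this page, recompute the unique IP/port set, drop what the page says
not to configure (198.x.x.x, anything other than 80/443) and emit rules for both
directions. SAMPLE is a constructed excerpt of the listing; the rule text is a
neutral format of our own, not a real firewall's syntax."""
from collections import defaultdict

SAMPLE = """\
Configuration Date: 2016-06-21T11:41:11

IP Address       TCP Port   Destination
----------       --------   -----------
198.74.67.240    19285      URSF_1
198.74.71.240    19285      URSF_2
170.225.15.41    443        Bulk_Data_1
170.225.15.31    21         FTP_Bulk_Data_1
129.42.160.48    80         Doc_Update_1
207.25.252.197   443        Gateway_1
129.42.160.48    443        SAS_1
204.146.30.17    443        SP_Config_1
204.146.30.17    80         SP_Config_3
198.74.71.235    11111      Remote_Support_1

Unique IPs       TCP Port
----------       --------
198.74.67.240    19285
129.42.160.48    80  443

Unique VPN Gateways  Protocols  UDP Port
-------------------  ---------  --------
207.25.252.196       ESP, UDP   500  4500
129.42.160.16        ESP, UDP   500  4500
"""


def parse_location_definition(text):
    """Return ([(ip, tcp_port, destination)], {vpn_gateway: {udp ports}})."""
    destinations, vpn_gateways, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Configuration Date"):
            continue
        if line.startswith("IP Address"):
            section = "dest"
        elif line.startswith("Unique IPs"):
            section = "unique"        # derived table; recomputed below instead
        elif line.startswith("Unique VPN Gateways"):
            section = "vpn"
        elif section == "dest":
            ip, port, name = line.split()
            destinations.append((ip, int(port), name))
        elif section == "vpn":
            parts = line.split()      # e.g. 207.25.252.196 ESP, UDP 500 4500
            vpn_gateways[parts[0]] = {int(p) for p in parts[1:] if p.isdigit()}
    return destinations, vpn_gateways


def unique_endpoints(destinations):
    """Equivalent of the file's second table: ip -> set of TCP ports."""
    ports = defaultdict(set)
    for ip, port, _ in destinations:
        ports[ip].add(port)
    return dict(ports)


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def http_allowlist(destinations, excluded_prefix="198."):
    """Only the 80/443 endpoints; 198.x.x.x entries are VPN-only destinations
    and must not be put into the HTTP rules (note above the listing)."""
    allow = {(ip, port) for ip, port, _ in destinations
             if port in (80, 443) and not ip.startswith(excluded_prefix)}
    return sorted(allow, key=lambda t: (_ip_key(t[0]), t[1]))


def filter_rules(allow, vpn_gateways=None, include_vpn=False):
    """Inbound and outbound rule per endpoint, mirroring the HTTP Settings
    table; UDP 500/4500 plus ESP per gateway only when VPN is still in use."""
    rules = []
    for ip, port in allow:
        for direction in ("outbound", "inbound"):
            rules.append(f"{direction:8s} permit tcp {ip} port {port}")
    if include_vpn and vpn_gateways:
        for gw in sorted(vpn_gateways, key=_ip_key):
            for direction in ("outbound", "inbound"):
                for port in sorted(vpn_gateways[gw]):
                    rules.append(f"{direction:8s} permit udp {gw} port {port}")
                rules.append(f"{direction:8s} permit esp {gw}")
    return rules


if __name__ == "__main__":
    dests, gws = parse_location_definition(SAMPLE)
    print("\n".join(filter_rules(http_allowlist(dests), gws, include_vpn=True)))
```

Point the parser at the real file (copied off the IBM i with a plain binary transfer) and diff its output against the current rule set after each serviceProvider update; the Configuration Date line tells you which version of the list you generated from.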

      For information about VPN security, refer to the InfoCenter by release:

      R540: http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzatj/vpncon.htm
      R610: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp
      R710: http://publib.boulder.ibm.com/infocenter/iseries/v7r1m0/index.jsp

      Electronic Service Agent (ESA) security information:
      http://www-01.ibm.com/support/esa/security.htm


      For additional information, refer to the following document:

      New, VPN Remote Support Security:


      Note: If a remote or multi-hop connection is being used (RMTSYS parameter on CRTSRVCFG), UDP port 1701 must be open between the source and remote servers. If an HTTP proxy is being used, the default port for *IBMSVR is 5026.


      Quick Test for the HTTP/HTTPS Connection:

      For this test, open two IBM i sessions, noted below as Session A and Session B:

      On Session A:
      1. Issue NETSTAT, Option 3 (Work with TCP/IP connection status).
      2. Press F15 and in the Remote port range, enter the following:
      Remote port range:
      Lower value . . . . . . . . 80
      Upper value . . . . . . . . 443

      On Session B:
      1. Issue SNDPTFORD SF98xxx
      where xxx is the version and release of the operating system (for example, SF98540).

      2. While the PTF order is running on Session B, watch the IP address traffic on Session A. On a successful connection, the state should be Established. If several IP addresses appear and then disappear showing only SYN_SENT, the site network is blocking the connection: the SYN is sent but no SYN-ACK ever comes back.
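The same check can be scripted from any host on the same network segment, which is useful when the IBM i session is not at hand or when a proxy is suspected of breaking the connection (see the certificate note in the HTTP Settings section). The following diagnostic is an added example, not IBM's code: it classifies a TCP connect to each Edge address on port 443 the way NETSTAT would show it (Established, or SYN_SENT with no reply, which it reports as blocked), and then performs a verified TLS handshake to esupport.ibm.com and reports the issuer of the certificate actually presented. A verification failure on that handshake is the typical sign of a proxy substituting its own certificate. The five-second timeout and the status names are our own choices; the addresses and host name are the ones on this page.

```python
"""Added diagnostic (not IBM's code): a scripted form of the NETSTAT /
SNDPTFORD check on this page plus a verified TLS handshake to see which
certificate the far end really presents (an intercepting proxy fails it).
Assumed: the timeouts and the status names; targets are from this page."""
import socket
import ssl

EDGE_TARGETS = [("129.42.54.189", 443), ("129.42.56.189", 443), ("129.42.60.189", 443)]
EDGE_HOST = "esupport.ibm.com"


def classify(exc):
    """Map a connect() failure to what NETSTAT would have shown."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "blocked"      # SYN sent, no SYN-ACK: a filter dropped it (SYN_SENT)
    if isinstance(exc, ConnectionRefusedError):
        return "refused"      # RST came back: host reachable, port closed
    return "unreachable"      # routing or ICMP error, name resolution, etc.


def probe(host, port, timeout=5.0):
    """'established' when the three-way handshake completes, else a classify() value."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "established"
    except OSError as exc:
        return classify(exc)


def issuer_cn(cert):
    """commonName of the issuer from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def tls_check(host, port=443, timeout=5.0):
    """Verified handshake with the platform trust store. Returns (status, detail).
    'untrusted-cert' is what a TLS-terminating proxy with its own CA produces."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "verified", issuer_cn(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-cert", str(exc)
    except ssl.SSLError as exc:
        return "tls-error", str(exc)
    except OSError as exc:
        return classify(exc), ""


if __name__ == "__main__":
    for host, port in EDGE_TARGETS:
        print(f"{host}:{port} -> {probe(host, port)}")
    print(f"{EDGE_HOST}:443 TLS -> {tls_check(EDGE_HOST)}")
```

A result of blocked on all three addresses with a quick refused or established elsewhere points at the site firewall; verified TLS with an issuer that is not IBM's public CA chain, or untrusted-cert, points at the proxy, which the page says is not supported for ESA.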

      At R710, the Verify Service Configuration command has been enhanced to do additional connection tests:
      Verify Service Configuration Enhancements

      Internal Use Only

      OS/400 BASE (5722SS100)


      Historical Number

      419109186

      Document Information

      Modified date:
      30 September 2019

      UID

      nas8N1018980