IBM Support

Electronic Service Agent (ESA) and Electronic Customer Support (ECS) VPN and HTTP Firewall Settings



This document provides information for properly setting the Firewall to allow Electronic Service Agent (ESA) and Electronic Customer Support (ECS) connections.


The following is a summary of the information available in the IBM Knowledge Center. For the complete documentation, refer to the IBM Knowledge Center for your release.

IP Packet Filter Firewall

An IP packet filter firewall allows you to create a set of rules that discards or accepts traffic over a network connection. The firewall itself does not modify this traffic in any way. Because a packet filter can discard only traffic that is sent to it, the device with the packet filter must perform IP routing or be the destination for the traffic.

A packet filter has a set of rules with accept or deny actions. When the packet filter receives a packet, it compares the packet to your preconfigured rule set. At the first match, the packet filter accepts or denies the packet. Most packet filters have an implicit deny-all rule at the bottom of the rules file.

Packet filters usually permit or deny network traffic based on the following:

o Source and destination TCP/IP addresses
o Protocol (for example, TCP, UDP, or ICMP)
o Source and destination ports and ICMP types and codes
o Flags in the TCP header (for example, whether the packet is a connect request)
o Direction (inbound or outbound)
o Which physical interface the packet is traversing

All packet filters have a common problem: trust is based on TCP/IP addresses. Although this type of security is not sufficient for an entire network, it is acceptable at the component level.

Most IP packet filters are stateless, in that they do not remember anything about the packets they previously processed. A stateful packet filter can keep some information about previous traffic, which makes it possible to configure that only replies to requests from the internal network are allowed in from the Internet. Stateless packet filters are vulnerable to spoofing because the source IP address and the ACK bit in the packet header can be easily forged by attackers.

HTTP Settings

For those Universal Connection applications that use HTTP and HTTPS as a transport, the filter rules must be changed to allow connections to the IBM service destinations as follows. Both ports 80 and 443 are required for this type of connection:

IP filter rules                    IP filter values
---------------                    ----------------
TCP inbound traffic filter rule    Allow port 80 for all service destination addresses
TCP inbound traffic filter rule    Allow port 443 for all service destination addresses
TCP outbound traffic filter rule   Allow port 80 for all service destination addresses
TCP outbound traffic filter rule   Allow port 443 for all service destination addresses

HTTP (port 80) is used for 'bulk' transmissions such as PTF orders and the list of IBM IP addresses.
HTTPS (port 443, SSL) is used for data transmissions such as ESA inventory, PM i data, and contact information.

The DDP protocol is used to download the serviceProviderIBMLocationDefinition files and PTFs. DDP is similar to FTP with more capabilities, and it must be allowed through the site network connection on ports 80 and 443.

Resolving The Problem

Select your Operating System version

ESA has its own internal certificate to exchange with the IBM backend server, so any 'addition' by a proxy or firewall during the communication will make it fail. An environment with a proxy or firewall that terminates the SSL connection and returns its own self-signed certificate is not supported.

Starting with V7R3, the new EDGE server is used. EDGE is a new ECC server environment that provides a front-end proxy to the current ECC infrastructure.
Edge simplifies the IT for ECC consumer products by reducing the number of customer-facing IBM servers, enabling IPv6 connectivity, and providing enhanced security. Customers have fewer IBM addresses to open on their firewall. All Edge Internet traffic flows through the Edge proxy and then fans out to the various internal IBM service providers.

To summarize, Edge provides the following advantages over the current infrastructure:

  1. Fewer IP addresses for customers to configure for both ports 80/443.

    Edge replaces the IP addresses needed for Service Providers, Download Servers, Upload Servers and CCF, but not FTP.

    Note: With PTF SI68172 on the system, ONLY port 443 needs to be open. Port 80 is no longer needed.

    We recommend customers open (EI IPv4 address range) for the least amount of hassle going forward. This range includes the 3 IP addresses listed above (the minimum required) and prepares the system for future enhancements.

  2. IPv6 connectivity for both ports 80/443. The Edge server allows IPv6 connections from the client. Not all legacy servers support IPv6 connections.

  3. Edge is the platform for security enhancements such as NIST 800-131a and NSA Suite B enablement.

The EDGE server is enabled by default. It can be disabled by changing the configuration in
WRKLNK '/QIBM/UserData/OS400/UniversalConnection/'

Disabling it requires all LEGACY IP addresses to be allowed for ports 80/443, as in previous releases, not just the EDGE IP addresses. Review the LEGACY Server IP addresses tab.

NOTE: While V7R3 can use the LEGACY IP addresses, the default EDGE IP addresses give better communication performance. So whenever possible, use the EDGE server.

By default, V7R2 uses the LEGACY servers to connect for ECS/ESA. The addresses are listed in the LEGACY Server IP addresses tab.
    By modifying a configuration file, it is possible to use the new EDGE server instead. Be aware that firewall rule changes are required. See the V7R3 AND HIGHER section for more information and details.
    To enable it, follow these steps:
    1. PTFs SI64358 and SI69059 MUST be on the system before changing anything. Otherwise, it will not work.
    2. EDTF STMF('/qibm/proddata/os400/universalconnection/')
      Include the following lines. Some are edits of existing lines, others may be new lines:
      _IBM.SP_UPDATE_INIT = NO
      Alternatively, use the file from below and replace the one on your system.
      Be sure to rename the existing file before replacing it.
    3. Once the file is replaced, the service configuration must be re-created. Follow the steps in the Configuration Instructions for Electronic Customer Support (ECS), Electronic Service Agent (ESA) and PM Agent for V5R4 and Higher releases document.

    The EDGE server is not supported for these releases; the LEGACY servers must be used.
    Review the information in the LEGACY Server IP addresses tab.

    To find the exact IBM service destination addresses that might be used for HTTP and HTTPS traffic, browse the service provider location definition files.

    The files available for this on the system are located in '/qibm/userdata/os400/universalconnection'.

    1. For each option, type WRKLNK followed by the full path. This goes directly to the noted file.
    2. If using WRKLNK, taking Option 5 through the path and pressing F22 on the file shows its full name.

    Option 1: '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt'

    Note: This file is written in a more readable format than the file noted in Option 2.

    A complete listing of this file is available below. In addition, a document is available for ports 80 & 443 sorted by IP address.
    When using this option, all IP addresses must be allowed in the site firewall rules; omitting any may cause connection attempts to fail. Review the LEGACY Server IP addresses tab.

    Option 2: '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.xml'

    If the above file is not found, the main file (containing the addresses for all worldwide locations) can be found at one of the following:


    Any of these files can be browsed with the DSPF CL command.

    DSPF STMF('/qibm/userdata/os400/universalconnection/')
    Type 5 to display.

    From the '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt' file described above in Option 1, the following IP addresses can be used for ECS and ESA functions.

    *Only configure the port 80 & 443 IP addresses from this list. Do not include any 198.x.x.x IP addresses in the network configuration.


    IP Address   TCP Port   Destination
    ----------   --------   -----------
                 19285      URSF_1
                 19285      URSF_2
                 443        Bulk_Data_1
                 443        Bulk_Data_2
                 21         FTP_Bulk_Data_1
                 80         Doc_Update_1
                 80         Doc_Update_2
                 80         Fix_Repository_1
                 80         Fix_Repository_2
                 80         Fix_Repository_3
                 80         Fix_Repository_4
                 80         Fix_Repository_5
                 80         Fix_Repository_6
                 80         Fix_Repository_7
                 80         Fix_Repository_8
                 80         Fix_Repository_9
                 80         Fix_Repository_10
                 80         Fix_Repository_11
                 80         Fix_Repository_12
                 80         Fix_Repository_13
                 80         Fix_Repository_14
                 80         Fix_Repository_15
                 80         Fix_Repository_16
                 80         Fix_Repository_17
                 80         Fix_Repository_18
                 80         Fix_Repository_19
                 80         Fix_Repository_20
                 80         Fix_Repository_21
                 80         Fix_Repository_22
                 443        Gateway_1
                 443        Gateway_2
                 443        Inventory_Report_1
                 443        Inventory_Report_2
                 443        Problem_Report_1
                 443        Problem_Report_2
                 443        Problem_Report_3
                 443        Problem_Report_4
                 443        Problem_Report_5
                 443        Profile_1
                 443        Profile_2
                 11111      Remote_Support_1
                 11111      Remote_Support_2
                 443        SAS_1
                 443        SAS_2
                 443        SDR_1
                 443        SDR_2
                 443        SDR_3
                 443        SDR_4
                 443        Service_Provider_1
                 443        Service_Provider_2
                 443        SP_Config_1
                 443        SP_Config_2
                 80         SP_Config_3
                 443        SRM_1
                 443        Status_Report_1
                 443        Status_Report_2
                 443        Update_Order_1
                 443        Update_Order_2

    Unique IPs   TCP Port
    ----------   --------
                 19285 19285 443 443 21 80 443 80 443 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 443 443 443 443 443 11111 11111 443 80

    Unique VPN Gateways   Protocols   UDP Port
    -------------------   ---------   --------
                          ESP, UDP    500, 4500
                          ESP, UDP    500, 4500


    The attached document contains a list of the IP addresses used by ECS/ESA for ports 80 and 443, sorted by IP address.
    Note: When using this option, all IP addresses must be allowed in the site firewall rules; omitting any may cause connection attempts to fail.

    ECS IP Addresses for port 80 443.doc
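    As an added example (not IBM's code, and not the real location definition format), the script below parses a constructed listing in the IP Address / TCP Port / Destination layout shown above, keeps only the port 80 and 443 entries outside 198.x.x.x as the note requires, and then evaluates a constructed site rule set with the first-match and implicit-deny semantics described in the IP Packet Filter Firewall section to find which required destinations the site firewall would still block. The addresses, rule set and destination rows are documentation-range values constructed for the example, not IBM service destinations.

```python
# Added example (not IBM code): derive the 80/443 allow list and check a first-match filter.
import ipaddress

# Constructed sample in the IP Address / TCP Port / Destination layout used above.
# Documentation-range addresses stand in for IBM destinations; the 198.51.100.9
# row exercises the "do not include any 198.x.x.x IP addresses" exclusion.
SAMPLE_LISTING = """\
IP Address      TCP Port  Destination
----------      --------  -----------
192.0.2.10      443       Gateway_1
192.0.2.11      443       Gateway_2
192.0.2.20      80        Fix_Repository_1
192.0.2.20      443       Problem_Report_1
198.51.100.9    443       SDR_1
203.0.113.5     21        FTP_Bulk_Data_1
203.0.113.6     11111     Remote_Support_1
"""

# Constructed site rule set: ordered (action, network, port); port None = any.
SITE_RULES = [
    ("deny", "192.0.2.11/32", None),  # stale block entry shadows Gateway_2
    ("allow", "192.0.2.0/24", 443),   # port 80 rule was never added
]

def parse_listing(text):
    """Return (ip, port, destination) tuples, skipping header and rule lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows

def required_endpoints(rows):
    """Unique (ip, port) pairs to allow: ports 80/443 only, no 198.x.x.x."""
    excluded = ipaddress.ip_network("198.0.0.0/8")
    return {(ip, port) for ip, port, _ in rows
            if port in (80, 443) and ipaddress.ip_address(ip) not in excluded}

def first_match(rules, ip, port):
    """Packet-filter semantics: first matching rule decides; implicit deny last."""
    addr = ipaddress.ip_address(ip)
    for action, net, rule_port in rules:
        if addr in ipaddress.ip_network(net) and rule_port in (None, port):
            return action
    return "deny"

def blocked_endpoints(rules, endpoints):
    """Required endpoints the rule set still drops; any one can fail a connection."""
    return {ep for ep in endpoints if first_match(rules, *ep) != "allow"}
```

    With the sample data, Gateway_2 is dropped by the earlier deny rule even though the later allow rule would match it, and Fix_Repository_1 falls through to the implicit deny because no port 80 rule exists; both are the "omitting any" failures the note warns about.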

    Test the connection using the following commands, which populate the IP addresses used for each application:

    • SNDPTFORD SF98xxx
      Where xxx is the version and release of the system (for example: SF98720, SF98730, SF98740).
    • GO SERVICE Option 2
      Note: To check for errors when using the GO SERVICE options, review the audit log in GO SERVICE, Option 14; type B in the position-to-line field.
    • To test connectivity to the IBM backend servers, use the commands below. Let each one complete; it may take a while.
      VFYSRVCFG SERVICE(*ECS) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*FIXREP) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*PRBRPT) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*SPCFG) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*SRVAGT) VFYOPT(*ALL)
      The VFYSRVCFG commands log to the joblog the IP address, protocol and port used, along with success or failure information:
      CPIAC59: Verification was successful.
      CPIAC60: Verification was not successful.
      CPIAC61: The value does not match an existing service destination.

      For CPIAC60, ensure the firewall is correctly set. For CPIAC61, the recommended PTFs for ESA must be applied and the 'Delete and recreate service configuration' steps followed correctly. Review the Configuration Instructions for Electronic Customer Support (ECS), Electronic Service Agent (ESA) and PM Agent for V5R4 and Higher releases document.
    For this test, open two IBM i sessions, referred to below as Session A and Session B:

    On Session A:
    1. Issue NETSTAT, Option 3
    2. Press F15, and in the Remote port range, enter the following:
    Remote port range:
    Lower value . . . . . . . . 80
    Upper value . . . . . . . . 443

    On Session B:
    1. Issue SNDPTFORD SF98xxx
    Where xxx is the version and release of the operating system (for example, SF98720, SF98730, SF98740).

    2. While the PTF order is running on Session B, watch the IP address traffic on Session A. On a successful connection, the state or status should be Established. If several IP addresses appear and disappear with only a Syn_Sent status, the site network is blocking the connection.

    At R710, the Verify Service Configuration command was enhanced to perform additional connection tests:
    Verify Service Configuration Enhancements


    Document Information

    Modified date:
    06 August 2021