TCP/IP Port Restrictions

Resolving The Problem

TCP/IP Port Restrictions are a method to reserve a specific port or port range to be used by a user, or
group of users. A common misunderstanding is that port restrictions define a user (or group of users) to
be denied access to an application. That is the exact opposite of the port restrictions' functionality. Generally
speaking, the port restrictions are used with custom applications as opposed to IBM applications.

This is due to IBM applications initializing and listening on their TCP/IP port with IBM profiles:
(QTCP, QUSER,QPGMR, and so on).

If a port restriction were put in place for an IBM application, and the user defined in the port restriction was an
end user versus the IBM profile needed to start the application, that application would fail to start.

The most common error seen in this example would be:

Message ID . . . . . . :   TCP7701       Severity . . . . . . . :   40      
Message type . . . . . :   Diagnostic                                        
Date sent  . . . . . . :   mm/dd/yy      Time sent  . . . . . . :   hh:mm:ss
                                                                             
Message . . . . :   XYZ server unable to establish connection.            
Cause . . . . . :   The XYZ server program could not establish the TCP port
  for the required connection.                                              
Technical description . . . . . . . . :   The XYZ server program issued the
  socket call bind, which failed with an errno value of 3401.              

Administrators have other options to secure TCP/IP applications. Those options include, but are not limited
to:

1. The use of Application Administration (found within System i Navigator)
2. Exit Point Programming
3. Third-Party Security Applications