This document describes the function of TCP/IP Port Restrictions.
Resolving The Problem
TCP/IP Port Restrictions are a method to reserve a specific port or port range for use by a user or
group of users. A common misunderstanding is that port restrictions deny a user (or group of users)
access to an application. That is the exact opposite of what port restrictions do. Generally
speaking, port restrictions are used with custom applications as opposed to IBM applications.
This is because IBM applications initialize and listen on their TCP/IP ports under IBM profiles
(QTCP, QUSER, QPGMR, and so on).
If a port restriction were put in place for an IBM application, and the user defined in the port restriction was an
end user rather than the IBM profile needed to start the application, that application would fail to start.
The most common error seen in this example would be:
Message ID . . . . . . : TCP7701 Severity . . . . . . . : 40
Message type . . . . . : Diagnostic
Date sent . . . . . . : mm/dd/yy Time sent . . . . . . : hh:mm:ss
Message . . . . : XYZ server unable to establish connection.
Cause . . . . . : The XYZ server program could not establish the TCP port
for the required connection.
Technical description . . . . . . . . : The XYZ server program issued the
socket call bind, which failed with an errno value of 3401.
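The failure above can be caught before a restart by checking each restriction against the profile that starts the server on that port. The following is an added example, not IBM code: it uses a simplified model in which a restricted port may be bound only by the listed profiles, and the restriction list, server list, port numbers and the profiles ENDUSER1, APPOWNER and APPBATCH are constructed for illustration.

```python
from typing import NamedTuple

class Restriction(NamedTuple):
    low: int          # first port in the restricted range
    high: int         # last port in the restricted range
    protocol: str     # "TCP" or "UDP"
    profile: str      # user profile the range is reserved for

class Server(NamedTuple):
    name: str
    port: int
    protocol: str
    start_profile: str  # profile the server job binds under

def reserved_for(restrictions, port, protocol):
    """Profiles the port is reserved for; an empty set means unrestricted."""
    return {r.profile for r in restrictions
            if r.protocol == protocol and r.low <= port <= r.high}

def can_bind(restrictions, port, protocol, profile):
    """A restriction reserves the port: only listed profiles may bind to it."""
    owners = reserved_for(restrictions, port, protocol)
    return not owners or profile in owners

def audit(restrictions, servers):
    """Return servers whose starting profile is locked out of its own port."""
    findings = []
    for s in servers:
        if not can_bind(restrictions, s.port, s.protocol, s.start_profile):
            owners = sorted(reserved_for(restrictions, s.port, s.protocol))
            findings.append((s.name, s.port, s.start_profile, owners))
    return findings

# Constructed sample data (all ports and the non-IBM profiles are made up).
RESTRICTIONS = [
    Restriction(5000, 5000, "TCP", "ENDUSER1"),  # misuse: intended to "block" ENDUSER1
    Restriction(8000, 8010, "TCP", "APPOWNER"),  # intended use: custom app range
    Restriction(8000, 8010, "TCP", "APPBATCH"),
]
SERVERS = [
    Server("XYZ server", 5000, "TCP", "QTCP"),
    Server("custom app", 8005, "TCP", "APPOWNER"),
    Server("unrestricted app", 9000, "TCP", "QUSER"),
]

if __name__ == "__main__":
    for name, port, profile, owners in audit(RESTRICTIONS, SERVERS):
        print(f"{name}: {profile} cannot bind port {port}; reserved for {owners}")
```

Only the XYZ server is flagged: the restriction on its port names an end user, so the bind issued under QTCP is the one that is refused.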
Administrators have other options to secure TCP/IP applications. Those options include, but are not limited to:
- The use of Application Administration (found within System i Navigator)
- Exit Point Programming
- Third-Party Security Applications
If port restrictions are incorrectly used, it may be necessary to remove the port restriction and restart the
For further information regarding TCP/IP Port Restrictions, see the System i Information Center at the
18 December 2019