Job Management Partner 1/Software Distribution Description and Planning Guide


6.1.5 Using JP1/Software Distribution in a firewall environment

You can use JP1/Software Distribution in an environment that uses firewalls, without having to compromise security. For example, even if a distribution site contains a managing server within a firewall and departmental networks contain relay systems within firewalls, you can still distribute software from the managing server to the relay systems.

This section describes how to use JP1/Software Distribution in an environment that uses firewalls.

Note that if the firewall is already set up for HTTP and you are using Internet Options, the firewall settings described here are not required. However, even if you are using the Internet, the notes provided in (5) Notes on use in a firewall environment also apply. For details about Internet Options, see E. Using Internet Options to Install JP1/Software Distribution in the Setup Guide.

Organization of this subsection
(1) Supported firewalls
(2) About NAT
(3) Port numbers used in JP1/Software Distribution
(4) Settings needed when Embedded RDB is being used
(5) Notes on use in a firewall environment

(1) Supported firewalls

JP1/Software Distribution supports the following types of firewalls:

(a) Packet filtering firewall

A packet filtering firewall decides, packet by packet, which traffic may pass, based on the source and destination IP addresses, the port numbers, and the protocol in each packet. Firewall-1 is one of the most popular firewall products of this type.

To use JP1/Software Distribution with a packet filtering firewall, you must register in the firewall's filtering rules the IP addresses and port numbers of the JP1/Software Distribution nodes that communicate through it. The port numbers, and the direction of each flow, are listed in (3) Port numbers used in JP1/Software Distribution.

(b) Application gateway firewall

An application gateway firewall does not let packets pass directly between the two networks; instead, an application gateway (proxy) on the firewall accepts each connection and controls access at the application level. Gauntlet is one of the most popular firewall products of this type.

Because a gateway controls access on the basis of the application, you must define JP1/Software Distribution to be an accessible application.

For example, in Gauntlet, you use the Virtual Private Network (VPN) facility to make JP1/Software Distribution an accessible application.

(2) About NAT

NAT (network address translation) rewrites addresses at the boundary between networks, so that the addresses used inside a network are neither visible to nor revealed to external networks.

Of the two address translation policies, JP1/Software Distribution supports only the fixed-address allocation policy (STATIC mode), in which each internal address is always translated to the same external address.

(3) Port numbers used in JP1/Software Distribution

When you use JP1/Software Distribution in a firewall environment, you must allow the port numbers below through the firewall. The following table shows the port numbers used in JP1/Software Distribution, one row per direction of traffic. In each row, the endpoint shown with a fixed port number is the side that must accept the packet; the endpoint shown as Ephemeral is the side that initiated the connection, and it uses a port allocated at run time. A stateful firewall therefore needs an inbound rule only for the fixed port; a stateless packet filter needs both rows of each pair.

Communication between / Port number / Protocol / Sender -> Recipient

Central manager and relay systems
  30002 (select udp or tcp#1)
    udp  Central manager: Ephemeral  -> Relay system: 30002
    udp  Relay system: Ephemeral     -> Central manager: 30002
    tcp  Central manager: Ephemeral  -> Relay system: 30002
    tcp  Relay system: 30002         -> Central manager: Ephemeral
  30000
    tcp  Central manager: 30000      -> Relay system: Ephemeral
    tcp  Relay system: Ephemeral     -> Central manager: 30000

Relay system and clients
  30002 (select udp or tcp#1)
    udp  Relay system: Ephemeral     -> Client: 30002
    udp  Client: Ephemeral           -> Relay system: 30002
    tcp  Relay system: Ephemeral     -> Client: 30002
    tcp  Client: 30002               -> Relay system: Ephemeral
  30001
    tcp  Relay system: 30001         -> Client: Ephemeral
    tcp  Client: Ephemeral           -> Relay system: 30001

Central manager and clients
  30002 (select udp or tcp#1)
    udp  Central manager: Ephemeral  -> Client: 30002
    udp  Client: Ephemeral           -> Central manager: 30002
    tcp  Central manager: Ephemeral  -> Client: 30002
    tcp  Client: 30002               -> Central manager: Ephemeral
  30000
    tcp  Central manager: 30000      -> Client: Ephemeral
    tcp  Client: Ephemeral           -> Central manager: 30000

Server core facility and Remote Installation Manager#2
  30001
    tcp  Remote Installation Manager: Ephemeral -> Server core facility: 30001
  30000
    tcp  Remote Installation Manager: Ephemeral -> Server core facility: 30000

Note: Idle ephemeral ports are allocated automatically by TCP/IP. The range depends on the OS: older Windows versions use 1024-5000, whereas Windows Vista and later use 49152-65535 by default and Linux uses 32768-60999 by default. Check the actual range on each host (for example with netsh int ipv4 show dynamicport tcp on Windows) before writing rules that restrict the ephemeral side.

#1: Select either udp or tcp, depending on the JP1/Software Distribution Manager settings.

#2: Applicable when the Server core facility and Remote Installation Manager are installed on separate PCs.


(4) Settings needed when Embedded RDB is being used

If you install the Server core facility and Remote Installation Manager on separate PCs when you are using Embedded RDB, the ports listed in the following table are used to perform communications between these two components.

Table 6-2 Port numbers used for communication between the Server core facility and Remote Installation Manager (when Embedded RDB is being used)

Communication between / Port number / Protocol / Sender -> Recipient

Server core facility and Remote Installation Manager
  30000
    tcp  Remote Installation Manager: Ephemeral -> Server core facility: 30000
  30001
    tcp  Remote Installation Manager: Ephemeral -> Server core facility: 30001
  30008
    tcp  Remote Installation Manager: Ephemeral -> Server core facility: 30008
  Ephemeral (client connection to database)
    tcp  Remote Installation Manager: Ephemeral -> Server core facility: Ephemeral
    tcp  Server core facility: Ephemeral        -> Remote Installation Manager: Ephemeral

Note: Idle ephemeral ports are allocated automatically by TCP/IP; the range depends on the OS (1024 to 5000 on older Windows versions, 49152 to 65535 by default on Windows Vista and later, 32768 to 60999 by default on Linux).
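The following Python script is an added example; it is not part of this manual or of JP1/Software Distribution. It transcribes the rows of the two tables above as data and derives, for a given host role, the inbound ports that host's firewall must accept, depending on whether port 30002 is carried over udp or tcp (#1). It also emits the equivalent Windows Firewall rules in netsh advfirewall syntax and the two-direction rows a stateless packet filter needs. The role names, the rule names, and the reading that the endpoint holding the fixed port in a row is the listener are this example's own assumptions. The ephemeral-to-ephemeral database-client flow of Table 6-2 deliberately yields no rule, because it cannot be expressed until the receive-port range is fixed as described in (4)(b).

```python
"""Derive per-host firewall rules from the JP1/Software Distribution port tables.
Added example; not part of the manual or of JP1/Software Distribution. FLOWS is
transcribed from the tables in this section; the role names, rule names and the
netsh output format are this example's own assumptions."""
from dataclasses import dataclass
from typing import Optional

EPHEMERAL = None  # 'Ephemeral' in the manual's tables: allocated at run time
NOTIFY_PORT = 30002  # carried over udp or tcp, per the Manager setting (#1)

@dataclass(frozen=True)
class Flow:
    proto: str
    src_role: str
    src_port: Optional[int]
    dst_role: str
    dst_port: Optional[int]

# One entry per table row; 30002 rows appear for both protocols and the
# unselected protocol is dropped by selected().
FLOWS = [
    # Central manager <-> relay systems
    Flow("udp", "central_manager", EPHEMERAL, "relay_system", 30002),
    Flow("udp", "relay_system", EPHEMERAL, "central_manager", 30002),
    Flow("tcp", "central_manager", EPHEMERAL, "relay_system", 30002),
    Flow("tcp", "relay_system", 30002, "central_manager", EPHEMERAL),
    Flow("tcp", "central_manager", 30000, "relay_system", EPHEMERAL),
    Flow("tcp", "relay_system", EPHEMERAL, "central_manager", 30000),
    # Relay systems <-> clients
    Flow("udp", "relay_system", EPHEMERAL, "client", 30002),
    Flow("udp", "client", EPHEMERAL, "relay_system", 30002),
    Flow("tcp", "relay_system", EPHEMERAL, "client", 30002),
    Flow("tcp", "client", 30002, "relay_system", EPHEMERAL),
    Flow("tcp", "relay_system", 30001, "client", EPHEMERAL),
    Flow("tcp", "client", EPHEMERAL, "relay_system", 30001),
    # Central manager <-> clients
    Flow("udp", "central_manager", EPHEMERAL, "client", 30002),
    Flow("udp", "client", EPHEMERAL, "central_manager", 30002),
    Flow("tcp", "central_manager", EPHEMERAL, "client", 30002),
    Flow("tcp", "client", 30002, "central_manager", EPHEMERAL),
    Flow("tcp", "central_manager", 30000, "client", EPHEMERAL),
    Flow("tcp", "client", EPHEMERAL, "central_manager", 30000),
    # Server core facility <-> Remote Installation Manager on separate PCs
    # (30008 and the database-client flow apply when Embedded RDB is used)
    Flow("tcp", "remote_installation_manager", EPHEMERAL, "server_core_facility", 30000),
    Flow("tcp", "remote_installation_manager", EPHEMERAL, "server_core_facility", 30001),
    Flow("tcp", "remote_installation_manager", EPHEMERAL, "server_core_facility", 30008),
    Flow("tcp", "remote_installation_manager", EPHEMERAL, "server_core_facility", EPHEMERAL),
    Flow("tcp", "server_core_facility", EPHEMERAL, "remote_installation_manager", EPHEMERAL),
]

def selected(flows, notify_proto):
    """Drop the 30002 rows whose protocol is not the one chosen in the Manager settings."""
    for f in flows:
        if NOTIFY_PORT in (f.src_port, f.dst_port) and f.proto != notify_proto:
            continue
        yield f

def listening_ports(role, notify_proto="tcp"):
    """(proto, port) pairs `role` must accept inbound. The endpoint holding the
    fixed port in a row is the listener; the 'Ephemeral' endpoint initiated the
    connection, so a stateful firewall needs inbound rules only for fixed ports.
    Ephemeral-to-ephemeral rows (the database client) contribute nothing until
    a receive-port range is fixed with PDCLTRCVPORT."""
    ports = set()
    for f in selected(FLOWS, notify_proto):
        if f.dst_role == role and f.dst_port is not None:
            ports.add((f.proto, f.dst_port))
        if f.src_role == role and f.src_port is not None:
            ports.add((f.proto, f.src_port))
    return ports

def netsh_rules(role, notify_proto="tcp"):
    """Inbound allow rules for the role in Windows 'netsh advfirewall' syntax."""
    return [
        "netsh advfirewall firewall add rule "
        f'name="JP1/SD {role} {proto}/{port}" dir=in action=allow '
        f"protocol={proto.upper()} localport={port}"
        for proto, port in sorted(listening_ports(role, notify_proto))
    ]

def packet_filter_rows(role, notify_proto="tcp"):
    """Both directions of every flow touching `role`, as a stateless packet
    filter needs them: (direction, proto, src port, dst port). 'any' marks the
    ephemeral side; narrow it to the host OS's real ephemeral range if possible."""
    rows = []
    for f in selected(FLOWS, notify_proto):
        if role in (f.src_role, f.dst_role):
            direction = "in" if f.dst_role == role else "out"
            rows.append((direction, f.proto, f.src_port or "any", f.dst_port or "any"))
    return rows
```

Run netsh_rules("relay_system", "udp") to see what a departmental relay system must accept when 30002 is carried over udp: udp 30002 from the central manager and from clients, plus tcp 30001 from clients. The same relay with tcp selected needs tcp 30002 and tcp 30001, and the central manager then needs only tcp 30000 inbound, because every 30002 connection is initiated by the upstream side.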


In an environment with a firewall, open the receiving port on the side that accepts the connection (the side shown with the fixed port number in the tables). The originating side sends from an ephemeral port and needs no inbound port opened for it; a stateful firewall matches the replies to the connection. The following subsections explain how to open a port through a firewall.

(a) When there is a firewall on the PC containing the Server core facility

If a firewall runs on the PC on which the Server core facility is installed, the following ports must be allowed through that firewall:

(b) When there is a firewall on the PC containing the Remote Installation Manager

If a firewall runs on the PC on which Remote Installation Manager is installed, the receive ports used by the database clients must be allowed through that firewall.

By default, the OS assigns the port numbers of the database clients' receive ports automatically, and more than 10 receive ports are in use at a time. Because a firewall rule cannot be written for ports that change at run time, you must fix the range of port numbers used for the receive ports and then allow that range through the firewall.

To fix the range of port numbers to be used for receive ports:

  1. Terminate Remote Installation Manager and other JP1/Software Distribution applications.
  2. Use a text editor to open HiRDB.ini, which is stored in installation-directory\NETMDBCLT, where installation-directory is the JP1/Software Distribution Manager installation directory.
    If the Server core facility has also been installed, HiRDB.ini is stored in installation-directory\NETMDB\CONF\emb.
  3. In PDCLTRCVPORT=, specify the range of port numbers to be used.
    Following PDCLTRCVPORT=, specify the range of port numbers to be used in the format port-number-port-number.
    For example, to specify the range 10000 to 10500 as the port numbers to be used:
    PDCLTRCVPORT=10000-10500
    If you specify nothing or 0 following PDCLTRCVPORT=, no range of port numbers to be used will be set. The default is that no range of port numbers to be used is set.
  4. Start Remote Installation Manager and other JP1/Software Distribution applications.
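The following Python script is an added example that applies the procedure above to a HiRDB.ini file; it is not code from this manual or from JP1/Software Distribution. It reads and rewrites the PDCLTRCVPORT= line, using the manual's own 10000-10500 range, and before writing checks what the procedure leaves implicit: that the range is well formed, that it holds more than the 10 receive ports the text says are used, and that it does not overlap the fixed JP1/Software Distribution ports 30000, 30001, 30002 and 30008 listed in the tables above. It then produces the Windows Firewall rule the Remote Installation Manager PC needs for that range. SAMPLE_INI is a constructed sample, and the overlap and size checks are this example's assumptions, not rules stated by the product.

```python
"""Fix the receive-port range HiRDB clients use (PDCLTRCVPORT in HiRDB.ini)
and check it before writing. Added example, not code from the manual or from
JP1/Software Distribution; SAMPLE_INI is constructed, and the checks (range
size, no overlap with the fixed JP1 ports) are this example's assumptions."""
import re

KEY = "PDCLTRCVPORT"
JP1_FIXED_PORTS = {30000, 30001, 30002, 30008}  # fixed listeners from the tables above
MIN_PORTS = 10  # the manual states that more than 10 receive ports are used

def parse_range(value):
    """Parse 'low-high'. Empty or '0' means no range is fixed (the default)."""
    value = value.strip()
    if value in ("", "0"):
        return None
    m = re.fullmatch(r"(\d+)-(\d+)", value)
    if not m:
        raise ValueError(f"{KEY} must be port-number-port-number, got {value!r}")
    return int(m.group(1)), int(m.group(2))

def check_range(low, high):
    """Return a list of problems with the range; an empty list means it is usable."""
    problems = []
    if not 1024 <= low <= high <= 65535:
        problems.append(f"{low}-{high} is reversed or outside 1024-65535")
    if high - low + 1 <= MIN_PORTS:
        problems.append(f"{low}-{high} offers at most {MIN_PORTS} ports; more are needed")
    clash = sorted(p for p in JP1_FIXED_PORTS if low <= p <= high)
    if clash:
        problems.append(f"{low}-{high} overlaps fixed JP1 ports {clash}")
    return problems

def current_range(ini_text):
    """Range currently set in the ini text, or None when no range is fixed."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == KEY:
            return parse_range(value)
    return None

def set_receive_port_range(ini_text, low, high):
    """Return ini_text with PDCLTRCVPORT=low-high, replacing an existing line or appending one."""
    problems = check_range(low, high)
    if problems:
        raise ValueError("; ".join(problems))
    new_line = f"{KEY}={low}-{high}"
    lines = ini_text.splitlines()
    for i, line in enumerate(lines):
        if line.partition("=")[0].strip().upper() == KEY:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)  # key absent: same effect as the default, so add it
    return "\n".join(lines) + "\n"

def rim_inbound_rule(low, high):
    """Windows Firewall rule the Remote Installation Manager PC then needs (netsh syntax)."""
    return ("netsh advfirewall firewall add rule "
            'name="JP1/SD HiRDB client receive ports" dir=in action=allow '
            f"protocol=TCP localport={low}-{high}")

# Constructed sample; a real HiRDB.ini carries the client's own settings.
SAMPLE_INI = "; constructed sample\nPDHOST=srvcore\nPDCLTRCVPORT=\n"
```

Calling set_receive_port_range(SAMPLE_INI, 10000, 10500) yields a file whose PDCLTRCVPORT line reads 10000-10500, and rim_inbound_rule(10000, 10500) gives the matching inbound tcp rule for that range on the Remote Installation Manager PC, which is the row shown in the table after this procedure. Stop Remote Installation Manager before writing the file and start it again afterwards, as steps 1 and 4 require.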

The following table lists the port numbers used by JP1/Software Distribution once you have completed this setup:

Communication between / Port number / Protocol / Sender -> Recipient

Server core facility and Remote Installation Manager
  Ephemeral (client connection to database)
    tcp  Server core facility: Ephemeral -> Remote Installation Manager: 10000 to 10500#

#: Assumes the port number range is set to between 10000 and 10500.


Note the following points when fixing the port numbers for database clients:

(5) Notes on use in a firewall environment

Note the following points about using JP1/Software Distribution in a firewall environment: