Job Management Partner 1/Software Distribution Description and Planning Guide
You can use JP1/Software Distribution in an environment that uses firewalls, without having to compromise security. For example, even if a distribution site contains a managing server within a firewall and departmental networks contain relay systems within firewalls, you can still distribute software from the managing server to the relay systems.
This section describes how to use JP1/Software Distribution in an environment that uses firewalls.
Note that if the firewall is already set up for HTTP and you are using Internet Options, the firewall settings described here are not required. However, even if you are using the Internet, the notes provided in (5) Notes on use in a firewall environment also apply. For details about Internet Options, see E. Using Internet Options to Install JP1/Software Distribution in the Setup Guide.
JP1/Software Distribution supports the following types of firewalls:
A packet filtering firewall restricts which packets are permitted to pass, based on IP addresses, port numbers, and protocol. Firewall-1 is one of the most popular firewall products of this type.
To use JP1/Software Distribution with a packet filtering firewall, you must register the IP addresses and port numbers used by JP1/Software Distribution in the filter rules on the node that has the firewall.
An application gateway firewall does not forward packets directly; instead, an application gateway (proxy) mediates every access. Gauntlet is one of the most popular firewall products of this type.
Because the gateway controls access on the basis of the application, you must define JP1/Software Distribution as an accessible application.
For example, in Gauntlet, you use the Virtual Private Network (VPN) facility to make JP1/Software Distribution an accessible application.
NAT (Network Address Translation) is a facility that translates addresses so that intra-network addresses are not revealed to external networks.
There are two address translation policies, fixed (static) address allocation and dynamic address allocation. JP1/Software Distribution supports only the fixed-address allocation policy (STATIC mode), in which each internal address is always translated to the same external address.
When you use JP1/Software Distribution in a firewall environment, you must permit the port numbers it uses through the firewall. The following table shows the port numbers used by JP1/Software Distribution. Each port appears twice: once for the packet that opens the communication (sent from an ephemeral port to the receive port) and once for the packet in the opposite direction, so that a stateless packet filter can be configured for both directions.
Table 6-1 Port numbers used in JP1/Software Distribution

| Communication between | Port number | Protocol | Sender information | Recipient information |
|---|---|---|---|---|
| Central manager and relay systems | 30002 (Select udp or tcp#1) | udp | Central manager: Ephemeral | Relay system: 30002 |
| | | udp | Relay system: Ephemeral | Central manager: 30002 |
| | | tcp | Central manager: Ephemeral | Relay system: 30002 |
| | | tcp | Relay system: 30002 | Central manager: Ephemeral |
| | 30000 | tcp | Central manager: 30000 | Relay system: Ephemeral |
| | | tcp | Relay system: Ephemeral | Central manager: 30000 |
| Relay system and clients | 30002 (Select udp or tcp#1) | udp | Relay system: Ephemeral | Client: 30002 |
| | | udp | Client: Ephemeral | Relay system: 30002 |
| | | tcp | Relay system: Ephemeral | Client: 30002 |
| | | tcp | Client: 30002 | Relay system: Ephemeral |
| | 30001 | tcp | Relay system: 30001 | Client: Ephemeral |
| | | tcp | Client: Ephemeral | Relay system: 30001 |
| Central manager and clients | 30002 (Select udp or tcp#1) | udp | Central manager: Ephemeral | Client: 30002 |
| | | udp | Client: Ephemeral | Central manager: 30002 |
| | | tcp | Central manager: Ephemeral | Client: 30002 |
| | | tcp | Client: 30002 | Central manager: Ephemeral |
| | 30000 | tcp | Central manager: 30000 | Client: Ephemeral |
| | | tcp | Client: Ephemeral | Central manager: 30000 |
| Server core facility and Remote Installation Manager#2 | 30001 | tcp | Remote Installation Manager: Ephemeral | Server core facility: 30001 |
| | 30000 | tcp | Remote Installation Manager: Ephemeral | Server core facility: 30000 |

Note: Idle ephemeral ports are allocated automatically by TCP/IP, normally within the port number range of 1024 to 5000. That range applies to older Windows versions; Windows Vista, Windows Server 2008, and later default to the dynamic port range 49152 to 65535, so check the range actually in use on each host before writing filter rules.
#1: Select either udp or tcp, depending on the JP1/Software Distribution Manager settings.
#2: Applicable when the Server core facility and Remote Installation Manager are installed on separate PCs.
If you install the Server core facility and Remote Installation Manager on separate PCs when you are using Embedded RDB, the ports listed in the following table are used for communication between these two components.
Table 6-2 Port numbers used for communication between the Server core facility and Remote Installation Manager (when Embedded RDB is being used)

| Communication between | Port number | Protocol | Sender information | Recipient information |
|---|---|---|---|---|
| Server core facility and Remote Installation Manager | 30000 | tcp | Remote Installation Manager: Ephemeral | Server core facility: 30000 |
| | 30001 | tcp | Remote Installation Manager: Ephemeral | Server core facility: 30001 |
| | 30008 | tcp | Remote Installation Manager: Ephemeral | Server core facility: 30008 |
| | Ephemeral (client connection to database) | tcp | Remote Installation Manager: Ephemeral | Server core facility: Ephemeral |
| | | tcp | Server core facility: Ephemeral | Remote Installation Manager: Ephemeral |

Note: Idle ephemeral ports are allocated automatically by TCP/IP, normally within the port number range of 1024 to 5000.
In an environment with a firewall, you must open the receive port on the side that accepts the connection (the recipient in the tables above). The ephemeral port on the originating side does not need to be opened explicitly. The following subsections explain how to open a port through a firewall.
If the PC on which the Server core facility is installed contains a firewall, the following port must be able to pass through the firewall:

| Communication between | Port number | Protocol | Sender information | Recipient information |
|---|---|---|---|---|
| Server core facility and Remote Installation Manager | Ephemeral (client connection to database) | tcp | Remote Installation Manager: Ephemeral | Server core facility: 30009# |

#: Assumes the database port number is set to 30009 (the default).
If the PC on which Remote Installation Manager is installed contains a firewall, the receive ports used by the database clients must be able to pass through the firewall.
By default, the OS assigns the receive port numbers for database clients automatically, and more than 10 receive ports are used. Because you cannot write a firewall rule for ports that change from run to run, you must fix the range of port numbers used for receive ports and then permit that range through the firewall.
To fix the range of port numbers to be used for receive ports:
The following table lists the port numbers used by JP1/Software Distribution once you have completed this setup:

| Communication between | Port number | Protocol | Sender information | Recipient information |
|---|---|---|---|---|
| Server core facility and Remote Installation Manager | Ephemeral (client connection to database) | tcp | Server core facility: Ephemeral | Remote Installation Manager: 10000 to 10500# |

#: Assumes the port number range is set to between 10000 and 10500.
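The tables above describe a communication matrix, and the practical question is which inbound rules each host needs and which packets a filter built from those rules will pass. The following Python model is an added example written for this guide and is not Hitachi code. It rebuilds the flows from Tables 6-1 and 6-2 (including the udp/tcp choice for port 30002, the 30009 default database port, and the fixed 10000 to 10500 receive-port range for database clients), checks a packet against them the way a firewall would (the opening packet goes from an ephemeral port to the receive port; for tcp, the reply comes back the other way), and emits inbound `netsh advfirewall` rules per host role. The role names (`central_manager`, `relay`, `client`, `scf`, `rim`) and the rule names are assumptions made for the example; the ephemeral range is the one the guide quotes.

```python
"""Model the JP1/Software Distribution port matrix (Tables 6-1 and 6-2) and
derive firewall rules from it. Added example, not Hitachi code."""
from dataclasses import dataclass
from typing import List, Tuple

# Ephemeral range as quoted in the guide (1024-5000). Assumption: Windows
# Vista/Server 2008 and later default to 49152-65535; adjust for your hosts.
EPHEMERAL = (1024, 5000)


@dataclass(frozen=True)
class Flow:
    """One communication the tables list: `sender` (from an ephemeral port)
    talks to `receiver` on a port within the inclusive range `ports`."""
    sender: str
    receiver: str
    proto: str                # "tcp" or "udp"
    ports: Tuple[int, int]    # inclusive port range on the receiver


def jp1_flows(control_proto: str = "tcp",
              db_range: Tuple[int, int] = (10000, 10500)) -> List[Flow]:
    """Rebuild the flow list from the tables.

    control_proto is the udp/tcp choice for port 30002 (note #1 of Table 6-1).
    With tcp the upstream node connects to the downstream node's 30002; with
    udp both nodes send datagrams to the peer's 30002. db_range is the fixed
    receive-port range for database clients on Remote Installation Manager.
    """
    if control_proto not in ("tcp", "udp"):
        raise ValueError("control_proto must be 'tcp' or 'udp'")

    def one(n: int) -> Tuple[int, int]:
        return (n, n)

    flows: List[Flow] = []
    pairs = [("central_manager", "relay"), ("relay", "client"),
             ("central_manager", "client")]
    for up, down in pairs:
        flows.append(Flow(up, down, control_proto, one(30002)))
        if control_proto == "udp":
            flows.append(Flow(down, up, "udp", one(30002)))
    # Distribution ports: the downstream node connects to the upstream listener.
    flows.append(Flow("relay", "central_manager", "tcp", one(30000)))
    flows.append(Flow("client", "relay", "tcp", one(30001)))
    flows.append(Flow("client", "central_manager", "tcp", one(30000)))
    # Server core facility (scf) and Remote Installation Manager (rim) on
    # separate PCs with Embedded RDB; 30009 is the default database port.
    for port in (30000, 30001, 30008, 30009):
        flows.append(Flow("rim", "scf", "tcp", one(port)))
    flows.append(Flow("scf", "rim", "tcp", db_range))
    return flows


def _in(rng: Tuple[int, int], port: int) -> bool:
    return rng[0] <= port <= rng[1]


def allowed(flows: List[Flow], src: str, dst: str, proto: str,
            src_port: int, dst_port: int) -> bool:
    """Decide whether a packet passes a filter built from `flows`.

    A packet passes if it opens a listed flow (ephemeral -> receive port) or,
    for tcp, if it is the reply of one (receive port -> ephemeral). Only the
    receive port is ever named in a rule; the originating ephemeral port is not.
    """
    for f in flows:
        if f.proto != proto:
            continue
        if (f.sender, f.receiver) == (src, dst) \
                and _in(f.ports, dst_port) and _in(EPHEMERAL, src_port):
            return True
        if proto == "tcp" and (f.sender, f.receiver) == (dst, src) \
                and _in(f.ports, src_port) and _in(EPHEMERAL, dst_port):
            return True
    return False


def netsh_rules(flows: List[Flow], host_role: str) -> List[str]:
    """Inbound Windows Firewall (netsh advfirewall) rules for one host role.
    Duplicate protocol/port pairs collapse into a single rule."""
    seen = set()
    cmds: List[str] = []
    for f in flows:
        if f.receiver != host_role or (f.proto, f.ports) in seen:
            continue
        seen.add((f.proto, f.ports))
        lo, hi = f.ports
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        cmds.append(
            f'netsh advfirewall firewall add rule name="JP1SD {host_role} '
            f'{f.proto}/{port}" dir=in action=allow protocol={f.proto.upper()} '
            f'localport={port}')
    return cmds


if __name__ == "__main__":
    flows = jp1_flows("tcp")
    for role in ("central_manager", "relay", "client", "scf", "rim"):
        print(f"# {role}")
        for cmd in netsh_rules(flows, role):
            print(cmd)
```

Running the module prints one rule set per role; a relay system, for example, needs only inbound 30002 and 30001, and a Remote Installation Manager PC needs only the fixed 10000-10500 range, which is why fixing that range is a prerequisite for any usable firewall rule. The `allowed` check makes the point of the tables explicit: a client connecting from an ephemeral port to a relay system's 30001 passes, the tcp reply from 30001 back to the ephemeral port passes, and the same client aimed at a relay system's 30000 is dropped because no row lists it.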
Note the following points when fixing the port numbers for database clients:
Note the following points about using JP1/Software Distribution in a firewall environment:
Figure 6-2 Example of a configuration in which relay systems are within a firewall
All Rights Reserved. Copyright (C) 2009, 2013, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated.