Job Management Partner 1/Integrated Management - Manager Configuration Guide
Before describing the operation in a firewall environment, this subsection provides basic information about firewalls.
If you run JP1 in a network environment that includes a firewall, you must consider how JP1 interacts with two firewall functions:
- Packet filtering (access permissions)
With packet filtering, only required communications are permitted and unauthorized communications are blocked.
- NAT (address translation)
With NAT, IP addresses are translated so that a host can connect to a network that uses a different address range, which it could not reach directly. In addition, the real addresses of the machines behind the translating device are hidden from the outside.
To evaluate support of these functions and to set up an environment, you must understand the method used by the firewall to control communications.
- Note
- The information provided here constitutes a simple overview intended to acquaint you with the basics of firewalls and does not provide sufficient detail for you to evaluate and set up an actual firewall. When you install a firewall, consult the firewall documentation as well as appropriate security documentation to evaluate and set up an environment.
- Organization of this subsection
- (1) Packet filtering
- (2) NAT (address translation)
- (3) Communication settings for a JP1 that is run in a firewall environment
(1) Packet filtering
Packet filtering controls which applications can communicate through the firewall. The firewall checks each packet that attempts to pass through it and discards any packet that does not satisfy the configured passage conditions, so that unauthorized communications are blocked. Only the applications named in the passage conditions can communicate across the firewall.
JP1/IM supports packet filtering.
(a) Setting packet filtering
To set packet filtering:
1. Check the communication method, such as the port numbers used by the applications.
Check the port numbers, IP addresses, and passage directions that will be set as the firewall passage conditions.
In the case of JP1/IM, check the communication method by referencing the information provided in this chapter and in C. Port Numbers in the Job Management Partner 1/Integrated Management - Manager Overview and System Design Guide.
2. Set the passage conditions for the firewall.
Start by prohibiting all passage, then add passage conditions so that only specific applications can communicate through the firewall.
In the case of JP1/IM, permit the JP1/IM communications identified in step 1 to pass through the firewall.
(b) Example of settings for JP1/IM
This subsection describes the settings for packet filtering using an example of an environment in which there is a firewall between JP1/IM - View and JP1/IM - Manager.
- Example: Connecting JP1/IM - View to JP1/IM - Manager via a firewall
- The IP address of the JP1/IM - View machine is 192.168.19.37.
- The IP address of the JP1/IM - Manager machine is 172.16.100.24.
- The port numbers are JP1's default port numbers.
Figure 7-5 Example of setting packet filtering
1. Check JP1's communication method.
First, check JP1's communication method, which is required for setting packet filtering. According to Appendix C.2 Direction of communication through a firewall in the Job Management Partner 1/Integrated Management - Manager Overview and System Design Guide, the port numbers used by JP1/IM and the directions in which connections are established are as shown in the table below.
Table 7-9 Firewall passage directions
No. | Service name | Port number | Firewall passage direction
1 | jp1imevtcon | 20115/tcp | JP1/IM - View -> JP1/IM - Manager (JP1/IM - Central Console)
2 | jp1imcmda | 20238/tcp | JP1/IM - View -> JP1/IM - Manager (JP1/IM - Central Console)
  |           |           | JP1/IM - Manager (JP1/IM - Central Console) -> JP1/Base#1
3 | jp1imcss | 20305/tcp | JP1/IM - View -> JP1/IM - Manager (JP1/IM - Central Scope)
4 | jp1imegs | 20383/tcp | No firewall setting is needed because communication takes place only within the machine on which JP1/IM - Manager is installed.
5 | jp1rmregistry | 20380/tcp | JP1/IM - View -> JP1/IM - Rule Operation
6 | jp1rmobject | 20381/tcp | JP1/IM - View -> JP1/IM - Rule Operation
7 | http | 80/tcp#2 | Web-based JP1/IM - View (Web browser) -> HTTP server
8 | jp1imcf | 20702/tcp | JP1/IM - View -> JP1/IM - Manager (IM Configuration Management)
#1: This is the manager's JP1/Base.
#2: This may depend on the HTTP server settings.
Read the table as follows:
- Service name and Port number columns
These are the service names and port numbers used by JP1 for communication. According to this table, port number 20115 (service name jp1imevtcon), port number 20238 (service name jp1imcmda), and port number 20305 (service name jp1imcss) are used, and TCP is used as the communication protocol for communication between JP1/IM - View and JP1/IM - Manager.
- Firewall passage direction column
This column shows the direction of communication when connection begins (at the time connection is established). The direction for establishing connection is required in order to limit the firewall passage direction. For example, in No. 1 in this table, connection is permitted from JP1/IM - View to JP1/IM - Manager (JP1/IM - Central Console).
- Other
Although it is not stated in the table, the following also follows from the table and the TCP specification:
TCP is a bi-directional protocol, so every connection carries packets in both directions (JP1/IM - View to JP1/IM - Manager and JP1/IM - Manager to JP1/IM - View). In the reply packets, the source and destination IP addresses (and the source and destination ports) are swapped, so the firewall must also let the return packets from JP1/IM - Manager to JP1/IM - View pass.
2. Set packet filtering.
Based on the direction of communication between JP1/IM - View and JP1/IM - Manager, set packet filtering so that only communications in the correct direction can pass through the firewall.
The passage conditions for packet filtering are as follows:
This table shows the conditions for checking packets and the control to be applied when the conditions are satisfied.
- Example: Filtering condition: For JP1/IM - View and JP1/IM - Manager
Table 7-10 Passage conditions for packet filtering
No. | Source address | Destination address | Protocol | Source port | Destination port | Control
1 | 192.168.19.37 | 172.16.100.24 | TCP | (ANY) | 20115 | accept
2 | 192.168.19.37 | 172.16.100.24 | TCP | (ANY) | 20238 | accept
3 | 192.168.19.37 | 172.16.100.24 | TCP | (ANY) | 20305 | accept
4 | 172.16.100.24 | 192.168.19.37 | TCP | 20115 | (ANY) | accept
5 | 172.16.100.24 | 192.168.19.37 | TCP | 20238 | (ANY) | accept
6 | 172.16.100.24 | 192.168.19.37 | TCP | 20305 | (ANY) | accept
7 | (ANY) | (ANY) | (ANY) | (ANY) | (ANY) | reject
The Control column specifies whether the firewall permits (accept) or blocks (reject) a packet that matches the row. (ANY) in an address or protocol column matches any value; in a port column it matches any port, which here is the ephemeral port that the OS assigns on the JP1/IM - View side when the connection is opened. The firewall applies the first matching row, so row 7 rejects everything that is not explicitly permitted above it. Rows 4 to 6 describe the return packets of connections opened by JP1/IM - View. On a firewall that tracks connection state these are normally covered by the state rule instead; on a stateless filter, rows 4 to 6 as written accept any packet whose source port is 20115, 20238, or 20305, not only replies, so consider restricting them to packets with the ACK flag set.
Set packet filtering for a firewall according to the filtering conditions shown in this table.
Note that the detailed setting method depends on the firewall; see your firewall documentation.
(2) NAT (address translation)
NAT (Network Address Translation) is a function for translating between private IP addresses and global IP addresses. By translating addresses, you can hide the private addresses from the outside, thereby improving the security of the internal machines. NAT may be provided as a router function as well as a firewall function.
JP1 supports only static-mode NAT (method for translating addresses according to predefined rules).
(a) Setting NAT
To set NAT:
1. Check the IP addresses to be used.
First, check the IP addresses used by the applications. This is simple if a machine uses only one IP address. If a machine has multiple network adapters (and therefore multiple IP addresses), or a logical IP address is used in a cluster system, the IP addresses actually used depend on the application.
In the case of JP1/IM, the IP addresses used depend on the settings, for example when communication settings are specified in JP1/Base, or a logical IP address is used for cluster operation.
2. Evaluate and set the address translation rules.
After you have checked the IP addresses used by the applications, determine the IP addresses they are to be translated to.
Once you have determined the translation rules, set them in NAT.
(b) Example of settings for JP1/IM
This subsection describes the NAT settings based on an example of an environment in which there is a firewall between JP1/IM - View and JP1/IM - Manager.
- Example: Connecting from JP1/IM - View to JP1/IM - Manager whose address has been translated
- The IP address of the JP1/IM - View machine is 192.168.19.37.
- The IP address of the JP1/IM - Manager machine is 172.16.100.24.
The IP address of this JP1/IM - Manager is translated to 192.168.100.24.
JP1/IM - View connects to 192.168.100.24 that is obtained after address translation.
Figure 7-6 Example of NAT settings
Note: This is an example of address translation by NAT. Other translation methods are also available.
To set NAT:
1. Check the IP address to be used.
First, check the IP addresses used by JP1, which is required in order to set NAT.
This example uses the IP address that corresponds to the host name (the result of the hostname command).
2. Evaluate and set the address translation rule.
Define the translation rule so that the IP address of the JP1/IM - Manager machine is translated from 172.16.100.24 to 192.168.100.24 by NAT.
This table shows the correspondence between the source packet and the (translated) packet obtained after address translation.
- Example: Address translation rule: Translating from 172.16.100.24 to 192.168.100.24
Table 7-11 Address translation rule
No. | Source address | Destination address | Source address (translated) | Destination address (translated)
1 | (ANY) | 192.168.100.24 | (ANY) | 172.16.100.24
2 | 172.16.100.24 | (ANY) | 192.168.100.24 | (ANY)
Define this address translation rule in the NAT settings for the firewall.
Note that the detailed setting method depends on the firewall and router; see your product documentation.
JP1/IM - View accesses the address obtained after address translation (192.168.100.24), not the actual address of the JP1/IM - Manager machine (172.16.100.24).
Therefore, to JP1/IM - View, it appears that access is to the JP1/IM - Manager host whose address is 192.168.100.24.
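The following model applies the packet-filtering rows of Table 7-10 and the static NAT rows of Table 7-11 to constructed packets, so that the two examples above can be checked together: JP1/IM - View opens jp1imevtcon to the translated address 192.168.100.24, the filter sees the real address 172.16.100.24, and the Manager's reply leaves with the translated source. It also shows the stateless gap in rows 4 to 6 and the ACK-only check that closes it. This is an added illustration for this guide, not JP1 or any firewall vendor's code. The flags field on each packet, the ephemeral port 49152, and the assumption that destination translation (row 1) happens before filtering while source translation (row 2) happens after it are all assumptions of the model; that ordering is how netfilter orders PREROUTING, FORWARD and POSTROUTING, but you must confirm the order your own firewall product uses.

```python
"""Model of Table 7-10 (packet filtering) and Table 7-11 (static NAT).

Added example for this guide, not JP1 or firewall-vendor code.  Assumed by the
model: a `flags` field ("S" = SYN set, "A" = ACK set), and that NAT row 1 is
applied before filtering and NAT row 2 after it (the netfilter order)."""
from dataclasses import dataclass, replace

ANY = "(ANY)"
VIEW = "192.168.19.37"          # JP1/IM - View machine (from the example)
MANAGER = "172.16.100.24"       # JP1/IM - Manager machine, real address
MANAGER_NAT = "192.168.100.24"  # JP1/IM - Manager address after translation


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""  # assumed field: "S" = SYN set, "A" = ACK set


# Table 7-10 rows: (source, destination, protocol, source port, destination port, control).
# The first matching row applies; row 7 rejects everything else.
FILTER_RULES = [
    (VIEW, MANAGER, "TCP", ANY, 20115, "accept"),
    (VIEW, MANAGER, "TCP", ANY, 20238, "accept"),
    (VIEW, MANAGER, "TCP", ANY, 20305, "accept"),
    (MANAGER, VIEW, "TCP", 20115, ANY, "accept"),
    (MANAGER, VIEW, "TCP", 20238, ANY, "accept"),
    (MANAGER, VIEW, "TCP", 20305, ANY, "accept"),
    (ANY, ANY, ANY, ANY, ANY, "reject"),
]


def _match(want, have):
    return want == ANY or want == have


def filter_packet(pkt, rules=FILTER_RULES, ack_only_rows=()):
    """Return (control, row number) of the first Table 7-10 row matching pkt.

    Rows listed in ack_only_rows match only packets with ACK set: the classic
    way to make a stateless filter pass replies but not new connections
    (a stateful firewall tracks the connection instead)."""
    for no, (src, dst, proto, sport, dport, control) in enumerate(rules, 1):
        if no in ack_only_rows and "A" not in pkt.flags:
            continue
        if (_match(src, pkt.src) and _match(dst, pkt.dst) and _match(proto, pkt.proto)
                and _match(sport, pkt.sport) and _match(dport, pkt.dport)):
            return control, no
    return "reject", None


# Table 7-11 rows: (source, destination) -> (translated source, translated destination).
NAT_RULES = {
    1: ((ANY, MANAGER_NAT), (ANY, MANAGER)),  # inbound: rewrite the destination
    2: ((MANAGER, ANY), (MANAGER_NAT, ANY)),  # outbound: rewrite the source
}


def apply_nat(pkt, row):
    """Apply one Table 7-11 row; (ANY) in a translated column leaves the field as is."""
    (src, dst), (new_src, new_dst) = NAT_RULES[row]
    if not (_match(src, pkt.src) and _match(dst, pkt.dst)):
        return pkt
    return replace(pkt,
                   src=pkt.src if new_src == ANY else new_src,
                   dst=pkt.dst if new_dst == ANY else new_dst)


def firewall(pkt):
    """One pass through the firewall: NAT row 1, then filtering, then NAT row 2."""
    pkt = apply_nat(pkt, 1)
    control, no = filter_packet(pkt)
    if control != "accept":
        return control, no, None
    return control, no, apply_nat(pkt, 2)


def round_trip():
    """View opens jp1imevtcon to the translated address; the Manager replies.
    Port 49152 is a constructed ephemeral port standing in for the one the OS picks."""
    syn = Packet(VIEW, MANAGER_NAT, "TCP", 49152, 20115, "S")
    c1, row1, forwarded = firewall(syn)
    reply = Packet(MANAGER, VIEW, "TCP", 20115, 49152, "SA")
    c2, row2, returned = firewall(reply)
    return (c1, row1, forwarded.dst), (c2, row2, returned.src)


def stateless_gap():
    """Rows 4-6 as written accept any packet from the Manager's service ports, so a
    new connection from 172.16.100.24:20115 to 192.168.19.37:22 passes.  Requiring
    ACK on those rows makes it fall through to row 7."""
    probe = Packet(MANAGER, VIEW, "TCP", 20115, 22, "S")
    return filter_packet(probe), filter_packet(probe, ack_only_rows=(4, 5, 6))


if __name__ == "__main__":
    print(round_trip())     # (('accept', 1, '172.16.100.24'), ('accept', 4, '192.168.100.24'))
    print(stateless_gap())  # (('accept', 4), ('reject', 7))
```

The order of translation and filtering is the point to verify on a real product: the filter rows in Table 7-10 are written against the Manager's real address 172.16.100.24, so they only work if the inbound packet has already had its destination rewritten (row 1) and the outbound reply has not yet had its source rewritten (row 2). If your firewall filters on pre-translation addresses, rewrite rows 1 to 6 in terms of 192.168.100.24 instead.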
(3) Communication settings for a JP1 that is run in a firewall environment
If you run JP1 in a network environment that includes a firewall, consider setting the JP1 communication method to the IP binding method and the effects of multi-LAN connection settings.
To run JP1 in a firewall environment, you must set IP address and port number conditions in packet filtering and NAT as discussed above.
The IP addresses used by JP1 must therefore be known in advance. This makes the IP binding method, in which the JP1 settings determine the IP addresses that JP1 uses, the suitable choice.
For example, in a configuration in which the server that executes JP1 is connected to multiple LANs or in a cluster system configuration, the IP address to be used may be determined by the OS, resulting in an unintended IP address. In such a case, if you set JP1's communication method to the IP binding method, the IP address specified in the JP1 environment settings is always used for communication.
All Rights Reserved. Copyright (C) 2009, Hitachi, Ltd.