JP1/Software Distribution supports the following types of firewalls:

• Packet filtering
• Application gateway

(a) Packet filtering firewall

A packet filtering firewall restricts the packages that are permitted to pass. Firewall-1 is one of the most popular firewall products of this type.

To use JP1/Software Distribution with a packet filtering firewall, you must set the IP address and port number of the node that has the firewall.

(b) Application gateway firewall

An application gateway firewall prohibits packages from passing and instead uses an application gateway to control access. Gauntlet is one of the most popular firewall products of this type.

Because a gateway controls access on the basis of the application, you must define JP1/Software Distribution to be an accessible application.

For example, in Gauntlet, you use the Virtual Private Network (VPN) facility to make JP1/Software Distribution an accessible application.

NAT is a facility for rendering intra-network addresses invisible to external networks. NAT also prevents intra-network addresses from being revealed to external networks.

There are two address translation policies:

• Fixed-address allocation
• Dynamic address allocation

JP1/Software Distribution supports only the fixed-address allocation policy (STATIC mode).

When you use JP1/Software Distribution in a firewall environment, you must set port numbers in the firewall. The following table shows the port numbers used in JP1/Software Distribution.

Communication between:	Port number	Protocol	Sender information	Recipient information
Central manager and relay systems	30002 (Select udp or tcp#1)	udp	Central manager: Ephemeral	Relay system: 30002
			Relay system: Ephemeral	Central manager: 30002
		tcp	Central manager: Ephemeral	Relay system: 30002
			Relay system: 30002	Central manager: Ephemeral
	30000	tcp	Central manager: 30000	Relay system: Ephemeral
			Relay system: Ephemeral	Central manager: 30000
Relay system and clients	30002 (Select udp or tcp#1)	udp	Relay system: Ephemeral	Client: 30002
			Client: Ephemeral	Relay system: 30002
		tcp	Relay system: Ephemeral	Client: 30002
			Client: 30002	Relay system: Ephemeral
	30001	tcp	Relay system: 30001	Client: Ephemeral
			Client: Ephemeral	Relay system: 30001
Central manager and clients	30002 (Select udp or tcp#1)	udp	Central manager: Ephemeral	Client: 30002
			Client: Ephemeral	Central manager: 30002
		tcp	Central manager: Ephemeral	Client: 30002
			Client: 30002	Central manager: Ephemeral
	30000	tcp	Central manager: 30000	Client: Ephemeral
			Client: Ephemeral	Central manager: 30000
Server core facility and Remote Installation Manager#2	30001	tcp	Remote Installation Manager: Ephemeral	Server core facility: 30001
	30000	tcp	Remote Installation Manager: Ephemeral	Server core facility: 30000

Note: Idle ephemeral ports are allocated automatically by TCP/IP, normally within the port number range of 1024-5000.

#1: Select either udp or tcp, depending on the JP1/Software Distribution Manager settings.

#2: Applicable when the Server core facility and Remote Installation Manager are installed on separate PCs.

If you install the Server core facility and Remote Installation Manager on separate PCs when you are using Embedded RDB, the ports listed in the following table are used to perform communications between these two components.

Table 6-2 Port numbers used for communication between the Server core facility and Remote Installation Manager (when Embedded RDB is being used)

Communication between:	Port number	Protocol	Sender information	Recipient information
Server core facility and Remote Installation Manager	30000	tcp	Remote Installation Manager: Ephemeral	Server core facility: 30000
	30001	tcp	Remote Installation Manager: Ephemeral	Server core facility: 30001
	30008	tcp	Remote Installation Manager: Ephemeral	Server core facility: 30008
	Ephemeral (client connection to database)	tcp	Remote Installation Manager: Ephemeral	Server core facility: Ephemeral
		tcp	Server core facility: Ephemeral	Remote Installation Manager: Ephemeral

Note: Idle ephemeral ports are allocated automatically by TCP/IP, normally within the port number range of 1024 to 5000.

In an environment with a firewall, you must open a port through the firewall from the client side. It is not necessary to open a port on the originating side. The following subsections explain how to open a port through a firewall.

(a) When there is a firewall on the PC containing the Server core facility

If the PC on which the Server core facility is installed contains a firewall, the following ports must be able to pass through the firewall:

• Communications port between the Server core facility and Remote Installation Manager
  30000 and 30001.
  
• Port for database connection
  This is the port number set on the Database Environment page during setup. The default is 30008.
  
• Port for connecting a database client
  The default is that the OS assigns this port number automatically. Therefore, you must specify the settings needed to allow passage through the firewall after the port number has been assigned.
  The following shows how to fix the port number for connecting a database client:
  
  1. On Control Panel, choose Administrative Tools, then Services, and then stop the Remote Install Server service.
  2. Stop the database by executing the netmdb_stop.bat command stored in the JP1/Software Distribution Manager installation directory \BIN.
     When the netmdb_stop.bat command finishes, the system waits for an entry from the keyboard. To complete the command without requiring such a keyboard entry, execute the command by specifying /nopause in the options.
     
  3. Use a text editor to open the pdsys file that is stored in the JP1/Software Distribution installation directory \NETMDB\conf.
  4. Delete # at the beginning of #set pd_service_port = 30009.
     30009 is the default port number.
     To change the port number, change the value 30009.
     
  5. Start the database by executing netmdb_start.bat stored in the JP1/Software Distribution Manager installation directory \BIN.
     When the netmdb_stop.bat command finishes, the system waits for an entry from the keyboard. To complete the command without requiring such a keyboard entry, execute the command by specifying /nopause in the options.
     
  6. On Control Panel, choose Administrative Tools, then Services, and then start the Remote Install Server service.
  The following table lists the port number used by JP1/Software Distribution once you have completed this setup:
  

  Communication between:	Port number	Protocol	Sender information	Recipient information
  Server core facility and Remote Installation Manager	Ephemeral (client connection to database)	tcp	Remote Installation Manager: Ephemeral	Server core facility: 30009#

  #: Assumes the port number is set to 30009 (default).

  
  

(b) When there is a firewall on the PC containing the Remote Installation Manager

If the PC on which Remote Installation Manager is installed contains a firewall, the receive ports used for database clients must be able to pass through the firewall.

The default is that the OS automatically assigns port numbers to receive ports for database clients. Note that more than 10 receive ports are used. Therefore, you must fix the range of port numbers to be used for receive ports and set up passage for them through the firewall.

To fix the range of port numbers to be used for receive ports:

1. Terminate Remote Installation Manager and other JP1/Software Distribution applications.
2. Use a text editor to open HiRDB.ini, which is stored in the JP1/Software Distribution Manager installation directory \NETMDBCLT.
   If the Server core facility has also been installed, HiRDB.ini is stored in installation-directory\NETMDB\CONF\emb.
   
3. In PDCLTRCVPORT=, specify the range of port numbers to be used.
   Following PDCLTRCVPORT=, specify the range of port numbers to be used in the format port-number-port-number.
   For example, to specify the range 10000 to 10500 as the port numbers to be used:
   PDCLTRCVPORT=10000-10500
   If you specify nothing or 0 following PDCLTRCVPORT=, no range of port numbers to be used will be set. The default is that no range of port numbers to be used is set.
   
4. Start Remote Installation Manager and other JP1/Software Distribution applications.

The following table lists the port numbers used by JP1/Software Distribution once you have completed this setup:

Communication between:	Port number	Protocol	Sender information	Recipient information
Server core facility and Remote Installation Manager	Ephemeral (client connection to database)	tcp	Server core facility: Ephemeral	Remote Installation Manager: 10000 to 10500#

#: Assumes the port number range is set to between 10000 and 10500.

Note the following points when fixing the port numbers for database clients:

• If there are no available port numbers in the specified range, an error results.
  If the specified range includes a port number that is used by a program other than a database client, contention may occur on assignment of port numbers. Specify an appropriate range of port numbers so that no shortage of ports occurs.
  
• Make sure that the range of port numbers you specify does not overlap the range of port numbers assigned automatically by the OS. The range of port numbers assigned by the OS varies from one OS to another.
• Provide about 20% extra port numbers from the number of ports actually required. If there is no leeway, efficiency is adversely affected due to searches for available port numbers.
• Ports available to programs that are not database clients are not available to database clients. Similarly, ports available to database clients are not available to programs that are not database clients.
  A program that requires a specified range of port numbers may not be able to start if any of its port numbers is included in your specified range.
  
• You must manage programs within the firewall so that the port numbers set for the database clients to pass through the firewall will not be used illegally by other programs.

Note the following points about using JP1/Software Distribution in a firewall environment:

• You can define fewer nodes in a firewall by placing relay systems within the firewall:
  

  Figure 6-2 Example of a configuration in which relay systems are within a firewall

  

• JP1/Software Distribution uses the host name, IP address, or host identifier as an ID key for operations (key for identifying a node). JP1/Software Distribution assigns a created job to an ID key for operations. If you use the NAT facility, addresses are translated and jobs cannot be assigned to the target clients. This is because NAT changes the IP address of JP1/Software Distribution Client (client), so the actual IP address differs from that recognized by JP1/Software Distribution Manager. Therefore, you cannot use the IP address as an ID key for operations in an environment that uses the NAT facility.
• JP1/Software Distribution's facility for automatically registering the system configuration assigns IP addresses to protocols regardless of the ID key for operations. The IP addresses assigned to protocols may be revealed. In a firewall environment, we recommend that you not use the facility for automatically registering the system configuration.
• For operations based on IP addresses, the IP addresses are assigned to protocols. However, IP addresses assigned to protocols may be revealed, so we recommend that, in a firewall environment, you not use JP1/Software Distribution based on IP addresses.