Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Automatic Job Management System 3 System Design (Configuration) Guide


2.3.2 Working through a firewall

JP1/AJS3 can be used in system configurations in which JP1/AJS3 - Manager, JP1/AJS3 - Agent, or JP1/AJS3 - View is connected through a firewall.

For details about the communication settings when using JP1/AJS3 in an environment where a firewall is set, see 2.3.5 Example of configurations that include a firewall, and their communications settings.

The following figure shows an example of a system configuration in which a firewall is set.

Figure 2‒16: Example of a system configuration with firewall

[Figure]


(1) Firewall basics

When you use JP1 in a network environment that includes a firewall, you must consider the following two firewall functionalities:

  • Packet filtering

  • NAT (network address translation)

To set up an environment with these considerations, you must understand the method by which the firewall controls communications.

First, we cover basic knowledge about packet filtering and NAT.

Supplementary note

The explanation given here is an overview to help you understand the basics of firewalls. You must read and properly understand the firewall documentation and reference works on security before attempting to plan and make the security settings for a firewall.

(a) Packet filtering

Packet filtering restricts the communications that are allowed to pass through a firewall. The firewall inspects each packet that tries to pass through it and discards any packet that does not match the predetermined data-passing conditions, so that unauthorized communications cannot cross the firewall. This means that only the packets specified in the data-passing conditions can reach the hosts behind the firewall.

JP1/AJS3 supports packet filtering.

■ Setting packet filtering

To set packet filtering:

  1. Investigate the method of communications (the port number that the application uses and so on).

    Check the port number, IP address and data-passing direction to be set as firewall data-passing conditions.

    Check the communications conditions for JP1/AJS3 by referring to the explanation in this subsection and the explanation in A. List of Port Numbers.

  2. Set data-passing conditions for the firewall.

    First block all data packets, and then set passing conditions to allow only specific packets to pass through the firewall.

    In JP1/AJS3, specify settings that will allow JP1 communications checked using the procedure described above to pass through the firewall.

■ Example of Settings for JP1/AJS3

This example shows how to set packet filtering in an environment in which a firewall is placed between JP1/AJS3 - View and JP1/AJS3 - Manager.

Example: Connect JP1/AJS3 - View to JP1/AJS3 - Manager through the firewall.
  • JP1/AJS3 - Manager is operating in a non-cluster system.

  • 100.100.100.10 is set as the IP address of the computer running JP1/AJS3 - View.

  • 200.200.200.20 is set as the IP address of the computer running JP1/AJS3 - Manager.

  • The default port number for JP1 is used.

    Figure 2‒17: Example of setting packet filtering with JP1/AJS3

    [Figure]

  1. Investigate the method of communications for JP1

    First, find out the method of communications of JP1; this information is required for setting packet filtering. In (3) JP1/AJS3 communications below, the port numbers that JP1/AJS3 - View uses are explained in tables like the one below.

    Table 2‒5: Communications between JP1/AJS3 - View and JP1/AJS3 - Manager

    JP1/AJS3 - View    Direction    JP1/AJS3 - Manager
    ---------------    ---------    --------------------------
    ANY                >>           20244/tcp (jp1ajs2monitor)

    This table indicates the following methods of communication:

    • JP1/AJS3 - Manager accepts connections from JP1/AJS3 - View using port number 20244. In other words, JP1/AJS3 - View is connected to port number 20244 on the JP1/AJS3 - Manager side.

    • Port number 20244 is defined with the service name jp1ajs2monitor. You can change the port number to a number other than 20244 in the environment settings.

    • The port number at the JP1/AJS3 - View side is automatically assigned by the OS as any port number that is available at the time (ANY).

    • The direction of the connection is from JP1/AJS3 - View to JP1/AJS3 - Manager. This direction setting is used when you want to restrict the direction in which data passes through the firewall, for example only permitting connections from network A to network B.

    • The protocol is TCP.

    • TCP involves bi-directional communication, and there are outward (JP1/AJS3 - View >> JP1/AJS3 - Manager) and return (JP1/AJS3 - View << JP1/AJS3 - Manager) communications. In the filtering conditions, the outward and return packets are distinguished by their Source and Destination fields: a return packet has the Source and Destination (address and port) of the outward packet swapped, so both directions need a matching condition.

    The available IP addresses depend on the communication settings in JP1/Base. For details, see the Job Management Partner 1/Base User's Guide.

  2. Set packet filtering.

    Based on the checked method of communications between JP1/AJS3 - View and JP1/AJS3 - Manager, configure the system so that only these communications can pass through the firewall.

    The following table shows the data-passing conditions for packet filtering.

    Table 2‒6: Example filtering conditions (for JP1/AJS3 - View and JP1/AJS3 - Manager)

    No.  SourceAddress    DestinationAddress  Protocol  SourcePort  DestinationPort  Control
    ---  ---------------  ------------------  --------  ----------  ---------------  -------
    1    100.100.100.10   200.200.200.20      TCP       (ANY)       20244            Accept
    2    200.200.200.20   100.100.100.10      TCP       20244       (ANY)            Accept
    3    (ANY)            (ANY)               (ANY)     (ANY)       (ANY)            Reject

    This table shows the conditions for checking packets and the control if there is a match with the conditions. The Control column indicates whether passage through the firewall is accepted or rejected.

    Set the packet filtering of the firewall in accordance with the filtering conditions in this table.

The details of the setting method differ for individual firewalls. See the documentation for your firewall.
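The procedure above, as an added example that is not part of the original manual or Hitachi's code: a small Python model of the first-match packet filter in Table 2‒6. It checks that both directions of the JP1/AJS3 - View to JP1/AJS3 - Manager connection are accepted, that anything else (another port, another protocol, or a connection initiated from the manager side) falls through to the catch-all Reject, and that dropping the return rule (No. 2) breaks the connection even though the outward rule is still present. The ephemeral source port 49152 stands in for the OS-assigned "ANY" port and is an assumption.

```python
"""Model of the first-match packet filter in Table 2-6 (added example, not Hitachi's code)."""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard in a rule field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    control: str  # "Accept" or "Reject"

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
                 (self.sport, p.sport), (self.dport, p.dport))
        return all(want is ANY or want == got for want, got in pairs)


def first_match(rules: List[Rule], p: Packet) -> Optional[int]:
    """Return the table No. (1-based) of the first rule that matches, or None."""
    for i, r in enumerate(rules, start=1):
        if r.matches(p):
            return i
    return None


def decide(rules: List[Rule], p: Packet) -> str:
    """Control of the first matching rule; no match means Reject (block everything first)."""
    n = first_match(rules, p)
    return rules[n - 1].control if n else "Reject"


VIEW, MANAGER = "100.100.100.10", "200.200.200.20"   # addresses from the example
JP1AJS2MONITOR = 20244                                # default jp1ajs2monitor port
EPHEMERAL = 49152                                     # assumed OS-assigned "ANY" port

TABLE_2_6 = [
    Rule(VIEW, MANAGER, "TCP", ANY, JP1AJS2MONITOR, "Accept"),  # No. 1: outward
    Rule(MANAGER, VIEW, "TCP", JP1AJS2MONITOR, ANY, "Accept"),  # No. 2: return
    Rule(ANY, ANY, ANY, ANY, ANY, "Reject"),                    # No. 3: everything else
]

# Common mistake: only the outward direction is allowed.
MISSING_RETURN_RULE = [TABLE_2_6[0], TABLE_2_6[2]]


def check_connection(rules: List[Rule], client: str, server: str, port: int,
                     ephemeral: int = EPHEMERAL) -> bool:
    """A TCP connection works only if the outward and the return packets are both accepted."""
    outward = Packet(client, server, "TCP", ephemeral, port)
    back = Packet(server, client, "TCP", port, ephemeral)
    return decide(rules, outward) == "Accept" and decide(rules, back) == "Accept"


if __name__ == "__main__":
    print("View -> Manager 20244 :", check_connection(TABLE_2_6, VIEW, MANAGER, JP1AJS2MONITOR))
    print("View -> Manager 20241 :", check_connection(TABLE_2_6, VIEW, MANAGER, 20241))
    print("Manager -> View 20244 :", check_connection(TABLE_2_6, MANAGER, VIEW, JP1AJS2MONITOR))
    print("Return rule missing   :", check_connection(MISSING_RETURN_RULE, VIEW, MANAGER, JP1AJS2MONITOR))
```

Rule order matters: with the catch-all Reject placed first, every packet would match it and nothing would pass, which is why the table lists the specific Accept rows before the final Reject row.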

(b) NAT (Network Address Translator)

NAT translates private IP addresses to global IP addresses and vice versa. Because outside hosts only ever see the translated addresses, the private addresses of the internal network are concealed, which improves the security of the internal computers.

In addition to its use in firewalls, the NAT functionality is also used with routers.

JP1/Base and JP1/AJS3 support NAT in static mode (addresses are translated according to predetermined rules). The following description applies to address translation in static mode only.

Note that JP1/Base and JP1/AJS3 can be used only in an environment in which the host name used for communication resolves to a unique host name or IP address. Therefore, JP1/Base and JP1/AJS3 do not support NAT in dynamic mode (in which an available address is assigned dynamically and the translation rules are set or changed automatically) or NAPT (IP masquerade, NAT+), which also translates port numbers.

■ Setting NAT

To set NAT:

  1. Check the IP address to be used.

    First, check the IP address that the application uses. This is simple when dealing with a computer that only uses one IP address, but if multiple network adaptors are used (meaning that there is more than one IP address), or if a logical IP address is used in a cluster system, the IP address used differs depending on the application.

    In the case of JP1/AJS3, the IP address used in a non-cluster system will be different from that in a cluster system with a logical host setting. For details, see the Job Management Partner 1/Base User's Guide.

  2. Determine and set the address translation rules.

    Once you have checked the IP address that the application uses, decide the IP address after translation.

    When you have decided the address translation rules, set them for NAT.

■ Example setting with JP1/AJS3

The following explains NAT setting for JP1 in a configuration with a firewall between JP1/AJS3 - View and JP1/AJS3 - Manager.

Example: Connecting from JP1/AJS3 - View to a JP1/AJS3 - Manager host with a translated address
  • JP1/AJS3 - Manager operates in a non-cluster system.

  • 100.100.100.10 is set as the IP address of the JP1/AJS3 - View computer.

  • 150.150.150.15 is set as the IP address of the JP1/AJS3 - Manager computer.

    The IP address of this JP1/AJS3 - Manager is translated to 200.200.200.20.

    After translation, JP1/AJS3 - View connects to 200.200.200.20.

Figure 2‒18: Example of setting NAT with JP1/AJS3

[Figure]

  1. Check the IP address to be used.

    Check the IP address used by JP1. This information is required for setting NAT.

    Since the system in this example is non-cluster, communications are conducted using an IP address that corresponds to the host name (result of the hostname command).

  2. Determine and set the address translation rule.

    Decide the translation rule for translating the IP address of the JP1/AJS3 - Manager computer from 150.150.150.15 to 200.200.200.20 using NAT.

    Table 2‒7: Example of a translation rule (translating 150.150.150.15 to 200.200.200.20)

    No.  SourceAddress    DestinationAddress  SourceAddress(Translated)  DestinationAddress(Translated)
    ---  ---------------  ------------------  -------------------------  ------------------------------
    1    (ANY)            200.200.200.20      (ANY)                      150.150.150.15
    2    150.150.150.15   (ANY)               200.200.200.20             (ANY)

    This table shows the correspondence between the source packet and the packet after address translation.

    Define this address translation rule in the NAT setting for the firewall.

    The precise details of the setting method will differ depending on the firewall and router. See the documentation for the products you are using.

Now, JP1/AJS3 - View does not access the actual address of the computer where JP1/AJS3 - Manager is installed (150.150.150.15) but the address after translation (200.200.200.20).

From JP1/AJS3 - View, it appears as if a JP1/AJS3 - Manager host with the IP address 200.200.200.20 is being accessed.
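The translation described above, as an added example that is not part of the original manual or Hitachi's code: a Python model of the static NAT rule in Table 2‒7. Rule No. 1 rewrites the destination of packets arriving from outside, rule No. 2 rewrites the source of packets leaving the manager, and port numbers are never touched (no NAPT). The model also refuses a translation table that is not one-to-one, which is the property the static mode depends on so that a host name resolves to a unique address. The ephemeral port 49152 stands in for the OS-assigned port and is an assumption.

```python
"""Static (one-to-one) NAT as in Table 2-7 (added example, not Hitachi's code)."""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def is_one_to_one(mapping: Dict[str, str]) -> bool:
    """True if every real address maps to a distinct translated address (a bijection)."""
    return len(set(mapping.values())) == len(mapping)


class StaticNat:
    """Static-mode NAT: fixed address pairs, no port translation."""

    def __init__(self, real_to_translated: Dict[str, str]):
        # JP1 requires that the host name used for communication resolve to a
        # unique address, so the table must be one-to-one in both directions.
        if not is_one_to_one(real_to_translated):
            raise ValueError("static NAT table must be one-to-one")
        self.inside_to_outside = dict(real_to_translated)
        self.outside_to_inside = {v: k for k, v in real_to_translated.items()}

    def inbound(self, p: Packet) -> Packet:
        """Rule No. 1: a packet from outside gets its destination rewritten to the real address."""
        return replace(p, dst=self.outside_to_inside.get(p.dst, p.dst))

    def outbound(self, p: Packet) -> Packet:
        """Rule No. 2: a packet from inside gets its source rewritten to the translated address."""
        return replace(p, src=self.inside_to_outside.get(p.src, p.src))


VIEW = "100.100.100.10"                 # JP1/AJS3 - View
MANAGER_REAL = "150.150.150.15"         # JP1/AJS3 - Manager, actual address
MANAGER_TRANSLATED = "200.200.200.20"   # address seen by JP1/AJS3 - View
JP1AJS2MONITOR = 20244
EPHEMERAL = 49152                        # assumed OS-assigned port on the View side

TABLE_2_7 = StaticNat({MANAGER_REAL: MANAGER_TRANSLATED})


def round_trip(nat: StaticNat, client: str, outside_addr: str, port: int,
               ephemeral: int = EPHEMERAL) -> Tuple[Packet, Packet]:
    """Simulate one request and its reply through the NAT firewall.

    Returns (packet as received by the manager, reply as received by the client).
    """
    request = Packet(client, outside_addr, ephemeral, port)
    at_manager = nat.inbound(request)
    # The manager answers from its real address; the firewall translates it back.
    reply = Packet(at_manager.dst, at_manager.src, port, ephemeral)
    at_client = nat.outbound(reply)
    return at_manager, at_client


if __name__ == "__main__":
    seen_by_manager, seen_by_view = round_trip(TABLE_2_7, VIEW, MANAGER_TRANSLATED, JP1AJS2MONITOR)
    print("Manager receives:", seen_by_manager)   # dst is 150.150.150.15
    print("View receives   :", seen_by_view)      # src is 200.200.200.20
```

From the View side the peer is always 200.200.200.20; from the Manager side the local address is always 150.150.150.15, and the ports are identical on both sides of the firewall, which is the behaviour the packet-filtering conditions in Table 2‒6 rely on.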

(c) Communication settings for using JP1 in a firewall environment

When JP1 communicates through a firewall, consider setting the IP bind method as the JP1 communication method on hosts that have multiple LAN connections.

To use JP1 in an environment with a firewall, you must set the packet filtering and NAT conditions in accordance with IP addresses and port numbers, as explained previously. Those conditions only work if the IP addresses that JP1 actually uses are fixed and known, so use the IP bind method, in which the JP1 settings determine the addresses.

For example, when JP1 runs in a cluster system or on a server connected to multiple LANs, the OS chooses the source IP address, and an unintended IP address might be used, so that packets no longer match the filtering conditions. You can remedy this by setting the IP bind method as the JP1 communication method so that communications use the IP address specified in the JP1 environment settings.

(2) JP1/Base communications

For details about JP1/Base communications, see the Job Management Partner 1/Base User's Guide.

(3) JP1/AJS3 communications

The following explains the port numbers, IP addresses, and address translation (NAT) that can be used in JP1/AJS3 communications.

(a) Port numbers

■ JP1/AJS3 port numbers

JP1/AJS3 uses the port numbers listed in A.1 Tables of port numbers. In addition, the port numbers of JP1/Base, which is a prerequisite for JP1/AJS3, are also used.

■ Major system configurations and communications

The following explains the port numbers and communications directions used in major system configurations.

Consult the following references in conjunction with the explanation given here.

References
Cautionary note

When a firewall runs on the JP1 host itself (a host-based firewall), set it so that data can pass through all the ports that JP1 uses for communication within the local host. JP1 processes on the same host communicate with each other through these ports, so blocking them breaks JP1 even though no traffic leaves the host.

Figure 2‒19: Example system configuration

[Figure]

  • JP1/AJS3 - View on HOST-V connects to HOST-M1.

  • HOST-M1 and HOST-M2 execute jobs together.

  • HOST-A is set as the agent of HOST-M1.

  • HOST-AUTH is set as the authentication server for HOST-M1.

Table 2‒8: Communications between JP1/AJS3 - View and JP1/AJS3 - Manager

JP1/AJS3 - View    Direction    JP1/AJS3 - Manager
---------------    ---------    --------------------------
(ANY)              >>           20244/tcp (jp1ajs2monitor)

(These correspond to HOST-V and HOST-M1 in the example system configuration.)

Table 2‒9: Communications between JP1/AJS3 - Manager and JP1/AJS3 - Manager

JP1/AJS3 - Manager          Direction    JP1/AJS3 - Manager
--------------------------  ---------    --------------------------
(ANY)                       >>           20241/tcp (jp1ajs2qman)
                                         20242/tcp (jp1ajs2qagt)
                                         20243/tcp (jp1ajs2qnfy)
                                         20244/tcp (jp1ajs2monitor)
                                         20245/tcp (jp1ajs2report)
                                         20246/tcp (jp1ajs2eamgr)
                                         20247/tcp (jp1ajs2eaagt)
                                         20300/tcp (jp1ajs2qlagt)
                                         20301/tcp (jp1ajs2qlftp)
                                         23139/tcp (jp1ajs2chkagt)
                                         23160/tcp (jp1ajs2gw)
20241/tcp (jp1ajs2qman)     <<           (ANY)
20242/tcp (jp1ajs2qagt)
20243/tcp (jp1ajs2qnfy)
20244/tcp (jp1ajs2monitor)
20245/tcp (jp1ajs2report)
20246/tcp (jp1ajs2eamgr)
20247/tcp (jp1ajs2eaagt)
20300/tcp (jp1ajs2qlagt)
20301/tcp (jp1ajs2qlftp)
23139/tcp (jp1ajs2chkagt)
23160/tcp (jp1ajs2gw)

(These correspond to HOST-M1 and HOST-M2 in the example system configuration. Each manager connects to the same set of ports on the other, so the ports must be accepted in both directions.)

Table 2‒10: Communications between JP1/AJS3 - Manager and JP1/AJS3 - Agent

JP1/AJS3 - Manager          Direction    JP1/AJS3 - Agent
--------------------------  ---------    --------------------------
(ANY)                       >>           20242/tcp (jp1ajs2qagt)
                                         20247/tcp (jp1ajs2eaagt)
                                         20300/tcp (jp1ajs2qlagt)
                                         23139/tcp (jp1ajs2chkagt)
20241/tcp (jp1ajs2qman)     <<           (ANY)
20243/tcp (jp1ajs2qnfy)
20246/tcp (jp1ajs2eamgr)
20301/tcp (jp1ajs2qlftp)

(These correspond to HOST-M1 and HOST-A in the example system configuration)

Table 2‒11: Communications between JP1/AJS3 - Manager and JP1/Base (authentication server)

JP1/AJS3 - Manager    Direction    JP1/Base
------------------    ---------    ----------------------
(ANY)                 >>           20240/tcp (jp1bsuser)

(These correspond to HOST-M1 and HOST-AUTH in the example system configuration)

The following table describes the communications between JP1/AJS3 and a mail server for mail system linkage without using Outlook.

Table 2‒12: Communications between JP1/AJS3 and a mail server

JP1/AJS3    Direction    Mail server
--------    ---------    -------------------------
(ANY)       >>           25/tcp (smtp)
(ANY)       >>           110/tcp (pop3)
(ANY)       >>           587/tcp (Submission Port)

The communications used in other configurations that use other programs are indicated in the table below.

Table 2‒13: Communications between JP1/AJS3 - Manager and other programs

JP1/AJS3 - Manager          Direction    Other program
--------------------------  ---------    ------------------------
(ANY)                       >>           20241/tcp (jp1ajs2qman)
20241/tcp (jp1ajs2qman)     <<           (ANY)
20245/tcp (jp1ajs2report)

Other program here means user programs that use the functions of JP1/NQSEXEC and JP1/OJE for VOS3.

The following two tables describe the communications to be performed when JP1/AJS3 Console is used.

Table 2‒14: Communications between JP1/AJS3 Console View and JP1/AJS3 Console Manager

JP1/AJS3 Console View    Direction    JP1/AJS3 Console Manager
---------------------    ---------    ------------------------
(ANY)                    >>           22275/tcp (jp1ajs2cm)

Table 2‒15: Communications between JP1/AJS3 Console Manager and JP1/AJS3 Console Agent

JP1/AJS3 Console Manager    Direction    JP1/AJS3 Console Agent
------------------------    ---------    ----------------------
(ANY)                       >>           22276/tcp (jp1ajs2ca)
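The direction tables above, as an added example that is not part of the original manual or Hitachi's code: a Python generator that expands a port table such as Table 2‒10 into Table 2‒6 style filtering conditions (an outward and a return row per port, followed by the catch-all Reject) and renders them as iptables commands for a Linux firewall forwarding traffic between the two hosts. The addresses 200.200.200.20 for HOST-M1 and 10.0.0.5 for HOST-A, the FORWARD chain, and DROP as the iptables action for Reject are assumptions; the manual does not name a firewall product and the example system configuration gives no addresses.

```python
"""Filtering conditions and iptables commands from a JP1/AJS3 port table
(added example, not Hitachi's code)."""
from typing import List, Tuple

# Rows of Table 2-10 as (port, service name, direction).
# ">>": the manager (left column) connects to this port on the agent.
# "<<": the agent (right column) connects to this port on the manager.
TABLE_2_10 = [
    (20242, "jp1ajs2qagt", ">>"),
    (20247, "jp1ajs2eaagt", ">>"),
    (20300, "jp1ajs2qlagt", ">>"),
    (23139, "jp1ajs2chkagt", ">>"),
    (20241, "jp1ajs2qman", "<<"),
    (20243, "jp1ajs2qnfy", "<<"),
    (20246, "jp1ajs2eamgr", "<<"),
    (20301, "jp1ajs2qlftp", "<<"),
]

MANAGER = "200.200.200.20"   # assumed address of HOST-M1
AGENT = "10.0.0.5"           # assumed address of HOST-A

# (SourceAddress, DestinationAddress, Protocol, SourcePort, DestinationPort, Control)
Condition = Tuple[str, str, str, str, str, str]


def filter_conditions(left: str, right: str, table) -> List[Condition]:
    """Expand each table row into its outward and return rows, then add the catch-all Reject.

    left/right are the addresses of the hosts in the left and right table columns.
    """
    rows: List[Condition] = []
    for port, _name, direction in table:
        client, server = (left, right) if direction == ">>" else (right, left)
        rows.append((client, server, "TCP", "(ANY)", str(port), "Accept"))  # outward
        rows.append((server, client, "TCP", str(port), "(ANY)", "Accept"))  # return
    rows.append(("(ANY)",) * 5 + ("Reject",))
    return rows


def to_iptables(rows: List[Condition], chain: str = "FORWARD") -> List[str]:
    """Render conditions as iptables commands. Order is kept: iptables is first-match too."""
    cmds = []
    for src, dst, proto, sport, dport, control in rows:
        parts = ["iptables", "-A", chain]
        if proto != "(ANY)":
            parts += ["-p", proto.lower()]
        if src != "(ANY)":
            parts += ["-s", src]
        if dst != "(ANY)":
            parts += ["-d", dst]
        if sport != "(ANY)":
            parts += ["--sport", sport]
        if dport != "(ANY)":
            parts += ["--dport", dport]
        parts += ["-j", "ACCEPT" if control == "Accept" else "DROP"]
        cmds.append(" ".join(parts))
    return cmds


def listening_ports(table, side: str) -> List[int]:
    """Ports the given side must accept: 'agent' = right column, 'manager' = left column."""
    want = ">>" if side == "agent" else "<<"
    return sorted(port for port, _name, direction in table if direction == want)


if __name__ == "__main__":
    for cmd in to_iptables(filter_conditions(MANAGER, AGENT, TABLE_2_10)):
        print(cmd)
```

The same generator works for Tables 2‒8, 2‒9, 2‒11 and 2‒13 by passing their rows; for the manager-to-manager case of Table 2‒9 every port appears with both directions, so each port produces four rows.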

(b) IP address

JP1/AJS3 uses the same IP addresses as JP1/Base. For details, see the Job Management Partner 1/Base User's Guide.

For compatibility between versions, you can select whether the source IP address used when executing event jobs is the sending-side IP address or the receiving-side IP address that JP1/Base uses.

(c) Address translation (NAT)

JP1/AJS3 supports static mode network address translation (NAT).

Cautionary note

If NAT is used for communication between the agent and the manager, the definition pre-check function cannot correctly check items in the execution agent name category.