A.2 Directions of traffic through a firewall
The following table lists the directions of traffic through a firewall.
JP1/AJS3 supports both packet filtering and NAT (static mode) address translation methods.
- Legend:
  ->: One-way, from the left to the right
  <-->: Two-way, from the left to the right, or the right to the left
- #1
  "Another program" refers to a user program that uses the functions provided by JP1/NQSEXEC, JP1/OJE for VOS3, or JP1/AJS2. To allow another program to receive status reports of jobs registered in JP1/AJS3 - Manager, open the job status reporting port specified for the program in the direction from Manager to the other program.
  If you use JP1/NQSEXEC, see the Job Management Partner 1/NQSEXEC System Administrator's Guide or Job Management Partner 1/NQSEXEC User's Guide for details. If you use JP1/OJE for VOS3, see the Job Management Partner 1/Open Job Entry Description, User's Guide and Reference, for VOS3 systems.
- #2
  For details about setting up a firewall, see the Job Management Partner 1/Automatic Job Management System 3 - Definition Assistant Description, Operator's Guide and Reference.
- #3
  When you activate multiple scheduler services or change the job status reporting port (jp1ajs2report by default) for the scheduler service, open the ports for these services, or the changed port, in the same way as for the jp1ajs2report port.
To allow connections through a firewall using the port numbers in the above table, set up the firewall to permit traffic via the port corresponding to the service name, and to permit ANY replies to the session established for that port. Replies are ANY because the OS automatically assigns the port numbers.
Note the following when installing JP1 products on a firewall server.
- Internal communication is also subject to firewall control in some cases. When installing JP1/AJS3 on a server with a firewall, set up the firewall to permit communication between internal processes within the server.
- In the case of JP1/AJS3 - Manager for Windows, internal processing within the same computer dynamically uses an empty port to carry out local communication at IP address 127.0.0.1 (localhost). If the firewall also treats local communication (at 127.0.0.1) as a target of access restriction, set the firewall to permit all communications at 127.0.0.1 in addition to the setting mentioned in step 1.
- In the case of JP1/AJS3 - Manager, internal processing within the same computer (for example, by embedded-database processes) uses port numbers that are automatically assigned by the OS. To prevent the firewall from rejecting these port numbers, ensure that all communications within the same computer are permitted. Note that the range of port numbers automatically assigned by an OS varies according to the OS. For details, see the manuals for the applicable OSs.
- When an option to change the startup method for Jobnet Monitor is enabled in JP1/AJS3 - View, JP1/AJS3 - View dynamically uses an empty port number during local communications at IP address 127.0.0.1 (localhost). If the firewall restricts local communications (communications at 127.0.0.1), permit all communications at 127.0.0.1.
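The rules described above (permit the port for the service name, permit replies to the established session on any port, and permit loopback traffic), written out as an added example that is not part of the original manual. It assumes a Linux firewall using iptables with connection tracking; the addresses, the port number 65001 and the sample services file are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prints iptables rules for review; it does not apply them.

# Look up the TCP port registered for a service name in a services(5)-format file.
service_port() {  # $1 = service name, $2 = services file
    awk -v svc="$1" '
        { sub(/#.*/, "") }   # strip comments, fields are re-split
        $1 == svc && $2 ~ /\/tcp$/ { split($2, a, "/"); print a[1]; exit }
    ' "$2"
}

# Rules for one direction: initiator connects to the listener's service port.
# The reply rule names no destination port because the initiator's port is
# assigned by its OS; replies are matched by connection state instead.
service_rules() {  # $1 = service, $2 = initiator, $3 = listener, $4 = services file
    port=$(service_port "$1" "$4")
    if [ -z "$port" ]; then
        echo "no tcp entry for service $1 in $4" >&2
        return 1
    fi
    echo "iptables -A FORWARD -p tcp -s $2 -d $3 --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $3 -d $2 --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Host firewall on the JP1/AJS3 server itself: permit all loopback traffic.
loopback_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
}

# Constructed sample input: 65001 is a placeholder, not a product default.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# service       port/proto
jp1ajs2report   65001/tcp   # constructed placeholder
EOF

MANAGER=192.0.2.10   # constructed address (documentation range)
OTHER=192.0.2.20     # constructed address of the program receiving reports

# Footnote #1 direction: Manager -> another program, on the reporting port.
service_rules jp1ajs2report "$MANAGER" "$OTHER" "$SAMPLE"
loopback_rules
```

For additional scheduler services or a changed reporting port (footnote #3), call `service_rules` once per service name with the real services file of the host.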