Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 System Design (Configuration) Guide


2.3.4 Communications in firewall environments

JP1/AJS3 can be used in system configurations in which JP1/AJS3 - Manager, JP1/AJS3 - Agent, or JP1/AJS3 - View is connected through a firewall.

The following figure shows an example of a system configuration in which a firewall is set.

Figure 2‒18: Example of a system configuration with firewall

[Figure]

(1) JP1/Base communications

For details about JP1/Base communications, see the JP1/Base User's Guide.

(2) JP1/AJS3 communications

The following explains the port numbers, IP addresses, and address translation (NAT) that can be used in JP1/AJS3 communications.

(a) Port numbers

■ JP1/AJS3 port numbers

JP1/AJS3 uses the following port numbers. In addition to these, the port numbers of JP1/Base, which must be used with JP1/AJS3, are also used.

For JP1/AJS3 port numbers, see A.1 Tables of port numbers.

■ Major system configurations and communications

This subsection describes major system configurations and communications.

Consult the following references in conjunction with the explanation given here.

References

Cautionary note

When using JP1 on a firewalled host, set the firewall so that data can pass through all the ports that JP1 uses for communications within the local host. This allows JP1 processes within the local host to communicate using the ports.

The following example system configuration shows the port numbers used and the direction of the communications.

Figure 2‒19: Example system configuration

[Figure]

  • JP1/AJS3 - View on HOST-V is used to connect to HOST-M1.

  • HOST-M1 and HOST-M2 execute jobs together.

  • HOST-A is set as the agent of HOST-M1.

  • HOST-AUTH is set as the authentication server for HOST-M1.

  • JP1/AJS3 - Web Console on HOST-WEB is used to connect to HOST-M1.

  • The web browser on HOST-CL is used to connect to HOST-WEB.

Communications between JP1/AJS3 - View and JP1/AJS3 - Manager

The table below describes the communications between JP1/AJS3 - View and JP1/AJS3 - Manager.

This corresponds to the communications between HOST-V and HOST-M1 in the example system configuration.

Table 2‒10: Communications between JP1/AJS3 - View and JP1/AJS3 - Manager

| JP1/AJS3 - View | Direction | JP1/AJS3 - Manager |
|---|---|---|
| (ANY) | >> | 20244/tcp (jp1ajs2monitor) |

Communications between JP1/AJS3 - Manager and JP1/AJS3 - Manager

The table below shows the communications between JP1/AJS3 - Manager and JP1/AJS3 - Manager.

This corresponds to the communications between HOST-M1 and HOST-M2 in the example system configuration.

Table 2‒11: Communications between JP1/AJS3 - Manager and JP1/AJS3 - Manager

| JP1/AJS3 - Manager | Direction | JP1/AJS3 - Manager |
|---|---|---|
| (ANY) | >> | 20241/tcp (jp1ajs2qman), 20242/tcp (jp1ajs2qagt), 20243/tcp (jp1ajs2qnfy), 20244/tcp (jp1ajs2monitor), 20245/tcp (jp1ajs2report), 20246/tcp (jp1ajs2eamgr), 20247/tcp (jp1ajs2eaagt), 20300/tcp (jp1ajs2qlagt), 20301/tcp (jp1ajs2qlftp), 23139/tcp (jp1ajs2chkagt), 23160/tcp (jp1ajs2gw) |
| 20241/tcp (jp1ajs2qman), 20242/tcp (jp1ajs2qagt), 20243/tcp (jp1ajs2qnfy), 20244/tcp (jp1ajs2monitor), 20245/tcp (jp1ajs2report), 20246/tcp (jp1ajs2eamgr), 20247/tcp (jp1ajs2eaagt), 20300/tcp (jp1ajs2qlagt), 20301/tcp (jp1ajs2qlftp), 23139/tcp (jp1ajs2chkagt), 23160/tcp (jp1ajs2gw) | << | (ANY) |

Communications between JP1/AJS3 - Manager and JP1/AJS3 - Agent

The table below shows the communications between JP1/AJS3 - Manager and JP1/AJS3 - Agent.

This corresponds to the communications between HOST-M1 and HOST-A in the example system configuration.

Table 2‒12: Communications between JP1/AJS3 - Manager and JP1/AJS3 - Agent

| JP1/AJS3 - Manager | Direction | JP1/AJS3 - Agent |
|---|---|---|
| (ANY) | >> | 20242/tcp (jp1ajs2qagt), 20247/tcp (jp1ajs2eaagt), 20300/tcp (jp1ajs2qlagt), 23139/tcp (jp1ajs2chkagt) |
| 20241/tcp (jp1ajs2qman), 20243/tcp (jp1ajs2qnfy), 20246/tcp (jp1ajs2eamgr), 20301/tcp (jp1ajs2qlftp) | << | (ANY) |

Communications between JP1/AJS3 - Manager and JP1/Base (authentication server)

The table below shows the communications between JP1/AJS3 - Manager and JP1/Base (authentication server).

This corresponds to the communications between HOST-M1 and HOST-AUTH in the example system configuration.

Table 2‒13: Communications between JP1/AJS3 - Manager and JP1/Base (authentication server)

| JP1/AJS3 - Manager | Direction | JP1/Base |
|---|---|---|
| (ANY) | >> | 20240/tcp (jp1bsuser) |

Communications between JP1/AJS3 - Web Console and JP1/AJS3 - Manager

The table below shows the communications between JP1/AJS3 - Web Console and JP1/AJS3 - Manager.

This corresponds to the communications between HOST-WEB and HOST-M1 in the example system configuration.

Table 2‒14: Communications between JP1/AJS3 - Web Console and JP1/AJS3 - Manager

| JP1/AJS3 - Web Console | Direction | JP1/AJS3 - Manager |
|---|---|---|
| (ANY) | >> | 22250/tcp (jp1ajs3cdinetd) |

Communications between JP1/AJS3 - Web Console and a web browser

The table below describes the communications between JP1/AJS3 - Web Console and a web browser.

This corresponds to the communications between HOST-WEB and HOST-CL in the example system configuration.

Table 2‒15: Communications between JP1/AJS3 - Web Console and a web browser

| Web browser | Direction | JP1/AJS3 - Web Console |
|---|---|---|
| (ANY) | >> | 22252/tcp (jp1ajs3web), 22253/tcp (jp1ajs3webssl) |
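
The port/direction tables above (Tables 2‒10 to 2‒15) can be turned into a per-host-pair allowlist for the firewall and used to audit observed connections. The following is an added example, not part of the Hitachi manual: the host addresses, the function names `nft_rules` and `audit`, and the use of nftables on a default-drop forward chain that already accepts established traffic are all assumptions.

```python
# Added example: allowlist built from Tables 2-10 to 2-15 of this page.
# Host addresses are constructed (RFC 5737 documentation ranges).
HOSTS = {
    "HOST-V": "192.0.2.10", "HOST-M1": "198.51.100.1", "HOST-M2": "198.51.100.2",
    "HOST-A": "198.51.100.20", "HOST-AUTH": "198.51.100.30",
    "HOST-WEB": "203.0.113.5", "HOST-CL": "192.0.2.50",
}
MGR = {20241, 20242, 20243, 20244, 20245, 20246, 20247, 20300, 20301, 23139, 23160}
# (initiator, responder) -> TCP destination ports the responder listens on
MATRIX = {
    ("HOST-V", "HOST-M1"): {20244},                        # Table 2-10
    ("HOST-M1", "HOST-M2"): MGR,                           # Table 2-11 (>>)
    ("HOST-M2", "HOST-M1"): MGR,                           # Table 2-11 (<<)
    ("HOST-M1", "HOST-A"): {20242, 20247, 20300, 23139},   # Table 2-12 (>>)
    ("HOST-A", "HOST-M1"): {20241, 20243, 20246, 20301},   # Table 2-12 (<<)
    ("HOST-M1", "HOST-AUTH"): {20240},                     # Table 2-13
    ("HOST-WEB", "HOST-M1"): {22250},                      # Table 2-14
    ("HOST-CL", "HOST-WEB"): {22252, 22253},               # Table 2-15
}

def nft_rules():
    """Render one accept rule per host pair, for a default-drop forward chain."""
    rules = []
    for (src, dst), ports in MATRIX.items():
        plist = ", ".join(str(p) for p in sorted(ports))
        rules.append(f"ip saddr {HOSTS[src]} ip daddr {HOSTS[dst]} "
                     f"tcp dport {{ {plist} }} ct state new accept")
    return rules

def audit(flows):
    """Return flows (src_ip, dst_ip, proto, dport) that the matrix does not allow."""
    by_ip = {ip: name for name, ip in HOSTS.items()}
    bad = []
    for src_ip, dst_ip, proto, dport in flows:
        pair = (by_ip.get(src_ip), by_ip.get(dst_ip))
        if proto != "tcp" or dport not in MATRIX.get(pair, set()):
            bad.append((src_ip, dst_ip, proto, dport))
    return bad

# Constructed flow records, e.g. parsed from firewall connection logs.
SAMPLE = [
    ("192.0.2.10", "198.51.100.1", "tcp", 20244),     # View -> Manager: allowed
    ("198.51.100.20", "198.51.100.1", "tcp", 20241),  # Agent -> Manager: allowed
    ("192.0.2.10", "198.51.100.20", "tcp", 20242),    # View -> Agent: in no table
    ("198.51.100.20", "198.51.100.1", "tcp", 20244),  # Agent -> 20244: not in 2-12
]

if __name__ == "__main__":
    print("\n".join(nft_rules()))
    print(audit(SAMPLE))
```

Because each rule is keyed on the initiating host as well as the destination port, a connection such as an agent reaching the manager's monitor port is reported even though that port is open to JP1/AJS3 - View.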

Communications between JP1/AJS3 - Manager, the relay agent, the destination agent, and the broadcast agent

The following table describes the communications between JP1/AJS3 - Manager, relay agent, destination agent, and the broadcast agent when a flexible job is utilized.

Table 2‒16: Communications between JP1/AJS3 - Manager and JP1/AJS3 (relay agent)

| JP1/AJS3 - Manager | Direction | JP1/AJS3 - Manager (relay agent), JP1/AJS3 - Agent (relay agent) |
|---|---|---|
| (ANY) | >> | 20242/tcp (jp1ajs2qagt) |
| 20241/tcp (jp1ajs2qman), 20243/tcp (jp1ajs2qnfy) | << | (ANY) |

Table 2‒17: Communications between JP1/AJS3 (relay agent) and JP1/AJS3 (destination agent)

| JP1/AJS3 - Manager (relay agent), JP1/AJS3 - Agent (relay agent) | Direction | JP1/AJS3 - Manager (destination agent), JP1/AJS3 - Agent (destination agent) |
|---|---|---|
| (ANY) | >> | 22251/tcp (jp1ajs2atmsg) |
| 22251/tcp (jp1ajs2atmsg) | << | (ANY) |

Table 2‒18: Communications between JP1/AJS3 (relay agent) and JP1/AJS3 (broadcast agent)

| JP1/AJS3 - Manager (relay agent), JP1/AJS3 - Agent (relay agent) | Direction | JP1/AJS3 - Manager (broadcast agent), JP1/AJS3 - Agent (broadcast agent) |
|---|---|---|
| (ANY) | >> | 22251/tcp (jp1ajs2atmsg) |
| 22251/tcp (jp1ajs2atmsg) | << | (ANY) |

Table 2‒19: Communications between JP1/AJS3 (broadcast agent) and JP1/AJS3 (destination agent)

| JP1/AJS3 - Manager (broadcast agent), JP1/AJS3 - Agent (broadcast agent) | Direction | JP1/AJS3 - Manager (destination agent), JP1/AJS3 - Agent (destination agent) |
|---|---|---|
| (ANY) | >> | 22251/tcp (jp1ajs2atmsg) |
| 22251/tcp (jp1ajs2atmsg) | << | (ANY) |
| (ANY) | >> | 22251/udp (jp1ajs2atmsg) |
| 22251/udp (jp1ajs2atmsg) | << | (ANY) |

Communications between JP1/AJS3 and a mail server

The following table describes the communications between JP1/AJS3 and a mail server for mail system linkage without using Outlook.

Table 2‒20: Communications between JP1/AJS3 and a mail server

| JP1/AJS3 | Direction | Mail server |
|---|---|---|
| (ANY) | >> | 25/tcp (smtp) |
| (ANY) | >> | 110/tcp (pop3) |
| (ANY) | >> | 587/tcp (Submission Port) |

Communications between JP1/AJS3 - Manager and other programs

The following table describes the communications in a different configuration in which other programs (JP1/NQSEXEC and JP1/OJE for VOS3, which are the programs for job cooperation) are utilized.

Table 2‒21: Communications between JP1/AJS3 - Manager and other programs

| JP1/AJS3 - Manager | Direction | Other program |
|---|---|---|
| (ANY) | >> | 20241/tcp (jp1ajs2qman) |
| 20241/tcp (jp1ajs2qman), 20245/tcp (jp1ajs2report) | << | (ANY) |

Cautionary note

Assume that the other program is to receive the status reports on the jobs registered from the other program in JP1/AJS3 - Manager. In such a case, the traffic through the job-status reporting port specified by the other program must be in the direction from JP1/AJS3 - Manager to the other program.

(b) IP address

JP1/AJS3 uses the same IP addresses as JP1/Base. For details, see the JP1/Base User's Guide.

To ensure compatibility among versions, you can select whether the sending side IP address used when executing event jobs corresponds to the sending side IP address or the receiving side IP address used by JP1/Base.

(c) Address translation (NAT)

JP1/AJS3 supports static mode network address translation (NAT).

Cautionary notes

  • If NAT is used for communication between the agent and the manager, the definition pre-check function cannot correctly check items whose category is execution agent name.

  • The execution order control function (jobnet connector) between scheduler services and within the same host cannot be used via NAT.

(3) Example of configurations that include a firewall, and their communications settings

This subsection describes examples of configurations for cluster and non-cluster operation in environments that include a firewall, and their communication settings.

(a) Example configuration with a firewall for non-cluster operation, and its communications settings

The following explains a configuration for non-cluster operation in a firewall environment, and the communication settings. The following figure shows a configuration example.

Figure 2‒20: Example of a configuration for setting a firewall in a non-cluster system

[Figure]

The firewall is configured so that data passes through it between hostX and hostA. In this system configuration, there is no need to make any special settings in JP1/AJS3 in addition to the settings for the firewall.

(b) Example configuration with a firewall for cluster operation, and its communications settings

The following explains a configuration and communication settings for cluster operation in a firewall environment. The following figure shows a configuration example.

Figure 2‒21: Example of a configuration for setting a firewall in a cluster system

[Figure]

When the firewall is configured so that data passes through it both between hostX and hostA, and between hostL and hostA, as in (a) Example configuration with a firewall for non-cluster operation, and its communications settings above, you do not have to make any special settings in JP1/AJS3.

In a system based entirely on logical hosts with no physical host services, if a firewall is set up only between hostL and hostA, you must set IP bind as the sending method. For details about how to set IP bind, see the chapter about communication settings in the JP1/Base User's Guide.

Cautionary note

If a firewall has not been set to allow communication between hostX (physical host) and hostA, data cannot pass through the firewall when a queueless job is executed. If you are using queueless jobs, set the environment so that data from the physical host can pass through the firewall.