Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 System Design (Configuration) Guide


A.2 Directions of traffic through a firewall

The following table lists the directions of traffic through a firewall.

JP1/AJS3 supports both packet filtering and NAT (static mode) address translation methods.

Table A‒5: Directions of traffic through a firewall (JP1/AJS3)

| Program name to be set | Service name | Port number | Direction of the firewall traffic |
| --- | --- | --- | --- |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent; Another program#1 | jp1ajs2qman | 20241/tcp | Agent -> Manager; Manager <--> Manager; Manager <--> Another program#1 |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent | jp1ajs2qagt | 20242/tcp | Manager -> Agent |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent | jp1ajs2qnfy | 20243/tcp | Agent -> Manager |
| JP1/AJS3 - Manager; JP1/AJS3 - View; JP1/AJS3 - Definition Assistant#2 | jp1ajs2monitor | 20244/tcp | Manager <--> Manager; JP1/AJS3 - View -> Manager; JP1/AJS3 - Definition Assistant#2 -> Manager |
| JP1/AJS3 - Manager; Another program#1,#3 | jp1ajs2report#4 | 20245/tcp | Manager <--> Manager; Another program#1,#3 -> Manager |
| JP1/AJS3 - Manager | jp1ajs2gw | 23160/tcp | The requesting manager of the host on which a jobnet connector to be connected is defined <--> Connection-destination manager to which the jobnet connector connects |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent | jp1ajs2eamgr | 20246/tcp | Agent -> Manager |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent | jp1ajs2eaagt | 20247/tcp | Manager -> Agent |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent#5 | jp1ajs2qlagt | 20300/tcp | Manager -> Agent |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent#5 | jp1ajs2qlftp | 20301/tcp | Agent -> Manager |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent | jp1ajs2chkagt | 23139/tcp | Manager -> Agent |
| JP1/AJS3 - Manager; JP1/AJS3 - Web Console | jp1ajs3cdinetd | 22250/tcp | JP1/AJS3 - Web Console -> Manager |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent#5 | jp1ajs2atmsg | 22251/tcp | Relay agent (if relaying) <--> Destination agent; Relay agent (if relaying) <--> Broadcast agent; Manager (if not relaying) <--> Destination agent; Manager (if not relaying) <--> Broadcast agent; Broadcast agent <--> Destination agent |
| JP1/AJS3 - Manager; JP1/AJS3 - Agent#5 | jp1ajs2atmsg | 22251/udp | Broadcast agent <--> Destination agent |
| JP1/AJS3 - Web Console; Web browser | jp1ajs3web | 22252/tcp | Web browser -> JP1/AJS3 - Web Console |
| JP1/AJS3 - Web Console; Web browser | jp1ajs3webssl | 22253/tcp | Web browser -> JP1/AJS3 - Web Console |

Legends:

->: One-way, from the left to the right

<-->: Two-way, from the left to the right, or the right to the left

#1

Another program refers to JP1/NQSEXEC or JP1/OJE for VOS3, which is a product intended for job cooperation.

For details, see the Job Management Partner 1/NQSEXEC System Administrator's Guide or Job Management Partner 1/NQSEXEC User's Guide when you use JP1/NQSEXEC. When you use JP1/OJE for VOS3, see the Job Management Partner 1/Open Job Entry Description, User's Guide and Reference, for VOS3 systems.

#2

For details about setting up a firewall, see the JP1/Automatic Job Management System 3 - Definition Assistant Description, Operator's Guide and Reference.

#3

Assume that the other program is to receive the status reports on the jobs registered from the other program in JP1/AJS3 - Manager. In such a case, the traffic through the job-status reporting port specified by the other program must be in the direction from JP1/AJS3 - Manager to the other program.

#4

When you activate multiple scheduler services or change the job status reporting port (jp1ajs2report by default) for the scheduler service, open the ports for these services or the changed port as performed for the jp1ajs2report port.

#5

JP1/AJS3 - Agent Minimal Edition does not use this port, and, therefore, does not require the settings for the traffic through a firewall.

To allow connections over a firewall using the port numbers in the above table, set up the firewall to permit traffic to the port corresponding to the service name, and to permit ANY replies to a session established for that port. The reply must be permitted as ANY because the OS assigns the port numbers automatically.
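One way to express the reply rule above on a stateful firewall, as an added example that is not part of the manual: the sketch renders the Manager/Agent rows of the table as nftables forward rules, allowing new sessions only in the listed direction and matching replies by connection state rather than by port. The host addresses, the nftables table name `jp1ajs3`, and the mapping of the jp1ajs2atmsg row to a non-relaying manager are assumptions.

```python
# Added example, not from the manual: render part of Table A-5 as nftables rules.
# Addresses are constructed placeholders (RFC 5737 documentation ranges).
HOSTS = {"Manager": ["192.0.2.10"], "Agent": ["198.51.100.21", "198.51.100.22"]}

# (service, port, proto, left, arrow, right) from the Manager/Agent rows.
# Assumption: for jp1ajs2atmsg the manager does not relay, so the row
# "Manager (if not relaying) <--> Destination agent" maps to Manager <--> Agent.
TABLE = [
    ("jp1ajs2qman",   20241, "tcp", "Agent",   "->",   "Manager"),
    ("jp1ajs2qagt",   20242, "tcp", "Manager", "->",   "Agent"),
    ("jp1ajs2qnfy",   20243, "tcp", "Agent",   "->",   "Manager"),
    ("jp1ajs2eamgr",  20246, "tcp", "Agent",   "->",   "Manager"),
    ("jp1ajs2eaagt",  20247, "tcp", "Manager", "->",   "Agent"),
    ("jp1ajs2chkagt", 23139, "tcp", "Manager", "->",   "Agent"),
    ("jp1ajs2atmsg",  22251, "tcp", "Manager", "<-->", "Agent"),
]


def initiators(left, arrow, right):
    """Legend: '->' lets only the left side open sessions; '<-->' lets either."""
    return [(left, right)] + ([(right, left)] if arrow == "<-->" else [])


def build_rules(table=TABLE, hosts=HOSTS):
    # Replies return to a port the OS picked, so match them by connection
    # state instead of opening a port range.
    rules = ["ct state established,related accept"]
    for service, port, proto, left, arrow, right in table:
        for src_role, dst_role in initiators(left, arrow, right):
            for src in hosts[src_role]:
                for dst in hosts[dst_role]:
                    rules.append(
                        f"ip saddr {src} ip daddr {dst} {proto} dport {port} "
                        f'ct state new accept comment "{service}"'
                    )
    return rules


def render(rules):
    """Wrap the rules in a forward chain (hypothetical table name) that drops by default."""
    body = "\n".join(f"    {r}" for r in rules)
    return (
        "table inet jp1ajs3 {\n  chain forward {\n"
        "    type filter hook forward priority 0; policy drop;\n"
        f"{body}\n  }}\n}}\n"
    )


if __name__ == "__main__":
    print(render(build_rules()))
```

The rendered ruleset can be syntax-checked without loading it by saving the output to a file and running `nft -c -f` on it.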

Note the following when installing JP1 products on a firewall server.

  1. Internal communication is also subject to firewall control in some cases. When installing JP1/AJS3 on a server with a firewall, set up the firewall to permit communication between internal processes within the server.

  2. In the case of Windows JP1/AJS3 - Manager, internal processing within the same computer dynamically uses an empty port to carry out local communication at IP address 127.0.0.1 (localhost). If the firewall also regards local communication (at 127.0.0.1) as the target of access restriction, set the firewall so as to permit all communications at 127.0.0.1 in addition to the setting mentioned in step 1.

  3. In the case of JP1/AJS3 - Manager, internal processing within the same computer (for example, embedded-database processes) uses port numbers that are automatically assigned by the OS. To prevent a firewall from rejecting these port numbers, ensure that all communications within the same computer are permitted. Note that the range of port numbers automatically assigned by an OS varies according to the OS. For details, see the manuals for the applicable OSs.

  4. When an option to change the startup method for Jobnet Monitor is enabled in JP1/AJS3 - View, JP1/AJS3 - View dynamically uses an empty port number during the local communications at IP address 127.0.0.1 (localhost). If the firewall restricts local communications (communications at 127.0.0.1), permit all communications at 127.0.0.1.