Specifying firewall rules when the application tier is separated from the CMS by NAT

Stateful firewalls (packet filtering or NAT) need inbound access rules when there is a firewall between the Application Tier (application server running the Crystal Enterprise Java SDK or the WCS) and the other Crystal Enterprise servers. One outbound rule is also needed because the WCS may register listeners on the servers behind the firewall. These listeners may initiate communication with the WCS.

For details of how to specify these rules, consult your firewall documentation.

The fixed port numbers specified in the chart are the port numbers you specify for servers using -requestport. See Configuring the CMS, and Configuring the Crystal Enterprise servers behind the firewall for details.

Inbound Rules
Source computer             Source port   Destination computer              Destination port   Action
-------------------------   -----------   -------------------------------   ----------------   ------
WCS or application server   Any           CMS                               6400               Allow
WCS or application server   Any           CMS                               fixed              Allow
WCS or application server   Any           Other Crystal Enterprise server   fixed              Allow
Any                         Any           CMS                               Any                Reject
Any                         Any           Other Crystal Enterprise server   Any                Reject

Note: There must be one inbound firewall rule for each Crystal Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number.

Outbound Rules
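Source computer                             Source port   Destination computer        Destination port   Action
-----------------------------------------   -----------   -------------------------   ----------------   ------
Machines hosting Crystal Enterprise server  Any           WCS or application server   Any                Allow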

This outbound rule is needed because the WCS may register listeners on servers behind the firewall. These listeners may initiate communication with the WCS.
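
As an added illustration (not part of the original Crystal Enterprise documentation), the following script prints iptables commands corresponding to the inbound and outbound rules and enforces the unique-port requirement from the note. The addresses, server names and fixed port numbers are constructed placeholders, and the use of TCP and of a Linux iptables FORWARD chain is an assumption; adapt the output to your own firewall.

```shell
#!/bin/sh
# Prints iptables FORWARD rules for the rule tables; it does not apply them.
# Constructed placeholders: every address, server name and fixed port below.
APP=192.0.2.10   # WCS or application server
# One line per server behind the firewall: "name host port",
# where port is the value given to that server with -requestport.
SERVERS='cms 10.0.0.5 6410
pageserver 10.0.0.6 6420
cacheserver 10.0.0.6 6421'

# Servers sharing a machine must each use a unique port.
check_unique_ports() {
    dup=$(printf '%s\n' "$1" | awk '{print $2 ":" $3}' | sort | uniq -d)
    [ -z "$dup" ] || { echo "duplicate host:port: $dup" >&2; return 1; }
}

emit_rules() {
    check_unique_ports "$1" || return 1
    hosts=$(printf '%s\n' "$1" | awk '{print $2}' | sort -u)
    # Assumption: stateful filtering, so replies to allowed connections pass.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Inbound: one allow rule per server; the CMS is also reached on 6400.
    printf '%s\n' "$1" | while read -r name host port; do
        if [ "$name" = cms ]; then
            echo "iptables -A FORWARD -p tcp -s $APP -d $host --dport 6400 -j ACCEPT"
        fi
        echo "iptables -A FORWARD -p tcp -s $APP -d $host --dport $port -j ACCEPT"
    done
    # Outbound: registered listeners may open connections to the WCS.
    for host in $hosts; do
        echo "iptables -A FORWARD -p tcp -s $host -d $APP -j ACCEPT"
    done
    # Reject rows last, so the allow rules above are matched first.
    for host in $hosts; do
        echo "iptables -A FORWARD -d $host -j REJECT"
    done
}

emit_rules "$SERVERS"
```

The script stops with an error instead of printing rules when two servers on the same machine are listed with the same port.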

Crystal Decisions
http://www.crystaldecisions.com/
Support services
http://support.crystaldecisions.com/