Application Tier separated from CMS by packet filtering

If your firewall performs packet filtering, you must configure every server inside the inner firewall to respond to communications from the WCS or application server on a fixed port. This means configuring the CMS, and every other Crystal Enterprise server, with the following command line:

-requestport portnum

The argument of the -requestport command must specify a fixed port number. You can specify any free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.

You must then configure your packet filtering firewall to pass traffic to the default CMS port (6400), and each of the communications ports you specified using -requestport.

To configure Crystal Enterprise servers on Windows
  1. Start the CCM.
  2. Stop the first server.
  3. On the toolbar, click Properties.
  4. In the Command box, add the following option:

    -requestport portnum

    For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.

    Tip:    If you want to customize the CMS so that it listens on a port other than the default, also add -port 6400 to the command line, substituting your new port number for the default value of 6400.

    If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers.

  5. Click OK to return to the CCM.
  6. Start the server.
  7. Repeat for each Crystal Enterprise server behind the firewall.

To configure other Crystal Enterprise servers on UNIX
  1. Run ccm.sh.

    By default the script and the ccm.config file are installed in the Crystal install directory, for example /export/home/crystal.

  2. Stop the server.
  3. Edit the ccm.config file to insert the following command line:

    -requestport portnum

    For the -requestport command, substitute any valid free port number for portnum. If more than one server is installed on the same machine, each server on that machine must use a unique port number.

    Tip:    If you want to customize the CMS so that it listens on a port other than the default, also add -port 6400 to the command line, substituting your new port number for the default value of 6400.

    If you change the default port number of the CMS you must perform additional system configuration. Before changing the port number, see Changing the default server port numbers.

  4. Use ccm.sh to start the server.
  5. Repeat for each Crystal Enterprise server.

Specifying firewall rules when the application server is separated from the CMS by packet filtering

Stateful firewalls (packet filtering or NAT) need the following inbound access rules when there is a firewall between the Application Tier (WCS or application server) and the rest of the Crystal Enterprise servers. Note that the WCS may register listeners with any of the CE servers, so one outbound access rule is also needed.

For details of how to specify these rules, consult your firewall documentation.

The fixed port numbers specified in the chart are the port numbers you specify for the CMS and other Crystal Enterprise servers using -requestport. See Application Tier separated from CMS by packet filtering for details.

Inbound Rules

Source                              Destination                               Action
Computer                    Port    Computer                          Port
--------------------------  ------  --------------------------------  ------  ------
WCS or application server   Any     CMS                               6400    Allow
WCS or application server   Any     CMS                               fixed   Allow
WCS or application server   Any     Other Crystal Enterprise server   fixed   Allow
Any                         Any     CMS                               Any     Reject
Any                         Any     Other Crystal Enterprise servers  Any     Reject

Note:    There must be an inbound firewall rule for each Crystal Enterprise server behind the firewall. Whenever more than one server is installed on the same machine, each server on that machine must use a unique port number.

Outbound Rules

Source                                              Destination                         Action
Computer                                    Port    Computer                    Port
------------------------------------------  ------  --------------------------  ------  ------
Machines hosting Crystal Enterprise server  Any     WCS or application server   Any     Allow

This outbound rule is needed because the WCS may register listeners on servers behind the firewall. These listeners may initiate communication with the WCS.
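
One way to check a server inventory against the requirements above (a fixed -requestport on every server, no port reused on one machine) and to derive the inbound rules in the chart's order, allows before rejects. This is an added example, not Crystal Enterprise code; the host names, server names, port numbers and inventory layout are constructed for illustration.

```python
import shlex

CMS_DEFAULT_PORT = 6400  # default CMS port given on the page

# Constructed inventory (hypothetical): (host, server name, command-line options)
SERVERS = [
    ("ce-host1", "cms", "-requestport 6410"),
    ("ce-host1", "pageserver", "-requestport 6411"),
    ("ce-host2", "cacheserver", "-requestport 6411"),
]

def option(cmdline, name):
    """Return the integer argument of option `name`, or None if absent or not numeric."""
    tokens = shlex.split(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if tok == name and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None

def listening_ports(name, cmdline):
    """Ports one server listens on: its -requestport, plus the CMS port for the CMS."""
    ports = [option(cmdline, "-requestport")]
    if name == "cms":
        ports.append(option(cmdline, "-port") or CMS_DEFAULT_PORT)
    return ports

def audit(servers):
    """List servers without a fixed -requestport and ports reused on one host."""
    problems, seen = [], {}
    for host, name, cmdline in servers:
        for port in listening_ports(name, cmdline):
            if port is None:
                problems.append(f"{host}/{name}: no fixed -requestport")
            elif (host, port) in seen:
                problems.append(f"{host}/{name}: port {port} already used by {seen[(host, port)]}")
            else:
                seen[(host, port)] = name
    return problems

def inbound_rules(servers, source="WCS or application server"):
    """Allow rules for every fixed port, then one catch-all reject per host."""
    allows = [(source, host, port, "Allow")
              for host, name, cmdline in servers
              for port in listening_ports(name, cmdline) if port is not None]
    hosts = dict.fromkeys(host for host, _, _ in servers)  # unique, in order
    return allows + [("Any", host, "Any", "Reject") for host in hosts]

if __name__ == "__main__":
    print(audit(SERVERS) or inbound_rules(SERVERS))
```

An empty result from audit means every server has a fixed port and the generated list can be translated into the firewall's own rule syntax; the outbound allow rule is added separately.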


Crystal Decisions
http://www.crystaldecisions.com/
Support services
http://support.crystaldecisions.com/