Firewall Settings

How to Configure through a Firewall

iSeries Access & Client Access/400

Configuration

Ports that must be permitted for CA to function

  • Client Access - unlock ports 446-449, 8470-8480, 516-517
  • Telnet - unlock port 23
  • FTP - unlock port 21

 

CWBCO1008

Cause
The Service Mapper was successfully contacted on the server, but connecting to the specified application server on that server failed, probably because the host server is not running. The error code is specified.

Recovery
Verify that the host server is ready to receive connections by doing the following on the server:

  1. Enter the NETSTAT command.
  2. Select option 3, Work with TCP/IP connection status.
  3. Search for an entry for which the Local Port is the name of the server application specified in the message. This name may be truncated for display in NETSTAT.
  4. Press F14 (Display port numbers) and note what port number that server is using; also note what the state of the server is.

* If the entry exists but the port number shown is different from the one listed in the CWBCO1022 message text, then either the iSeries Access configuration for the system specifies that the remote port be looked up on the PC, or the services table on the server is incorrect. Have your systems administrator verify that the entry for the specified host server is correct. See Server Connection Properties for information on configuring the connection to the server.

* If there is no such entry, or if the State listed for the entry is not Listen, the server application is not ready to accept connections; see How to Start OS/400 Host Socket Servers. You may have to stop and restart the host socket servers.
 

* If the entry exists and the state is Listen, there may be a problem related to one or more routers in your network not allowing connections to be made through them. Contact your system administrator for assistance.

See CWBCO1003 for details on the error code specified.

 

The following information shows how IP Forwarding can be used to configure a Client Access connection to an iSeries through a firewall.

Suppose that you want to permit mobile users on the Internet to access your iSeries behind the Firewall using Client Access and Telnet. Since the users are mobile, their IP address is unknown.

Assume:

  • 192.168.2.1 is your iSeries's IP address
  • 5.5.5.5 is the public IP address that represents your iSeries on the Internet

First, use NAT to map the iSeries's real IP address to its public IP address. NAT is configured on the IBM Firewall for iSeries product by doing the following:

  • From a client behind the firewall, point a web browser at the iSeries, port 2001. For example, if the iSeries is named myas400.priv.abc.com then point the web browser at http://myas400.priv.abc.com:2001
  • Select the "IBM Firewall for iSeries" link
  • Select "Configuration" in the left frame
  • To configure the NAT settings, select "NAT" in the right frame
  • Click on the "Insert" button
  • Choose "MAP" from the list of actions, and then click on the OK button
  • After configuring the NAT settings (as shown below), select "Configuration" in the left frame
  • To configure the filter rules (settings), select "Filters" in the right frame
  • After configuring the filter settings, select "Administration" in the left frame
  • Select "Status" in the right frame
  • Restart both NAT and Filters

If 5.5.5.5 is NOT the non-secure IP address of your Firewall, then you can do this with one simple NAT setting:

  MAP 192.168.2.1 0 5.5.5.5 0

If 5.5.5.5 is the non-secure IP address of your Firewall, then you will need to add the following NAT settings. In addition, your router must be configured so that all traffic destined to 5.5.5.5 with subnet mask 255.255.255.255 is routed to the non-secure IP address of your firewall.
  MAP 192.168.2.1 23 5.5.5.5 23    (For telnet)
  MAP 192.168.2.1 449 5.5.5.5 449    (Port Mapper)
  MAP 192.168.2.1 8470 5.5.5.5 8470    (Central server - Needed whenever PC5250 or Data Transfer is used)
  MAP 192.168.2.1 8471 5.5.5.5 8471    (Database server)
  MAP 192.168.2.1 8472 5.5.5.5 8472    (DataQueues server)
  MAP 192.168.2.1 8473 5.5.5.5 8473    (File server)
  MAP 192.168.2.1 8474 5.5.5.5 8474    (Print server)
  MAP 192.168.2.1 8475 5.5.5.5 8475    (Remote command server)
  MAP 192.168.2.1 8476 5.5.5.5 8476    (Signon server)
  MAP 192.168.2.1 8480 5.5.5.5 8480    (Ultimedia server)
  MAP 192.168.2.1 9480 5.5.5.5 9480    (Ultimedia server with SSL on)
  MAP 192.168.2.1 5555 5.5.5.5 5555    (Management Central server)
  MAP 192.168.2.1 5556 5.5.5.5 5556    (Management Central server with SSL on)

  MAP 192.168.2.1 446 5.5.5.5 446    (DDM server - Sometimes used by Client Access OLE DB support)
  MAP 192.168.2.1 448 5.5.5.5 448    (DDM server with SSL on)
  MAP 192.168.2.1 5110 5.5.5.5 5110    (MAPI server - Needed if these Mail APIs are being used)
  MAP 192.168.2.1 992 5.5.5.5 992    (Telnet with SSL on)
  MAP 192.168.2.1 9470 5.5.5.5 9470    (Central Server with SSL on)
  MAP 192.168.2.1 9471 5.5.5.5 9471    (Database Server with SSL on)
  MAP 192.168.2.1 9472 5.5.5.5 9472    (Dataqueues server with SSL on)
  MAP 192.168.2.1 9473 5.5.5.5 9473    (File Server with SSL on)
  MAP 192.168.2.1 9474 5.5.5.5 9474    (Print Server with SSL on)
  MAP 192.168.2.1 9475 5.5.5.5 9475    (Remote command server with SSL on)
  MAP 192.168.2.1 9476 5.5.5.5 9476    (Signon server with SSL on)

The only required ports are 8476 and 449. The other ports need to be opened only if you are using a function that they support. Most users will want to open 23, 449, and 8470 through 8476.

Also, be aware that parts of iSeries Operations Navigator, which is part of Client Access, also use port 2001 (and 2010 for SSL) to access the Web Admin server. A mapping rule like those above for the scenario when 5.5.5.5 is the non-secure IP address cannot be used for those 2 ports, since this would cause the firewall not to work (it uses those ports). If you need to use those functions of Operations Navigator from outside of the firewall, then you need to set up your network so that 5.5.5.5 is NOT the non-secure IP address of your Firewall. This means acquiring an additional publicly registered IP address that is NOT the same as the firewall's public IP address.

Then, add the following Filter settings:

###############################################################
### Both side settings
###############################################################
permit 192.168.2.1 255.255.255.255 0.0.0.0 0.0.0.0 tcp any 0 any 0 both both both f=y l=n t=0 # Permit iSeries replies

###############################################################
### Non-Secure side settings (add filter settings only for the ports you are using; see port descriptions above)
###############################################################
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 23 non-secure both inbound f=y l=n t=0 # Permit Telnet access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 449 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8470 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8471 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
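permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8472 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8473 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries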
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8474 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8475 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8476 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8480 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9480 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 5555 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 5556 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 446 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 448 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 5110 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 992 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9470 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9471 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9472 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9473 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9474 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9475 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9476 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries

###############################################################
### Secure side settings (add filter settings only for the ports you are using; see port descriptions above)
###############################################################
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 23 secure both outbound f=y l=n t=0 # Permit Telnet access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 449 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8470 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8471 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8472 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8473 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8474 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8475 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8476 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8480 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9480 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 5555 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 5556 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 446 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 448 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 5110 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 992 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9470 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9471 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9472 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9473 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9474 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9475 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9476 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
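
The following is an added example, not part of the original page or of any IBM tool: a Python check that reads NAT MAP lines and filter rules in the syntax shown above and reports ports that are mapped but not permitted on one interface, ports permitted without a MAP entry, and plaintext ports permitted on the non-secure side for which this page lists an SSL port. The function names and the sample input are constructed, and treating port 0 in a MAP line as "all ports" is an assumption based on the single-MAP case above.

```python
import re

# Plaintext port -> SSL port, from the port descriptions on this page.
SSL_PORT = {23: 992, 446: 448, 5555: 5556, 8480: 9480,
            **{p: p + 1000 for p in range(8470, 8477)}}

def parse_maps(text):
    """Public ports named in 'MAP <real-ip> <port> <public-ip> <port>' lines."""
    return {int(m.group(1)) for m in
            re.finditer(r"^\s*MAP\s+\S+\s+\d+\s+\S+\s+(\d+)", text, re.M)}

def parse_filters(text):
    """{interface: destination ports} for 'permit ... tcp ge 1024 eq N <iface>' rules."""
    rules = {"non-secure": set(), "secure": set()}
    pat = r"^\s*permit\s+(?:\S+\s+){4}tcp\s+ge\s+1024\s+eq\s+(\d+)\s+(non-secure|secure)\b"
    for m in re.finditer(pat, text, re.M):
        rules[m.group(2)].add(int(m.group(1)))
    return rules

def audit(nat_text, filter_text):
    mapped = parse_maps(nat_text)
    wildcard = 0 in mapped          # assumption: port 0 in a MAP line means "all ports"
    mapped.discard(0)
    rules = parse_filters(filter_text)
    outside, inside = rules["non-secure"], rules["secure"]
    return {
        # NAT entry exists, but the filter on that interface would drop the traffic.
        "mapped_not_permitted_outside": sorted(mapped - outside),
        "mapped_not_permitted_inside": sorted(mapped - inside),
        # Filter hole with no per-port MAP behind it (stale or mistyped rule).
        "permitted_not_mapped": [] if wildcard else sorted((outside | inside) - mapped),
        # Cleartext port permitted on the non-secure side although an SSL port exists.
        "plaintext_exposed": {p: SSL_PORT[p] for p in sorted(outside) if p in SSL_PORT},
    }

# Constructed sample input in the page's syntax (not a real configuration).
SAMPLE_NAT = "\n".join(f"MAP 192.168.2.1 {p} 5.5.5.5 {p}" for p in (23, 449, 8470, 8473, 8476))
_RULE = "permit 0.0.0.0 0.0.0.0 {ip} 255.255.255.255 tcp ge 1024 eq {p} {side} f=y l=n t=0"
SAMPLE_FILTERS = "\n".join(
    ["permit 192.168.2.1 255.255.255.255 0.0.0.0 0.0.0.0 tcp any 0 any 0 both both both f=y l=n t=0"]
    + [_RULE.format(ip="5.5.5.5", p=p, side="non-secure both inbound")
       for p in (23, 449, 8470, 8472, 8476)]
    + [_RULE.format(ip="192.168.2.1", p=p, side="secure both outbound")
       for p in (23, 449, 8470, 8473, 8476)])

if __name__ == "__main__":
    for finding, ports in audit(SAMPLE_NAT, SAMPLE_FILTERS).items():
        print(f"{finding}: {ports}")
```

The "Permit iSeries replies" rule uses `tcp any 0 any 0` and is deliberately not counted as a per-port rule by the parser.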

 
IBS Lumber and Building Material Software  Copyright © 2006 IBS Lumber Software Inc (TM)
Last modified: July 4, 2008
