When installing and running CA SOI in environments with firewalls, verify that communication among components on different servers is not blocked. The following sections describe common firewall scenarios and the default ports that must be open for the product to function:
Note: All ports in this section are the default selections that are provided during installation.
Firewall between SA Manager and Connectors
Connectors may be deployed on domain managers that are in different security domains. In this case, you must open port 61616 for outbound communication between connectors and the ActiveMQ Server, and port 8020 for inbound communication between connectors and the UCF Broker, which invokes inbound-to-connector operations on the domain manager. The UCF Broker port is only required if synchronization operations are enabled, for which only certain use cases are supported.
When there are firewalls between the SA Manager and connectors, the best practice is to install the connectors on the domain managers to minimize the number of open ports and keep them consistent. Installing connectors on the SA Manager creates different port requirements for communicating with each domain manager operating behind a firewall.
UI Server in a DMZ environment
You can deploy UI servers outside of firewalls (in DMZs) to protect the internal network while allowing availability of certain services to external clients. See the graphic in Multiple UI Servers Behind Load Balancer for an illustration of this scenario. In this scenario, the following ports must be open for communication between the UI Server and CA SOI components:
Note: A value of RP (random port) in the first Port column designates a unidirectional connection. A unidirectional connection can use any port from the server of the source component to connect to the designated port on the server of the destination component.
| Source | Port | Destination | Port | Protocol |
|---|---|---|---|---|
| UI Server | RP | SA Manager | 7090 | HTTP |
| UI Server | RP | SA Manager | 7493 | HTTPS |
| UI Server | RP | SA Store | 1433 | JDBC |
| SA Manager | RP | UI Server | 7070 | HTTP |
| SA Manager | RP | UI Server | 7403 | HTTPS |
| Client workstations | RP | UI Server | 7070 | HTTP |
| Client workstations | RP | UI Server | 7403 | HTTPS |
| UI Server | RP | CA EEM | 5250 | HTTP |
| UI Server | RP | BusinessObjects | 1433 | ODBC |
| UI Server | RP | Connectors | 61616 | JMS |
In a dual-firewall environment, open port 7070 for inbound and outbound communication between external clients and the UI Server, as described in the table. Also open port 7090 for external access to the Administration UI, which communicates with the SA Manager.
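To confirm that the firewalls actually pass the flows in the table, the following added example (not part of the CA documentation) attempts each TCP connection from the source server and classifies the outcome. The function names, the status labels and the hostnames are assumptions made for illustration; a "filtered" result is a heuristic that usually indicates a firewall dropping the connection.

```python
import socket

# Default flows from the table above: (source, destination, port, protocol).
FLOWS = [
    ("UI Server", "SA Manager", 7090, "HTTP"),
    ("UI Server", "SA Manager", 7493, "HTTPS"),
    ("UI Server", "SA Store", 1433, "JDBC"),
    ("SA Manager", "UI Server", 7070, "HTTP"),
    ("SA Manager", "UI Server", 7403, "HTTPS"),
    ("Client workstations", "UI Server", 7070, "HTTP"),
    ("Client workstations", "UI Server", 7403, "HTTPS"),
    ("UI Server", "CA EEM", 5250, "HTTP"),
    ("UI Server", "BusinessObjects", 1433, "ODBC"),
    ("UI Server", "Connectors", 61616, "JMS"),
]

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt made from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: path and listener are up
    except ConnectionRefusedError:
        return "refused"          # reset received: host reached, nothing listening
                                  # (or a firewall rule that rejects instead of drops)
    except socket.timeout:
        return "filtered"         # no reply: typical of a firewall silently dropping
    except OSError:
        return "unreachable"      # routing or name-resolution failure

def check_from(source, hosts, timeout=3.0):
    """Probe every table row whose Source is `source`.

    `hosts` maps a Destination name from the table to a hostname or IP.
    Returns {(destination, port, protocol): status}.
    """
    results = {}
    for src, dst, port, proto in FLOWS:
        if src == source:
            results[(dst, port, proto)] = probe(hosts[dst], port, timeout)
    return results

if __name__ == "__main__":
    # Constructed hostnames; replace with the servers in your deployment.
    hosts = {"SA Manager": "soi-mgr.example.internal", "SA Store": "soi-db.example.internal",
             "CA EEM": "eem.example.internal", "BusinessObjects": "bo.example.internal",
             "Connectors": "connector1.example.internal"}
    for flow, status in check_from("UI Server", hosts).items():
        print(flow, status)
```

Run it on the server named as the source (for example, on the UI Server for the `"UI Server"` rows); if the ports were changed from the defaults during installation, update `FLOWS` to match.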
Mobile Dashboard in a DMZ environment
You can expose only the Mobile Dashboard for client access from the Internet, to ease the port requirements in the firewall that separates the DMZ from general Internet access. Perform a standalone deployment of the Mobile Dashboard on a server inside the DMZ. Open ports 7070 and 7403 across both firewalls for interface access, and port 7090 on the firewall that separates the DMZ from the SA Manager and UI Server. For more information about setting up this environment, see Deploy the Mobile Dashboard on a Standalone Server.
Copyright © 2013 CA. All rights reserved.