Communication Through Firewalls
It is common that the hosts are protected by one or more firewalls. In order for the communication between the various components of the system to work, you may need to update your firewall settings.
Servers Located Behind a Firewall
In , it is always the client that establishes a connection to the Platform. Once a connection has been established, it is used as a two-way communication channel; the Platform never needs to open an outgoing connection. Typically, the Platform has the server role in the system, while mzsh
, Desktops, ECs and web browsers act as clients.
The common property pico.rcp.platform.port
specifies a port used by pico instances to communicate with Platform. The default value is 6790
in a standard installation. Use the following command to retrieve the value of this property:
mzsh topo get topo://val:common.pico.rcp.platform.port
The common property pico.synchronizer.port
specifies a port used for synchronization. The default value is 6791
in a standard installation. Use the following command to retrieve the value of this property:
mzsh topo get topo://val:common.pico.synchronizer.port
The Platform property mz.wi.port
specifies a port used to communicate with the Platform Web Interface. The default value is 9000
in a standard installation. Use the following command to retrieve the value of this property from the Platform Container:
mzsh topo get topo://container:<container>/pico:platform/val:mz.wi.port
The property ec.httpd.port
specifies a port used to communicate with an EC Web Interface. The default value is 9090
in a standard ec-template
. Use the following command to retrieve the value of this property for all ECs in a container:
mzsh topo get --format data-only topo://container:<container>/pico:.*/val:config.properties.ec.httpd.port
The port ranges used to communicate with SCs are specified by the property mz.servicehost.port.range
. This property is also applicable to the Platform since it may also run services. Use the following command to retrieve the value of this property for the Platform and all SCs in a container:
mzsh topo get --format data-only topo://container:<container>/pico:.*/val:config.properties.mz.servicehost.port.range
By default, the Platform uses the port range 5451-5500.
The SC psc1 is installed together with Platform Container. By default, this SC uses the port range 5801-5850.
You can manage pico instances in one container from another by enabling remote access, using the mzsh command topo setupremote.
SSH is used by the pico instances for remote access and the default port used by this protocol is 22. For further information about setting up remote access and how to configure the SSH port, see Remote Access to Containers.
Firewall setup
Inter Workflow Communication
The server port used for Inter Workflow communication, when one EC contacts another EC, is specified by the EC property pico.rcp.server.port
. If no port is set, a dynamic port will be used and the port number will change each time the EC is restarted. To let the firewall allow a connect operation, the property pico.rcp.server.port
has to be set to the same port number as the specific port opened by the firewall.
Example
EC1 on Host1 is configured with "RCPPort1"
, and EC2 on Host2 with "RCPPort2"
.
To allow EC1 to open a connection to contact an Inter Workflow storage on EC2, EC1 will make a TCP connect from Host1 to Host2 on port "RCPPort2".
In this case, "RCPPort2" has to be allowed by the firewall.
Database Communication
For performance reasons, Audit information is logged directly from an EC to the database.
If the system is unable to log Audit information directly from the EC, Audit will instead be performed through the Platform. This might happen if an external EC is unable to connect to the database in case of, for example, a network failure or if the EC has problems to connect through a firewall. To avoid this, configure the firewall so that the EC can communicate directly with the Audit database.
For information on how to setup the Audit Profile, refer to /wiki/spaces/MD82/pages/3771258 in the Desktop user's guide.
Firewall Setup
Listed below are the actions that should be taken to allow communication between hosts in the system. It is assumed that the standard installation ports are used. If the default ports have been changed, replace the port numbers with the ones you are using.
- To allow
mzsh
, Desktops and ECs to communicate with the Platform, incoming data to, and outgoing data from port6790
in the Platform Container must be allowed. To allow the Platform Web Interface to be accessed from outside the firewall and for STR synchronization, incoming data to, and outgoing data from the Platform's port
9000
must be allowed.- To allow other types of synchronization between the Platform and pico instances, incoming data to, and outgoing data from port
6791
in the Platform Container must be allowed. - To allow the EC Web Interface to be accessed from outside the firewall, incoming data to, and outgoing data from the EC's port
9090
must be allowed. - To allow remote access to Execution Containers, outgoing data must be allowed on port 22.