Communication Through Firewalls

Owned by Jenni Wallin
Last updated: Jun 14, 2023
4 min read

It is common that the hosts are protected by one or more firewalls. In order for the communication between the various components of the system to work, you may need to update your firewall settings.

Servers Located Behind a Firewall

In , it is always the client that establishes a connection to the Platform. Once a connection has been established, it is used as a two-way communication channel; the Platform never needs to open an outgoing connection. Typically, the Platform has the server role in the system, while mzsh, Desktops, ECs and web browsers act as clients.

The common property  pico.rcp.platform.port specifies a port used by pico instances to communicate with Platform. The default value is 6790 in a standard installation. Use the following command to retrieve the value of this property:

mzsh topo get topo://val:common.pico.rcp.platform.port

The common property pico.synchronizer.port specifies a port used for synchronization. The default value is 6791 in a standard installation. Use the following command to retrieve the value of this property:

 mzsh topo get topo://val:common.pico.synchronizer.port

The Platform property mz.wi.port  specifies a port used to communicate with the Platform Web Interface. The default value is 9000 in a standard installation. Use the following command to retrieve the value of this property from the Platform Container:

mzsh topo get topo://container:<container>/pico:platform/val:mz.wi.port

The property  ec.httpd.port specifies a port used to communicate with an EC Web Interface. The default value is 9090 in a standard ec-template. Use the following command to retrieve the value of this property for all ECs in a container:

mzsh topo get --format data-only topo://container:<container>/pico:.*/val:config.properties.ec.httpd.port

The port ranges used to communicate with SCs are specified by the property mz.servicehost.port.range. This property is also applicable to the Platform since it may also run services. Use the following command to retrieve the value of this property for the Platform and all SCs in a container:

mzsh topo get --format data-only topo://container:<container>/pico:.*/val:config.properties.mz.servicehost.port.range

By default, the Platform uses the port range 5451-5500.

The SC psc1 is installed together with Platform Container. By default, this SC uses the port range 5801-5850.

You can manage pico instances in one container from another by enabling remote access, using the mzsh command topo setupremote. SSH is used by the pico instances for remote access and the default port used by this protocol is 22. For further information about setting up remote access and how to configure the SSH port, see Remote Access to Containers.

Firewall setup

Inter Workflow Communication

The server port used for Inter Workflow communication, when one EC contacts another EC, is specified by the EC property pico.rcp.server.port. If no port is set, a dynamic port will be used and the port number will change each time the EC is restarted. To let the firewall allow a connect operation, the  property pico.rcp.server.port has to be set to the same port number as the specific port opened by the firewall.

Example

EC1 on Host1 is configured with "RCPPort1", and EC2 on Host2 with "RCPPort2".

To allow EC1 to open a connection to contact an Inter Workflow storage on EC2, EC1 will make a TCP connect from Host1 to Host2 on port "RCPPort2".

In this case, "RCPPort2" has to be allowed by the firewall.

Database Communication

For performance reasons, Audit information is logged directly from an EC to the database.

If the system is unable to log Audit information directly from the EC, Audit will instead be performed through the Platform. This might happen if an external EC is unable to connect to the database in case of, for example, a network failure or if the EC has problems to connect through a firewall. To avoid this, configure the firewall so that the EC can communicate directly with the Audit database.

For information on how to setup the Audit Profile, refer to 8.3 Audit Profile in the Desktop user's guide.

Firewall Setup

Listed below are the actions that should be taken to allow communication between hosts in the system. It is assumed that the standard installation ports are used. If the default ports have been changed, replace the port numbers with the ones you are using.

  • To allow mzsh, Desktops and ECs to communicate with the Platform, incoming data to, and outgoing data from port 6790 in the Platform Container must be allowed.

  • To allow the Platform Web Interface be accessed from outside the firewall and for STR synchronization, incoming data to, and outgoing data from the Platform's port 9000 must be allowed.

  • To allow other types of synchronization between the Platform and pico instances, incoming data to, and outgoing data from port 6791 in the Platform Container must be allowed.
  • To allow the EC Web Interface to be accessed from outside the firewall, incoming data to, and outgoing data from the EC's port 9090 must be allowed.

  • To allow services on the Platform and the SC psc1 to be accessed from outside the firewall, incoming data to, and outgoing data from the following port ranges must be allowed:

    • 5451-5500
    • 5801-5850
  • To allow remote access to Execution Containers, outgoing data must be allowed on port 22.