The BIS products make use of four groups of ports: BIS-specific ports (port 25800 to port 27050), DCOM ports (which may range from 1024 to 65535), standard ports (such as the NetBIOS ports 137, 138, 139 and 445) and a Windows system port (7351).
As already mentioned in chapter 2.1, DCOM uses all ports from 1024 to 65535. As opening all these ports would be inappropriate for a security-sensitive environment, the range of ports used for DCOM services should be limited.
Settings for DCOM communication:
1 Start DComCnfg via “Start” – “Run…” – enter “DComCnfg” and confirm with OK
2 Select “Component Services” – “Computers” – “My Computer” (the local workstation)
3 The context menu (right mouse button) provides the properties for “My Computer”
4 Select the tab “Standard Protocols” – select “TCP/IP” and select “Properties”
5 “Add” the communication port range (5000 - 5010 (TCP))
6 To apply the changes a restart of the system is required
The firewalls of the different suppliers all follow different strategies. Therefore, providing a description of the required steps that would suit all products would be difficult.
The following should provide all the information needed to set up a third-party firewall.
Allow all outbound traffic to “localhost” to ports in the specified range of ports used by BIS (25800 – 27050 (TCP))
Allow all inbound traffic coming from “localhost” to ports in the specified range of ports used by BIS (25800 – 27050 (TCP))
For communicating between the Remote- and the Login-Server the ports 25922 and 26202 (TCP) are used (inbound to the Login server, outbound on the remote server).
If the SysTracer application is used the ports 26091, 26099, 26100 and 26098 (TCP) must be opened.
Allow all outbound traffic to the partner BIS server to ports in the specified range of ports used for DCOM (5000 – 5010 (TCP))
Allow all inbound traffic coming from the partner BIS server to ports in the specified range of ports used for DCOM (5000 – 5010 (TCP))
Allow netbios traffic to and from the BIS server partner in the same fashion (ports 137 (UDP), 138 (UDP), 137-139 (TCP), 445 (TCP))
Allow all outbound traffic to the HTTP port (80 (TCP)) on localhost
Allow all outbound traffic to port 7351 (TCP, dllhost) on localhost (the port number can vary)
The ports used on the corresponding sender side are undefined, thus restricting the sender ports disables communication.
TCP/IP communication can also (or alternatively) be limited to the executables found in the installation paths of the BIS product.
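The rules listed above, expressed as an added example for Windows Defender Firewall using the NetSecurity cmdlets (this is not a script from the BIS documentation). It assumes a placeholder partner BIS server address of 192.0.2.10, that the DCOM range configured in DComCnfg is 5000 – 5010, that the rules are scoped to the Domain profile, and that the BIS installation path is a placeholder to be filled in; run it as Administrator.

```powershell
# Added example, not part of the BIS documentation. Placeholders are marked as such.
$PartnerServer = '192.0.2.10'                       # placeholder: partner BIS server
$BisInstallDir = 'C:\PLACEHOLDER\BIS'               # placeholder: BIS installation path

# 1. Check that the DCOM port restriction made in DComCnfg is actually in effect.
#    DComCnfg stores the range under HKLM\SOFTWARE\Microsoft\Rpc\Internet.
$rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
if (-not $rpc -or $rpc.Ports -notcontains '5000-5010' -or $rpc.UseInternetPorts -ne 'Y') {
    Write-Warning 'DCOM port range 5000-5010 is not configured; DCOM falls back to 1024-65535.'
}

# 2. Rules towards the partner BIS server. Inbound rules filter on LocalPort only and
#    outbound rules on RemotePort only, because the sender-side ports are undefined.
$common = @{ Profile = 'Domain'; Action = 'Allow'; Group = 'BIS'; RemoteAddress = $PartnerServer }

# DCOM range chosen in DComCnfg
New-NetFirewallRule @common -DisplayName 'BIS DCOM out' -Direction Outbound -Protocol TCP -RemotePort '5000-5010'
New-NetFirewallRule @common -DisplayName 'BIS DCOM in'  -Direction Inbound  -Protocol TCP -LocalPort  '5000-5010'

# NetBIOS / SMB
New-NetFirewallRule @common -DisplayName 'BIS NetBIOS UDP out' -Direction Outbound -Protocol UDP -RemotePort 137,138
New-NetFirewallRule @common -DisplayName 'BIS NetBIOS UDP in'  -Direction Inbound  -Protocol UDP -LocalPort  137,138
New-NetFirewallRule @common -DisplayName 'BIS NetBIOS TCP out' -Direction Outbound -Protocol TCP -RemotePort '137-139',445
New-NetFirewallRule @common -DisplayName 'BIS NetBIOS TCP in'  -Direction Inbound  -Protocol TCP -LocalPort  '137-139',445

# Remote-/Login-Server link: inbound on the Login server, outbound on the Remote server.
# Enable the one that matches the role of this machine.
# New-NetFirewallRule @common -DisplayName 'BIS Login in'   -Direction Inbound  -Protocol TCP -LocalPort  25922,26202
# New-NetFirewallRule @common -DisplayName 'BIS Remote out' -Direction Outbound -Protocol TCP -RemotePort 25922,26202

# 3. Optional tightening: bind the DCOM rules to a BIS executable instead of any process
#    (placeholder path; repeat per executable found in the installation path).
# New-NetFirewallRule @common -DisplayName 'BIS DCOM out (exe)' -Direction Outbound -Protocol TCP `
#     -RemotePort '5000-5010' -Program (Join-Path $BisInstallDir 'PLACEHOLDER.exe')

# The localhost rules in the list above need no counterpart here: Windows Defender
# Firewall does not filter loopback traffic, so they only matter for third-party firewalls.
```

Verify the result with Get-NetFirewallRule -Group 'BIS' | Get-NetFirewallPortFilter, and keep the SysTracer ports (26091, 26098, 26099, 26100 TCP) in mind if that application is in use.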