Configuring firewall ports

If you are using the configuration server-based model or the combined model, your Z and I Emulator for Web clients will need to communicate with the configuration server. To allow this through a firewall, you will need to either open the Z and I Emulator for Web Service Manager port or use the Z and I Emulator for Web configuration servlet. The Service Manager listens on port 8999 by default. You can change this default to any other available port number. For details, refer to Changing the Service Manager port in the online help. The Z and I Emulator for Web configuration servlet allows Z and I Emulator for Web clients to communicate with the configuration server across either HTTP or HTTPS. Therefore, the Service Manager port does not need to be open on the firewall. (See Figure 2.) Refer to Installing the configuration servlet and Configuring the configuration servlet in the online help for details on using the configuration servlet.

If you are using the HTML-based model, there is no requirement for Z and I Emulator for Web clients to access the configuration server, and the Service Manager port does not need to be open on the firewall. The clients will still attempt to contact the configuration server for license counting but will fail silently if the Service Manager port is not open.

In addition to the Service Manager port, make sure the firewall administrator opens any ports that are being used for functions your clients use. For example, if you have a TLS session with the Redirector on port 5000, port 5000 must be open for Telnet traffic. The following table summarizes the ports that Z and I Emulator for Web can use.

Table 1. Z and I Emulator for Web functions and the ports they use (bracketed numbers refer to the notes below)

| Z and I Emulator for Web function | Ports used |
|---|---|
| Display emulation (3270 and VT) and 3270 Printer emulation | 23 (Telnet), 80 (HTTP), or 443 (TLS) and 8999 (config server) [3] |
| 5250 Display and Printer emulation | 23 (Telnet) or 992 (TLS) [1] or 80 (HTTP) or 443 (TLS) and 8999 (config server) [3] |
| 3270 file transfer | 23 (Telnet), 80 (HTTP), or 443 (TLS) and 8999 (config server) [3] |
| 5250 file transfer - savfile | 80 (HTTP), 8999 (config server) [3], 21 (FTP) [4], >1024 (FTP) [4], 446 (drda) [4], 449 (as-svrmap) [4], 8470 (as-central) [1][2][4], 8473 (as-file) [1][4], 8475 (as-rmtcmd) [1][4], and 8476 (as-signon) [1][4] |
| 5250 file transfer - database | 80 (HTTP), 8999 (config server) [3], 446 (drda) [4], 449 (as-svrmap) [4], 8470 (as-central) [1][2][4], 8473 (as-file) [1][4], 8475 (as-rmtcmd) [1][4], and 8476 (as-signon) [1][4] |
| 5250 file transfer - stream file | 80 (HTTP), 8999 (config server) [1][2][4], 449 (as-svrmap) [4], 8470 (as-central) [1][2][4], 8473 (as-file) [1][4], and 8476 (as-signon) [1][4] |
| FTP | 21 (FTP), 80 (HTTP), 8999 (config server) [1][2][4], and >1024 (FTP) [5] |
| CICS | 2006 |
| Database On-Demand | 80 (HTTP), 8999 (config server) [3], 449 (as-svrmap) [4], 8470 (as-central) [1][2][4], 8471 (as-database) [1][4], and 8476 (as-signon) [1][4] |
| Z and I Emulator for Web clients | 23 (Telnet), 80 (HTTP), and 8999 (config server) [3] |
| Administration clients | 80 (HTTP) and 8999 (config server) [3] |
| SSH (the Secure Shell) | 22 |
Table 2. Notes

[1] You can change the port numbers with the command WRKSRVTBLE. The port numbers listed are the default values.
[2] The port for as-central is used only if a codepage conversion table needs to be created dynamically (EBCDIC to/from Unicode). This is dependent on the JVM and the locale of the client.
[3] You can change the config server port. Port 8999 is the default.
[4] These ports do not need to be opened on the firewall if you are using IBM System i proxy server support. You will need to open the default proxy server port 3470. You can change this port.
[5] In passive (PASV) mode, the FTP client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N>1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client issues the PASV command. As a result, the server then opens a random unprivileged port (P>1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.
From the server-side firewall's standpoint, to support passive mode FTP, you need to open the following communications ports:
  • Port 21 of the FTP server from anywhere (client initiates connection)
  • Port 21 of the FTP server to remote ports >1024 (server responds to client's control port)
  • Ports of the FTP server >1024 from anywhere (client initiates data connection to random port specified by server)
  • Ports of the FTP server >1024 to remote ports >1024 (server sends ACKs (and data) to client's data port)
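As an added illustration (not code from the product or from this page), the following Python script turns a subset of Table 1 and its notes into a least-privilege port plan: it drops the config server port under the HTML-based model, substitutes the System i proxy port for the note 4 ports, honours a changed Service Manager port (note 3), and renders the four passive-FTP openings from note 5 as iptables rules. The function names, the transcribed rows, the rendering of ">1024" as the range 1025:65535, and the documentation address 192.0.2.10 are assumptions made for the example.

```python
"""Derive the firewall openings a Z and I Emulator for Web deployment needs.

Hypothetical helper: the port data is transcribed from Table 1 and its notes
(a subset of rows), not taken from the product's own code.
"""
from typing import Dict, Iterable, List

CONFIG_SERVER = "config server"
SYSTEM_I_PROXY_PORT = 3470  # default proxy port from note 4

# (port, service, footnotes) per function, as printed in Table 1.
# Footnotes: 1 changeable with WRKSRVTBLE; 2 as-central only for dynamic
# codepage tables; 3 config server port changeable; 4 not needed when the
# IBM System i proxy is used; 5 passive-mode FTP data ports.
FUNCTION_PORTS = {
    "Display emulation (3270 and VT)": [
        (23, "Telnet", ()), (80, "HTTP", ()), (443, "TLS", ()),
        (8999, CONFIG_SERVER, (3,)),
    ],
    "5250 file transfer - database": [
        (80, "HTTP", ()), (8999, CONFIG_SERVER, (3,)), (446, "drda", (4,)),
        (449, "as-svrmap", (4,)), (8470, "as-central", (1, 2, 4)),
        (8473, "as-file", (1, 4)), (8475, "as-rmtcmd", (1, 4)),
        (8476, "as-signon", (1, 4)),
    ],
    "Database On-Demand": [
        (80, "HTTP", ()), (8999, CONFIG_SERVER, (3,)), (449, "as-svrmap", (4,)),
        (8470, "as-central", (1, 2, 4)), (8471, "as-database", (1, 4)),
        (8476, "as-signon", (1, 4)),
    ],
}


def required_ports(functions: Iterable[str], *, html_model: bool = False,
                   system_i_proxy: bool = False,
                   config_server_port: int = 8999) -> Dict[int, str]:
    """Return {port: service} that must be allowed for the chosen functions.

    html_model: HTML-based model, so clients never contact the config server.
    system_i_proxy: note 4, the as-*/drda ports are replaced by the proxy port.
    config_server_port: note 3, the Service Manager port if changed from 8999.
    Alternatives the table joins with "or" are all included; prune the ones
    your sessions do not use.
    """
    plan: Dict[int, str] = {}
    for fn in functions:
        for port, service, notes in FUNCTION_PORTS[fn]:
            if service == CONFIG_SERVER:
                if html_model:
                    continue
                port = config_server_port
            elif 4 in notes and system_i_proxy:
                plan[SYSTEM_I_PROXY_PORT] = "System i proxy"
                continue
            plan[port] = service
    return plan


def render_iptables(plan: Dict[int, str], chain: str = "INPUT") -> List[str]:
    """Render the plan as one iptables ACCEPT rule per TCP port."""
    return [f"-A {chain} -p tcp --dport {port} -m comment --comment \"{svc}\" -j ACCEPT"
            for port, svc in sorted(plan.items())]


def passive_ftp_rules(server: str) -> List[str]:
    """Server-side iptables rules for passive-mode FTP, one per bullet in note 5.

    ">1024" is rendered as the port range 1025:65535 (an assumption).
    """
    high = "1025:65535"
    return [
        # client initiates the control connection to port 21
        f"-A INPUT  -p tcp -d {server} --dport 21 -j ACCEPT",
        # server replies from port 21 to the client's control port (>1024)
        f"-A OUTPUT -p tcp -s {server} --sport 21 --dport {high} -j ACCEPT",
        # client initiates the data connection to the port the server chose
        f"-A INPUT  -p tcp -d {server} --sport {high} --dport {high} -j ACCEPT",
        # server sends ACKs and data back to the client's data port
        f"-A OUTPUT -p tcp -s {server} --sport {high} --dport {high} -j ACCEPT",
    ]


if __name__ == "__main__":
    # Constructed scenario: database file transfer behind the System i proxy.
    plan = required_ports(["5250 file transfer - database"], system_i_proxy=True)
    print("\n".join(render_iptables(plan)))
    print("\n".join(passive_ftp_rules("192.0.2.10")))  # documentation address
```

The plan is deliberately a union of every alternative the table lists for a function; tightening it to the single transport a session actually uses (for example Telnet but not HTTP) is a decision the firewall administrator makes with the session definitions in hand.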
If you do not want to open port 8999 on the firewall, you can still allow users to access Z and I Emulator for Web. There are two options:
  • Use the Deployment Wizard to create HTML files that contain all configuration information. This eliminates the need to access the configuration server. When creating the HTML files, choose HTML-based model from the Configuration Model page of the Deployment Wizard.
  • If you want to use the configuration server, you can configure clients to use the configuration servlet. Refer to Configuring the configuration servlet in the Z and I Emulator for Web online help. This option is only available if your Web application server supports servlets.

If you use the configuration server and it is separated from your Web browser by a firewall, you will either need to open the configuration server port on the firewall or run the Z and I Emulator for Web configuration servlet. The configuration servlet allows the browser to communicate with the configuration server across standard Web protocols, such as HTTP or HTTPS. (See Figure 2.)