Configuring firewall ports
If you are using the configuration server-based model or the combined model, your Z and I Emulator for Web clients will need to communicate with the configuration server. To allow this through a firewall, you will need to either open the Z and I Emulator for Web Service Manager port or use the Z and I Emulator for Web configuration servlet. The Service Manager listens on port 8999 by default. You can change this default to any other available port number. For details, refer to Changing the Service Manager port in the online help. The Z and I Emulator for Web configuration servlet allows Z and I Emulator for Web clients to communicate with the configuration server across either HTTP or HTTPS. Therefore, the Service Manager port does not need to be open on the firewall. (See Figure 2.) Refer to Installing the configuration servlet and Configuring the configuration servlet in the online help for details on using the configuration servlet.
If you are using the HTML-based model, there is no requirement for Z and I Emulator for Web clients to access the configuration server, and the Service Manager port does not need to be open on the firewall. The clients will still attempt to contact the configuration server for license counting but will fail silently if the Service Manager port is not open.
In addition to the Service Manager port, make sure the firewall administrator opens any ports that are being used for functions your clients use. For example, if you have a TLS session with the Redirector on port 5000, port 5000 must be open for Telnet traffic. The following table summarizes the ports that Z and I Emulator for Web can use.
Z and I Emulator for Web Function | Ports Used |
Display emulation (3270 and VT) and 3270 Printer emulation | 23 (Telnet), 80 (HTTP), or 443 (TLS) and 8999 (config server)3 |
5250 Display and Printer emulation | 23 (Telnet) or 992 1 (TLS) or 80 (HTTP) or 443 (TLS) and 8999 (config server) 3 |
3270 file transfer | 23 (Telnet), 80 (HTTP), or 443 (TLS) and 8999 (config server)3 |
5250 file transfer - savfile | 80 (HTTP), 8999 (config server)3, 21 (FTP)4, >1024 (FTP)4, 446 (drda)4, 449 (as-svrmap)4, 8470 (as-central)1 2 4, 8473 (as-file)1 4, 8475 (as-rmtcmd)1 4, and 8476 (as-signon)1 4 |
5250 file transfer - database | 80 (HTTP), 8999 (config server)3, 446 (drda)4, 449 (as-svrmap)4, 8470 (as-central)1 2 4, 8473 (as-file)1 4, 8475 (as-rmtcmd)1 4, and 8476 (as-signon)1 4 |
5250 file transfer - stream file | 80 (HTTP), 8999 (config server)1 2 4, 449 (as-svrmap)4, 8470 (as-central)1 2 4, 8473 (as-file)1 4, and 8476 (as-signon)1 4 |
FTP | 21 (FTP), 80 (HTTP), 8999 (config server)1 2 4, and >1024 (FTP)5 |
CICS | 2006 |
Database On-Demand | 80 (HTTP), 8999 (config server)3, 449 (as-svrmap)4, 8470 (as-central)1 2 4, 8471 (as-database)1 4, and 8476 (as-signon)1 4 |
Z and I Emulator for Web clients | 23 (Telnet), 80 (HTTP), and 8999 (config server)3 |
Administration clients | 80 (HTTP) and 8999 (config server)3 |
SSH (the Secure Shell) | 22 |
Notes: | |
1 | You can change the port numbers with the command WRKSRVTBLE . The port numbers listed are the default values. |
2 | The port for as-central is used only if a codepage conversion table needs to be created dynamically (EBCDIC to/from Unicode). This is dependant on the JVM and the locale of the client. |
3 | You can change the config server port. Port 8999 is the default. |
4 | These ports do not need to be opened on the firewall if you are using IBM System i proxy server support. You will need to open the default proxy server port 3470. You can change this port. |
5 | In passive (PASV) mode, the FTP client initiates
both connections to the server, solving the problem of firewalls filtering
the incoming data port connection to the client from the server. When
opening a FTP connection, the client opens two random unprivileged
ports locally (N>1024 and N+1). The first port contacts the server
on port 21, but instead of then issuing a PORT command and allowing
the server to connect back to its data port, the client issues the
PASV command. As a result, the server then opens a random unprivileged
port (P>1024) and sends the PORT P command back to the client. The
client then initiates the connection from port N+1 to port P on the
server to transfer data.
From the server-side firewall's standpoint,
to support passive mode FTP, you need to open the following communications
ports:
|
- Use the Deployment Wizard to create HTML files that contain all configuration information. This eliminates the need to access the configuration server. When creating the HTML files, choose HTML-based model from the Configuration Model page of the Deployment Wizard.
- If you want to use the configuration server, you can configure
clients to use the configuration servlet. Refer to Configuring
the configuration servlet in the Z and I Emulator for Web online help. This
option is only available if your Web application server supports servlets.
If you use the configuration server and it is separated from your Web browser by a firewall, you will either need to open the configuration server port on the firewall or run the Z and I Emulator for Web configuration servlet. The configuration servlet allows the browser to communicate with the configuration server across standard Web protocols, such as HTTP or HTTPS. (See Figure 2.)