HIS 2006 and above Firewall Ports

  • Question

  •  What are the TCP/UDP port requirements for HIS servers behind a
    firewall? The AD servers are not behind the same firewall. Also, what are
    the client TCP/UDP ports for the HIS resources? Looking to tighten down for PCI.
     
    Stan
     
    Monday, December 6, 2010 10:57 PM

All replies

  • Hey Stan,

    The key values here are port 1478 for SnaBase, and 1477 for SnaServr.

    When SnaBase starts on the client, it will open 3 sessions:

     1) Client:ephemeral_port -> Server:1478

     2) Client:1478 <- Listening

     3) Client:ephemeral_port (UDP, <- listening)

    These are the SnaBase "sponsor" connections, for controlling client-server interactions.
    In addition, when an SNA session is started (e.g. a user starts a 3270 emulator) there will be a TCP session from an ephemeral port on the client (between 1024 and 4999) to port 1477 on the HIS server. This is the "working" session, for actual SNA data. Therefore, to permit SNA connectivity, a firewall between an HIS Client and HIS Server needs to allow:

    - destination port 1478, in both directions (source port can be any port between 1024-4999)

    - destination port 1477 on the server side (source port on client may be any port between 1024-4999)

    Each HIS server in the SNA SubDomain also needs to communicate with its subdomain buddies, over port 1478.

     

    Some additional info on HIS and firewalls:

    http://msdn2.microsoft.com/en-us/library/aa771961.aspx

    http://support.microsoft.com/kb/139508


    Hope this helps. There may be extra detail you need, depending on how locked down you want the firewall to be; e.g. TCP or UDP, and which direction? So sing out if you need to really lock down.

    Regards

    Andrew
    --
    amclar at optusnet dot com dot au

    Friday, December 10, 2010 4:54 AM
  • I already knew this info; I am looking to see if there are other port
    requirements for AD authentication etc.
     
    Monday, December 13, 2010 8:00 PM
  • HIS will also need all the usual access to Domain Controllers, same as you'd want for any infrastructure server in an AD domain; whether HIS, SQL Server, Exchange, SCOM, BizTalk etc. See

       http://support.microsoft.com/kb/179442

     

    Furthermore, IP-DLC connections to the host will require UDP ports 12000-12004 (obviously), if the HIS server is not located in the same security zone as the host.

     

    Hope it helps

    Andrew

    --

    amclar at optusnet dot com dot au

     

    Monday, December 13, 2010 9:01 PM
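To turn the flows listed in the two replies above (SnaBase 1478, SnaServr 1477, and UDP 12000-12004 for IP-DLC) into something you can check a proposed PCI rule set against, here is an added example that is not from the thread or from Microsoft. It models each flow as (src zone, dst zone, proto, dport range, sport range) and reports which required flows a candidate rule list fails to cover. Which sponsor sessions are TCP versus UDP, and who initiates them, is left open in the thread, so those choices are marked as assumptions in the comments.

```python
"""Compare a candidate firewall rule set with the HIS client/server flows
described in this thread. Flows and rules share one shape:
(src_zone, dst_zone, proto, dport_lo, dport_hi, sport_lo, sport_hi),
with zones 'client', 'server' and 'host' (the SNA host for IP-DLC)."""
from typing import List, Tuple

Flow = Tuple[str, str, str, int, int, int, int]
EPH = (1024, 4999)   # client ephemeral range quoted in the thread
ANY = (1, 65535)     # source port unspecified in the thread


def required_flows(ip_dlc: bool = False) -> List[Flow]:
    """Flows a firewall between HIS client, HIS server and host must allow."""
    flows = [
        # SnaBase sponsor session 1: client ephemeral -> server:1478 (assumed TCP)
        ("client", "server", "tcp", 1478, 1478, *EPH),
        # SnaBase sponsor session 2: client listens on 1478 (assumed TCP, server-initiated)
        ("server", "client", "tcp", 1478, 1478, *ANY),
        # SnaBase sponsor session 3: client listens on an ephemeral UDP port (assumed server-initiated)
        ("server", "client", "udp", *EPH, *ANY),
        # SnaServr "working" session: client ephemeral -> server:1477 (TCP per the thread)
        ("client", "server", "tcp", 1477, 1477, *EPH),
        # HIS servers in the same SubDomain talk to each other on 1478 (assumed TCP)
        ("server", "server", "tcp", 1478, 1478, *ANY),
    ]
    if ip_dlc:  # UDP 12000-12004 to the host; direction assumed both ways
        flows += [("server", "host", "udp", 12000, 12004, *ANY),
                  ("host", "server", "udp", 12000, 12004, *ANY)]
    return flows


def covers(rule: Flow, flow: Flow) -> bool:
    """True if the rule's zones, protocol and port ranges contain the flow."""
    rs, rd, rp, rdl, rdh, rsl, rsh = rule
    fs, fd, fp, fdl, fdh, fsl, fsh = flow
    return (rs == fs and rd == fd and rp in (fp, "any")
            and rdl <= fdl <= fdh <= rdh and rsl <= fsl <= fsh <= rsh)


def missing_flows(rules: List[Flow], ip_dlc: bool = False) -> List[Flow]:
    """Required flows that no rule in the candidate set covers."""
    return [f for f in required_flows(ip_dlc) if not any(covers(r, f) for r in rules)]


if __name__ == "__main__":
    # Constructed candidate rule set: only client -> server 1477-1478 opened.
    candidate = [("client", "server", "tcp", 1477, 1478, *ANY)]
    for flow in missing_flows(candidate, ip_dlc=True):
        print("not covered:", flow)
```

Running it with the constructed rule set shows the gaps a client-to-server-only policy leaves: the server-initiated sponsor sessions back to the client, the server-to-server 1478 traffic, and the IP-DLC UDP range.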
  • BTW this other KB article is also good. It doesn't mention HIS specifically, but addresses many firewall issues any server will face, no matter what its function:

     

    http://support.microsoft.com/kb/832017

     

    Cheers

    Andrew

     

    Monday, December 13, 2010 9:06 PM