Which ports need to be open on a firewall between a remote client and the database?

URL Name: P98541
Article Number: 000152318
Environment:
Product: Progress OpenEdge
Version: All supported versions
OS: All supported platforms
Question/Problem Description:
Which ports need to be open on a firewall between a remote client and the database?
How to configure a firewall between a remote ABL client and the Progress database?
Which ports need to be opened for a SQL/JDBC/ODBC client to connect to the OpenEdge Database through a firewall?
Network Administrators typically implement firewalls to block access to certain network ports in order to prevent unauthorized network access to a machine. Because client-server connections to the database use TCP ports to communicate with remote clients, access to those ports must be opened through the firewall.

This Article is for information purposes only. Progress Technical Support neither supports nor is qualified to make specific recommendations for a particular firewall setup, and Progress has neither specifically tested nor certified any firewall implementation with its products.

Knowledge of how Progress uses TCP ports will allow an experienced Network Administrator to configure a firewall for use with the Progress Database environment. 

0. How do remote clients connect to the Progress Database?

The sequence of events when a remote client connects (three-way-handshake):
  1. A Client connects to the database Login Broker Listening Port (-S)
  2. The Broker spawns a Remote Server on demand in the -minport -maxport range, redirects the client to the Server Listening Port, and increments the reservation count for the server (-Ma)
  3. The Client connects to the Remote Server Listening Port

1.  The Database Login Broker Port

The first communication that takes place between the remote client and the database is to the Login Broker Listening Port.
  • This Broker Port is defined at database multi-user startup with the "-S <servicename / TCP portnumber>" parameter. 
  • When the "<servicename>" is used, it is assigned to a specific port in the etc\services file on the system. 
  • From Progress 9.x onwards, a free portnumber can be used directly for the -S parameter instead of the servicename. 
  • When the database is managed by the AdminServer, the Broker port is defined in the file under the Section:
  • This Login Broker Listening Port must be opened on the Firewall for communication between the remote client and the database Login Broker.
  • Secondary Login Brokers (-m3) can be started against a database to serve different remote client connection requirements, in which case more than one Broker Port needs to be opened on the Firewall.

2.  The Remote Server Listening Port

Remote Servers are process-spawned by the Login Broker to service remote client connections. 
  • The "maximum number of servers" that can be spawned is defined by the -Mn database startup parameter when the Broker is started multi-user (-Mn = 4 by default when unspecified). 
  • The actual number of Remote Servers that can be started per Login Broker is defined by the "maximum servers per broker type" -Mpb database startup parameter. (-Mn = -Mpb by default when unspecified).
  • Each Remote Server is assigned a port when it is initially spawned by the Login Broker. 
  • By default, the Login Broker uses the first available port in the 1025-2000 range on UNIX (3000-5000 for Windows). 
  • Since Progress 8.2 and later, the range of available Remote Server ports can be specified with the -minport and -maxport database startup parameters. Refer to Article "Why define specific minport maxport ranges?"
  • When the database is managed by the AdminServer, the Remote Server ports are defined in the file under the Section:
  • Strictly, this range only needs to contain as many ports as -Mn (maxservers), or more specifically -Mpb (maximum servers per broker).
  • Limiting the Remote Server port range results in fewer ports that need to be opened bi-directionally on the Firewall, which is therefore more secure. Enough ports in the correct range need to be opened on the Firewall between the remote client and database server and back again so that each Remote Server has an available bi-directional port to listen on.
  • These ports are allocated dynamically by the database Broker, which takes the first available port searching from -minport to -maxport. If this range is larger than the open port range on the Firewall, a port could be allocated to a Remote Server that is not open on the Firewall, resulting in Pending Connections, as the three-way handshake cannot complete until the Firewall times out the socket. Refer to Article "What is the -PendConnTime parameter?"
In Summary:

The ports that need to be opened on the firewall for client-server connection and communication to the database are:
  1. The Service Name (-S) xxxx between the client and the database server
  2. The -minport yyyy -maxport zzzz port range, bi-directional between the database server and the client
Most firewalls allow exclusions to be defined for specific executable names, which reduces the need to maintain individual port exclusions but opens the ports to all servers. If the exclusion is made based on executable name, the common executable names for the two primary listeners are: _mprosrv and _sqlsrv2

Example:

  • A database called "db1" is running on machine "host1".
  • Progress ABL clients are running on PCs that need to connect remotely to the database on "host1". 
  • The firewall is between host1 and the client PCs:
host1 | Firewall | PC clients
  • The database Broker is started with the following database startup parameters:
$   proserve db1 -S 2051 -Mn 6 -Mpb 6 -minport 10000 -maxport 10005
- or -
$   proserve db1 -S db1sv -Mn 6 -Mpb 6 -minport 10000 -maxport 10005

When the service name is used, the Broker Port assigned to service "db1sv" needs to be defined in the services file and opened in the firewall: 

db1sv 2051/tcp
  • The Broker Port is 2051
  • The -Mn parameter allows up to 6 remote servers to be spawned that each need an available port. 
  • Assuming that no other processes on the system use the same ports, these remote server processes listen on ports 10000 to 10005
  • The firewall must be configured to allow the clients to access port 2051 and ports 10000 to 10005 bi-directionally.
If the firewall definition is based on process image name, the exceptions differ between versions.
Prior to 12.0, an exception is needed for _sqlsrv2 and _mprosrv.
From 12.0, an exception is needed for _sqlsrv2, _mprosrv and _mtprosrv.
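
The check below is an added example, not Progress code: it parses a proserve command line like the one above and compares the ports the database can use with the TCP ranges a firewall leaves open, flagging the mismatch that leads to pending connections. The function names, the `fw_open` list and the rule that -Mpb follows -Mn when unset are assumptions of this example.

```python
import shlex

# Defaults stated in the article: -Mn is 4 when unspecified; the default
# Remote Server port range is 1025-2000 on UNIX and 3000-5000 on Windows.
DEFAULT_MN = 4
DEFAULT_RANGE = {"unix": (1025, 2000), "windows": (3000, 5000)}

def parse_proserve(cmdline, services=None, platform="unix"):
    """Return (broker port, servers, minport, maxport) for a proserve line."""
    tokens = shlex.split(cmdline)
    opts = {tokens[i]: tokens[i + 1] for i in range(len(tokens) - 1)
            if tokens[i] in ("-S", "-Mn", "-Mpb", "-minport", "-maxport")}
    svc = opts["-S"]
    # -S takes a TCP port number or a service name from the services file.
    broker = int(svc) if svc.isdigit() else (services or {})[svc]
    mn = int(opts.get("-Mn", DEFAULT_MN))
    servers = int(opts.get("-Mpb", mn))  # assumption: -Mpb follows -Mn when unset
    lo, hi = DEFAULT_RANGE[platform]
    return broker, servers, int(opts.get("-minport", lo)), int(opts.get("-maxport", hi))

def audit(cmdline, fw_open, services=None, platform="unix"):
    """List mismatches between the database's ports and fw_open, a list of inclusive (low, high) ranges."""
    broker, servers, lo, hi = parse_proserve(cmdline, services, platform)
    def is_open(port):
        return any(a <= port <= b for a, b in fw_open)
    findings = []
    if not is_open(broker):
        findings.append(f"broker port {broker} (-S) is not open")
    blocked = [p for p in range(lo, hi + 1) if not is_open(p)]
    if blocked:
        # The broker may hand out any free port in the range; a blocked one
        # leaves the client pending until the firewall times the socket out.
        findings.append(f"{len(blocked)} port(s) in {lo}-{hi} are blocked, "
                        f"first is {blocked[0]}: pending connections possible")
    if hi - lo + 1 < servers:
        findings.append(f"range {lo}-{hi} has {hi - lo + 1} ports for {servers} servers")
    extra = sorted(p for a, b in fw_open for p in range(a, b + 1)
                   if p != broker and not lo <= p <= hi)
    if extra:
        findings.append(f"{len(extra)} open port(s) outside the database's ports, "
                        f"first is {extra[0]}")
    return findings

if __name__ == "__main__":
    cmd = "proserve db1 -S db1sv -Mn 6 -Mpb 6 -minport 10000 -maxport 10005"
    print(audit(cmd, [(2051, 2051), (10000, 10005)], {"db1sv": 2051}))  # matching rules
    print(audit(cmd, [(2051, 2051), (10000, 10003)], {"db1sv": 2051}))  # range too narrow
```

An empty list means the firewall ranges and the startup parameters agree; the second call reports the two server ports the firewall would block.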
Last Modified Date: 11/20/2020 7:18 AM