Network Administrators typically implement firewalls to block access to certain network ports in order to prevent unauthorized network access to a machine. Access to specific ports must be opened through the firewall because client-server connections to the database use TCP ports to communicate with remote clients.
This Article is for information purposes only. Progress Technical Support neither supports nor is qualified to make specific recommendations for a particular firewall setup, and Progress has neither specifically tested nor certified any firewall implementation with its products.
Knowledge of how Progress uses TCP ports will allow an experienced Network Administrator to configure a firewall for use with the Progress Database environment.
0. How do remote clients connect to the Progress Database?
The sequence of events when a remote client connects (the three-way handshake) is:
- A Client connects to the database Login Broker Listening Port (-S)
- The Broker spawns a Remote Server on demand in the -minport -maxport range, redirects the client to the Server Listening Port, and increments the reservation count for the server (-Ma)
- The Client connects to the Remote Server Listening Port
1. The Database Login Broker Port
The first communication that takes place between the remote client and the database is to the Login Broker Listening Port.
- This Broker Port is defined at database multi-user startup with the "-S <servicename / TCP portnumber>" parameter.
- When a "<servicename>" is used, it is assigned to a specific port in the etc\services file on the system.
- From Progress 9.x onwards, a free port number can be used directly for the -S parameter instead of the service name.
- When the database is managed by the AdminServer, the Broker port is defined in the conmgr.properties file under the Section:
- This Login Broker Listening Port must be opened on the Firewall for communication between the remote client and the database Login Broker.
- Secondary Login Brokers (-m3) can be started against a database to serve different remote client connection requirements, in which case more than one Broker Port needs to be opened on the Firewall.
2. The Remote Server Listening Port
Remote Servers are process-spawned by the Login Broker to service remote client connections.
- The "maximum number of servers" that can be spawned is defined by the -Mn database startup parameter when the Broker is started multi-user (-Mn = 4 by default when unspecified).
- The actual number of Remote Servers that can be started per Login Broker is defined by the "maximum servers per broker type" -Mpb database startup parameter (-Mpb = -Mn by default when unspecified).
- Each Remote Server is assigned a port when it is initially spawned by the Login Broker.
- By default, the Login Broker uses the first available port in the 1025-2000 range on UNIX (3000-5000 on Windows).
- From Progress 8.2 onwards, the range of available Remote Server ports can be specified with the -minport and -maxport database startup parameters. Refer to Article Why define specific minport maxport ranges?
- When the database is managed by the AdminServer, the Remote Server ports are defined in the conmgr.properties file under the Section:
- Strictly, this range only needs to contain as many ports as -Mn (maxservers) or, more precisely, -Mpb (maximum servers per broker).
- Limiting the Remote Server port range results in fewer ports that need to be opened bi-directionally on the Firewall, and is therefore more secure. Enough ports in the correct range need to be opened on the Firewall between the remote client and the database server, and back again, so that each Remote Server has an available bi-directional port to listen on.
- These ports are allocated dynamically by the database Broker, which takes the first available port starting from -minport up to -maxport. If this range is larger than the port range opened on the Firewall, a Remote Server could be allocated a port that is not open on the Firewall, resulting in Pending Connections because the three-way handshake cannot complete until the Firewall times out the socket. Refer to Article What is the -PendConnTime parameter?
The ports that need to be opened on the firewall for client-server connection and communication to the database are:
- The Service Name (-S) xxxx between the client and the database server
- The -minport yyyy -maxport zzzz port range bi-directional between the database server and the client
Most firewalls allow exclusions to be defined for specific executable names, which removes the need to maintain port exclusions but opens the ports to all servers. If the exclusion is made based on executable name, the common executable names for the two primary listeners are: _mprosrv
Example:
- A database called "db1" is running on machine "host1".
- Progress ABL clients are running on PCs that need to connect remotely to the database on "host1".
- The firewall is between host1 and the client PCs:
host1 | Firewall | PC clients
- The database Broker is started with the following database startup parameters:
$ proserve db1 -S 2051 -Mn 6 -Mpb 6 -minport 10000 -maxport 10005
- or -
$ proserve db1 -S db1sv -Mn 6 -Mpb 6 -minport 10000 -maxport 10005
When the service name is used, the Broker Port assigned to the service "db1sv" needs to be defined in the services file and opened in the firewall:
- The Broker Port is 2051.
- The -Mn parameter allows up to 6 Remote Servers to be spawned, each of which needs an available port.
- Assuming that no other processes on the system use the same ports, these Remote Server processes listen on ports 10000 to 10005.
- The firewall must be configured to allow the clients to access port 2051 and ports 10000 to 10005 bi-directionally.
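A checker that applies the rules above to a proserve command line, as an added example that is not part of this article or of Progress's own tooling; the services-file mapping and the set of firewall-allowed ports are constructed inputs, and the checker reports the two failure modes the article describes (a range too small for -Mpb servers, and Remote Server ports that the firewall does not open):

```python
import shlex

# Default Remote Server port ranges the Login Broker uses when -minport/-maxport
# are not given (from the article: 1025-2000 on UNIX, 3000-5000 on Windows).
DEFAULT_RANGE = {"unix": (1025, 2000), "windows": (3000, 5000)}

def parse_proserve(cmdline, platform="unix"):
    """Pull the firewall-relevant parameters out of a proserve command line:
    broker port/service (-S), servers per broker (-Mpb, defaulting to -Mn,
    which defaults to 4) and the Remote Server port range."""
    args = shlex.split(cmdline)
    opts = {}
    for i, arg in enumerate(args):
        if arg.startswith("-") and i + 1 < len(args):
            opts[arg] = args[i + 1]
    if "-S" not in opts:
        raise ValueError("remote clients need a Login Broker port: -S is missing")
    mn = int(opts.get("-Mn", 4))
    mpb = int(opts.get("-Mpb", mn))
    lo, hi = DEFAULT_RANGE[platform]
    return {"broker": opts["-S"], "servers": mpb,
            "minport": int(opts.get("-minport", lo)),
            "maxport": int(opts.get("-maxport", hi))}

def required_ports(cfg, services=None):
    """Ports the firewall must pass: the broker port plus every port in the
    -minport..-maxport range, since each spawned Remote Server listens on one.
    A service name is resolved through a services-file mapping (constructed)."""
    broker = cfg["broker"]
    if not broker.isdigit():
        broker = (services or {})[broker]
    return int(broker), set(range(cfg["minport"], cfg["maxport"] + 1))

def check_firewall(cfg, allowed, services=None):
    """Return the problems the article warns about: a port range too small for
    -Mpb servers, a blocked broker port, and range ports the firewall does not
    open (clients redirected there sit as Pending Connections until the
    firewall times out the socket)."""
    broker, server_ports = required_ports(cfg, services)
    issues = []
    if len(server_ports) < cfg["servers"]:
        issues.append(f"range holds {len(server_ports)} ports for {cfg['servers']} servers")
    if broker not in allowed:
        issues.append(f"broker port {broker} is not open")
    blocked = sorted(server_ports - allowed)
    if blocked:
        issues.append(f"remote server ports not open on the firewall: {blocked}")
    return issues
```

Run it against the proserve line from the example above with the allowed set {2051, 10000..10005} and it reports nothing; shrink the firewall's open range and every Remote Server port that would produce a pending connection is listed.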
If the firewall definition is based on the process image name, the exception differs between versions:
- Prior to 12.0, an exception is needed for _sqlsrv2 and _mprosrv
- From 12.0, an exception is needed for _sqlsrv2, _mprosrv and _mtprosrv