Steve,

I make extensive use of SSL through firewalls (mostly Cisco PIX). I have never opened the 847x ports for the reasons you specified. My main complaint has been that once you import the system encryption key (and of course have the CA SSL component installed on the windoze box in question) you MUST see the lock on the system (if not, open properties on it and do TWO things: Select USE SSL and for where to look up remote port, use STANDARD (Doing this means 449 does not need to be open in the firewall). Then close ops nav completely and re-open. It will work after that.

I have noticed the 8476 port attempt occasionally but when that happens I have determined that CA has 'forgotten' to use SSL. In that case reselect the option for SSL (as before), close Ops Nav again, and restart it. Even if the lock is showing sometimes it just forgets. The same behaviour is exhibited in V5R1 with current service packs.

Note that if you are using Management Central you may also want port 5566 open.

- Larry

Steve Glanstein wrote:
>
> Hello all:
>
> I am working with a firewall that is permitting the SSL ports (9470-9) as
> well as the well known 449 and 992 ports for SSL access from the Internet.
>
> We specifically don't permit 23 or 8470-9 because they are not encrypted.
>
> It appears that no matter what I do with client express (V4R4 latest service
> pack) it attempts to connect initially to 8476 (which is service as-signon)
> instead of 9476 (which is as-signon-s).
>
> Redirecting 9476 to 9476 via services won't help because the AS/400 host
> program bound to 9476 doesn't speak 8476 language!
>
> Does anybody have any ideas? We definitely don't want to open up 8476
> because it could defeat the entire purpose of SSL by sending an unencrypted
> password via the net...
>
> Thanks,
>
> Steve Glanstein
> mic@aloha.com
>
> _______________________________________________
> MIDRANGE-L mailing list
> MIDRANGE-L@midrange.com
> http://lists.midrange.com/cgi-bin/listinfo/midrange-l
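
The following is an added example, not part of either message in the thread: a small log check that surfaces clients which have fallen back to the unencrypted ports (8470-9, 23) while the firewall blocks them, so the SSL setting can be reselected on those PCs. The log line shape, the sample lines and the assumption that every 847x port pairs with 947x the way 8476 pairs with 9476 are illustrative.

```python
import re
from collections import Counter

# Cleartext ports named in the thread, mapped to the SSL port the client
# should have used. The +1000 pairing for the whole 8470-8479 range is an
# assumption extended from the 8476 (as-signon) / 9476 (as-signon-s) pair.
CLEARTEXT_TO_SSL = {p: p + 1000 for p in range(8470, 8480)}
CLEARTEXT_TO_SSL[23] = 992  # telnet -> SSL telnet

# Assumed deny-line shape: "Deny tcp src IF:IP/PORT dst IF:IP/PORT".
# Adjust the pattern to the syslog format your firewall actually emits.
DENY_RE = re.compile(
    r"Deny tcp src \S+?:(?P<src>[\d.]+)/\d+ "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def cleartext_attempts(lines):
    """Count blocked attempts keyed by (client, host, cleartext port, SSL port)."""
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not a TCP deny record
        dport = int(m.group("dport"))
        if dport in CLEARTEXT_TO_SSL:
            key = (m.group("src"), m.group("dst"), dport, CLEARTEXT_TO_SSL[dport])
            hits[key] += 1
    return hits

# Constructed sample lines using documentation addresses, not real logs.
SAMPLE = [
    '%PIX-4-106023: Deny tcp src outside:203.0.113.10/51234 dst inside:192.0.2.5/8476 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.10/51240 dst inside:192.0.2.5/8476 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.22/40000 dst inside:192.0.2.5/23 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/40100 dst inside:192.0.2.5/445 by access-group "outside_in"',
    '%PIX-6-302013: Built inbound TCP connection 101 for outside:203.0.113.10/51300 (203.0.113.10/51300) to inside:192.0.2.5/9476 (192.0.2.5/9476)',
]

if __name__ == "__main__":
    for (src, dst, port, ssl_port), n in sorted(cleartext_attempts(SAMPLE).items()):
        print(f"{src} -> {dst}:{port} blocked {n}x; client should be using {ssl_port}")
```
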