On 04-Dec-2013 13:21 -0800, Jeff Crosby wrote:
<<SNIP>>
We have a new firewall and I began wondering what port(s) were used
for these. In this manual:
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzaji/rzaji.pdf
it says use VFYSRVCFG to check. That does not work for me. The job
message queue wraps. And wraps. And wraps.
Any errors logged? Perhaps a fast exception loop; the same message
repeatedly? No apparent matching error description there, but the
command name is listed in one of the PTFs of each list below, but that
is on C2115710:
<www.ibm.com/support/docview.wss?uid=nas10f566401d222c98a86257714007c5d80>
_i Recommended Fixes for Electronic Services for Release 7.1 i_
<www.ibm.com/support/docview.wss?uid=nas17b124b45e2a7eafb862577140079cc9a>
_i Recommended Fixes for ECS for Release 7.1 i_
So I found, in this same manual, that this file:
/qibm/userdata/os400/universalconnection/serviceProviderIBM.xml
contains the port. I found a line that says port 19285. Can anyone
confirm?
Supposedly the following document has the information that is quoted
in snippets beneath... but seems the IBM support portal or my access is
broken presently [that issue cleared up since last night], so I got a
cached copy; note that a slightly different file name is noted there,
than shown above:
www.ibm.com/support/docview.wss?uid=nas8N1018980
IBM i Electronic Service Agent
Software version: 5.3.0, 5.4.0, 6.1.0, 7.1.0
Reference #: N1018980 Modified date: 2013-07-26
Title: Electronic Service Agent (ESA) and Electronic Customer Support
(ECS) VPN and HTTP Firewall Settings
Technote (troubleshooting)
"Problem(Abstract)
This document provides information for properly setting the firewall to
allow Virtual Private Network (VPN) and HTTP ESA (IBM Electronic Service
Agent) and ECS connections.
...
_Determine the IBM Service Destination Addresses_
To find the exact IBM Service Destination addresses that might be used
for HTTP and HTTPs traffic, the service provider location definition
files can be browsed.
The files available for this on the system are located at:
WRKLNK '/qibm/userdata/os400/universalconnection'
Notes:
1. For each option, type WRKLNK, followed by the full path. This will go
directly to the noted file.
2. If using WRKLNK, taking Option 5 through the path and using F22 on
the file will show the full name.
Option 1:
'/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt'
Note: This file is written in a more readable format than the file noted
in Option 2.
This option is only available if a client installs PTFs SI34505 (V5R4)
or SI34552 (V6R1). These PTFs are noted as required, so all systems
should have this option.
+ Example
Option 2:
'/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.xml'
...
Complete example of WRKLNK
'/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt
file described above in Option 1, the following IP addresses can be
utilized for ECS and ESA functions:
Configuration Date: 2012-05-02
IP Address TCP Port Destination
---------- -------- -----------
198.74.67.240 19285 URSF_1
198.74.71.240 19285 URSF_2
170.225.15.41 443 Bulk_Data_1
192.109.81.20 443 Bulk_Data_2
129.42.160.48 80 Doc_Update_1
207.25.252.200 80 Doc_Update_2
170.225.15.107 80 Fix_Repository_1
... ... ...
207.25.252.197 443 Gateway_1
129.42.160.51 443 Gateway_2
207.25.252.197 443 Inventory_Report_1
129.42.160.51 443 Inventory_Report_2
129.42.26.224 443 Problem_Report_1
... ... ...
...
Attached document contains a List of IP addresses used by ECS/ESA for
ports 80 and 443, sorted by IP address.
Note: When using this option, all IP addresses must be allowed in the
site firewall rules, omitting any may cause connection attempts to fail.
_ECS IP Addresses for port 80 443.doc_
<
http://www.ibm.com/support/docview.wss?uid=nas8N1018980&aid=5>
For information about VPN security, refer to the InfoCenter by release:
...
Electronic Service Agent (ESA) security information:
http://www.ibm.com/support/esa/security.htm
...
Note: If a Remote or Multi-hop or Multihop connection is being used
(RMTSYS) in CRTSRVCFG, port 1701 must be open for UDP communication
between the source and remote servers. If a HTTP proxy is being used,
the default port for *IBMSVR is port 5026
...
At R710, the Verify Service Configuration command has been enhanced to
do additional connection tests:
Document N1010854 , Verify Service Configuration Enhancements:
<
http://www.ibm.com/support/docview.wss?uid=nas8N1010854>
Verify Service Configuration Enhancements
Historical Number: KB 419109186"
Before finding the above document, which may be what is required, I
was originally going to respond with the following:
The port configuration may depend on what was specified on the Change
Service Configuration (CHGSRVCFG) or the Create Service Configuration
(CRTSRVCFG) command? See the Proxy server (PROXY) parameter and the
Connection point proxy (CNNPNTPRX) for the "Port number" on each. The
default is the special value *IBMSVR, but a specific number can be
specified 1-65535.
*IBMSVR
The Service and Support proxy server will accept connections using
the default port.
1-65535
Specifies the port number on which the Service and Support proxy
server will accept connections.
As an Amazon Associate we earn from qualifying purchases.