Question

Ports to be opened in an Internal & DMZ server setup.

asked on March 22, 2021

Hi there, I have a question regarding networking. I am not familiar with networking so any help would be appreciated.

In my tests using telnet, I can verify that communication from the DMZ to the Internal App server is able to proceed through the following list of ports, as recommended by Laserfiche's whitepaper on setting up Forms in a perimeter network: 80, 443, 8168, 8268, 8170, 8181, 8732, 8736, 8738, 5048, 5049, 5051

However, using telnet from the Internal App server to the DMZ, I haven't been able to open a connection to the DMZ on the ports mentioned above.

Do you know if this meets the requirements, or should the list of ports also be opened on the internal server side?

I am uncertain because from the Internal App Server, I can communicate with the SQL server on port 1433 using telnet but unable to communicate from the SQL server to the App server on port 1433.

The internal app server has LFDS, Forms & LF Server

0 0

Answer

SELECTED ANSWER
replied on March 22, 2021

Port routes are only needed in 1 direction, for the one initiating the request.

So when LFS is making a request to talk to the SQL Server on port 1433, if the route is set up so that the LFS server's requests on port 1433 are routed to the SQL server, no route needs to be set up in the opposite direction.

This means that if telnet cannot "open a connection" (i.e., the port is not routed) from the SQL server to the LFS server, that is OK. SQL isn't initiating the request for database connections, only responding.

1 0
replied on March 22, 2021

Hi Chad, thanks so much for your response and explanation!

0 0
replied on March 23, 2021

Hi Chad & Ray,

I'm not sure that's always the case. For example, LFDS listens on 5048 and 5049 (SSL) UDP and initiates traffic on 5055 UDP.

So yes, the ports may be one-way but they are not all the same way. I don't have the information to hand for all of the LF ports. There may be other exceptions.

The documents Default Network Ports for Laserfiche Products and Best Practices in Laserfiche Security aren't up to date (doesn't show 5055 for example), so you would need to review the documentation on individual products to be sure. Unless there is another, up-to-date document with the information.

-Ben

0 0
replied on March 23, 2021

Every service may listen on a different port, but the route to get to that port only needs to be set up in one direction between networks. You never need to create a route back for the return traffic. This is why you never need to create routes into your home network to visit websites, for example.

0 0
replied on March 24, 2021

Chad, I was making the point that it's also important to know in which direction the ports are initiated, when configuring a firewall. Especially with the example I gave, where it's not immediately obvious. The LFDS documentation says that three ports are required. However, they are not all opened/initiated from LFDS. 

I absolutely agree that a "return traffic" port is not required. And I hope no one reading my reply got that impression.

1 0
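As an added illustration, not code from the thread or from Laserfiche, the small Python model below shows both points made in the replies above: a stateful firewall admits return traffic through its connection-tracking table, so a rule is needed only in the direction the connection is initiated (Chad's point), and the initiating side differs per port, so LFDS needs its inbound 5048/5049 rules plus a separate outbound rule for 5055 (Ben's point). The port numbers and directions come from the thread; the zone names, source ports, the peer zone for 5055 and the protocol assigned to each port are this example's own assumptions.

```python
"""Toy stateful firewall: rules govern only *new* flows, in the direction of the
initiator; replies are admitted from the connection-tracking table.

Constructed example. Zones stand in for hosts; protocols per port are assumed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """Permits new flows from src_zone to dst_zone on (proto, dport)."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Flow:
    """A flow key: protocol, initiating zone/port, responding zone/port."""
    proto: str
    src_zone: str
    sport: int
    dst_zone: str
    dport: int

    def reverse(self) -> "Flow":
        # The key the responder's packets carry (swap the two endpoints).
        return Flow(self.proto, self.dst_zone, self.dport, self.src_zone, self.sport)


@dataclass
class StatefulFirewall:
    rules: frozenset
    established: set = field(default_factory=set)  # connection-tracking table

    def check(self, flow: Flow) -> str:
        # 1. Reply to a flow already admitted? Allowed by state, no rule consulted.
        if flow.reverse() in self.established:
            return "ALLOW:established"
        # 2. Otherwise this is a new flow and needs a rule for *this* direction.
        if Rule(flow.src_zone, flow.dst_zone, flow.proto, flow.dport) in self.rules:
            self.established.add(flow)
            return "ALLOW:new"
        return "DROP"


# Rule set built from the ports in the thread; direction = which side initiates.
# Protocol per port is an assumption of this example, not taken from the thread.
DMZ_TO_INTERNAL_PORTS = (80, 443, 8168, 8268, 8170, 8181, 8732, 8736, 8738, 5048, 5049, 5051)
RULES = frozenset({
    *(Rule("dmz", "internal", "tcp", p) for p in DMZ_TO_INTERNAL_PORTS),
    Rule("internal", "sql", "tcp", 1433),        # app server initiates to SQL
    Rule("internal", "dmz", "udp", 5055),        # LFDS initiates outbound (peer zone assumed)
})


def run_scenarios() -> dict:
    """Replays the telnet checks from the question against the model."""
    fw = StatefulFirewall(RULES)
    r = {}
    # Forms in the DMZ opens HTTPS to the internal app server: explicit rule.
    r["dmz->internal 443"] = fw.check(Flow("tcp", "dmz", 51000, "internal", 443))
    # App server telnets to the DMZ on 443: no rule in that direction, dropped.
    r["internal->dmz 443"] = fw.check(Flow("tcp", "internal", 51001, "dmz", 443))
    # App server -> SQL on 1433: allowed and recorded in the state table.
    r["internal->sql 1433"] = fw.check(Flow("tcp", "internal", 51002, "sql", 1433))
    # SQL's reply packets on that flow: allowed by state, no reverse rule needed.
    r["sql reply"] = fw.check(Flow("tcp", "sql", 1433, "internal", 51002))
    # SQL server telnets to the app server on 1433: a new flow with no rule, dropped.
    r["sql->internal 1433 new"] = fw.check(Flow("tcp", "sql", 51003, "internal", 1433))
    # LFDS outbound UDP 5055 needs its own rule because LFDS is the initiator here.
    r["internal->dmz udp 5055"] = fw.check(Flow("udp", "internal", 5055, "dmz", 5055))
    r["udp 5055 reply"] = fw.check(Flow("udp", "dmz", 5055, "internal", 5055))
    # Same port, opposite direction, no matching state: dropped.
    r["dmz->internal udp 5055 new"] = fw.check(Flow("udp", "dmz", 40000, "internal", 5055))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} {verdict}")
```

The "DROP" verdicts for `internal->dmz 443` and `sql->internal 1433 new` are the same results the question reports from telnet, and in this model they are the intended outcome: a telnet from the responding side is a new flow, so failing to connect shows only that no rule exists in that direction, not that the application traffic will fail. Opening those reverse directions anyway would give the SQL and DMZ hosts an unnecessary path into the internal network.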
