IBM Support

Electronic Service Agent (ESA) and Electronic Customer Support (ECS) VPN and HTTP Firewall Settings

Troubleshooting


Problem

This document provides information for properly setting the Firewall to allow Electronic Service Agent (ESA) and Electronic Customer Support (ECS) connections.

Symptom

The following is a summary of the information available in the IBM Docs - IBM i Documentation. To see the complete documentation, refer to the site by release.

IP Packet Filter Firewall

An IP packet filter firewall allows you to create a set of rules that discards or accepts traffic over a network connection. The firewall itself does not affect this traffic in any way. Because a packet filter can discard only traffic that is sent to it, the device with the packet filter has to perform IP routing or be the destination for the traffic.

A packet filter has a set of rules with accept or deny actions. When the packet filter receives a packet of information, the filter compares the packet to your preconfigured rule set. At the first match, the packet filter accepts or denies the packet of information. Most packet filters have an implicit deny all rule at the bottom of the rules file.

Packet filters usually permit or deny network traffic based on the following:

Source and destination TCP/IP addresses
Protocol (for example, TCP, UDP, or ICMP)
Source and destination ports and ICMP types and codes
Flags in the TCP header (for example, whether the packet is a connect request)
Direction (inbound or outbound)
Which physical interface the packet is traversing

All packet filters have a common problem: the trust is based on TCP/IP addresses. Although this security type is not sufficient for an entire network, it is acceptable on a component level.

Most IP packet filters are stateless in that they do not remember anything about the packets they previously processed. A packet filter with state can keep some information about previous traffic, which makes it possible to configure that only replies to requests from the internal network are allowed in from the Internet. Stateless packet filters are vulnerable to spoofing because the source IP address and the ACK bit in the packet header can be easily forged by attackers.
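As an added illustration of the behaviour described above (first-match evaluation, the implicit deny, and why a stateless filter that admits "replies" by header fields alone is spoofable), here is a small model written for this page. It is example code, not IBM i's packet filter; the inside host address, the interface name ETHLINE and the rule fields are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of a packet filter: the header fields it can see,
# first-match rules with an implicit deny, and a stateful variant that only
# admits inbound TCP that reverses a flow the inside host opened.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "TCP", "UDP" or "ICMP"
    sport: int
    dport: int
    direction: str     # "IN" or "OUT"
    iface: str         # physical interface the packet traverses
    syn: bool = False  # TCP connect request
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DENY"
    direction: Optional[str] = None  # None means "any value"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    syn: Optional[bool] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        pairs = [(self.direction, p.direction), (self.proto, p.proto),
                 (self.src, p.src), (self.dst, p.dst), (self.dport, p.dport),
                 (self.iface, p.iface), (self.syn, p.syn), (self.ack, p.ack)]
        return all(want is None or want == have for want, have in pairs)

def stateless_decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; nothing matched means implicit DENY."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"

class StatefulFilter:
    """Same first-match rules for outbound traffic, plus a table of the TCP
    flows they accepted. Inbound TCP is admitted when it reverses a recorded
    flow; a forged packet that merely sets ACK falls through to the rules."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "OUT":
            action = stateless_decide(self.rules, p)
            if action == "ACCEPT" and p.proto == "TCP":
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return action
        if p.proto == "TCP" and (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"  # reply to a request from the inside
        return stateless_decide(self.rules, p)

# Constructed inside host; the service destination is the esupport.ibm.com
# address listed on this page.
INSIDE = "10.0.0.5"
SERVICE_DEST = "192.148.6.11"

# Stateless rule set modelled on the page's HTTP table. Without state, a reply
# can only be recognised by header fields, so the inbound rule keys on ACK.
STATELESS_RULES = [
    Rule("ACCEPT", direction="OUT", proto="TCP", dst=SERVICE_DEST, dport=443, iface="ETHLINE"),
    Rule("ACCEPT", direction="OUT", proto="TCP", dst=SERVICE_DEST, dport=80, iface="ETHLINE"),
    Rule("ACCEPT", direction="IN", proto="TCP", src=SERVICE_DEST, ack=True, iface="ETHLINE"),
]
# Stateful rule set: no inbound rule at all; replies come from the flow table.
STATEFUL_RULES = STATELESS_RULES[:2]

def demo() -> dict:
    request = Packet(INSIDE, SERVICE_DEST, "TCP", 51000, 443, "OUT", "ETHLINE", syn=True)
    reply = Packet(SERVICE_DEST, INSIDE, "TCP", 443, 51000, "IN", "ETHLINE", ack=True)
    # Spoofed source address with ACK set, but no inside host ever asked for it.
    forged = Packet(SERVICE_DEST, INSIDE, "TCP", 443, 22, "IN", "ETHLINE", ack=True)
    # Same request on another interface: no rule names it, so implicit deny.
    wrong_iface = Packet(INSIDE, SERVICE_DEST, "TCP", 51000, 443, "OUT", "VPN1", syn=True)
    sf = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless_request": stateless_decide(STATELESS_RULES, request),
        "stateless_reply": stateless_decide(STATELESS_RULES, reply),
        "stateless_forged": stateless_decide(STATELESS_RULES, forged),
        "stateful_request": sf.decide(request),  # records the flow
        "stateful_reply": sf.decide(reply),
        "stateful_forged": sf.decide(forged),
        "implicit_deny": stateless_decide(STATELESS_RULES, wrong_iface),
    }

def first_match_order() -> tuple:
    """Rule order matters: a DENY for port 80 placed before a broad ACCEPT
    blocks port 80 even though the broad rule alone would have accepted it."""
    rules = [Rule("DENY", direction="OUT", dst=SERVICE_DEST, dport=80),
             Rule("ACCEPT", direction="OUT", dst=SERVICE_DEST)]
    http = Packet(INSIDE, SERVICE_DEST, "TCP", 51001, 80, "OUT", "ETHLINE", syn=True)
    https = Packet(INSIDE, SERVICE_DEST, "TCP", 51002, 443, "OUT", "ETHLINE", syn=True)
    return stateless_decide(rules, http), stateless_decide(rules, https)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<18} {verdict}")
    print("first-match order (80, 443):", first_match_order())
```

The stateless set accepts the forged packet because the only thing it can check is the ACK flag and the source address, both of which the sender controls; the stateful set denies it because no inside host opened the matching flow.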


HTTP Settings

For those Universal Connection applications that use HTTP and HTTPS as a transport, the filter rules have to be changed to allow connections to the IBM service destinations as follows. Both ports 80 and 443 are required for this type of connection:

IP filter rule                     IP filter value
--------------------------------   ----------------------------------------------------
TCP inbound traffic filter rule    Allow port 80 for all service destination addresses
TCP inbound traffic filter rule    Allow port 443 for all service destination addresses
TCP outbound traffic filter rule   Allow port 80 for all service destination addresses
TCP outbound traffic filter rule   Allow port 443 for all service destination addresses


HTTP (port 80) is used for the 'bulk' transmissions such as PTF orders and the list of IBM IP addresses.
HTTPS (port 443, SSL) is used for data transmission such as ESA inventory and contact information.

With current PTFs on the system, ONLY port 443 is required to be open; port 80 is no longer needed. This is only valid for the EDGE configuration. See the information for each release.

Note:
The DDP protocol is used to download the serviceProviderIBMLocationDefinition files and PTFs. The DDP protocol is similar to FTP with more capabilities and will need to be allowed through a site network connection on ports 80 and 443.

Environment

NOTE: Your action might be required.
Public internet IP addresses are changing for the IBM servers that support Call Home and SNDPTFORD. 
IP addresses for esupport.ibm.com and www-945.ibm.com are changing.
For IBM i, the changes affect OS versions that use LEGACY IP addresses (7.2, when not using EDGE, and older), as well as those OS versions that use EDGE (7.3 and higher).

Ensure as soon as possible that the following DNS names, IP addresses, and ports are open on your firewall. Add firewall rules for ALL new IP addresses. Do NOT change or remove existing firewall rules. Use host names (DNS names) whenever possible; for EDGE: esupport.ibm.com

For more information about this topic, see Preparing customer firewalls and proxies for the upcoming infrastructure changes – Call Home, Electronic Fix Distribution document.
IBM will be changing our Call Home service Internet provisioning partner on 1 March 2024. Therefore, DNS-based clients should adjust their firewalls that enable traffic from the current IP addresses to new IP addresses. After 1 March 2024, those clients can remove the current entries.
Static IP address usage (non-DNS) for Call Home access will be deprecated 1 November 2024. This is critical to protect Call Home assets' data privacy, improve the IBM Call Home IT infrastructure security posture, avoid the chance that client systems connecting to the static IP address are tracked and targeted, and allow IBM to offer a solution that is operational nearly 100% of the time. IBM will be retiring the use of Static IP address access to IBM Call Home services on 1 November 2024, allowing clients one full year to migrate and test their DNS network configuration support. All clients that use Call Home should utilize DNS within our products or an appropriate corporate firewall/proxy server configuration to reference esupport.ibm.com and www-945.ibm.com Call Home services, instead of relying upon and configuring static IP addresses.
EDGE SERVER

Summary of actions required:

  • Enable firewall access to IP addresses before 1 March 2024:
    • 192.148.6.11 (port 443)
    • 170.225.123.67 (port 443)
    • 2620:1f7:c010:1:1:1:1:11 (port 443)  - if IPv6 connections required
  • Enable DNS or a firewall/proxy connectivity solution in place of static IP addresses before 1 November 2024.


*Dates in the table are subject to change.

Host name: esupport.ibm.com
  Current IP addresses (IPv4 and IPv6): 129.42.21.70, 2607:f0d0:3901:33:129:42:21:70
  New IP addresses (IPv4 and IPv6):     192.148.6.11, 2620:1f7:c010:1:1:1:1:11
  Target date *: 1 March 2024
    - New IP enabled and returned from DNS.
    - Current IP disabled and no longer returned from DNS.

Host name: esupport.ibm.com
  Current IP addresses (IPv4 and IPv6): 129.42.56.189, 2620:0:6c4:200:129:42:56:189
  New IP addresses (IPv4 and IPv6):     n/a
  Target date *:
    1 March 2024 - IP no longer returned from DNS, although access through static IP still allowed for non-DNS implementations.
    30 June 2024 - Access through static IP disabled.

Host name: esupport.ibm.com
  Current IP addresses (IPv4 and IPv6): 129.42.60.189, 2620:0:6c4:200:129:42:60:189
  New IP addresses (IPv4 and IPv6):     n/a
  Target date *:
    1 March 2024 - IP no longer returned from DNS, although access through static IP still allowed for non-DNS implementations.
    30 June 2024 - Access through static IP disabled.

Host name: esupport.ibm.com
  Current IP addresses (IPv4 and IPv6): n/a
  New IP addresses (IPv4 and IPv6):     170.225.123.67
    Note: This IP is being enabled for "static access only" to help ease the transition from static IP access to DNS access.
  Target date *:
    1 March 2024 - Available for access through static IP only for non-DNS implementations. IP will not be returned from DNS.
    1 November 2024 - Static IP access will be disabled.
LEGACY SERVER:
*Dates in the table are subject to change.

Host name: www-945.ibm.com
  Current IP addresses (IPv4 and IPv6): 129.42.42.224, 2620:0:6c2:1::1000
  New IP addresses (IPv4 and IPv6):     192.148.6.11, 2620:1f7:c010:1:1:1:1:11
  Target date *: 1 March 2024
    - New IP enabled and returned from DNS.
    - Current IP disabled and no longer returned from DNS.

Host name: www-945.ibm.com
  Current IP addresses (IPv4 and IPv6): 129.42.26.224, 2620:0:6c0:1::1000
  New IP addresses (IPv4 and IPv6):     n/a
  Target date *: 1 March 2024
    - Current IP disabled and no longer returned from DNS.

Host name: www-945.ibm.com
  Current IP addresses (IPv4 and IPv6): n/a
  New IP addresses (IPv4 and IPv6):     170.225.123.67
    Note: This IP is being enabled for "static access only" to help ease the transition from static IP access to DNS access.
  Target date *:
    1 March 2024 - Available for access through static IP only for non-DNS implementations. IP will not be returned from DNS.
    1 November 2024 - Static IP access will be disabled.
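The instructions above (add rules for all new addresses, do not remove existing rules until the cutover dates have passed, prefer DNS, open IPv6 only if required) lend themselves to a small audit script. The one below was written for this page and is not an IBM tool; the migration entries are transcribed from the two tables, while the rule export format ("address port" per line) and the sample firewall contents are constructed.

```python
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Transcribed from the EDGE SERVER and LEGACY SERVER tables above:
# (host name, address, role, date on which the address stops being usable).
# role "new": address to add; "static-only": transitional address that is never
# returned from DNS; "current": address being retired.
MIGRATION: List[Tuple[str, str, str, Optional[date]]] = [
    ("esupport.ibm.com", "192.148.6.11", "new", None),
    ("esupport.ibm.com", "2620:1f7:c010:1:1:1:1:11", "new", None),
    ("esupport.ibm.com", "170.225.123.67", "static-only", date(2024, 11, 1)),
    ("esupport.ibm.com", "129.42.21.70", "current", date(2024, 3, 1)),
    ("esupport.ibm.com", "129.42.56.189", "current", date(2024, 6, 30)),
    ("esupport.ibm.com", "129.42.60.189", "current", date(2024, 6, 30)),
    ("www-945.ibm.com", "192.148.6.11", "new", None),
    ("www-945.ibm.com", "2620:1f7:c010:1:1:1:1:11", "new", None),
    ("www-945.ibm.com", "170.225.123.67", "static-only", date(2024, 11, 1)),
    ("www-945.ibm.com", "129.42.42.224", "current", date(2024, 3, 1)),
    ("www-945.ibm.com", "129.42.26.224", "current", date(2024, 3, 1)),
]
PORT = 443  # the EDGE addresses are listed for port 443 only

AllowRule = Tuple[str, int]  # (destination address, TCP port)

def parse_rules(text: str) -> Set[AllowRule]:
    """Read 'address port' lines (constructed export format, one rule per line)."""
    rules = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            rules.add((parts[0], int(parts[1])))
    return rules

def audit(rules: Set[AllowRule], as_of: date, ipv6: bool = False) -> Dict[str, List[str]]:
    """Compare existing allow rules with the migration plan as of a date.
    missing:   addresses to add (new or transitional, still usable, no rule yet)
    retirable: addresses with a rule whose cutoff date has passed
    expiring:  addresses with a rule and a cutoff still in the future"""
    allowed = {addr for addr, port in rules if port == PORT}
    report: Dict[str, List[str]] = {"missing": [], "retirable": [], "expiring": []}
    seen: Set[str] = set()
    for _host, addr, role, cutoff in MIGRATION:
        if addr in seen or (":" in addr and not ipv6):
            continue  # IPv6 entries matter only if IPv6 connections are required
        seen.add(addr)
        usable = cutoff is None or cutoff > as_of
        if role in ("new", "static-only") and usable and addr not in allowed:
            report["missing"].append(addr)
        if addr in allowed and cutoff is not None:
            bucket = "retirable" if cutoff <= as_of else "expiring"
            report[bucket].append(f"{addr} (cutoff {cutoff.isoformat()})")
    return report

# Constructed export of a firewall that has the legacy esupport addresses and
# one of the new ones.
EXISTING_RULES = """\
129.42.21.70 443
129.42.56.189 443
129.42.60.189 443
192.148.6.11 443
"""

if __name__ == "__main__":
    for bucket, items in audit(parse_rules(EXISTING_RULES), date(2024, 4, 1)).items():
        print(f"{bucket:<10} {', '.join(items) or '-'}")
```

Run against the sample export on 1 April 2024, the script asks for 170.225.123.67 to be added, marks 129.42.21.70 as safe to remove, and lists the two addresses whose 30 June cutoff is still ahead.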

Resolving The Problem

Select your Operating System version.

Note: 
ESA has its own internal certificate to exchange with the IBM backend server, so any 'addition' by Proxy/Firewall during the communication makes it fail. If the environment has a Proxy/Firewall that is terminating the SSL connection and returning its own self-signed certificate, it is not supported.

Note:
Only Proxies that use Basic authentication are supported. Other authentication mechanisms such as NTLM and Digest are not supported.

Starting with V7R3, the EDGE server is used. EDGE is a new ECC server environment (esupport.ibm.com) that provides a front-end proxy to the current ECC infrastructure.
EDGE simplifies the IT for ECC consumer products by reducing the number of customer-facing IBM servers, enabling IPv6 connectivity, and providing enhanced security. Customers have fewer IBM addresses to open on their firewall. All EDGE internet traffic flows through the EDGE proxy and then fans out to various internal IBM service providers.

To summarize, Edge provides the following advantages over the current infrastructure.

  1. Fewer IP addresses for customers to configure for both ports 80 & 443
    The EDGE SERVER table and the summary of actions required in the Environment section above apply here.

    Edge replaces IP addresses needed for Service Providers, Download Servers, Upload Servers and CCF, but not FTP.


    Note: Having PTF SI68172 on the system requires ONLY port 443 to be open. Port 80 is no longer needed.

    IP addresses are subject to change. It is recommended to use host names (DNS names) whenever possible; for EDGE, this is esupport.ibm.com.
     

  2. IPv6 connectivity for both ports 80 & 443. The Edge server allows IPv6 connections from the client. Not all legacy servers support IPv6 connections.
     
  3. Edge is the platform for security enhancements such as NIST 800-131a and NSA Suite B enablement.

EDGE server is enabled by default. 

By default, V7R2 uses LEGACY servers to connect for ECS/ESA. Information is listed in the LEGACY Server IP addresses tab.
    By modifying a configuration file, it is possible to use the EDGE server. Be aware that firewall rule changes are required. See more information and details in the V7R3 AND HIGHER section.

    To enable this, follow these steps:

    1. PTFs SI64358 and SI69059 have to be on the system before changing anything; otherwise, it does not work.

    2. EDTF STMF('/qibm/proddata/os400/universalconnection/eccConnect.properties')
      Include the following lines. Some are edits of existing lines, others might be new lines:

      _IBM.SP_UPDATE_INIT = NO
      _IBM.SP_LOCATION_URL = https://esupport.ibm.com/eccedge/gateway/services/projects/ecc/serviceProviderIBMV2.gzip
      PREFER_EDGE = ALL
      DEFAULT_DATAURI_TYPE = INDIRECT

      Alternatively, use the attached eccConnect.properties file and replace the one located in '/qibm/proddata/os400/universalconnection' on your system. Be sure to rename the existing one before replacing it.
      eccConnect.properties

    3. Once the file is replaced, you need to re-create the service configuration. Follow the steps in the Configuration Instructions for Electronic Customer Support (ECS) and Electronic Service Agent (ESA) for IBM i document.
    Note: Having PTF SI76398 on the system requires ONLY port 443 to be open. Port 80 is no longer needed. This is only valid for the EDGE configuration.

    The EDGE server is not supported for these releases; the LEGACY servers must be used.
    Review the information in the LEGACY Server IP addresses tab.

    To find the exact IBM Service Destination addresses that might be used for HTTP and HTTPS traffic, the service provider location definition files can be browsed.

    The files available for this on the system are at: '/qibm/userdata/os400/universalconnection'

    Notes:
    1. For each option, type WRKLNK followed by the full path. This goes directly to the noted file.
    2. Alternatively, in WRKLNK, take Option 5 through the path; pressing F22 on the file shows its full name.

    Option 1: '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt'

    Note: This file is written in a more readable format than the file noted in Option 2.

    A complete listing of this file is available below. In addition, a document is available for ports 80 & 443 sorted by IP address.
    When using this option, all IP addresses have to be allowed in the site firewall rules; omitting any might cause connection attempts to fail. Review the LEGACY Server IP addresses tab.


    Option 2:
    '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.xml'

    If the above file is not found, the main file (containing addresses for all worldwide locations) can be found at one of the following:

    '/qibm/userdata/os400/universalconnection/serviceProviderIBM.xml'
    '/qibm/proddata/os400/universalconnection/serviceProviderIBM.xml'

    Any of these files can be browsed with the DSPF command.

    Example:
    DSPF STMF('/qibm/userdata/os400/universalconnection/')
    Type 5 to display.

    From the '/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt' file described in Option 1, the following IP addresses can be used for ECS and ESA functions.

    Configure only ports 80 & 443 IP addresses from this list. Do not include any 198.x.x.x IP addresses in the network configuration.
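The two filters just stated (keep only ports 80 and 443, drop every 198.x.x.x address) are easy to get wrong by hand over a list this long, so here is a small script that applies them to a listing in the layout shown further down and prints the result in the document's own "Unique IPs / TCP Port" style. It is added example code, not an IBM tool; the embedded listing is a hand-made excerpt in that layout, not the real file from /qibm/userdata/os400/universalconnection.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the layout of the page's listing of the location
# definition file: IP address, TCP port(s), destination, optional host name,
# optional note. The header line is included to show that it is skipped.
SAMPLE_LISTING = """\
IP address TCP Port Destination Host Name Notes
198.74.67.240 19285 URSF_1
170.225.126.56 443 Bulk_Data_1 www6.software.ibm.com
170.225.126.22 21 FTP_Bulk_Data_1 testcase.boulder.ibm.com
129.42.160.48 80/443 Doc_Update_1
170.225.126.43 80/443 Fix_Repository_1 download4.boulder.ibm.com
170.225.119.166 443 Fix_Repository_4 delivery04-bld.dhe.ibm.com Dublin Server
170.225.123.67 443 Gateway_2 eccgw02.rochester.ibm.com
170.225.123.67 443 Inventory_Report_2 eccgw02.rochester.ibm.com
204.146.30.17 443 SP_Config_1 www-03.ibm.com
204.146.30.17 80 SP_Config_2 www-03.ibm.com
"""

ROW = re.compile(r"^(\S+)\s+(\d+(?:/\d+)*)\s+(\S+)(?:\s+(\S+))?")
HTTP_PORTS = {80, 443}                          # the only ports to configure
EXCLUDED = ipaddress.ip_network("198.0.0.0/8")  # "do not include any 198.x.x.x"

Row = Tuple[ipaddress.IPv4Address, Set[int], str, str]

def parse_listing(text: str) -> List[Row]:
    """Turn listing lines into (ip, ports, destination, host) tuples. Header
    and separator lines do not match the pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, ports, dest, host = m.groups()
        rows.append((ipaddress.ip_address(ip), {int(p) for p in ports.split("/")}, dest, host or ""))
    return rows

def allow_list(rows: List[Row]):
    """Unique address/port pairs to open, applying the page's two filters:
    keep only ports 80 and 443 and drop every 198.x.x.x address."""
    wanted: Dict[str, Set[int]] = defaultdict(set)
    skipped: List[Tuple[str, str, str]] = []
    for ip, ports, dest, _host in rows:
        if ip in EXCLUDED:
            skipped.append((str(ip), dest, "198.x.x.x address excluded"))
            continue
        keep = ports & HTTP_PORTS
        if not keep:
            skipped.append((str(ip), dest, f"port(s) {sorted(ports)} are not 80/443"))
            continue
        wanted[str(ip)] |= keep
    return dict(wanted), skipped

def destinations_by_ip(rows: List[Row]) -> Dict[str, List[str]]:
    """Which service destinations share an address, for documenting why each
    firewall entry exists."""
    names: Dict[str, Set[str]] = defaultdict(set)
    for ip, _ports, dest, _host in rows:
        names[str(ip)].add(dest)
    return {ip: sorted(d) for ip, d in names.items()}

def render_rules(wanted: Dict[str, Set[int]]) -> List[str]:
    """One line per address in the document's 'Unique IPs / TCP Port' layout."""
    return [f"{ip:<16} {' '.join(str(p) for p in sorted(wanted[ip]))}"
            for ip in sorted(wanted, key=ipaddress.ip_address)]

if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    wanted, skipped = allow_list(rows)
    print("Unique IPs       TCP Port")
    print("\n".join(render_rules(wanted)))
    for ip, dest, why in skipped:
        print(f"skipped {ip} ({dest}): {why}")
```

Addresses that several destinations share (eccgw02.rochester.ibm.com serves Gateway_2 and Inventory_Report_2, for instance) collapse into a single entry, which is the same de-duplication the document's "Unique IPs" table performs.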

     

    NOTE: Your action might be required. Infrastructure improvements to electronic fix distribution and Call Home were implemented; IP addresses and host names changed, and new connections are required. You have to configure your firewall and proxy server if you have a firewall in your network, or if your machine uses a proxy server to access the internet.
    In March 2023, changes were made. See the IBM Electronic support gateway servers IP address changes document.
    In 2022, changes were made. See the Preparing firewalls and proxies document.

    The hosts and IP addresses that changed are marked in the Notes column.

    IP address       TCP Port  Destination          Host Name                    Notes
    ---------------  --------  -------------------  ---------------------------  -----
    198.74.67.240    19285     URSF_1
    198.74.71.240    19285     URSF_2
    170.225.126.56   443       Bulk_Data_1          www6.software.ibm.com
    192.109.81.20    443       Bulk_Data_2          www.ecurep.ibm.com
    170.225.126.22   21        FTP_Bulk_Data_1      testcase.boulder.ibm.com
    129.42.160.48    80/443    Doc_Update_1
    207.25.252.200   80/443    Doc_Update_2
    170.225.126.43   80/443    Fix_Repository_1     download4.boulder.ibm.com
    129.35.224.107   80/443    Fix_Repository_2     download4.mul.ie.ibm.com
    170.225.126.42   80/443    Fix_Repository_3     download2.boulder.ibm.com
    170.225.119.166  443       Fix_Repository_4     delivery04-bld.dhe.ibm.com   Dublin Server
    170.225.126.45   80/443    Fix_Repository_4     delivery04-bld.dhe.ibm.com
    170.225.119.169  443       Fix_Repository_5     delivery04-mul.dhe.ibm.com   Dublin Server
    170.225.126.46   80/443    Fix_Repository_5     delivery04-mul.dhe.ibm.com
    170.225.119.167  443       Fix_Repository_6     delivery04.dhe.ibm.com       Dublin Server
    170.225.126.44   80/443    Fix_Repository_6     delivery04.dhe.ibm.com
    170.225.126.24   80/443    Fix_Repository_7     download3.boulder.ibm.com
    129.35.224.114   80        Fix_Repository_8     download3.mul.ie.ibm.com
    170.225.119.162  443       Fix_Repository_9     delivery03-bld.dhe.ibm.com   Dublin Server
    170.225.126.39   80/443    Fix_Repository_9     delivery03-bld.dhe.ibm.com
    170.225.119.163  443       Fix_Repository_10    delivery03-mul.dhe.ibm.com   Dublin Server
    170.225.126.40   80/443    Fix_Repository_10    delivery03-mul.dhe.ibm.com
    170.225.119.156  443       Fix_Repository_11    delivery01-bld.dhe.ibm.com   Dublin Server
    170.225.126.67   443       Fix_Repository_11    delivery01-bld.dhe.ibm.com
    170.225.119.157  443       Fix_Repository_12    delivery01-mul.dhe.ibm.com   Dublin Server
    170.225.126.40   80/443    Fix_Repository_12    delivery01-mul.dhe.ibm.com
    170.225.15.124   80/443    Fix_Repository_13    dsw.boulder.ibm.com
    129.35.224.124   80/443    Fix_Repository_14    dsw.mul.ie.ibm.com
    170.225.15.108   80/443    Fix_Repository_15    dsw-bld.dhe.ibm.com
    129.35.224.108   80/443    Fix_Repository_16    dsw-bld.dhe.ibm.com
    129.35.224.109   80/443    Fix_Repository_17    dsw-mul.dhe.ibm.com
    170.225.15.109   80/443    Fix_Repository_18    dsw-mul.dhe.ibm.com
    129.35.224.110   80/443    Fix_Repository_19    dsw.dhe.ibm.com
    170.225.15.110   80/443    Fix_Repository_20    dsw.dhe.ibm.com
    170.225.122.67   443       Gateway_1            eccgw01.boulder.ibm.com
    170.225.123.67   443       Gateway_2            eccgw02.rochester.ibm.com
    170.225.122.67   443       Inventory_Report_1   eccgw01.boulder.ibm.com
    170.225.123.67   443       Inventory_Report_2   eccgw02.rochester.ibm.com
    129.42.26.224    443       Problem_Report_1     www-945.ibm.com              1 March 2024 - Current IP disabled and no longer returned from DNS.
    129.42.50.224    443       Problem_Report_2     www-945.ibm.com              1 March 2024 - Current IP disabled and no longer returned from DNS.
    129.42.42.224    443       Problem_Report_3     www-945.ibm.com              1 March 2024 - New IP 192.148.6.11 enabled and returned from DNS; current IP disabled and no longer returned from DNS.
    129.42.26.224    443       Problem_Report_4     www-945.ibm.com              1 March 2024 - Current IP disabled and no longer returned from DNS.
    129.42.34.224    443       Problem_Report_5     www-945.ibm.com              1 March 2024 - Current IP disabled and no longer returned from DNS.
    170.225.122.67   443       Profile_1            eccgw01.boulder.ibm.com
    170.225.123.67   443       Profile_2            eccgw02.rochester.ibm.com
    129.42.160.48    443       SAS_1
    207.25.252.200   443       SAS_2
    207.25.252.200   443       SDR_1
    129.42.160.48    443       SDR_2
    129.42.160.48    443       SDR_3
    207.25.252.200   443       SDR_4
    207.25.252.197   443       Service_Provider_1   eccgw01.boulder.ibm.com      TBD - IP is changing to 170.225.123.67
    129.42.160.51    443       Service_Provider_2   eccgw02.rochester.ibm.com    TBD - IP is changing to 170.225.122.67
    204.146.30.17    443       SP_Config_1          www-03.ibm.com
    204.146.30.17    80        SP_Config_2          www-03.ibm.com
    204.146.30.17    443       SRM_1                www-03.ibm.com
    170.225.122.67   443       Status_Report_1      eccgw01.boulder.ibm.com
    170.225.123.67   443       Status_Report_2      eccgw02.rochester.ibm.com
    170.225.122.67   443       Update_Order_1       eccgw01.boulder.ibm.com
    170.225.123.67   443       Update_Order_2       eccgw02.rochester.ibm.com
    170.225.123.67                                  www-945.ibm.com              Note: This IP is being enabled for "static access only" to help ease the transition from static IP access to DNS access. 1 March 2024 - Available for access through static IP only for non-DNS implementations. IP will not be returned from DNS. 1 November 2024 - Static IP access will be disabled.

       

    Unique IPs       TCP Port
    ----------       --------
    198.74.67.240    19285  
    198.74.71.240    19285  
    170.225.126.56   443  
    192.109.81.20    443  
    170.225.126.22   21  
    129.42.160.48    443  
    207.25.252.200   443  
    170.225.126.43   443  
    129.35.224.107   443  
    170.225.126.42   443  
    170.225.126.45   443  
    170.225.126.46   443  
    170.225.126.44   443  
    170.225.126.24   443  
    129.35.224.114   443  
    170.225.126.39   443  
    170.225.126.40   443  
    170.225.126.67   443  
    170.225.15.124   443  
    129.35.224.124   443  
    170.225.15.108   443  
    129.35.224.108   443  
    129.35.224.109   443  
    170.225.15.109   443  
    129.35.224.110   443  
    170.225.15.110   443  
    170.225.122.67   443  
    170.225.123.67   443  
    129.42.26.224    443  
    129.42.50.224    443  
    129.42.42.224    443  
    198.74.71.235    11111  
    198.74.67.235    11111  
    204.146.30.17    443  80  
    
    
    Unique VPN Gateways   Protocols   UDP Port
    -------------------   ---------   --------
    207.25.252.196        ESP, UDP    500  4500  
    129.42.160.16         ESP, UDP    500  4500  



    Note: When using this option, all IP addresses have to be allowed in the site firewall rules; omitting any might cause connection attempts to fail.

     

    Test the connection by using the following commands to populate the IP addresses used for each application:

    • SNDPTFORD SF98xxx
      Where xxx is the version and release of the system (for example: SF98720, SF98730, SF98740).
    • SNDSRVRQS *TEST
    • VFYSRVAGT TYPE(*TSTPRB)
    • GO SERVICE Option 2
      Note: To check for errors when using the GO SERVICE options, review the audit log via GO SERVICE, Option 14, and enter B in the Position to line field.
    • To test connectivity to the IBM backend servers, use the following commands. Let each one complete; it can take a while:
      VFYSRVCFG SERVICE(*ECS) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*FIXREP) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*PRBRPT) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*SPCFG) VFYOPT(*ALL)
      VFYSRVCFG SERVICE(*SRVAGT) VFYOPT(*ALL)

      The VFYSRVCFG commands log to the joblog the IP address, protocol, and port used, along with success or failure information:
      CPIAC59: Verification was successful.
      CPIAC60: Verification was not successful.
      CPIAC61: The value does not match an existing service destination.

      For CPIAC60, make sure the firewall is correctly set. For CPIAC61, the recommended PTFs for ESA must be applied and the service configuration deleted and re-created; follow the Configuration Instructions for Electronic Customer Support (ECS) and Electronic Service Agent (ESA) for IBM i document.
    For the next test, open two IBM i sessions, noted below as Session A and Session B:

    On Session A:
    1. Issue NETSTAT, Option 3.
    2. Press F15, and in the Remote port range, enter the following:
    Remote port range:
    Lower value . . . . . . . . 80
    Upper value . . . . . . . . 443

    On Session B:
    1. Issue SNDPTFORD SF98xxx
    Where xxx is the version and release of the operating system (for example, SF98720, SF98730, SF98740).

    2. While the PTF order is running on Session B, watch the IP address traffic on Session A. On a successful connection, the state or status should be Established. If several IP addresses appear and leave with only Syn_Sent status, the site network is blocking the connection.
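The two checks above (the CPIAC59/60/61 outcomes of VFYSRVCFG and the Established-versus-Syn_Sent reading of NETSTAT) can be reduced to a short triage script when many endpoints are involved. The following is added example code, not an IBM tool. The message identifiers, their texts, the state names and the next steps come from the page; the joblog line layout after the message text and the NETSTAT sample tuples are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed joblog excerpt. Only the CPIAC message ids and texts are from the
# page; the service name, address, protocol and port after the text are assumed.
JOBLOG = """\
VFYSRVCFG SERVICE(*ECS) VFYOPT(*ALL)
CPIAC59 Verification was successful. *ECS 192.148.6.11 TCP 443
VFYSRVCFG SERVICE(*FIXREP) VFYOPT(*ALL)
CPIAC60 Verification was not successful. *FIXREP 170.225.126.43 TCP 443
VFYSRVCFG SERVICE(*PRBRPT) VFYOPT(*ALL)
CPIAC61 The value does not match an existing service destination. *PRBRPT
"""

# Next step the page gives for each outcome.
NEXT_STEP = {
    "CPIAC59": "verified",
    "CPIAC60": "check the firewall rules for this address and port",
    "CPIAC61": "apply the recommended ESA PTFs, then delete and re-create the service configuration",
}
MSG = re.compile(r"^(CPIAC\d{2})\b.*?(\*[A-Z]+)(?:\s+(\S+)\s+(TCP|UDP)\s+(\d+))?")

def summarize_joblog(text: str) -> Dict[str, Dict[str, str]]:
    """Per service: message id, next step, and the endpoint when the log names one."""
    out: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = MSG.match(line)
        if not m:
            continue
        msgid, service, addr, proto, port = m.groups()
        out[service] = {
            "msg": msgid,
            "action": NEXT_STEP.get(msgid, "unknown message"),
            "endpoint": f"{addr} {proto}/{port}" if addr else "",
        }
    return out

# Constructed NETSTAT Option 3 samples taken while the PTF order ran:
# (remote address, remote port, state). State names are the page's; the screen
# layout itself is not reproduced.
NETSTAT_SAMPLES: List[Tuple[str, int, str]] = [
    ("192.148.6.11", 443, "Syn_Sent"),
    ("192.148.6.11", 443, "Established"),
    ("170.225.126.43", 443, "Syn_Sent"),
    ("170.225.126.43", 443, "Syn_Sent"),
    ("170.225.126.43", 80, "Syn_Sent"),
]

def netstat_verdict(samples: List[Tuple[str, int, str]]) -> Dict[Tuple[str, int], str]:
    """Per remote address/port: 'reachable' once Established was seen,
    'blocked' when every sample stayed in Syn_Sent (the page's symptom of the
    site network dropping the connection), otherwise 'inconclusive'."""
    states = defaultdict(set)
    for ip, port, state in samples:
        states[(ip, port)].add(state)
    verdict = {}
    for key, seen in states.items():
        if "Established" in seen:
            verdict[key] = "reachable"
        elif seen == {"Syn_Sent"}:
            verdict[key] = "blocked"
        else:
            verdict[key] = "inconclusive"
    return verdict

if __name__ == "__main__":
    for service, info in summarize_joblog(JOBLOG).items():
        print(f"{service:<8} {info['msg']}  {info['endpoint']:<24} {info['action']}")
    for (ip, port), result in netstat_verdict(NETSTAT_SAMPLES).items():
        print(f"{ip:<16} {port:<5} {result}")
```

A remote address that shows up only in Syn_Sent across every sample is the case the text describes as the site network blocking the connection, and it is the endpoint whose firewall entry to check first.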

    At R710, the Verify Service Configuration command has been enhanced to do extra connection tests:
    Verify Service Configuration Enhancements


    Document Information

    Modified date:
    12 October 2023

    UID

    nas8N1018980