About Firewalls and ClearCase

Technote (FAQ)


Question

Is IBM Rational ClearCase supported for use through a firewall, can it be configured to use the ClearCase MultiSite variables, CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT, and what is the expected behavior when a desktop firewall is configured in the environment?

Answer

Note: The information in this technote has been incorporated into the 8.0 version of the IBM Rational ClearCase Information Center.








Overview

Currently, operating Rational ClearCase processes through a firewall is not supported. If you are using a personal firewall, it is possible to configure it for use with ClearCase. It is not possible to configure a corporate firewall for use with ClearCase.

Refer to the Exceptions section below for information about MultiSite exceptions.


Note: IBM Rational ClearCase is known to operate correctly through firewalls in internal networks if the following conditions are met:
    • Port 371 (UDP and TCP) is passed through to any/all ClearCase server hosts from the allowed hosts.
    • All ports over 1024 (UDP and TCP) are open from the allowed ClearCase client hosts to needed ClearCase server hosts.
    • On Windows with McAfee Antivirus (access protection), also open port 6666 (IRC). Cleartool.exe may use that port to acquire a license. If you do not open that port, the user command will fail with error: Unable to contact albd_server on host.
If problems caused by firewall configuration issues occur in your ClearCase environment, resolution of those issues is beyond the scope of ClearCase support. Rational support can assist in figuring out what the specific firewall problem is (connections being aggressively closed by the firewall, packets being dropped, or others). However, it is your responsibility to work with your firewall vendor to determine how to resolve the issues.
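
The port conditions in the note above can be checked against a firewall policy before ClearCase traffic is sent through it. The following is an added example, not IBM or ClearCase code: it assumes a simplified first-match rule list with default deny, and the rule tuple layout, addresses and sample policy are constructed for illustration.

```python
# Added example; the rule tuple model is an assumption, not a vendor format.
from ipaddress import ip_address, ip_network

# Required (protocol, low port, high port) from client to server, per the note.
REQUIRED = [(p, lo, hi) for p in ("tcp", "udp") for lo, hi in ((371, 371), (1025, 65535))]

def subtract(spans, lo, hi):
    """Remove [lo, hi] from a list of inclusive (lo, hi) port spans."""
    out = []
    for a, b in spans:
        if b < lo or a > hi:
            out.append((a, b))
            continue
        if a < lo:
            out.append((a, lo - 1))
        if b > hi:
            out.append((hi + 1, b))
    return out

def blocked_ports(rules, client, server):
    """Return {(proto, lo, hi): [blocked spans]} for required ports not allowed.
    rules: ordered (action, proto, src_cidr, dst_cidr, lo, hi); first match
    wins and anything unmatched is dropped (default deny)."""
    c, s = ip_address(client), ip_address(server)
    gaps = {}
    for proto, lo, hi in REQUIRED:
        undecided, blocked = [(lo, hi)], []
        for action, r_proto, src, dst, r_lo, r_hi in rules:
            if r_proto != proto or c not in ip_network(src) or s not in ip_network(dst):
                continue
            hit = [(max(a, r_lo), min(b, r_hi)) for a, b in undecided
                   if a <= r_hi and b >= r_lo]
            if action == "deny":
                blocked += hit
            undecided = subtract(undecided, r_lo, r_hi)
        blocked += undecided  # ports that fell through to default deny
        if blocked:
            gaps[(proto, lo, hi)] = sorted(blocked)
    return gaps

# Constructed sample policy: client subnet 10.1.0.0/24, ClearCase server 10.2.0.5.
SAMPLE_RULES = [
    ("deny",  "tcp", "0.0.0.0/0",   "10.2.0.5/32", 6000, 6063),
    ("allow", "tcp", "10.1.0.0/24", "10.2.0.5/32", 371, 371),
    ("allow", "tcp", "10.1.0.0/24", "10.2.0.5/32", 1025, 65535),
    ("allow", "udp", "10.1.0.0/24", "10.2.0.5/32", 371, 371),
    ("allow", "udp", "10.1.0.0/24", "10.2.0.5/32", 1025, 32767),
]
```

For the sample policy, `blocked_ports(SAMPLE_RULES, "10.1.0.20", "10.2.0.5")` reports the earlier TCP deny for 6000-6063 and the truncated UDP range as gaps; an empty result means the policy meets the conditions for that client and server pair.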


ClearCase Port Assignment

Rational ClearCase communicates through several server processes, and the ports they use are not fixed.

ClearCase specifically uses port 371 for the albd_server process; however, the ports used by the child processes spawned from the albd service are assigned dynamically.

It is the nature of the port assignment that makes firewall access with ClearCase impossible.

Note: Port-based firewalls within a development environment will cause problems for the ClearCase or ClearCase MultiSite environment.



Exceptions
  1. The ClearCase MultiSite Shipping Server can work through a firewall because you can configure the shipping server host to use specific ports to send packets through the firewall, using either the albd_rt_params.conf file or the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT variables. Review technote 1233313 for more information on the albd_rt_params.conf file. Review technote 1207525 for more information about the port environment variables.
  2. The ClearCase MultiSite msadm_server, which services reqmaster calls, can work through a firewall because you can configure this server to use a single port using the albd_rt_params.conf file. Review technote 1233313 for more information on the albd_rt_params.conf file.

  3. When using Network Address Translators (NAT), review technote 1167693 for information on the supported configuration for ClearCase clients using NAT hardware.

  4. If you run the Rational ClearCase Web client (CCWeb) on a host running Windows XP with SP2, you must add ccweb.exe to the firewall’s exception list.

    Note: In some cases, when ccweb is not on the exception list, Windows firewall displays an empty error dialog.


Known Problems

Review the following technotes as examples of the kinds of results you may encounter if desktop firewall software is in use on a ClearCase host:
  • 1122554 - Unable to allocate port in specified range

  • 1128548 - albd_rgy_get_entry call failed: RPC: Timed out

  • 1121619 - Overlapped I/O operations in progress

Microsoft Windows Vista



WORKAROUNDS:
  1. The only workaround to the WAN issue is to use ClearCase Web Interface (CCWeb) or ClearCase Remote Client (CCRC) where the Web Server is configured within the firewall.

  2. You can configure your personal firewall to work with ClearCase by allowing all Rational ClearCase processes unimpeded access through the personal firewall.

    Note: You cannot configure a corporate firewall to work with ClearCase, because you cannot configure a corporate firewall to allow specific processes through the firewall.

    For example, Windows XP and later come standard with a personal firewall system on the host operating system. You can enable the firewall and configure ClearCase to work around it as described below.

    • Windows XP Firewall

      Refer to the IBM Rational ClearCase Information Center for instructions on configuring the Microsoft Windows firewall:

      Issues when using Windows Firewall > Enabling network access for Rational ClearCase server processes

    • Microsoft® Windows® Vista Firewall

      The firewall that comes with Windows Vista can affect Rational ClearCase in that it will block the albd_server service from communicating with remote servers.

      The firewall can be disabled or it can be configured for specific rules for certain programs.

      Refer to the following article on how to configure the Vista firewall, cg0106.

    Note: Review technote 1147107 on how to check if the personal firewall is enabled on RedHat® Linux®.

Related information

Store-n-forward alternatives across firewall
CCRC versus CCWeb versus Native ClearCase
Use the Microsoft Windows firewall with ClearCase


Cross reference information
Segment Product Component Platform Version Edition
Software Development Rational ClearCase Environment Variables


Document information


More support for:

Rational ClearCase
Environment Variables

Software version:

7.0, 7.0.1, 7.1, 7.1.1, 7.1.2, 8.0, 8.0.1

Operating system(s):

AIX, HP-UX, IRIX, Linux, Solaris, Windows

Reference #:

1117638

Modified date:

2014-03-20
