Planning for firewall traffic between catalog servers

You must plan for data grid traffic between catalog servers, both within one catalog service domain and across domains.

The examples illustrate where you must allow communication between these servers. Read the port properties and values that are defined in Planning for network ports before you plan the firewall rules.
Figure 1. An intra-domain catalog service. Communication between these servers must be allowed through any firewall.
Figure 2. An inter-domain catalog service. If you configure more catalog server domains, then both inter-domain and intra-domain catalog server traffic must be allowed through any firewall.

A1: Both sides can initiate traffic.
In this example, the data grid servers have a peer port set to 6602. For traffic initiated by A.CatServer1, outbound traffic uses source port: ephemeral, destination port: 6602, and return traffic from A.CatServer2 flows over the same connection. Similarly, for traffic initiated by A.CatServer2, outbound traffic uses source port: ephemeral, destination port: 6602, and return traffic from A.CatServer1 flows over the same connection.
A2: Both sides can initiate traffic.
If a listener port is not configured, the data grid servers use the default, 2809. In this example, the data grid servers have a listener port set to 2809. For traffic initiated by A.CatServer1, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.CatServer2 flows over the same connection. Similarly, for traffic initiated by A.CatServer2, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.CatServer1 flows over the same connection.
Note: When a data grid server operates inside WebSphere Application Server and uses an ORB transport protocol, the ORB_LISTENER_ADDRESS port must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
A3: Both sides can initiate traffic.
In this example, the data grid servers have a client port set to 6601. For traffic initiated by A.CatServer1, outbound traffic uses source port: ephemeral, destination port: 6601, and return traffic from A.CatServer2 flows over the same connection. Similarly, for traffic initiated by A.CatServer2, outbound traffic uses source port: ephemeral, destination port: 6601, and return traffic from A.CatServer1 flows over the same connection.
A4: Both sides can initiate traffic.
If a listener port is not configured, the data grid servers use the default, 2809. In this example, the data grid servers have a listener port set to 2809. For traffic initiated by A.CatServer1, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from B.CatServer1 flows over the same connection. Similarly, for traffic initiated by B.CatServer1, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.CatServer1 flows over the same connection.
Note: When a data grid server operates inside WebSphere Application Server and uses an ORB transport protocol, the ORB_LISTENER_ADDRESS port must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
A5: When either an ORB or XIO transport protocol is used, Secure Sockets Layer (SSL) is an optional configuration. If SSL is enabled, then both sides can initiate traffic.
IBM® eXtremeIO (XIO) does not use a separate SSL port and sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: if the SSL port is not configured, an ephemeral port is chosen at startup, and this port can vary each time the catalog server is restarted, so a fixed firewall rule cannot be written for it. In this example, the data grid servers have an SSL port set to 37511. For traffic initiated by A.CatServer1, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.CatServer2 flows over the same connection. Similarly, for traffic initiated by A.CatServer2, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.CatServer1 flows over the same connection.
A6: When either an ORB or XIO transport protocol is used, Secure Sockets Layer (SSL) is an optional configuration. If SSL is enabled, then both sides can initiate traffic.
XIO does not use a separate SSL port and sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: if an SSL port is not configured, an ephemeral port is chosen at startup, and this port can vary each time the catalog server is restarted, so a fixed firewall rule cannot be written for it. In this example, the data grid servers have an SSL port set to 37511. For traffic initiated by A.CatServer1, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from B.CatServer1 flows over the same connection. Similarly, for traffic initiated by B.CatServer1, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.CatServer1 flows over the same connection.
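The following Python model is an added example, not IBM code or part of this documentation. It encodes flows A1 to A6 above as stateful firewall rules: intra-domain pairs need the peer, listener and client ports, inter-domain pairs need only the listener port, SSL adds a port only for ORB (XIO rides the listener port), an unconfigured ORB SSL port is flagged because it is ephemeral and cannot be pinned, and ORB inside WebSphere Application Server additionally needs ORB_LISTENER_ADDRESS. The `Catalog` class, its field names, `EPHEMERAL_MIN`, and the sample ORB_LISTENER_ADDRESS value 9100 are assumptions of this model; the port numbers 6602, 2809, 6601 and 37511 are the page's example values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Example port values from the page (figures 1 and 2).
PEER_PORT, LISTENER_PORT, CLIENT_PORT, SSL_PORT = 6602, 2809, 6601, 37511
EPHEMERAL_MIN = 32768  # lower bound of the Linux default ip_local_port_range (model assumption)

@dataclass
class Catalog:
    name: str                        # figure label such as "A.CatServer1"; the prefix is the domain
    transport: str                   # "ORB" or "XIO"
    ssl: bool = False
    ssl_port: int | None = None      # ORB only; None means an ephemeral port chosen at startup
    in_was: bool = False             # runs inside WebSphere Application Server
    orb_listener_port: int | None = None  # ORB_LISTENER_ADDRESS port when in_was (assumed name)

    @property
    def domain(self) -> str:
        return self.name.split(".", 1)[0]

def open_ports(target: Catalog, same_domain: bool) -> tuple[set[int], list[str]]:
    """Destination ports that must be reachable on target, plus anything a rule cannot pin."""
    ports, warnings = {LISTENER_PORT}, []                  # A2/A4: listener port in both figures
    if same_domain:
        ports |= {PEER_PORT, CLIENT_PORT}                  # A1/A3: intra-domain only (figure 1)
    if target.transport == "ORB" and target.in_was:        # note under A2/A4
        if target.orb_listener_port is None:
            warnings.append(f"{target.name}: ORB_LISTENER_ADDRESS must be opened but is not set")
        else:
            ports.add(target.orb_listener_port)
    if target.ssl and target.transport == "ORB":           # A5/A6; XIO sends SSL over the listener port
        if target.ssl_port is None:
            warnings.append(f"{target.name}: ORB SSL port is ephemeral and changes on restart")
        else:
            ports.add(target.ssl_port)
    return ports, warnings

def required_rules(a: Catalog, b: Catalog) -> tuple[list[tuple[str, str, int]], list[str]]:
    """Both sides can initiate, so build (initiator, target, dport) rules in each direction."""
    rules, warnings = [], []
    for initiator, target in ((a, b), (b, a)):
        ports, w = open_ports(target, a.domain == b.domain)
        rules += [(initiator.name, target.name, p) for p in sorted(ports)]
        warnings += w
    return rules, warnings

def allowed(rules, src, dst, sport, dport, established=False) -> bool:
    """Stateful check: a new connection needs a rule and an ephemeral source port;
    return traffic is accepted only on the established connection (the rule seen in reverse)."""
    if established:
        return (dst, src, sport) in rules
    return sport >= EPHEMERAL_MIN and (src, dst, dport) in rules
```

Run `required_rules` once per catalog server pair and review the returned warnings before writing firewall rules; a non-empty warning list means one of the flows above has no fixed destination port.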