Planning for firewall traffic between container and catalog servers

You must plan for data grid traffic between a container server and a catalog server.

The examples illustrate where you must allow communication between these servers. You should read the port properties and values that are defined in Planning for network ports.

Figure 1. An intra-domain catalog to container service. Communication between these servers must be allowed through any firewall.

Figure 2. An inter-domain catalog to container service. If more domains are configured, then you will not have traffic between a catalog server and a container server.

B1: Both sides can initiate traffic.
If a listener port is not configured on a stand-alone catalog server, the data grid servers use the default listener port, 2809. For a stand-alone container server, an ephemeral port is picked at startup, and this port can vary each time that the server is restarted.
In this example, the data grid servers have a listener port that is set to 2809. For traffic that is initiated by the A.CatServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from the A.ContainerServer1 server flows over the same connection. Similarly, for traffic that is initiated by the A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from the A.CatServer1 server flows over the same connection.
Note: When a data grid server operates inside WebSphere Application Server and uses an Object Request Broker (ORB) transport protocol, an additional port, ORB_LISTENER_ADDRESS, must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.

B2: When either an IBM® eXtremeIO (XIO) or Object Request Broker (ORB) transport protocol is used, Secure Sockets Layer (SSL) is an optional configuration. If SSL is enabled, then both sides can initiate traffic.
XIO does not use a separate SSL port and sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: If an SSL port is not configured, an ephemeral port is chosen at startup, and this port can vary each time that the server is restarted.
In this example, the data grid servers have an SSL port that is set to 37511. For traffic that is initiated by the A.CatServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from the A.ContainerServer1 server flows over the same connection. Similarly, for traffic that is initiated by the A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from the A.CatServer1 server flows over the same connection.
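
The B1 and B2 rules above can be turned into a firewall allow list and a list of ports that still need to be pinned. The following sketch is an added example, not product code. It covers stand-alone servers only, and the dictionary fields (name, role, transport, listener_port, ssl_port, ssl) are hypothetical names, not product property names.

```python
# Added example: derive firewall allow rules for a catalog/container pair.
# Field names are hypothetical; the server dictionaries are constructed samples.
CATALOG_DEFAULT_LISTENER = 2809  # default listener port stated on this page


def required_ports(server):
    """Return (ports, warnings) for inbound traffic that `server` must accept."""
    ports, warnings = [], []
    listener = server.get("listener_port")
    if listener is None and server["role"] == "catalog":
        listener = CATALOG_DEFAULT_LISTENER
    if listener is None:
        # A container server without a configured port picks an ephemeral one.
        warnings.append(f"{server['name']}: listener port is ephemeral; "
                        "pin it before writing a static rule")
    else:
        ports.append(listener)
    # XIO sends SSL over the listener port; only ORB has a separate SSL port.
    if server.get("ssl") and server["transport"] == "ORB":
        if server.get("ssl_port") is None:
            warnings.append(f"{server['name']}: ORB SSL port is ephemeral; "
                            "pin it before writing a static rule")
        else:
            ports.append(server["ssl_port"])
    return ports, warnings


def firewall_plan(catalog, container):
    """Both sides can initiate traffic, so emit allow rules in each direction.
    Return traffic flows over the same connection, so a stateful firewall
    needs no separate return rule."""
    rules, warnings = [], []
    for src, dst in ((catalog, container), (container, catalog)):
        ports, warns = required_ports(dst)
        warnings.extend(warns)
        rules.extend((src["name"], "ephemeral", dst["name"], p) for p in ports)
    return rules, warnings


if __name__ == "__main__":
    cat = {"name": "A.CatServer1", "role": "catalog", "transport": "ORB",
           "listener_port": 2809, "ssl_port": 37511, "ssl": True}
    cont = dict(cat, name="A.ContainerServer1", role="container")
    rules, warnings = firewall_plan(cat, cont)
    for src, sport, dst, dport in rules:
        print(f"allow tcp {src}:{sport} -> {dst}:{dport}")
    for w in warnings:
        print("WARNING:", w)
```

Any warning means that a port can change at the next restart, so a static rule for it cannot be written until the port is configured explicitly.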