Planning for firewall traffic between clients and data grid servers

You must plan for data grid traffic between a client and the data grid servers.

The examples illustrate where you must allow communication between clients and data grid servers. You should read the port properties and values that are defined in Planning for network ports.

Figure 1. Client to grid communication: IBM® eXtremeIO (XIO) transport only. Communication between a client and data grid servers must be allowed through any firewall.
Figure 2. Client to grid communication: Object Request Broker (ORB) transport only. Communication between a client and data grid servers must be allowed through any firewall.
CL1: Only the client application can initiate traffic.
If a listener port is not configured, the data grid server uses the default, 2809. In this example, the listener port is set to 2809. Client to data grid server traffic uses source port: ephemeral, destination port: 2809, and traffic from the data grid server can flow only over a connection that the client opened.
Note: When a data grid server operates inside WebSphere Application Server and uses an Object Request Broker (ORB) transport protocol, another port ORB_LISTENER_ADDRESS must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
CL2: IBM® eXtremeIO (XIO) transport protocol only. Only the client can initiate traffic.
If a listener port is not configured, an ephemeral port is chosen at startup and this port can vary each time that the server is restarted. In this example, the listener port is set to 2809. Client to data grid server traffic uses source port: ephemeral, destination port: 2809, and only when the connection is opened by the client can traffic from the data grid server flow over the same connection.
CL3: Object Request Broker (ORB) transport protocol only. Both sides can initiate traffic.
If a listener port is not configured on the client application or data grid server, an ephemeral port is chosen at startup and this port can vary each time that the client application or data grid server is restarted. In this example, a listener port is set to 2809. For traffic that is initiated by the client application, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.ContainerServer1 server flows over the same connection. Similarly, for traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from the client flows over the same connection.
Note: When a client application or data grid server operates inside WebSphere Application Server and uses an ORB transport protocol, another port ORB_LISTENER_ADDRESS must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
CL4, CL5: Separate SSL port, ORB transport protocol only. With either an ORB or an XIO transport protocol, Secure Sockets Layer (SSL) is an optional configuration. Both sides can initiate traffic.
XIO does not use a separate SSL port and sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: If an SSL port is not configured on the client application or data grid server, an ephemeral port is chosen at startup and this port can vary each time the client application or data grid server is restarted. If SSL is enabled, both the client application and the data grid server can initiate traffic. In this example, both sides have an SSL port that is set to 37511. For traffic that is initiated by the client, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from the data grid server flows over the same connection. Similarly, for traffic that is initiated by the data grid server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from the client flows over the same connection.
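The following is an added illustration, not IBM code or a supported tool: a small stateful-firewall model that replays the CL1 to CL5 flows described above and shows which packets a firewall must admit. The client host name, the rule layout and the packet trace are constructed for the example; 2809 (listener) and 37511 (SSL) are the port values used on this page. It also shows why an unconfigured listener port is a planning problem: a rule cannot be written for a destination port that is ephemeral and changes at every restart.

```python
"""Stateful-firewall model of the client <-> data grid flows (CL1 to CL5).

Added illustration only; not IBM tooling. Host names, rule layout and the
packet trace are constructed. 2809 (listener) and 37511 (SSL) are the
port values used on the page.
"""
from dataclasses import dataclass, field
from typing import Optional

CLIENT = "client.example"        # constructed client host name
SERVER = "A.ContainerServer1"    # server name as used on the page
LISTENER_PORT = 2809
SSL_PORT = 37511


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    opens: bool = False   # True for the packet that opens a connection (TCP SYN)


@dataclass(frozen=True)
class Rule:
    """Permits NEW connections from src to dst on a fixed destination port."""
    src: str
    dst: str
    dport: Optional[int]   # None models an unconfigured (ephemeral) listener


@dataclass
class StatefulFirewall:
    rules: list
    conntrack: set = field(default_factory=set)

    def allow(self, pkt: Packet) -> bool:
        """Tracked connections pass in both directions; a new connection passes
        only if a rule permits the packet that opens it."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return True      # ESTABLISHED: traffic "flows over the same connection"
        if pkt.opens and any(
            r.src == pkt.src and r.dst == pkt.dst and r.dport == pkt.dport
            for r in self.rules
        ):
            self.conntrack.add(fwd)
            return True
        return False         # unsolicited traffic is dropped


def expressible(rules) -> bool:
    """A rule without a fixed port cannot be written: when no listener port is
    configured, the server picks an ephemeral port that changes on restart."""
    return all(r.dport is not None for r in rules)


def xio_rules():
    """CL1 / CL2: only the client may open connections; XIO has no separate SSL port."""
    return [Rule(CLIENT, SERVER, LISTENER_PORT)]


def orb_rules(ssl=False):
    """CL3 / CL4 / CL5: both sides may open connections; with SSL, also on 37511."""
    ports = [LISTENER_PORT] + ([SSL_PORT] if ssl else [])
    return [Rule(a, b, p) for p in ports for a, b in ((CLIENT, SERVER), (SERVER, CLIENT))]


def scenario(rules, port=LISTENER_PORT):
    """Replay the flows the page describes and report which packets pass."""
    fw = StatefulFirewall(rules)
    return {
        # client opens a connection: ephemeral source port -> listener port
        "client_opens": fw.allow(Packet(CLIENT, SERVER, 49152, port, opens=True)),
        # server's reply rides the same connection
        "server_returns": fw.allow(Packet(SERVER, CLIENT, port, 49152)),
        # server tries to open its own connection to the client
        "server_opens": fw.allow(Packet(SERVER, CLIENT, 51000, port, opens=True)),
        # client's reply on that server-opened connection
        "client_returns": fw.allow(Packet(CLIENT, SERVER, port, 51000)),
        # server packet with no connection behind it at all
        "server_unsolicited": fw.allow(Packet(SERVER, CLIENT, 52000, port)),
    }


if __name__ == "__main__":
    for name, rules in (("XIO", xio_rules()), ("ORB", orb_rules())):
        print(name, scenario(rules))
    print("ORB+SSL on 37511", scenario(orb_rules(ssl=True), SSL_PORT))
    print("unconfigured listener expressible:", expressible([Rule(CLIENT, SERVER, None)]))
```

With XIO rules the server-opened connection and its reply are both dropped, which is what CL1 and CL2 mean by "only the client can initiate traffic"; with ORB rules both directions open, as CL3 describes. Opening to 37511 is admitted only when the ORB rules include the SSL port, matching the note that XIO carries SSL over the listener port and needs no separate rule.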