Planning for firewall traffic between container servers
You must plan for data grid traffic between a container server and another container server.
The examples illustrate where you must allow communication between these servers. You should read the port properties and values that are defined in Planning for network ports.
- C1: Both sides can initiate traffic.
- If a High Availability (HA) manager port is not configured, an ephemeral port is chosen at startup. This port can vary each time that the server is restarted. In this example, the data grid servers have an HA manager port that is set to 37834. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37834, and return traffic from A.ContainerServer2 server flows over the same connection. Similarly, for traffic that is initiated by A.ContainerServer2 server, outbound traffic uses source port: ephemeral, destination port: 37834, and return traffic from A.ContainerServer1 server flows over the same connection.
- C2: Both sides can initiate traffic.
- If a listener port is not configured, an ephemeral port is chosen at startup and this port can vary each time that the server is restarted. In this example, the data grid servers have a listener port that is set to 2809. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.ContainerServer2 server flows over the same connection. Similarly, for traffic that is initiated by A.ContainerServer2 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.ContainerServer1 server flows over the same connection. Note: When a data grid server operates inside WebSphere Application Server and uses an Object Request Broker (ORB) transport protocol, another port ORB_LISTENER_ADDRESS must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
- C3: When either an IBM® eXtremeIO (XIO) or Object Request Broker (ORB) transport protocol is used, Secure Sockets Layer (SSL) is an optional configuration. If SSL is enabled, then both sides can initiate traffic.
- XIO does not use a separate port for SSL and sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: If an SSL port is not configured, an ephemeral port is chosen at startup and this port can vary each time that the server is restarted. In this example, the data grid servers have an SSL port that is set to 37511. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.ContainerServer2 server flows over the same connection. Similarly, for traffic that is initiated by A.ContainerServer2 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.ContainerServer1 server flows over the same connection.
- D1: Both sides can initiate traffic.
- If a listener port is not configured, an ephemeral port is chosen and this port can vary each time that the server is restarted. In this example, the data grid servers have a listener port that is set to 2809. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from B.ContainerServer1 server flows over the same connection. Similarly, for traffic that is initiated by B.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.ContainerServer1 server flows over the same connection. Note: When a data grid server operates inside WebSphere Application Server and uses an Object Request Broker (ORB) transport protocol, another port ORB_LISTENER_ADDRESS must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
- D2: When either an XIO or ORB transport protocol is used, SSL is an optional configuration. If SSL is enabled, then both sides can initiate traffic.
- XIO does not use a separate port for SSL but sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: If an SSL port is not configured, an ephemeral port is chosen at startup and this port can vary each time that the server is restarted. In this example, the data grid servers have an SSL port that is set to 37511. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from B.ContainerServer1 server flows over the same connection. Similarly, for traffic that is initiated by B.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.ContainerServer1 server flows over the same connection.
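The cases C1 to C3 and D1 to D2 above follow one pattern: each data grid port that is configured needs a firewall opening in both directions (either side can initiate; the source port is ephemeral and return traffic rides the established connection), an ORB transport adds a separate SSL port and, inside WebSphere Application Server, the ORB_LISTENER_ADDRESS port, while XIO sends SSL over the listener port it already uses. The script below, an added example that is not IBM's code, turns that pattern into a rule plan and flags the planning gap the page warns about: a port left unconfigured becomes an ephemeral port that may change on every restart, so no stable firewall rule can be written for it until a fixed port is set. The port numbers are the page's sample values (37834, 2809, 37511); the class and function names, the "C"/"D" case labels (the page lists the HA manager port only for the C cases) and the iptables rendering are this example's own assumptions.

```python
"""Derive container-to-container firewall openings from a port configuration.

Added example, not IBM documentation code. Port values default to the page's
sample values; None means "not configured", which the page says becomes an
ephemeral port chosen at startup.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ContainerServerPorts:
    transport: str                                  # "XIO" or "ORB"
    ssl_enabled: bool = False
    ha_manager_port: Optional[int] = 37834          # C1 sample value
    listener_port: Optional[int] = 2809             # C2 / D1 sample value
    ssl_port: Optional[int] = 37511                 # C3 / D2, ORB only
    inside_websphere: bool = False
    orb_listener_port: Optional[int] = None         # ORB_LISTENER_ADDRESS (value assumed unset)


@dataclass
class FirewallRule:
    name: str
    dst_port: int
    src_port: str = "ephemeral"   # never pin the source port
    bidirectional: bool = True    # both sides can initiate


@dataclass
class Plan:
    rules: List[FirewallRule] = field(default_factory=list)
    gaps: List[str] = field(default_factory=list)


def _require_port(plan: Plan, name: str, port: Optional[int]) -> None:
    """Add a rule for a configured port, or record why none can be written yet."""
    if port is None:
        plan.gaps.append(
            f"{name}: no port configured; an ephemeral port is chosen at startup "
            f"and can change on restart, so set a fixed port before writing the rule"
        )
    else:
        plan.rules.append(FirewallRule(name, port))


def plan_container_to_container(case: str, cfg: ContainerServerPorts) -> Plan:
    """case 'C' = A.ContainerServer1 <-> A.ContainerServer2, 'D' = A.ContainerServer1 <-> B.ContainerServer1."""
    transport = cfg.transport.upper()
    if transport not in ("XIO", "ORB"):
        raise ValueError(f"unknown transport {cfg.transport!r}")
    if case not in ("C", "D"):
        raise ValueError(f"unknown case {case!r}")
    plan = Plan()
    if case == "C":                                  # page lists the HA manager port only for C1
        _require_port(plan, "HA manager (C1)", cfg.ha_manager_port)
    _require_port(plan, "listener (C2/D1)", cfg.listener_port)
    if transport == "ORB" and cfg.inside_websphere:  # note under C2/D1
        _require_port(plan, "ORB_LISTENER_ADDRESS (C2/D1 note)", cfg.orb_listener_port)
    if cfg.ssl_enabled and transport == "ORB":       # XIO sends SSL over the listener port
        _require_port(plan, "ORB SSL (C3/D2)", cfg.ssl_port)
    return plan


def as_iptables(plan: Plan, peer_cidr: str) -> List[str]:
    """Render the plan as iptables commands (illustrative output, not executed here)."""
    lines = [
        # Return traffic for every rule below flows over the same connection.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in plan.rules:
        lines.append(f"iptables -A INPUT -p tcp -s {peer_cidr} --dport {r.dst_port} "
                     f"-m conntrack --ctstate NEW -j ACCEPT  # {r.name}, inbound-initiated")
        if r.bidirectional:
            lines.append(f"iptables -A OUTPUT -p tcp -d {peer_cidr} --dport {r.dst_port} "
                         f"-m conntrack --ctstate NEW -j ACCEPT  # {r.name}, outbound-initiated")
    return lines


if __name__ == "__main__":
    cfg = ContainerServerPorts(transport="ORB", ssl_enabled=True, inside_websphere=True)
    plan = plan_container_to_container("D", cfg)
    print("\n".join(as_iptables(plan, "192.0.2.0/24")))   # 192.0.2.0/24 is a constructed peer range
    for gap in plan.gaps:
        print("PLANNING GAP:", gap)
```

Running the script with an ORB server inside WebSphere Application Server and no ORB_LISTENER_ADDRESS configured prints rules for the listener and SSL ports and one planning gap; switching the transport to XIO drops the SSL rule entirely, because the page states that XIO carries SSL over the listener port.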