Planning for firewall traffic between container servers

You must plan for data grid traffic between a container server and another container server.

The examples illustrate where you must allow communication between these servers. You should read the port properties and values that are defined in Planning for network ports.
Figure 1. Intra-domain traffic between container servers. Communication between these servers must be allowed through any firewall.
Figure 2. Inter-domain traffic between container servers. If more domains are configured, then both inter-domain and intra-domain container service traffic must be allowed through any firewall.
C1: Both sides can initiate traffic.
If a High Availability (HA) manager port is not configured, an ephemeral port is chosen at startup, and this port can vary each time that the server is restarted. A firewall rule cannot be written for a port that changes, so configure the port explicitly when a firewall sits between the servers. In this example, the data grid servers have an HA manager port that is set to 37834. For traffic that is initiated by the A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37834, and return traffic from the A.ContainerServer2 server flows over the same connection. Similarly, for traffic that is initiated by the A.ContainerServer2 server, outbound traffic uses source port: ephemeral, destination port: 37834, and return traffic from the A.ContainerServer1 server flows over the same connection.
C2: Both sides can initiate traffic.
If a listener port is not configured, an ephemeral port is chosen at startup and this port can vary each time that the server is restarted. In this example, the data grid servers have a listener port that is set to 2809. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.ContainerServer2 server flows over the same connection. Similarly, for traffic that is initiated by A.ContainerServer2 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.ContainerServer1 server flows over the same connection.
Note: When a data grid server operates inside WebSphere Application Server and uses an Object Request Broker (ORB) transport protocol, another port, ORB_LISTENER_ADDRESS, must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
C3: When either an IBM® eXtremeIO (XIO) or Object Request Broker (ORB) transport protocol is used, Secure Socket Layer (SSL) is an optional configuration. If SSL is enabled, then both sides can initiate traffic.
XIO does not use a separate port for SSL and sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: If an SSL port is not configured, an ephemeral port is chosen at startup and this port can vary each time that the server is restarted. In this example, the data grid servers have an SSL port that is set to 37511. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.ContainerServer2 server flows over the same connection. Similarly, for traffic that is initiated by A.ContainerServer2 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.ContainerServer1 server flows over the same connection.
D1: Both sides can initiate traffic.
If a listener port is not configured, an ephemeral port is chosen and this port can vary each time that the server is restarted. In this example, the data grid servers have a listener port that is set to 2809. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from B.ContainerServer1 server flows over the same connection. Similarly, for traffic that is initiated by B.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 2809, and return traffic from A.ContainerServer1 server flows over the same connection.
Note: When a data grid server operates inside WebSphere Application Server and uses an Object Request Broker (ORB) transport protocol, another port, ORB_LISTENER_ADDRESS, must also be opened. The BOOTSTRAP_ADDRESS port forwards requests to this port.
D2: When either an XIO or ORB transport protocol is used, SSL is an optional configuration. If SSL is enabled, then both sides can initiate traffic.
XIO does not use a separate port for SSL but sends SSL traffic over the listener port. The following applies only when an ORB transport protocol is used: If an SSL port is not configured, an ephemeral port is chosen at startup and this port can vary each time that the server is restarted. In this example, the data grid servers have an SSL port that is set to 37511. For traffic that is initiated by A.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from B.ContainerServer1 flows over the same connection. Similarly, for traffic that is initiated by B.ContainerServer1 server, outbound traffic uses source port: ephemeral, destination port: 37511, and return traffic from A.ContainerServer1 server flows over the same connection.
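As an added example that is not part of the IBM documentation, the following Python derives the firewall allow rules that the C1 to D2 descriptions above imply for a set of container servers (HA manager traffic only within a domain, listener traffic in both cases, a separate SSL port only for ORB, ORB_LISTENER_ADDRESS only for ORB inside WebSphere Application Server) and flags any port left at its ephemeral default, which a firewall rule cannot pin. The server class, its field names and the one-rule-per-ordered-pair layout are assumptions of the example; the page gives no value for ORB_LISTENER_ADDRESS, so it is left unset to show the warning.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ContainerServer:
    name: str                     # "A.ContainerServer1": the domain is the prefix before "."
    transport: str                # "XIO" or "ORB"
    ssl: bool = False
    in_was: bool = False          # runs inside WebSphere Application Server
    ha_manager_port: Optional[int] = None    # C1; None means ephemeral (varies per restart)
    listener_port: Optional[int] = None      # C2 / D1; None means ephemeral
    ssl_port: Optional[int] = None           # C3 / D2, ORB only; None means ephemeral
    orb_listener_port: Optional[int] = None  # ORB_LISTENER_ADDRESS, ORB inside WAS only

    @property
    def domain(self) -> str:
        return self.name.split(".", 1)[0]

def inbound_ports(dst: ContainerServer, src: ContainerServer):
    """Destination ports a firewall must allow from src to dst, plus warnings for
    ports that are unpinned (ephemeral) and so cannot be expressed as a rule.
    Return traffic uses the same connection, so a stateful firewall needs no extra rule."""
    wanted = [("listener", dst.listener_port)]                  # C2 / D1
    if dst.domain == src.domain:                                # C1 appears only intra-domain
        wanted.append(("HA manager", dst.ha_manager_port))
    if dst.ssl and dst.transport == "ORB":                      # C3 / D2: XIO reuses the listener port
        wanted.append(("SSL", dst.ssl_port))
    if dst.transport == "ORB" and dst.in_was:                   # BOOTSTRAP_ADDRESS forwards here
        wanted.append(("ORB_LISTENER_ADDRESS", dst.orb_listener_port))
    ports = {port: label for label, port in wanted if port is not None}
    warnings = [f"{dst.name}: {label} port is ephemeral; configure it so the rule can be pinned"
                for label, port in wanted if port is None]
    return ports, warnings

def firewall_rules(servers):
    """Both sides can initiate, so emit one allow rule per ordered (src, dst) pair and port."""
    rules, warnings = [], []
    for src in servers:
        for dst in servers:
            if src is dst:
                continue
            ports, warns = inbound_ports(dst, src)
            rules += [(src.name, dst.name, port, label) for port, label in sorted(ports.items())]
            warnings += warns
    return rules, sorted(set(warnings))

if __name__ == "__main__":
    # Constructed topology matching the figures: two XIO servers in domain A, one ORB server in domain B.
    a1 = ContainerServer("A.ContainerServer1", "XIO", ssl=True, ha_manager_port=37834, listener_port=2809)
    a2 = ContainerServer("A.ContainerServer2", "XIO", ssl=True, ha_manager_port=37834, listener_port=2809)
    b1 = ContainerServer("B.ContainerServer1", "ORB", ssl=True, in_was=True, listener_port=2809, ssl_port=37511)
    for rule in firewall_rules([a1, a2, b1])[0]:
        print("allow %s -> %s dport %d (%s)" % rule)
```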