Firewalls – Ports – TCP/IP
Three words that strike fear into most IBM i programmers.
General use: green-screen emulator, FTP, file sharing, etc.
On IBM i, most of the host servers can be configured for SSL/TLS by using the Digital Certificate Manager (DCM) to assign a certificate to that individual server.
Once the assignment is made, that host server starts listening on an additional, encrypted port alongside the cleartext port it was already listening on; the cleartext port does not go away. A common way of forcing remote clients onto encrypted sessions is therefore to allow only the encrypted ports through the firewall. Be clear about what that does and does not achieve: it covers clients on the far side of the firewall, but anything on the same network segment as the IBM i can still connect to the cleartext ports, so treat the firewall rule as a perimeter control rather than as proof that no unencrypted sessions exist.
| Server | Service name | Port (TLS port) | Description |
| --- | --- | --- | --- |
| Port Mapper | as-svrmap | 449 | Returns the port number for the requested host server. |
| Sign-on | as-signon | 8476 (9476) | Used for every iSeries Access connection to authenticate users and to change passwords. Also used to retrieve Application Administration settings. |
| Central | as-central | 8470 (9470) | Used when an iSeries Access license is required; also used for downloading conversion tables. |
| Data Queue | as-dtaq | 8472 (9472) | Access to iSeries data queues, used for passing data between applications. |
| Database | as-database | 8471 (9471) | Access to the OS/400 database. |
| Remote Command | as-rmtcmd | 8475 (9475) | Sending commands from a PC to an iSeries and making program calls. |
| File (IFS access) | as-file | 8473 (9473) | Access to any part of the OS/400 file system. |
| Printers | as-netprt | 8474 (9474) | Access to printers known to OS/400. |
| Web Admin (IBM Navigator for i) | as-admin | 2004 (2005) | Access to web applications served by the iSeries. |
| Web Admin (ACS web servers) | | 2001 (2010) | Web administration for web servers. |
| DDM | DDM/DRDA | 446 (448) | Access to data via DRDA; also used for record-level access. |
| Telnet | telnet | 23 (992) | 5250 emulation. |
| NetServer | netbios | 137, 138, 139, 8474 | Access to the OS/400 Integrated File System (IFS) from Windows PCs. |
| USF | | 8480 | USF (Ultimedia) is used for multimedia data. (This server is being removed in a future release.) |
| LDAP | | 389 (636) | Network directory service. |
| Management Central | | 5555, 5544, 5577 (5566) | Managing multiple iSeries servers in a network. |
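As an added example (not code from the original page), the following Python script checks the "encrypted ports only" policy described above from the client side of the firewall: for each host server in the table it probes both the cleartext and the TLS port, reports any cleartext port that is still reachable and any TLS port that is not, and can additionally complete a verified TLS handshake against the DCM certificate. The server and port pairs are the table's; the target host name, the probing logic and the wording of the findings are this example's own assumptions. The port mapper (449) is treated as cleartext-only because the table gives it no TLS port; if you block it at the firewall, clients have to be configured with the port numbers directly instead of asking the port mapper.

```python
"""Firewall check for IBM i host-server ports (added example, not from the page).

For every host server it probes the cleartext port and the TLS port from the
table above and reports the cases that violate an "encrypted ports only"
firewall policy. Run it from a machine on the client side of the firewall.
"""
import socket
import ssl
import sys

# Cleartext and TLS port pairs, as listed in the table above.
HOST_SERVERS = {
    "as-signon":   (8476, 9476),
    "as-central":  (8470, 9470),
    "as-dtaq":     (8472, 9472),
    "as-database": (8471, 9471),
    "as-rmtcmd":   (8475, 9475),
    "as-file":     (8473, 9473),
    "as-netprt":   (8474, 9474),
    "DDM/DRDA":    (446, 448),
    "telnet":      (23, 992),
}
# Servers the table lists without a TLS port.
CLEARTEXT_ONLY = {"as-svrmap": 449}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_peer_cn(host, port, timeout=3.0):
    """Complete a verified TLS handshake and return the certificate CN, or None.

    Verification is deliberately left on: an untrusted or expired DCM
    certificate is a finding in itself, not noise to suppress.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit(host, servers=HOST_SERVERS, cleartext_only=CLEARTEXT_ONLY,
          probe=tcp_open, tls_check=None):
    """Return a list of policy findings (strings) for `host`.

    `probe(host, port) -> bool` and `tls_check(host, port) -> str | None` are
    injectable so the logic can be exercised against recorded results without
    a live IBM i; by default `probe` is tcp_open and no handshake is done.
    """
    findings = []
    for name, (plain, tls) in servers.items():
        if probe(host, plain):
            findings.append(f"{name}: cleartext port {plain} reachable through the firewall")
        if not probe(host, tls):
            findings.append(f"{name}: TLS port {tls} not reachable (no encrypted path)")
        elif tls_check is not None and tls_check(host, tls) is None:
            findings.append(f"{name}: TLS port {tls} open but handshake/verification failed")
    for name, port in cleartext_only.items():
        if probe(host, port):
            findings.append(f"{name}: cleartext-only port {port} reachable through the firewall")
    return findings


if __name__ == "__main__":
    # Hypothetical target; pass the real host name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ibmi.example.internal"
    for line in audit(target, tls_check=tls_peer_cn) or ["no findings: only TLS ports are reachable"]:
        print(line)
```

Run it once from outside the firewall and once from the IBM i's own subnet: the second run is expected to list every cleartext port as reachable, which is exactly the gap the firewall rule leaves open.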
Ports that may need to be opened on a firewall to print using a Remote Output Queue or a *LAN printer device description:
- 161 for any *LAN 3812 SNMP printer device description
- 9100 for *LAN 3812 PJL or *LAN 3812 SNMP printer device descriptions to most ASCII laser printers including those from IBM, InfoPrint Solutions Company, HP, Lexmark, and Ricoh
- 9100, 9101, and 9102 for *LAN 3812 PJL or *LAN 3812 SNMP printer device descriptions to printers using an external, multi-port HP JetDirect or Lexmark MarkNet print server
- 2501 for *LAN 3812 PJL or *LAN 3812 SNMP printer device descriptions to older IBM Network Printer or IBM Infoprint printers
- 5001, 9100, and 9600 for *LAN IPDS printer device descriptions to most IPDS-capable laser printers including those from IBM, InfoPrint Solutions Company, Lexmark and others
- 631 or 6310 for *LAN 3812 IPPP printer device descriptions to most ASCII laser printers that support the Internet Print Protocol (IPP) and that will print using a *LAN 3812 IPP DEVD
Remote output queues use source ports 256 through 1024 on OS/400 or i5/OS and always use destination port 515 (LPD) on the printer or print server.
*LAN device descriptions use source ports 5000 through 65000 on OS/400 or i5/OS; the destination port depends on the printer hardware and is always the value of the Port number (PORT) parameter in the printer device description, so DSPDEVD DEVD(printer-name) is the place to confirm it before writing the firewall rule.
The most common destination ports are 2501, 5001, 9100, 9101, 9102 and 9600, but some printers use other ports. Port 161 must be opened on the firewall if any printer is configured as a *LAN 3812 SNMP device description, and ports 631 and 6310 if any printer is configured as a *LAN 3812 IPPP device description.
IBM i Access Client
Ports on the PC side that IBM i Access for Windows components may need for incoming connections, outgoing connections, or both:
| # | Port | Protocol | Description |
| --- | --- | --- | --- |
| 1 | 512 | TCP | Well-known port for the TCP "exec" service. Any remote machine running the "rexec" client or a compatible program might attempt to connect to this port if it is open. rexec carries credentials in cleartext, so leave it closed unless incoming remote command is actually in use. |
| 2 | 67 | UDP | Well-known port for the "bootp" service (bootps); receives connections from remote System i servers. |
| 3 | 2112 | TCP | Used for communication within the PC; it must therefore accept connection requests only from address 127.0.0.1 (loopback). |
| 4 | "any" | N/A | Used only when an LCS accepts connections from an RCS. The listening port on the LCS can be any port in the range 1025 to 5000, so do not set up PORT exceptions for this case; set up an APPLICATION exception for cwbopcon.exe instead. That exception also covers the entries above, so they are not required separately. |
The mandatory ports for RDi are 8470, 8475, 8476, 446 and 449.
Optional ports, for debug, IFS access and so on: 8473, 8472, 4300 and 3825.