Any network that is connected to the Internet is usually protected by some form of firewall, often in conjunction with different kinds of "demilitarized zones" and other security measures. If there is a desire to install the components of LISTSERV® Maestro behind a firewall, or in different protection zones so that some are behind and others are in front of the firewall, it is necessary to take into account the communication channels between the separate components.
Communication happens exclusively via ports (see Section 10, Using Non-Standard Ports, for more information). If the components are installed behind, in front of, or around a firewall, the firewall needs to be configured to let communication through on certain ports between certain servers. Figure 17 shows the LISTSERV® Maestro components and all other players (the Maestro Administrator, the Maestro User, and the Internet, which stands for the set of messages sent to recipients) and their interconnections.
At each communication line, a labeled arrow illustrates the direction of the communication between the two components and the port used for this communication. The communication can go in either one direction or both directions. If the communication goes in both directions, then an open port is required on both sides. The port label definitions are:
HTTP-Port - Used for standard HTTP access, via a web-browser. This is also used to transfer the tracking events from the Internet (from the e-mail messages that were sent) to the Maestro Tracker component. The standard HTTP-Port is 80.
If HTTPS access to the Administration Hub and/or the Maestro User Interface component is being used, then the HTTP-Port from the Maestro Administrator to the Administration Hub and/or the HTTP-Port from the Maestro User to the Maestro User Interface should be substituted with the HTTPS-Port, for which the standard is 447. (This does not apply to the HTTP-Port between the Internet and Maestro Tracker, which can never be replaced by the HTTPS-Port.)
SMTP-Port - Used for standard SMTP communication, during the sending and receiving of e-mail. The standard SMTP-Port is 25.
Internal Communication-Port - Used for communication between the separate LISTSERV® Maestro components and the Administration Hub. The standard Internal Communication-Port is 1099.
Event-Notification-Port - Used by the Maestro Tracker component to transfer tracking events to the Maestro User Interface component (for analysis). The standard Event-Notification-Port is 7000.
LISTSERV-Port - Used by the Maestro User Interface component to access the external LISTSERV component. The standard LISTSERV-Port is 2306.
Database-Port - Used by the Maestro User Interface component to access the external database component. The standard Database-Port depends on the database used. (See Section 10 Using Non-Standard Ports for more information on using non-standard ports).
All the components shown in the figure (except for the "Internet", "Maestro Admin" and "Maestro User") may reside on a single server or may be distributed over different servers, up to the maximum distribution of a dedicated server for each of the components shown.
Whenever two components are installed on the same server, a firewall will not stop the communication between the two (unless the firewall is installed on that same server and closes the ports the components use to communicate). However, if some components are installed on separate servers, a firewall may sit between the two. Most commonly, a firewall separates the "Internet" from the other components. The other components may also be installed in a way that puts a firewall between them.
Imagine the firewall as sitting "on top" of the connection between two components.
If that is the case, then the firewall must be configured so that it lets communication through between the two components, as specified by the arrow(s) associated with the connection the firewall guards. The direction of the arrow shows the direction the port should be opened, and the label of the arrow defines which port needs to be open.
For most components, the safest method will be to open the firewall for only the required port(s), in the required direction(s), and between the IP-addresses of the servers where the components reside.
For example, if there is a firewall between the Maestro Tracker and the Maestro User Interface component, open the "Event-Notification-Port" only in the direction from the Maestro Tracker host to the Maestro User Interface host, and the "Internal Communication-Port" only in the direction from the Maestro User Interface host to the Maestro Tracker host, and both only for the two involved IP addresses. As a result, only the Maestro Tracker host will be allowed to make a connection over the "Event-Notification-Port" and only the Maestro User Interface host will be allowed to make a connection over the "Internal Communication-Port"; no other host will be allowed.
There are some exceptions:
If there is a firewall that separates the Internet from the other components (as is advisable), open the HTTP and SMTP ports from the Internet to the respective components as shown in the diagram, and open them for all incoming IP-addresses, not just for a specific one. Also, it is necessary to open the SMTP port for outgoing communication originating from the LISTSERV® and LSMTP® servers.
Similarly, if there is a firewall separating the Internet from the other components as described above, and both the Maestro Administrator and the Maestro User need to be able to connect to LISTSERV® Maestro from the Internet as well as from the local intranet behind the firewall, then the HTTP port to the Administration Hub and Maestro User Interface components must also be opened for all incoming IP-addresses. In this case, LISTSERV® Maestro's own login security is relied upon to deny unauthorized access to these components.
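The rules above (open only the required port, in the required direction, between the two involved IP addresses; skip connections between components on the same server; open the Internet-facing HTTP and SMTP ports for all source addresses) can be derived mechanically from a component-to-host placement. The following is an added example and not part of the manual or of LISTSERV® Maestro itself; the connection table is constructed from the port descriptions in the text rather than read from Figure 17, the Database-Port is omitted because its number depends on the database, and the host addresses are made up.

```python
from dataclasses import dataclass

# Standard port numbers as given in the port label definitions above.
PORTS = {
    "HTTP-Port": 80,
    "SMTP-Port": 25,
    "Internal Communication-Port": 1099,
    "Event-Notification-Port": 7000,
    "LISTSERV-Port": 2306,
}

# (initiating component, receiving component, port label), constructed from the
# connections the text describes; "Internet" stands for any external address.
CONNECTIONS = [
    ("Maestro Tracker", "Maestro User Interface", "Event-Notification-Port"),
    ("Maestro User Interface", "Maestro Tracker", "Internal Communication-Port"),
    ("Maestro User Interface", "LISTSERV", "LISTSERV-Port"),
    ("Internet", "Maestro Tracker", "HTTP-Port"),
    ("Internet", "LISTSERV", "SMTP-Port"),
    ("LISTSERV", "Internet", "SMTP-Port"),
]


@dataclass(frozen=True)
class Rule:
    src: str   # source IP address, or "any" for the Internet
    dst: str   # destination IP address, or "any" for the Internet
    port: int


def required_rules(placement):
    """placement maps component name -> host IP (made-up addresses in the test).
    Connections between components on the same host need no firewall rule."""
    rules = set()
    for src, dst, label in CONNECTIONS:
        src_ip = "any" if src == "Internet" else placement[src]
        dst_ip = "any" if dst == "Internet" else placement[dst]
        if src_ip == dst_ip:
            continue  # same server: no firewall sits between the two components
        rules.add(Rule(src_ip, dst_ip, PORTS[label]))
    return sorted(rules, key=lambda r: (r.dst, r.port, r.src))


def to_iptables(rules, chain="FORWARD"):
    """Render the rules as iptables commands: allow replies to accepted
    connections, accept exactly the listed (src, dst, port) triples, deny the rest."""
    cmds = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        parts = ["iptables", "-A", chain, "-p", "tcp"]
        if r.src != "any":
            parts += ["-s", r.src]
        if r.dst != "any":
            parts += ["-d", r.dst]
        parts += ["--dport", str(r.port), "-j", "ACCEPT"]
        cmds.append(" ".join(parts))
    cmds.append(f"iptables -P {chain} DROP")
    return cmds
```

Running `to_iptables(required_rules(placement))` for a placement with the Maestro User Interface and LISTSERV on one host and the Maestro Tracker on another yields no rule for the LISTSERV-Port (same server) and one rule per remaining arrow, with the Internet-facing HTTP and SMTP rules carrying no `-s` restriction.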
Opening the Application Server Shutdown Port (default 8007) on a firewall between servers is not a concern, as this port is only ever used locally for communication between two processes on the same server. If there is a firewall on the server itself, this port might also have to be opened. Simply check whether the "L-Soft Tomcat" server still reacts to the "Stop" command; if not, then the port needs to be opened.