Any network that is connected to the Internet is usually protected by some form of firewall, often in conjunction with different kinds of “demilitarized zones” and other security measures. If there is a desire to install the components of LISTSERV® Maestro behind a firewall, or in different protection zones so that some are behind and others are in front of the firewall, it is necessary to take into account the communication channels between the separate components.
Communication happens exclusively via ports (see Section 10, Using Non-Standard Ports, for more information). If the components are installed behind, in front of, or around a firewall, the firewall needs to be configured to let communication through on certain ports between certain servers. Figure 30 shows the LISTSERV Maestro components and all other players (the Maestro Administrator, the Maestro User, and the Internet, which stands for the set of messages sent to recipients) and their interconnections.
At each communication line, a labeled arrow illustrates the direction of the communication between the two components, and the port used for this communication. The communication can either go in one direction or both directions. However, if the communication goes in both directions, then an open port is required on both sides. The port label definitions are:
Figure 30 Component Communication Pathways
All the components shown in the figure (except for the “Internet”, “Maestro Admin”, and “Maestro User”) may reside on a single server or may be distributed over different servers, up to the maximum distribution of a dedicated server for each of the components shown.
When two components are installed on the same server, a firewall will not stop the communication between the two (unless the firewall is installed on that same server and closes the ports the components use to communicate). However, if some components are installed on separate servers, a firewall may sit between them. Most commonly a firewall will separate the “Internet” from the other components. The other components may also be installed in a way that has a firewall between them.
Imagine the firewall as sitting “on top” of the connection between two components. If that is the case, then the firewall must be configured so that it allows communication between the two components, as specified by the arrow(s) associated with the connection the firewall guards. The direction of the arrow shows the direction the port should be opened, and the label of the arrow defines which port needs to be open.
For most components, the safest method will be to open the firewall for only the required port(s) in the required direction(s), and between the IP addresses of the servers where the components reside.
For example, if there is a firewall between the Maestro Tracker and the Maestro User Interface component, open the "Communications Port" and the "Internal Communications Port" only in the direction from the Maestro User Interface host to the Maestro Tracker host. Open both ports only for the IP addresses of the two hosts involved. This limits the possible damage in the case of an unauthorized person gaining access to one of the component servers.
There are some exceptions:
Allowing the Application Server Shutdown Port (default 8007) through a firewall between servers is not a concern, as this port is only ever used locally for communication between two processes on the same server. If there is a firewall on the server itself, this port might also have to be opened there. Simply check whether the "L-Soft Tomcat" server still reacts to the "Stop" command; if not, then the port needs to be opened.
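The least-privilege rule for the Tracker/User Interface connection and the shutdown-port exception, as an added example that is not part of the LISTSERV Maestro documentation or product: a small Python model of the policy that answers whether a new connection would be permitted, and renders the same rules as iptables commands for a host-based firewall on the Tracker host. The host addresses and the numbers for the Communications Port and Internal Communications Port are placeholders chosen for the example; only the Application Server Shutdown Port default of 8007 comes from the text.

```python
# Added example: a model of the least-privilege firewall policy described
# above. It is not LISTSERV Maestro code. Host addresses and the two
# communication port numbers are placeholders; only the Application Server
# Shutdown Port default (8007) is taken from the text.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UI_HOST = "10.0.1.10"       # assumed address of the Maestro User Interface host
TRACKER_HOST = "10.0.1.20"  # assumed address of the Maestro Tracker host
LOOPBACK = "127.0.0.0/8"    # two processes on the same server talk over loopback

PORTS = {
    "Communications Port": 11000,              # placeholder, not a product default
    "Internal Communications Port": 11001,     # placeholder, not a product default
    "Application Server Shutdown Port": 8007,  # default stated in the text
}


@dataclass(frozen=True)
class AllowRule:
    """One arrow from the figure: new connections from src to dst:port."""
    label: str
    src: str   # source network in CIDR notation
    dst: str   # destination network in CIDR notation
    port: int


def least_privilege_rules():
    """Rules for the example in the text: only the User Interface host may
    open the two named ports on the Tracker host, and the shutdown port is
    reachable from the local machine only. Everything else is denied."""
    ui, tracker = f"{UI_HOST}/32", f"{TRACKER_HOST}/32"
    return [
        AllowRule("Communications Port", ui, tracker,
                  PORTS["Communications Port"]),
        AllowRule("Internal Communications Port", ui, tracker,
                  PORTS["Internal Communications Port"]),
        AllowRule("Application Server Shutdown Port", LOOPBACK, LOOPBACK,
                  PORTS["Application Server Shutdown Port"]),
    ]


def is_allowed(rules, src, dst, port):
    """True if a NEW TCP connection src -> dst:port matches an allow rule.
    Direction matters: the UI -> Tracker rule does not permit Tracker -> UI;
    that would need its own arrow, and so its own open port on the UI host."""
    s, d = ip_address(src), ip_address(dst)
    return any(r.port == port and s in ip_network(r.src) and d in ip_network(r.dst)
               for r in rules)


def to_iptables(rules):
    """Render the rules as iptables commands for a host-based firewall:
    default-deny INPUT, accept replies on already established connections
    (so one-directional arrows need no port opened on the other side), then
    one ACCEPT per arrow scoped to source, destination and port."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        lines.append(
            f"iptables -A INPUT -p tcp -s {r.src} -d {r.dst} --dport {r.port} "
            f"-m conntrack --ctstate NEW -m comment --comment \"{r.label}\" -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    rules = least_privilege_rules()
    print("\n".join(to_iptables(rules)))
    # The reverse direction is blocked until a second, explicit rule exists.
    print(is_allowed(rules, TRACKER_HOST, UI_HOST, PORTS["Communications Port"]))
```

The generated command list is a starting point for a host firewall on the Tracker host; a network firewall between the two servers would carry the same three tuples (source, destination, port) in its own syntax. The `is_allowed` check is the useful part when reviewing a policy: it makes explicit that a rule opened "from UI to Tracker" says nothing about Tracker-initiated connections, and that the shutdown port stays unreachable from any other host.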