Any network that is connected to the Internet is usually protected by some form of firewall, often in conjunction with different kinds of “demilitarized zones” and other security measures. If there is a desire to install the components of LISTSERV Maestro behind a firewall, or in different protection zones so that some are behind and others are in front of the firewall, it is necessary to take into account the communication channels between the separate components.
Communication occurs exclusively using TCP ports (see the Section 14 Using Non-Standard Ports for more information). If the components are installed behind, in front of, or on both sides of a firewall, then the firewall needs to be configured to let communication through on certain ports between certain servers. Figure 57 shows LISTSERV Maestro components and all other players (the Maestro Administrator, the Maestro User, and the Internet, which represents the messages recipients) and their interconnections.
At each communication line, a labeled arrow illustrates the direction of the communication between the two components, and the port used for this communication. The communication can go in one direction or both directions. However, if the communication goes in both directions, then an open port is required on both sides.
The port label definitions are:
· HTTP Port – Used for standard HTTP access, using a web browser. This is also used to transfer the tracking events from the Internet (from the email messages that were sent) to the Maestro Tracker component. The standard HTTP Port is 80.
· If HTTPS access to the Administration Hub and/or the Maestro User Interface component is being used, then the HTTP Port from the Maestro Administrator to the Administration Hub and/or the HTTP Port from the Maestro User to the Maestro User Interface should be substituted with the HTTPS Port, for which the standard is 443. (This does not apply for the HTTP Port between the Internet and Maestro Tracker, which can never be replaced by the HTTPS Port).
· SMTP Port – Used for standard SMTP communication, during the sending and receiving of email. The standard SMTP Port is 25.
· Internal Communication Port – Used for communication between the separate LISTSERV Maestro components and the Administration Hub. The standard Internal Communication Port is 1099.
· Communications Port – Used for special communication between the Maestro User Interface and the Maestro Tracker component to transfer tracking events to the Maestro User Interface component (for reports). The standard Communication Port is 7000.
· LISTSERV Port – Used by the Maestro User Interface component to access the external LISTSERV component. The standard LISTSERV Port is 2306.
· Database Port – Used by the Maestro User Interface component to access the external database component. The standard Database Port depends on the database used.
All the components shown in the figure (except for the Internet, LISTSERV Maestro Administrator, and LISTSERV Maestro User) may reside on a single server or may be distributed over different servers, up to the maximum distribution of a dedicated server for each of the components shown (or multiple servers in the cases of LISTSERV and SMTP).
When two components are installed on the same server, a firewall will not stop the communication between the two (except if the firewall is installed on the same server, where the firewall may close the ports the components use to communicate). However, if some components are installed on separate servers, a firewall may sit between the two. Most commonly, a firewall will separate the Internet from the other components. The other components may also be installed in a way that has a firewall between them.
Imagine the firewall as sitting “on top” of the connection between two components.
If that is the case, then the firewall must be configured so that it allows communication between the two components, as specified by the arrow(s) associated with the connection the firewall guards. The direction of the arrow shows the direction the port should be opened, and the label of the arrow defines which port needs to be open.
For most components, the safest method will be to open the firewall for only the required port(s) in the required direction(s), and between the IP addresses of the servers where the components reside.
For example, if there is a firewall between the Maestro Tracker and the Maestro User Interface component, open the Communications Port and the Internal Communications Port only in the direction from the Maestro User Interface host to the Maestro Tracker host. Open both ports only for the IP address involved. This limits the possible security breaches in the case of an unauthorized person gaining access to one of the component servers.
There are some exceptions:
· If there is a firewall that separates the Internet from the other components (as is advisable), open the HTTP and SMTP ports from the Internet to the respective components as shown in the diagram, and open them for all incoming IP addresses, not just for a specific one. In addition, it is necessary to open the SMTP port for outgoing communication originating from the LISTSERV and SMTP servers.
· Similarly, if there is a firewall separating the Internet from the other components as described above, and both the Maestro Administrator and the Maestro User need to be able to connect to LISTSERV Maestro from the Internet as well as the local intranet behind the firewall, then the HTTP port to the Administration Hub and Maestro User Interface components for all incoming IP-addresses must also open. In this case, LISTSERV Maestro’s login security will be relied upon to disallow unauthorized access to these components.
Allowing the Application Server Shutdown Port, (default 8007) access through the firewall is not a concern, as this port is only ever used locally for communication between two processes on the same server. If there is a firewall on the server itself, this port might also have to be opened. Simply check if the L-Soft Tomcat server still reacts to the Stop command. If not, then the port needs to be opened.