× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2004

Re: Firewall and SSL blues

> I can use TN5250 with SSL internally, but I can't seem to connect outside
> the firewall.  I opened port 992 TCP inbound, and 992 UDP send receive.  I
> have to "Publish" the internal address with an inbound connection from the
> external address to the internal address on 992 TCP as well.

No need to open up UDP, the TN5250e protocol does not use it.


> The TN5250 client connects but I never get a sign on screen...just a
> "Connection to the AS/400 has been lost message".  I know I have seen this
> and fixed it before, but, what the heck was it?  Advancing years making it
> tough...

Could be anything with a message like that...

First of all, what software are you using?   Client Access requires some
additional ports, if I remember correctly.   RUMBA 7.0 will give a
"connection timed out" response even when the problem is with it not
trusting the certificate.   The open-source TN5250 will say "cannot open
stream" (or similar) but will give lots of diagnostic info if you create a
trace file.  Mocha's client does not validate the certificates at all, and
so if it fails you've probably got an error in the firewall config.

Second, do you know if the firewall configuration works?  Have you tested
that you're actually able to reach port 992?  If I use an ordinary telnet
client to connect to port 992, I can connect successfully.  I can't do
anything once I'm connected, but the connection works -- that would prove
that the firewall is letting you in.

Third, have you tried using some SSL tools to determine what's going on?
Personally, I like to use the openssl command-line tool.  I do something
like this:

openssl s_client -showcerts -connect as400.example.com:992

Assuming that you passed test #2 so that you can get through the firewall,
it'll tell you all sorts of information about the certificates presented
by the iSeries, and report any errors that might've occurred when
validating the certs.

OpenSSL is an open-source project that you can learn about on the Internet
here:
http://www.openssl.org

For the sake of convienience, I've got a copy of the OpenSSL command-line
tool that's pre-compiled for Windows on my web site here:

http://www.scottklement.com/tools/openssl.exe

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.