MIDRANGE dot COM Mailing List Archive




Re: ESA (Electronic Service Agent ports)




Thanks for the reply. The first file was much easier to read.

Ports 80 and 443 are open outbound through the firewall. And I forgot that
all ports are open outbound for the System i.

Doesn't explain what's going on with VFYSRVCFG though. Haven't had a
chance to look at that. We have a 3rd party for HW service (though we do
have SWMA with IBM). Wonder if that's it?



On Thu, Dec 5, 2013 at 12:06 PM, CRPence <CRPbottle@xxxxxxxxx> wrote:

On 04-Dec-2013 13:21 -0800, Jeff Crosby wrote:
<<SNIP>>

We have a new firewall and I began wondering what port(s) were used
for these. In this manual:

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzaji/rzaji.pdf

it says use VFYSRVCFG to check. That does not work for me. The job
message queue wraps. And wraps. And wraps.

Any errors logged? Perhaps a fast exception loop; the same message
repeatedly? No apparent matching error description there, but the
command name is listed in one of the PTFs of each list below, but that
is on C2115710:

<www.ibm.com/support/docview.wss?uid=nas10f566401d222c98a86257714007c5d80>
_i Recommended Fixes for Electronic Services for Release 7.1 i_

<www.ibm.com/support/docview.wss?uid=nas17b124b45e2a7eafb862577140079cc9a>
_i Recommended Fixes for ECS for Release 7.1 i_

So I found, in this same manual, that this file:

/qibm/userdata/os400/universalconnection/serviceProviderIBM.xml

contains the port. I found a line that says port 19285. Can anyone
confirm?

Supposedly the following document has the information that is quoted
in snippets beneath... but seems the IBM support portal or my access is
broken presently [that issue cleared up since last night], so I got a
cached copy; note that a slightly different file name is noted there,
than shown above:

www.ibm.com/support/docview.wss?uid=nas8N1018980
IBM i Electronic Service Agent
Software version: 5.3.0, 5.4.0, 6.1.0, 7.1.0
Reference #: N1018980 Modified date: 2013-07-26
Title: Electronic Service Agent (ESA) and Electronic Customer Support
(ECS) VPN and HTTP Firewall Settings
Technote (troubleshooting)
"Problem(Abstract)

This document provides information for properly setting the firewall to
allow Virtual Private Network (VPN) and HTTP ESA (IBM Electronic Service
Agent) and ECS connections.
...
_Determine the IBM Service Destination Addresses_
To find the exact IBM Service Destination addresses that might be used
for HTTP and HTTPs traffic, the service provider location definition
files can be browsed.

The files available for this on the system are located at:
WRKLNK '/qibm/userdata/os400/universalconnection'

Notes:

1. For each option, type WRKLNK, followed by the full path. This will go
directly to the noted file.
2. If using WRKLNK, taking Option 5 through the path and using F22 on
the file will show the full name.

Option 1:


'/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt'
Note: This file is written in a more readable format than the file noted
in Option 2.

This option is only available if a client installs PTFs SI34505 (V5R4)
or SI34552 (V6R1). These PTFs are noted as required, so all systems
should have this option.

+ Example

Option 2:


'/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.xml'

...
Complete example of WRKLNK

'/qibm/userdata/os400/universalconnection/serviceProviderIBMLocationDefinition.txt
file described above in Option 1, the following IP addresses can be
utilized for ECS and ESA functions:

Configuration Date: 2012-05-02

IP Address        TCP Port   Destination
----------        --------   -----------
198.74.67.240     19285      URSF_1
198.74.71.240     19285      URSF_2
170.225.15.41     443        Bulk_Data_1
192.109.81.20     443        Bulk_Data_2
129.42.160.48     80         Doc_Update_1
207.25.252.200    80         Doc_Update_2
170.225.15.107    80         Fix_Repository_1
...               ...        ...
207.25.252.197    443        Gateway_1
129.42.160.51     443        Gateway_2
207.25.252.197    443        Inventory_Report_1
129.42.160.51     443        Inventory_Report_2
129.42.26.224     443        Problem_Report_1
...               ...        ...
...
Attached document contains a List of IP addresses used by ECS/ESA for
ports 80 and 443, sorted by IP address.
Note: When using this option, all IP addresses must be allowed in the
site firewall rules, omitting any may cause connection attempts to fail.
_ECS IP Addresses for port 80 443.doc_
<http://www.ibm.com/support/docview.wss?uid=nas8N1018980&aid=5>

For information about VPN security, refer to the InfoCenter by release:
...
Electronic Service Agent (ESA) security information:
http://www.ibm.com/support/esa/security.htm
...
Note: If a Remote or Multi-hop or Multihop connection is being used
(RMTSYS) in CRTSRVCFG, port 1701 must be open for UDP communication
between the source and remote servers. If a HTTP proxy is being used,
the default port for *IBMSVR is port 5026
...
At R710, the Verify Service Configuration command has been enhanced to
do additional connection tests:
Document N1010854 , Verify Service Configuration Enhancements:
<http://www.ibm.com/support/docview.wss?uid=nas8N1010854>
Verify Service Configuration Enhancements

Historical Number: KB 419109186"


Before finding the above document, which may be what is required, I
was originally going to respond with the following:

The port configuration may depend on what was specified on the Change
Service Configuration (CHGSRVCFG) or the Create Service Configuration
(CRTSRVCFG) command? See the Proxy server (PROXY) parameter and the
Connection point proxy (CNNPNTPRX) for the "Port number" on each. The
default is the special value *IBMSVR, but a specific number can be
specified 1-65535.

*IBMSVR
The Service and Support proxy server will accept connections using
the default port.
1-65535
Specifies the port number on which the Service and Support proxy
server will accept connections.

--
Regards, Chuck
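
Added example, not part of the original thread or of IBM's technote: a Python sketch that parses the destination table quoted above and reports which entries a set of outbound TCP allow rules would not cover, since the technote says omitting any address may cause connections to fail. The function names and the sample firewall policy are constructed, and the whitespace-separated layout is assumed from the quoted excerpt only.

```python
import ipaddress

# Rows copied from the table quoted in the post; "..." marks rows elided there.
QUOTED_TABLE = """\
IP Address TCP Port Destination
198.74.67.240 19285 URSF_1
198.74.71.240 19285 URSF_2
170.225.15.41 443 Bulk_Data_1
192.109.81.20 443 Bulk_Data_2
129.42.160.48 80 Doc_Update_1
207.25.252.200 80 Doc_Update_2
170.225.15.107 80 Fix_Repository_1
... ... ...
207.25.252.197 443 Gateway_1
129.42.160.51 443 Gateway_2
207.25.252.197 443 Inventory_Report_1
129.42.160.51 443 Inventory_Report_2
129.42.26.224 443 Problem_Report_1
"""

def parse_destinations(text):
    """Return (IPv4Address, port, name) for each data row; skip headers and elisions."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        try:
            addr = ipaddress.IPv4Address(parts[0])
        except ValueError:
            continue  # first column is not an address
        rows.append((addr, int(parts[1]), parts[2]))
    return rows

def missing_rules(rows, allowed):
    """allowed: (cidr, port) outbound TCP allow rules; port None means any port."""
    nets = [(ipaddress.ip_network(cidr), port) for cidr, port in allowed]
    return [(str(addr), port, name) for addr, port, name in rows
            if not any(addr in net and p in (None, port) for net, p in nets)]

if __name__ == "__main__":
    # Constructed policy: only ports 80 and 443 allowed outbound to any address.
    policy = [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)]
    for ip, port, name in missing_rules(parse_destinations(QUOTED_TABLE), policy):
        print(f"no outbound allow rule for {name}: {ip} tcp/{port}")
```

The UDP port 1701 and proxy port 5026 cases mentioned in the technote are not in the table and are not checked by this sketch.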










This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact