


You could also open the SSH port and create a secure connection forwarding all the ports you need.

The "Other Way" is to perform some kind of call-back or "relay proxying", without opening ports, just allowing your IBM i to reach your home from behind the firewall.

Just put a small PC/Raspberry Pi/VM/Server with Linux at home and open one port on your home firewall, let's say port 443 pointing to this machine's port 22 (needs a public IP, at least a dynamic one with DynDNS).

Then you need to create private/public keys on your IBM i and copy the id_rsa.pub content to your server's authorized_keys file (Scott Klement's SSH guide will explain).

From your IBM i you will submit something like this:

QSH CMD('ssh -p 443 yoursshuser@xxxxxxxxxxxxxxxxxxxxx -R 2200:localhost:22')

This will "publish" the IBM i port 22 to your home server.

Next:

On your PC side with Windows, open CMD and run:

ssh yoursshuser@LocalServerIP -L 2200:localhost:2200

and finally:

ssh -p 2200 IBMiUserProfile@127.0.0.1 -D 8080 -L 23:localhost:23 -L 449:127.0.0.1:449 -L 8470:127.0.0.1:8470 -L 8471:127.0.0.1:8471 -L 8472:127.0.0.1:8472 -L 8473:127.0.0.1:8473 -L 8474:127.0.0.1:8474 -L 8475:127.0.0.1:8475 -L 8476:127.0.0.1:8476

Now you can point your ACS to Localhost (127.0.0.1) without opening ports on your firewall.

The private/public key avoids using user/password, which is more secure and can be submitted.

Regards

Diego E. KESSELMAN
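
The tunnel chain described above, as an added example that is not part of the original message: ssh's -R takes the port to open on the relay first and the destination as seen from the IBM i last, and the script checks that order before building loopback-only -L arguments for the ports in the final command. The function names and RELAY_HOST are placeholders chosen here; ports 2200 and 22 are the ones used in the message.

```shell
#!/bin/sh
# Added example (not from the thread): check the reverse-forward spec and build
# the -L list for the final hop. IPv6 bracketed addresses are not handled.
RELAY_PORT=2200   # loopback port on the home relay, as used in the message
IBMI_SSHD=22      # sshd port on the IBM i
# Ports forwarded in the final hop (5250 telnet plus the host servers)
ACS_PORTS="23 449 8470 8471 8472 8473 8474 8475 8476"

# "[bind:]listen:host:hostport" -> "bind listen host hostport".
# With no bind address ssh listens on loopback only (GatewayPorts defaults to no).
parse_forward() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    case $# in
        3) echo "localhost $1 $2 $3" ;;
        4) echo "$1 $2 $3 $4" ;;
        *) echo "bad forward spec" >&2; return 1 ;;
    esac
}

# For -R the first port is opened on the relay and the last is the destination
# reached from the IBM i side. Reject a swapped pair or a non-loopback listener.
check_reverse() {
    parsed=$(parse_forward "$1") || return 1
    set -- $parsed
    case $1 in
        localhost|127.0.0.1) ;;
        *) echo "relay listener not on loopback: $1" >&2; return 1 ;;
    esac
    [ "$2" -eq "$RELAY_PORT" ] || { echo "relay would listen on $2, not $RELAY_PORT" >&2; return 1; }
    [ "$4" -eq "$IBMI_SSHD" ] || { echo "target port $4 is not the IBM i sshd" >&2; return 1; }
}

# Emit -L arguments bound explicitly to 127.0.0.1 so the forwarded IBM i
# services are reachable only from the PC itself, not from the home LAN.
acs_forwards() {
    out=""
    for p in $ACS_PORTS; do
        out="$out -L 127.0.0.1:$p:127.0.0.1:$p"
    done
    echo "${out# }"
}

check_reverse "$RELAY_PORT:localhost:$IBMI_SSHD" &&
    echo "IBM i: ssh -p 443 yoursshuser@RELAY_HOST -R $RELAY_PORT:localhost:$IBMI_SSHD"
echo "PC:    ssh -p $RELAY_PORT IBMiUserProfile@127.0.0.1 $(acs_forwards)"
```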



On 20/04/20 at 17:15, Clay Carley wrote:
If the remote users are using VPN, why would you need to open any ports on the firewall? They would already have access to the internal LAN at that point anyway.

If you need to open ports, best case is each user at home has a static IP address so you can lock access down to those at least.

Clay Carley


On 2020-04-20 14:20, Steinmetz, Paul via MIDRANGE-L wrote:

We are now starting to allow users to WFH without using RDP, via VPN.
Many ports need to be enabled on the firewall for remote access.

I found the link below, not sure if this was a complete list.

TCP/IP Ports Required for IBM i Access and Related Functions

https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions

The following table lists the ports that IBM i Access and related functions use for communication with the IBM i OS System:

PC Function                           Server Name   Port Non-SSL    Port SSL
------------------------------------  ------------  --------------  -------------
Server Mapper                         as-svrmap     449             ---
License Management                    as-central    8470            9470
Database Access                       as-database   8471            9471
Data Queues                           as-dtaq       8472            9472
IFS Access using System i Navigator   as-file       8473            9473
Network Printers                      as-netprt     8474            9474
Remote Command                        as-rmtcmd     8475            9475
Signon Verification                   as-signon     8476            9476
Telnet (5250 Emulation)               telnet        23              992
Navigator for i (web)                 as-nav        2004            2005
HTTP Administration                   as-admin      2001            2010
POP3 (MAPI)                           pop3          5010            ---
Management Central                    as-mgtc       5555 and 5544   5566 and 5577
Ultimedia Services                    as-usf        8480            9480
DDM/DRDA                              DDM/DRDA      446             448
NetServer                             netbios       137             ---
NetServer                             CIFS          445             ---
NetServer                             netbios       139             ---
Service Tools Server                  as-sts        3000            ---
DHCP Monitor                          ---           ---             942
RUNRMTCMD                             REXEC         512             ---

If any of the above ports are restricted using a firewall or any other mechanism, IBM i Access or related functions may fail to operate. For assistance with configuring ports or working with a firewall beyond the above information, contact the firewall provider or obtain a consulting agreement.

Note:
The following ports are common to most IBM i Access Client products such as ODBC, Telnet and other specific functions:
Port 449 is used to look up service by name and return the port number.
Ports 8470 and 9470 (TLS/SSL) are used for host code page translation tables and licensing functions.
Ports 8475 and 9475 (TLS/SSL) are used to check for application administration restrictions.
Ports 8476 and 9476 (TLS/SSL) are used for checking signon verification to authenticate.
Depending on your needs you may only need the above ports and the port(s) for your function/application.

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
