Re: Ports to block to limit the use of Client access Data transfer Facility

Client Access will work without port 449 (Server Mapper) if you set the 
Connection Properties in iSeries Navigator, under "Where to look up port" 
to "Standard" or "Local" (from the default "Server", which is when it uses 
port 449 to find what ports other Client Access services are running on).

...Neil




James Rich <james@xxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
2005/05/23 15:58



To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
Re: Ports to block to limit the use of Client access Data transfer 
Facility






On Mon, 23 May 2005 rob@xxxxxxxxx wrote:

> I think trying to control it by controlling which emulator people use is 
a
> bad thing.  Then you'd have to scan every pc that attached to your lan 
for
> IBM's client access on a continual basis.  All it would take is one copy
> to break into the fort.  Better to control it on the server.

I agree that controlling server access should be done on the server.  One 
of the ways this can be accomplished is by blocking all unnecessary ports. 

For simple 5250 access, port 23 (or 992 if using SSL) is all that is 
needed.  Specifically, port 449 is not needed.  But client access won't 
work unless that port is open.  Therefore, imo the best approach is 
two-fold:  block all ports except 23 (or 992) and don't use client access. 

Since 449 is not open client access won't work, so you don't need to scan 
for it.  And the only thing that will work is plain old 5250.  As I see 
it, you have accomplished three things:

1. closed more ports making security easier
2. probably saved some money on licensing
3. made your life simpler

All my opinion of course (I have a bit of a bias regarding 5250 emulation)

James Rich