


Beyond that, you are going to get pummeled with probes from China, Russia, and other countries, and your firewall will get overrun. Even if you put the ACS to block certain countries (easily found commercial solutions for that), most of them redirect from places inside the US.

Not my first choice either. You’d be way better off with spending the time/money to upgrade the firewall and set up the VPN accounts.

Jim Oberholtzer
Agile Technology Architects



On Apr 20, 2020, at 5:05 PM, Don Brown via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

So you are going to allow ANYONE through your firewall on the ACS ports -
no security except user name and password ?

I hope you have good password policies and all default user profiles
passwords have been changed.

Would not be my recommendation.

Cheers

Don Brown





From: "Steinmetz, Paul via MIDRANGE-L" <midrange-l@xxxxxxxxxxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
Date: 21/04/2020 07:20 AM
Subject: Ports needed for ACS when working from home over VPN
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>



We are now starting to allow users to WFH without using RDP, via VPN.
Many ports need to be enabled on the firewall for remote access.

I found below link, not sure if this was a complete list.

TCP/IP Ports Required for IBM i Access and Related Functions

https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions


The following table lists the ports that IBM i Access and related
functions use for communication with the IBM i OS System:

PC Function                          Server Name   Port Non-SSL    Port SSL
-----------------------------------  ------------  --------------  --------------
Server Mapper                        as-svrmap     449             ---
License Management                   as-central    8470            9470
Database Access                      as-database   8471            9471
Data Queues                          as-dtaq       8472            9472
IFS Access using System i Navigator  as-file       8473            9473
Network Printers                     as-netprt     8474            9474
Remote Command                       as-rmtcmd     8475            9475
Signon Verification                  as-signon     8476            9476
Telnet (5250 Emulation)              telnet        23              992
Navigator for i (web)                as-nav        2004            2005
HTTP Administration                  as-admin      2001            2010
POP3 (MAPI)                          pop3          5010            ---
Management Central                   as-mgtc >     5555 and 5544   5566 and 5577
Ultimedia Services                   as-usf        8480            9480
DDM/DRDA                             DDM/DRDA      446             448
NetServer                            netbios >     137             ---
NetServer                            CIFS          445             ---
NetServer                            netbios >     139             ---
Service Tools Server                 as-sts        3000            ---
DHCP Monitor                         ---           ---             942
RUNRMTCMD                            REXEC         512             ---


If any of the above ports are restricted using a firewall or any other
mechanism, IBM i Access or related functions may fail to operate. For
assistance with configuring ports or working with a firewall beyond the
above information, contact the firewall provider or obtain a consulting
agreement.

Note:
The following ports are common to most IBM i Access Client products such
as ODBC, Telnet and other specific functions:
Port 449 is used to look up service by name and return the port number.
Ports 8470 and 9470 (TLS/SSL) are used for host code page translation
tables and licensing functions.
Ports 8475 and 9475 (TLS/SSL) are used to check for application
administration restrictions.
Ports 8476 and 9476 (TLS/SSL) are used for checking signon verification to
authenticate.
Depending on your needs, you may only need the above ports and the port(s)
for your function/application.


Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
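
An added example, not part of the original thread or of IBM's document: a Python sketch that turns a subset of the port table above into a TLS-preferred allowlist for VPN clients and audits a firewall rule list for the exposure raised in the replies. The rule format (source CIDR, destination TCP port), the VPN subnet 10.8.0.0/24 and the function names are assumptions made for illustration.

```python
import ipaddress

# Subset of the table quoted above: server name -> (non-TLS port, TLS port).
# None stands for "---" in the table.
PORTS = {
    "as-svrmap": (449, None), "as-central": (8470, 9470),
    "as-database": (8471, 9471), "as-dtaq": (8472, 9472),
    "as-file": (8473, 9473), "as-netprt": (8474, 9474),
    "as-rmtcmd": (8475, 9475), "as-signon": (8476, 9476),
    "telnet": (23, 992),
}
# Servers the Note lists as common to most IBM i Access Client products.
COMMON = ["as-svrmap", "as-central", "as-rmtcmd", "as-signon"]

def tls_allowlist(functions):
    """Ports for the common servers plus the named ones, TLS port where one exists."""
    ports = set()
    for name in COMMON + list(functions):
        plain, tls = PORTS[name]
        ports.add(tls if tls is not None else plain)
    return sorted(ports)

def audit(rules, vpn_cidr):
    """Flag rules that open a listed port beyond the VPN subnet or in cleartext."""
    vpn = ipaddress.ip_network(vpn_cidr)
    known = {p for pair in PORTS.values() for p in pair if p is not None}
    # Cleartext ports that have a TLS counterpart in the table.
    cleartext = {p: (n, t) for n, (p, t) in PORTS.items() if t is not None}
    findings = []
    for src, port in rules:
        if port not in known:
            continue
        if not ipaddress.ip_network(src).subnet_of(vpn):
            findings.append((src, port, "reachable from outside the VPN subnet"))
        elif port in cleartext:
            name, tls = cleartext[port]
            findings.append((src, port, f"cleartext {name}; TLS port is {tls}"))
    return findings

# Constructed sample rules (source CIDR, destination TCP port); not from the thread.
VPN = "10.8.0.0/24"
SAMPLE_RULES = [("0.0.0.0/0", 8476), (VPN, 23), (VPN, 992), (VPN, 9476), (VPN, 449)]

if __name__ == "__main__":
    print("allow from VPN:", tls_allowlist(["telnet"]))
    for finding in audit(SAMPLE_RULES, VPN):
        print("finding:", finding)
```

The TLS ports only work if the corresponding host servers on the IBM i have certificates assigned; that configuration is outside what this sketch checks.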



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
