


One other point of clarification.

When you apply these rules the general thinking is that they are being applied to external access. So your suggestion here of allowing the subnet y-y-y-y access to port 443 (https) for all the IPs in the group 'WEBDEV' would be found on the access-list for public access. Often of course when dealing with public access to web servers the rule is *ANY4 or *ANY rather than a subnet.

When adding rules to a VPN though those rules don't go on the outside (or in your case 'ingress') access-list. They go in the group-policy for the VPN user. It's NOT the access-list that is assigned to the public (external) interface of the firewall that is in play for VPN users.

Applying the list then looks like this:

group-policy WorkFromHome attributes
vpn-filter value AccessToIBMi

In this case the VPN users would then be assigned to this policy thus:

username workfromhomebob attributes
vpn-group-policy WorkFromHome

The access-list AccessToIBMi then would allow FROM the IP addresses assigned to the VPN client users TO IBM i on the ports listed. Clearly other uses may be allowed depending on what else those users need access to.

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
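The thread gives the two halves of the ASA setup (the vpn-filter bound in the group-policy, and the AccessToIBMi list written from the VPN client pool toward the IBM i) but no way to verify that the list actually permits everything ACS needs. The following Python check is an added example, not code from the thread, from IBM or from Cisco. It parses access-list lines of the 'access-list NAME extended permit tcp SRC MASK DST eq PORT' form quoted in the thread (including the 'line N' form that 'show access-list' prints), applies ASA first-match semantics with the implicit deny, and reports which required ports are not let through. The ACL text is constructed; 10.250.0.0/24 (the VPN client pool) and 192.168.10.5 (the IBM i) are placeholder addresses. The required-port list is taken from the IBM support page quoted below plus Larry's correction that the *ADMIN server uses 2001 through 2012.

```python
"""Coverage check of an ASA-style vpn-filter access-list against IBM i Access ports.

Added example (not from the thread, IBM or Cisco). ACL text below is constructed;
10.250.0.0/24 = VPN client pool, 192.168.10.5 = the IBM i, both placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Ports from the IBM support page: the four services its note calls common to
# most clients, plus database access, 5250 telnet and the *ADMIN range 2001-2012.
REQUIRED_PORTS = {
    "as-svrmap": [449],
    "as-central": [8470, 9470],
    "as-rmtcmd": [8475, 9475],
    "as-signon": [8476, 9476],
    "as-database": [8471, 9471],
    "telnet (5250)": [23, 992],
    "*ADMIN server": list(range(2001, 2013)),
}
SERVICE_NAMES = {"https": 443, "http": 80, "telnet": 23, "ssh": 22}  # ASA port names seen in ACLs

# Constructed ACL: on purpose it permits only TLS telnet and only 2004/2005 of the *ADMIN range.
SAMPLE_ACL = """\
access-list AccessToIBMi extended permit tcp 10.250.0.0 255.255.255.0 host 192.168.10.5 eq 449
access-list AccessToIBMi extended permit tcp 10.250.0.0 255.255.255.0 host 192.168.10.5 range 8470 8476
access-list AccessToIBMi extended permit tcp 10.250.0.0 255.255.255.0 host 192.168.10.5 range 9470 9476
access-list AccessToIBMi extended permit tcp 10.250.0.0 255.255.255.0 host 192.168.10.5 eq 992
access-list AccessToIBMi extended permit tcp 10.250.0.0 255.255.255.0 host 192.168.10.5 range 2004 2005
"""


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: tuple
    dst: tuple
    ports: frozenset  # empty = any destination port


def _take_addr(tokens, i):
    """Consume one ASA address spec: any/any4/any6, host X, object[-group] X, or A.B.C.D MASK."""
    if tokens[i] in ("any", "any4", "any6"):
        return (tokens[i],), i + 1
    return (tokens[i], tokens[i + 1]), i + 2  # keyword + name, or address + mask


def _port(tok):
    return SERVICE_NAMES.get(tok) or int(tok)


def parse_acl_line(line):
    """Parse one 'access-list ... extended ...' line; returns None for anything else."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list":
        return None
    i = 2 if t[2] != "line" else 4  # 'show access-list' output carries 'line N'
    if t[i] != "extended":
        return None
    action, proto, i = t[i + 1], t[i + 2], i + 3
    src, i = _take_addr(t, i)
    if i < len(t) and t[i] in ("eq", "range"):  # source-port operator: skip it
        i += 3 if t[i] == "range" else 2
    dst, i = _take_addr(t, i)
    ports = set()
    if i < len(t) and t[i] == "eq":
        ports = {_port(t[i + 1])}
    elif i < len(t) and t[i] == "range":
        ports = set(range(_port(t[i + 1]), _port(t[i + 2]) + 1))
    return AclEntry(t[1], action, proto, src, dst, frozenset(ports))


def _addr_matches(spec, ip):
    if spec[0] in ("any", "any4"):
        return True
    if spec[0] == "host":
        return ipaddress.ip_address(spec[1]) == ip
    if spec[0] in ("object", "object-group", "interface", "any6"):
        return False  # named objects are not resolved here; conservatively treated as no match
    return ip in ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)


def port_verdicts(acl_text, name, src_ip, dst_ip, ports):
    """ASA semantics: first matching entry wins, implicit deny at the end of the list."""
    entries = [e for e in map(parse_acl_line, acl_text.splitlines()) if e and e.name == name]
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    verdicts = {}
    for port in ports:
        verdicts[port] = "deny"
        for e in entries:
            if (e.proto in ("tcp", "ip") and _addr_matches(e.src, src)
                    and _addr_matches(e.dst, dst) and (not e.ports or port in e.ports)):
                verdicts[port] = e.action
                break
    return verdicts


def missing_ports(acl_text, name, src_ip, dst_ip, required=REQUIRED_PORTS):
    """Map each incompletely permitted function to the ports the filter does not let through."""
    every = sorted({p for ps in required.values() for p in ps})
    v = port_verdicts(acl_text, name, src_ip, dst_ip, every)
    gaps = {fn: [p for p in ps if v[p] != "permit"] for fn, ps in required.items()}
    return {fn: ps for fn, ps in gaps.items() if ps}


if __name__ == "__main__":
    for fn, ps in missing_ports(SAMPLE_ACL, "AccessToIBMi", "10.250.0.7", "192.168.10.5").items():
        print(f"{fn}: not permitted {ps}")
```

Run against the constructed list it reports that plain telnet (23) and all of the *ADMIN range except 2004 and 2005 are blocked, which is exactly the kind of gap Larry describes. Object-groups are not expanded (the sample ACL uses none), so a rule written with object-group names would have to be resolved by hand before this check is meaningful.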

On 4/21/2020 9:11 AM, Steinmetz, Paul wrote:
I believe we allow some ports and block the rest

Example

x.x.x.x
PERMITS:

access-list ingress line 376 extended permit tcp y.y.y.y 255.255.255.0 object-group webdev eq https

Paul

-----Original Message-----
From: DrFranken <midrange@xxxxxxxxxxxx>
Sent: Tuesday, April 21, 2020 8:47 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: Re: Ports needed for ACS when working from home over VPN

Sorry to be late to the party. Yesterday was Lumberjack day, gravity won.

First off the link is good. Those are the ports you'll need. Highly unlikely you'll use the Management Central ports though or the POP3 port for that matter. Hopefully Netbios is also unused (137, 139) as CIFS (445) is the choice these days. Finally Service Tools would only be needed for admins not general users.

One thing that seems missing is the remaining ports for Navigator for i (the *ADMIN server). Shown are 2004 for non-SSL and 2005 for SSL, which is correct, and 2001 is the starting port. But they use TCP ports from 2001 through 2012, so if you need access to that, use the port range in your rules, not just the ports listed there.

NOW as to the question "Do you need to open firewall ports at all?"
That depends. When the VPN connection is made your firewall administrators CAN apply filters/rules (access-lists in Cisco terms) that either allow some ports and block the rest OR block some ports and allow the rest. OR they may not apply filters and thus you can get to any ports required. That is a configuration choice. So you'll need to find out if they did apply any filters and, only if they did, allow these ports through the firewall.


- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 4/20/2020 5:20 PM, Steinmetz, Paul via MIDRANGE-L wrote:
We are now starting to allow users to WFH without using RDP, via VPN.
Many ports need to be enabled on the firewall for remote access.

I found below link, not sure if this was a complete list.

TCP/IP Ports Required for IBM i Access and Related Functions

https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions

The following table lists the ports that IBM i Access and related functions use for communication with the IBM i OS System:

PC Function                          Server Name   Port Non-SSL    Port SSL
-----------------------------------  ------------  --------------  --------------
Server Mapper                        as-svrmap     449             ---
License Management                   as-central    8470            9470
Database Access                      as-database   8471            9471
Data Queues                          as-dtaq       8472            9472
IFS Access using System i Navigator  as-file       8473            9473
Network Printers                     as-netprt     8474            9474
Remote Command                       as-rmtcmd     8475            9475
Signon Verification                  as-signon     8476            9476
Telnet (5250 Emulation)              telnet        23              992
Navigator for i (web)                as-nav        2004            2005
HTTP Administration                  as-admin      2001            2010
POP3 (MAPI)                          pop3          5010            ---
Management Central                   as-mgtc       5555 and 5544   5566 and 5577
Ultimedia Services                   as-usf        8480            9480
DDM/DRDA                             DDM/DRDA      446             448
NetServer                            netbios       137             ---
NetServer                            CIFS          445             ---
NetServer                            netbios       139             ---
Service Tools Server                 as-sts        3000            ---
DHCP Monitor                         ---           ---             942
RUNRMTCMD                            REXEC         512             ---


If any of the above ports are restricted using a firewall or any other mechanism, IBM i Access or related functions may fail to operate. For assistance with configuring ports or working with a firewall beyond the above information, contact the firewall provider or obtain a consulting agreement.

Note:
The following ports are common to most IBM i Access Client products such as ODBC, Telnet and other specific functions:
Port 449 is used to look up a service by name and return the port number.
Ports 8470 and 9470 (TLS/SSL) are used for host code page translation tables and licensing functions.
Ports 8475 and 9475 (TLS/SSL) are used to check for application administration restrictions.
Ports 8476 and 9476 (TLS/SSL) are used for checking signon verification to authenticate.
Depending on your needs you may only need the above ports and the port(s) for your function/application.


Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/

