Message boards : Number crunching : needed network Ports and IPs to get CMS work through a firewall
Yeti
Joined: 29 May 15
Posts: 147
Credit: 2,842,484
RAC: 0
Message 564 - Posted: 14 Aug 2015, 11:08:42 UTC

It took me quite some time to figure out what CMS needs to get through my restrictive firewall.

From other CERN projects I had the following already configured:

• Jabber messaging which needs XMPP (port 5222),
• Chirp (port 9094) for moving data in and out,
• HTTP (port 80) and
• HTTPS (port 443)

And if you want, you can grant access to the entire CERN network:
• 137.138.0.0/16
• 128.141.0.0/16
• 128.142.0.0/16

Now I had to add:

130.246.180.119-120 with TCP-Ports 8319,9620-9623,9817,9818

188.184.134.98 with TCP-Port 3128
188.184.140.166 with TCP-Port 3128

128.142.166.0/255.255.255.0 with TCP-Port 8884

It would be good and helpful if someone from the project team can check and confirm or correct this table.

Thanks in advance

Yeti
Laurence
Project administrator
Project developer
Project tester
Joined: 12 Sep 14
Posts: 1067
Credit: 329,589
RAC: 96
Message 565 - Posted: 14 Aug 2015, 12:22:16 UTC - in response to Message 564.  

Yes, we should provide this information. Are you referring to only incoming traffic or also outgoing?

Jabber and Chirp are required for test4theory but should not be required in the future when it is migrated to different infrastructure. We use Condor and this can require some ports but I don't have the exact details right now. It might be possible to configure Condor in such a way that this isn't required. There may also be some other CMS magic going on that I haven't identified yet.
Yeti
Joined: 29 May 15
Posts: 147
Credit: 2,842,484
RAC: 0
Message 566 - Posted: 14 Aug 2015, 12:35:23 UTC - in response to Message 565.  

Yes, we should provide this information. Are you referring to only incoming traffic or also outgoing?

All that is needed to get it to work.

Usually you configure something in one direction and the firewall accepts the answer automatically.

So for my system I have configured the outgoing connections and my firewall lets the reply pass through.
Yeti
Joined: 29 May 15
Posts: 147
Credit: 2,842,484
RAC: 0
Message 1104 - Posted: 17 Sep 2015, 18:03:07 UTC

Today I had to make the following change:

130.246.180.119-120 with TCP-Ports 8319,9619-9623,9817,9818
ivan
Volunteer moderator
Project administrator
Project developer
Project tester
Project scientist
Joined: 20 Jan 15
Posts: 1129
Credit: 7,944,473
RAC: 3,018
Message 1107 - Posted: 18 Sep 2015, 9:30:11 UTC - in response to Message 1104.  

Today I had to make the following change:

130.246.180.119-120 with TCP-Ports 8319,9619-9623,9817,9818

A site admin replies:
The condor glideins should only require outgoing connections. My (test) glideinWMS is configured to have 4 collectors, using ports 9619 to 9623, on the host 130.246.180.120. Config files need to be downloaded from the same host on port 8319, as well as from 130.246.180.119 on the same port (8319).

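An added example, not part of any post in this thread and not project code: a small Python parser for the rule notation used above. It turns the additional CMS entries (with the 9619 correction) into an explicit egress allowlist and tests whether a new outbound TCP connection would match. The function names are hypothetical, and only destination address and port are modelled, on the assumption that a stateful firewall passes the replies.

```python
import ipaddress
import re
# Rule lines as posted in the thread (message 564, port range per message 1104).
THREAD_RULES = """
130.246.180.119-120 with TCP-Ports 8319,9619-9623,9817,9818
188.184.134.98 with TCP-Port 3128
188.184.140.166 with TCP-Port 3128
128.142.166.0/255.255.255.0 with TCP-Port 8884
"""
RULE_RE = re.compile(r"^(\S+) with TCP-Ports? (\S+)$")

def parse_hosts(spec):
    """(first, last) address for 'a.b.c.d', 'a.b.c.x-y' or 'network/netmask'."""
    if "/" in spec:
        net = ipaddress.IPv4Network(spec)  # strict: rejects host bits set
        return net[0], net[-1]
    start, _, end_octet = spec.partition("-")
    first = ipaddress.IPv4Address(start)
    prefix = start.rsplit(".", 1)[0]
    last = ipaddress.IPv4Address(f"{prefix}.{end_octet}") if end_octet else first
    if last < first:
        raise ValueError(f"descending host range: {spec}")
    return first, last

def parse_ports(spec):
    """Inclusive (low, high) ranges from a list such as '8319,9619-9623'."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range: {part}")
        ranges.append((low, high))
    return ranges

def parse_rules(text):
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        match = RULE_RE.match(line)
        if match is None:  # fail closed on anything unrecognised
            raise ValueError(f"unparseable rule: {line}")
        rules.append((parse_hosts(match[1]), parse_ports(match[2])))
    return rules

def egress_allowed(rules, dst, port):
    """True if a new outbound TCP connection to dst:port matches a rule."""
    addr = ipaddress.IPv4Address(dst)
    return any(first <= addr <= last and any(lo <= port <= hi for lo, hi in ports)
               for (first, last), ports in rules)
```

Replaying a blocked flow from the firewall log against both the old and the new list (for example 130.246.180.120 port 9619) shows which rule line has to change without widening anything else.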
