In a default Verastream Host Integrator (VHI) installation, the Administrative Console application cannot connect to the management server through a firewall due to use of dynamic (arbitrary) port numbers. This technical note describes how to configure management server to instead use fixed port numbers for firewall compatibility.
In versions 7.1 through 7.7 SP2, you can enable management server connections through a firewall by configuring your management server, firewall, and Administrative Console as follows:
- Configure the management server ports:
- In a text editor, open the management server properties file. Typical locations are as follows:
Version 7.5 through 7.7 SP2 on 64-bit Windows: C:\Program Files\Attachmate\Verastream\ManagementServer\conf\container.properties
Version 7.1.x on 64-bit Windows: C:\Program Files (x86)\Attachmate\Verastream\ManagementServer\conf\container.properties
Version 7.1.x on 32-bit Windows: C:\Program Files\Attachmate\Verastream\ManagementServer\conf\container.properties
- In the rmi.export.port.ssl line, set a desired port number for encrypted RMI communications. (The default value 0 represents use of arbitrary ports.)
- (Optional:) By default, an additional port 33000 is used for encrypted RMI/JMX communication. However, you can configure rmi.port.ssl to use a different value instead.
- (Optional:) If you plan to also use third-party JMX tools and need to enable unencrypted JMX communications, set rmi.port to a desired port number such as 33001. (The default value 0 disables non-secure JMX.) Enabling non-secure JMX will also enable unencrypted RMI communications; set rmi.export.port to configure its port number. (The default value 0 represents use of arbitrary ports for non-secure RMI.)
- Important: After saving the modified file, restart the management server as described in KB 7021352.
Note: When you upgrade your product installation in the future (major release, service pack, or hotfix), the container.properties file may revert to new defaults. After upgrading, the above steps will need to be repeated.
- Configure your firewall:
- Refer to your firewall documentation for changing its configuration.
- Allow communication to the port you configured in step 1.b. above (rmi.export.port.ssl).
- Allow communication to the additional port 33000, or different port you configured in step 1.c. above (rmi.port.ssl).
- (Optional) If you plan to also use third-party JMX tools through the firewall, allow communication to the additional non-secure ports configured in step 1.d. above (rmi.port and rmi.export.port).
- Configure Administrative Console:
If you configured a different port in step 1.c. above, change the Connection Port in Console > Preferences > Connections. The default value is 33000.
About Port Properties
The rmi.port.ssl property specifies the port that the RMI server listens on for secure connections. Once a request comes in on that port, another port (as specified by the rmi.export.port.ssl property) is used to handle the request and send back the response. The rmi.export.port.ssl default value is set to 0, meaning use any available arbitrary port. Since using arbitrary ports can be problematic for firewalls, you can set rmi.export.port.ssl to a specific port number. (There is a similar set of properties for non-secure RMI communication: rmi.port and rmi.export.port.)