Environment
Situation
Network connection requirements and firewall ports needed for the installation of Analysis Center
Resolution
When a firewall separates Analysis Center from your AppManager repository, you must open the SQL communication port on the firewall for Analysis Center. Some recommended best practices for Analysis Center are:
- Place all the Analysis Center components on the internal network.
- Install Analysis Center using the recommended security model and then define standard SQL authentication for the connectivity to the AppManager repository when creating the data source.
- On the firewall, open the standard SQL Server port to the AppManager repository machine from the Analysis Center Data Mart machine. The default standard port is 1433. If the standard port has changed, then open the new port.
Use the following guide for port assignment among AC components:
- Port 80 open from the AC Console to the WebServices (IIS Server)
- Port 1433 for SQL (or your designated port for SQL) for the WebServices to the AC_Warehouse and AC_Configuration database connections
- Ports 2393, 2394 and 2725 for the WebServices to the Analysis Services OLAP database connection
- If you have your Data Mart installed on a separate server from your Data Warehouse, you will also need port 135 open for DTC
NOTE: A multiple-firewall setup for a distributed AC configuration has not been verified by NetIQ. While no problems should occur, this configuration may not function without the required ports detailed below, or additional settings determined by your network and firewall administrators.
Communication is initiated by the Analysis Center Data Mart SQL Server machine, which issues SQL queries against the AppManager repository database via DTS packages. Also, NetIQ recommends that the Data Mart and Data Warehouse component servers be on the same local network for speed and reliability.
Console to Web Service
Port | Description |
80 | HTTP connection to the web service |
Web Service to Data Warehouse
Port | Description |
1433 | The default for SQL Server |
2393, 2394 and 2725 | Analysis Server (OLAP); see http://go.microsoft.com/fwlink/?LinkId=15299 |
Data Warehouse to Data Mart
Port | Description |
1433 | The default for SQL Server |
Data Mart to QDB
Port | Description |
1433 | The default for SQL Server |
Configure SQL Server to use TCP/IP:
For SQL Server to function in a firewall environment, you must make sure that it uses only the TCP/IP network library for communications. Ensure that Named Pipes is not enabled in the Server Network Utility or the Client Network Utility.
Specifically, here is a list of ports required by various Microsoft Components (see this Microsoft KB for more details: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csvr2002/htm/cs_dp_typical_mjjt.asp):
Port | Description |
1433 | The default for SQL Server |
2393, 2394 and 2725 | Analysis Server (OLAP). For additional information, see Knowledge Base article 301901: "INF: TCP Ports Used by OLAP Services when Connecting Through a Firewall," available at http://go.microsoft.com/fwlink/?LinkId=15299 |
135 | DTC. Allow access in both directions, inbound and outbound. If you are using a firewall that does not manage RPC connections, you will need to modify the registry on the computers involved to limit RPC secondary outbound ports to 5000-5020 (or whatever your preferred ports are) for Microsoft Distributed Transaction Coordinator (MSDTC). |
53 | DNS |
389 | Active Directory name resolution |
88 | Active Directory authentication |
445 | Server Message Block * This may be required for file sharing as defined by Microsoft |
This KB article has several links for single and multiple firewall configurations.
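
The following is an added example, not NetIQ code: a Python check of a firewall rule list against the Analysis Center port matrix above. It reports required flows that no rule permits and rules that are broader than the matrix. The component names, the `Rule` format and the sample rules are assumptions constructed for illustration; only the port numbers come from this article.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # component name or "any" (assumed rule format)
    dst: str
    lo: int    # first allowed TCP port
    hi: int    # last allowed TCP port (inclusive)

def required_flows(sql_port=1433, separate_data_mart=False):
    """Port matrix from this article as {(src, dst): {ports}}."""
    flows = {
        ("console", "webservice"): {80},
        ("webservice", "warehouse"): {sql_port, 2393, 2394, 2725},
        ("warehouse", "datamart"): {sql_port},
        ("datamart", "qdb"): {sql_port},
    }
    if separate_data_mart:
        # Port 135 for DTC, allowed in both directions per the article.
        flows[("warehouse", "datamart")].add(135)
        flows[("datamart", "warehouse")] = {135}
    return flows

def allows(rule, src, dst, port):
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and rule.lo <= port <= rule.hi)

def audit(rules, flows):
    """Return (missing, excess): flows no rule permits, rules wider than the matrix."""
    missing = sorted((s, d, p) for (s, d), ports in flows.items() for p in ports
                     if not any(allows(r, s, d, p) for r in rules))
    excess = []
    for r in rules:
        needed = flows.get((r.src, r.dst), set())
        if "any" in (r.src, r.dst) or any(p not in needed for p in range(r.lo, r.hi + 1)):
            excess.append(r)
    return missing, excess

# Constructed rule set for illustration only.
SAMPLE_RULES = [
    Rule("console", "webservice", 80, 80),
    Rule("webservice", "warehouse", 1433, 1433),
    Rule("webservice", "warehouse", 2393, 2394),  # 2725 forgotten
    Rule("warehouse", "datamart", 1433, 1433),
    Rule("any", "qdb", 1433, 1433),               # only the Data Mart needs this
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, required_flows(separate_data_mart=True))
    for flow in missing:
        print("MISSING %s -> %s tcp/%d" % flow)
    for rule in excess:
        print("TOO BROAD", rule)
```

The check covers only the TCP ports listed in the tables; the RPC secondary port range used by MSDTC depends on your registry setting and is not modeled.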