silvestrelsl (Novice, joined 29 Sep 2008, 10 posts)
Posted: Wed Oct 01, 2008 11:41 pm    Post subject: Firewall Rules for MQ
I am having a concern with the firewall rules which are going to be defined for my MQ architecture. I hope one of you is able to help me.
Scenario:
1. The MQ client is installed on an IIS web server.
2. The MQ client is in LAN A.
3. The MQ server is installed in LAN B and listening on port 1414.
4. The browser client (MQ client) will put a request message to the MQ server and wait for a response message from the MQ server. My application puts and gets messages synchronously.
The above scenario works fine in my development environment because there is no firewall restriction.
Now I have to deploy my application to the production environment, where there are firewall rules that need to be considered. As we all know, the MQ client in LAN A generates a random local port number and connects to the LAN B MQ server on port 1414. The firewall rule for the LAN B server must be set to open inbound port 1414.
My concern:
1. When the MQ client sends a request message to the MQ server, will there be a problem for the MQ client to get the response message if no inbound firewall rule is set to open?
2. If I have to open both inbound and outbound rules for both servers, then that will be dangerous. I would have to open all inbound ports for the LAN A MQ client, and open all outbound ports for the LAN B MQ server. Is there any better solution?
Please advise.

zpat (Jedi Council, joined 19 May 2001, 5866 posts, UK)
Posted: Thu Oct 02, 2008 12:28 am
Set up another queue manager in the web farm (DMZ) and connect the web clients to that.
Open a firewall rule between that queue manager and one inside the main LAN for sender/receiver channels.
You cannot avoid allowing MQ traffic through in some way, but it's better not to allow client connections through firewalls.

silvestrelsl (Novice, joined 29 Sep 2008, 10 posts)
Posted: Thu Oct 02, 2008 2:26 am
Thanks for your reply.
Unfortunately, we do not have a web farm or DMZ.
So, do you mean that, in order to let the MQ client receive messages from the MQ server, I need to ensure that there is no firewall inbound rule blocking my MQ client from receiving messages? And does that also mean that I need to open the firewall inbound rule for all ports?
Perhaps there is another solution?
Thanks

zpat (Jedi Council, joined 19 May 2001, 5866 posts, UK)
Posted: Thu Oct 02, 2008 2:40 am
Have a QM in LAN A talk to a QM in LAN B - don't let the clients bridge the firewall. Open a firewall port rule between the QMs.
That's my view; not to say that clients can't work over firewalls, because they can, but I wouldn't recommend it.

mqjeff (Grand Master, joined 25 Jun 2008, 17447 posts)
Posted: Thu Oct 02, 2008 3:20 am
there's a channel property to help this... LOCLADDR or somesuch.

silvestrelsl (Novice, joined 29 Sep 2008, 10 posts)
Posted: Thu Oct 02, 2008 4:49 am

atheek (Partisan, joined 01 Jun 2006, 327 posts, Sydney)
Posted: Thu Oct 02, 2008 5:15 am    Post subject: Re: Firewall Rules for MQ
silvestrelsl wrote:
    1. When the MQ client sends a request message to the MQ server, will there be a problem for the MQ client to get the response message if no inbound firewall rule is set to open?

As per my understanding, no. The TCP/IP socket connections for client connections originate from the client server. The only firewall rule which you may have to configure is:
Source IP: Client IP
Source Port: * (any port randomly allocated by the TCP/IP stack of the client system)
to
Destination IP: MQ Server IP
Destination Port: 1414
You need not open the ports the other way round. With this setup you should be able to make your client connections work.

zpat (Jedi Council, joined 19 May 2001, 5866 posts, UK)
Posted: Thu Oct 02, 2008 5:56 am
Firewalls sometimes close inactive connections, which can upset some MQ client based applications.

fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, LI, NY)
Posted: Thu Oct 02, 2008 6:39 am
Also keep in mind that you should have an MCAUSER on the channel you are using, have the default channels disabled and probably run SSL on your client connection.
_________________
MQ & Broker admin

silvestrelsl (Novice, joined 29 Sep 2008, 10 posts)
Posted: Thu Oct 02, 2008 5:44 pm
I found that the LOCLADDR property is not available for a server connection channel.
Based on atheek, the firewall will not block the other way round?
Actually I thought the same as you, but I need confirmation.
Perhaps someone else has the same opinion?
My pseudo code should be in this way:
1. Put the "request" message into the MQ server request queue.
2. Listen to the reply queue.
3. The "request" message has been processed and put into the reply queue.
4. Get the processed reply message out from the reply queue.
When a TCP/IP connection is established between the MQ client and the MQ server via a server connection channel, the MQ client generates a random local port number and connects to the fixed port 1414 on the MQ server. The firewall inbound rule definitely must be set to open at MQ server port 1414. The other way round, while the connection is still established and active, is the MQ client able to get the message out from the reply queue? Will the message come back to the correct MQ client if I have multiple concurrent connections bound to the MQ server?
How about we look at this from the other way? The MQ client initiates the connection, then gets the message out from the queue only. What firewall rule should be set?
Thanks for the sharing.

bower5932 (Jedi Knight, joined 27 Aug 2001, 3023 posts, Dallas, TX, USA)
Posted: Thu Oct 02, 2008 5:49 pm

PeterPotkay (Poobah, joined 15 May 2001, 7722 posts)
Posted: Fri Oct 03, 2008 3:37 am
silvestrelsl wrote:
    I found that the LOCLADDR property is not available for a server connection channel.

It is on the CLNTCONN channel, the sending side of a client channel. You won't be able to specify this if you use the MQSERVER variable to define your connection parms, but you will if you use channel tables or the MQCONNX call.
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzaj.doc/sc11040_.htm
You should be able to specify the exact IP and port used both ways if you need to.
_________________
Peter Potkay
Keep Calm and MQ On

atheek (Partisan, joined 01 Jun 2006, 327 posts, Sydney)
Posted: Fri Oct 03, 2008 4:20 am
When you connect your app to the qmgr using a server connection channel, all the MQI calls (get, put, connect etc.) are executed via the server connection TCP/IP socket. Both requests and responses flow via this connection.
You can use a web server as an analogy here. The browser just makes a single TCP/IP connection to port 80 and is able to retrieve the web pages. The same connection is used for sending the HTTP request from the browser's system to the web server, and the response (the web pages) goes via the same connection back to the browser. The organisation hosting the web server need not open all outbound IPs and ports for sending the response back; they just need to open port 80 for inbound.
silvestrelsl wrote:
    Will the message come back to the correct MQ client if I have multiple concurrent connections bound to the MQ server?

When you have multiple concurrent connections, there will be multiple instances of server connection channels running and hence multiple TCP/IP socket connections are open. Each client's requests are processed via its own SVRCONN. This is why it's a good idea to specify * as the port for Source in the firewall rule. You can allow the client TCP/IP stack to randomly allocate any ports for the multiple concurrent connections.
I am fairly confident because we made a similar setup work in production recently.

atheek (Partisan, joined 01 Jun 2006, 327 posts, Sydney)
Posted: Fri Oct 03, 2008 5:15 am
silvestrelsl wrote:
    How about we look at this from the other way? The MQ client initiates the connection, then gets the message out from the queue only. What firewall rule should be set?

This scenario should be the same as any other MQI call... the call used here is MQGET.

PeterPotkay (Poobah, joined 15 May 2001, 7722 posts)
Posted: Fri Oct 03, 2008 6:29 am
atheek wrote:
    Each client's requests are processed via its own SVRCONN. This is why it's a good idea to specify * as the port for Source in the firewall rule. You can allow the client TCP/IP stack to randomly allocate any ports for the multiple concurrent connections.

Thousands of connections can all come into a single port, like #1414. Can't outgoing connections all leave via one port as well? If yes, you can avoid making your outgoing firewall port rules wide open.
_________________
Peter Potkay
Keep Calm and MQ On
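The two points the thread settles on, atheek's (the request and the reply both travel over the one socket the client opened, so only the client-to-server rule is needed) and PeterPotkay's (the client side can pin its own source address/port with LOCLADDR on the CLNTCONN, so the outbound rule need not be wide open), shown as an added example that is not from this thread and does not use IBM MQ. It is a loopback TCP stand-in written for this page: the listener, the `request-1` message and the `pick_free_port` helper are constructed for the demo, the port the OS hands out plays the role of 1414, `bind()` before `connect()` plays the role of LOCLADDR, and SO_KEEPALIVE is the plain socket-level counterpart of MQ's channel heartbeat against the idle-connection timeouts zpat mentions.

```python
import socket
import threading


def start_reply_server():
    """Constructed stand-in for the queue manager's listener (not IBM MQ).

    Listens on a loopback port the OS picks (playing the role of port 1414),
    accepts one connection and answers the newline-terminated request on that
    same socket, the way a SVRCONN returns MQGET results over the client's
    own connection. It never connects back to the client.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _peer = srv.accept()
        srv.close()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(1024)
                if not chunk:
                    return
                buf += chunk
            # The "processed" reply goes back down the connection the client opened.
            conn.sendall(b"REPLY:" + buf.strip() + b"\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_free_port():
    """Hypothetical helper: ask the OS for a currently unused loopback port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def request_reply(server_port, local_port=0):
    """Connect outbound, send one request, read the reply on the same connection.

    local_port=0 lets the TCP stack choose an ephemeral source port (the default
    client behaviour, hence '*' as the source port in atheek's rule). A non-zero
    value pins the source port, which is what LOCLADDR on a CLNTCONN gives you,
    so the client-side outbound rule can name a fixed port or range.
    Returns (source port actually used, reply text).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # TCP keepalive: socket-level answer to firewalls that drop idle connections.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        s.bind(("127.0.0.1", local_port))
        s.connect(("127.0.0.1", server_port))
        src_port = s.getsockname()[1]
        s.sendall(b"request-1\n")
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
    return src_port, buf.strip().decode()


if __name__ == "__main__":
    port = start_reply_server()
    src, reply = request_reply(port)
    print(f"ephemeral source port {src} -> server port {port}: {reply}")

    pinned = pick_free_port()
    src, reply = request_reply(start_reply_server(), local_port=pinned)
    print(f"pinned source port {src} (asked for {pinned}): {reply}")
```

Run as a script, the first call shows the stack-allocated source port (the reason the rule needs `*` as source), the second shows the source port pinned to the value requested, which is what lets the client-side outbound rule be narrow instead of wide open. In neither case does the server open a connection towards the client, so no inbound rule on the client side is needed.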