ZONE LABS ZONEALARM PRO AND MQSERIES |
Author |
Message
|
CodeCraft |
Posted: Sat Jun 08, 2002 3:54 am Post subject: ZONE LABS ZONEALARM PRO AND MQSERIES |
|
|
Disciple
Joined: 05 Sep 2001 Posts: 195
|
Anyone had any success trying to get MQ to work with this product? I have it running as a personal firewall on a standalone test server. I do not wish MQ to communicate through it, just between multiple queue managers on the test server itself.
When I try to start components, runmqchl, runmqchi and runmqlsr all appear to be causing devldr32.exe errors, the cause of which I haven't yet found.
I am aware of MA86, but it's not wholly relevant in this case because I am not trying to have MQ communicate *through* the firewall.
Any ideas? |
|
CodeCraft |
Posted: Sat Jun 08, 2002 10:34 pm Post subject: Answer .... |
|
|
Disciple
Joined: 05 Sep 2001 Posts: 195
|
It seems that ZA pro should pop up and ask whether you want to allow a given program to access the "internet". After doing so, you can tune the access to be more granular, that is, access the trusted zone or internet zone, and, act as a server in the trusted zone or internet zone.
This is all controlled under ZA pro's "Program Control" which manages what programs *within* the local firewall can do. This is used to prevent things on your system from inadvertently acting as servers, and, to stop programs from "phoning home".
It also seems that ZA pro is enforcing these rules, even when you are not network attached.
The solution is:
a) Simply to turn off "Program Control" altogether when you are not connected to a network or dialup connection.
b) Alternatively, you can explicitly find all WMQ and WMQI components which attempt TCP/IP access or to be TCP/IP servers and give them explicit access to access/serve in the trusted zone.
Option b) is not that easy: I believe ZA pro should prompt when each of these utilities first attempts its access, but doesn't appear to be doing so. To manually identify each program which requires access requires a good knowledge of what each binary in WMQ and WMQI bin directories is supposed to do.
The ideal solution for a system which uses dialup networking only would be to confine ZA pro's activity to when you are actually dialed up to your ISP. If I find this is possible, I will repost. |
|
CodeCraft |
Posted: Sat Jun 08, 2002 11:06 pm Post subject: |
|
|
Disciple
Joined: 05 Sep 2001 Posts: 195
|
Further:
ZA pro's configuration is such that you can have multiple hosts, each in different zones.
So, while my ISP's DHCP address always ends up in the "internet" zone, I can add "localhost" to ZA pro's host list and make it a member of the "trusted" zone. Then, in ZA pro's advanced configuration options, I can allow all access/server requests when they are in the "trusted" zone, while still maintaining my outbound and inbound firewall protection for the "internet" zone.
In my case, this is easy because I have loopback installed. It may be slightly more complicated in the case where someone needs personal firewall protection and the ability to run MQ/WMQI using the same host address (although you can always add a loopback adapter to allow creation of a separate trusted zone). |
|
|
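An added example, not part of the original posts and not IBM or Zone Labs tooling: one way to build the option b) list from observed sockets instead of from knowledge of each binary. It parses `netstat -ano` and `tasklist /fo csv /nh` output and reports, per MQ program, whether it needs "server" or "access" rights and in which zone. The sample output, the `runmq` name prefix filter and the loopback-equals-trusted mapping are assumptions made for the illustration.

```python
import csv
import ipaddress

# Constructed `netstat -ano` sample (addresses, ports and PIDs are made up).
NETSTAT = """\
  TCP    0.0.0.0:1414       0.0.0.0:0          LISTENING    1180
  TCP    127.0.0.1:1415     0.0.0.0:0          LISTENING    1204
  TCP    127.0.0.1:1415     127.0.0.1:3021     ESTABLISHED  1204
  TCP    127.0.0.1:3021     127.0.0.1:1415     ESTABLISHED  1312
  TCP    192.0.2.10:3050    198.51.100.7:80    ESTABLISHED  2044
"""
# Constructed `tasklist /fo csv /nh` sample.
TASKLIST = '''\
"runmqlsr.exe","1180","Console","0","3,120 K"
"runmqlsr.exe","1204","Console","0","3,096 K"
"runmqchl.exe","1312","Console","0","2,880 K"
"iexplore.exe","2044","Console","0","14,512 K"
'''

def split_endpoint(endpoint):
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), port  # IPv6 endpoints are printed as [addr]:port

def zone(host):
    """Loopback is the trusted zone; a wildcard bind is reachable from both."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "trusted+internet"
    return "trusted" if ip.is_loopback else "internet"

def required_permissions(netstat_out, tasklist_csv, prefix="runmq"):
    """Return sorted (program, 'server'|'access', zone) tuples for MQ programs."""
    names = {int(r[1]): r[0].lower() for r in csv.reader(tasklist_csv.splitlines()) if r}
    rows = [f for f in (l.split() for l in netstat_out.splitlines())
            if len(f) == 5 and f[0] == "TCP" and names.get(int(f[4]), "").startswith(prefix)]
    listening = {(f[4], split_endpoint(f[1])[1]) for f in rows if f[3] == "LISTENING"}
    perms = set()
    for _, local, remote, state, pid in rows:
        (lhost, lport), (rhost, _) = split_endpoint(local), split_endpoint(remote)
        if state == "LISTENING":
            perms.add((names[int(pid)], "server", zone(lhost)))
        elif (pid, lport) not in listening:  # skip connections accepted by a listener
            perms.add((names[int(pid)], "access", zone(rhost)))
    return sorted(perms)

if __name__ == "__main__":
    for prog, role, where in required_permissions(NETSTAT, TASKLIST):
        print(f"{prog:14} {role:7} {where}")
```

A program reported with `trusted+internet` is bound to the wildcard address, so granting it server rights in the trusted zone alone leaves it listening on the internet-facing address as well, with only the firewall's internet-zone rules in front of it.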