What are the rules for port usage?
dougpierson
Posted: Fri Aug 01, 2003 4:47 am Post subject: What are the rules for port usage?
Newbie
Joined: 20 Sep 2001 Posts: 5
Hello,
In a particular implementation of MQ, I have to restrict the outbound (sender channel) port usage to a particular port or range of ports because of the way the customer configures its firewall. I'm doing this using the MQTCPSDRPORT environment variable.
For inbound traffic, MQ listens on a given port and can accommodate multiple concurrent transmissions coming in on that port. For outbound traffic, it doesn't seem to allow multiple concurrent transmissions going out on a single port, even though the outbound transmissions are destined for different IP addresses.
Not having experience coding sockets, my question is this: What are the rules of the game when it comes to ports? I've read the ma86 support pack. In it, the author says "Each sockets conversation is identified by a unique combination of source and target ip address, port number, and protocol... Only one conversation can exist on a network with a specific signature."
Well, if that's true, then why can't I seem to send concurrent traffic to two different destinations using the same sender port?
Thanks in advance for your help,
Doug Pierson
bduncan
Posted: Fri Aug 01, 2003 8:36 am Post subject:
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
Hmm, it was my understanding that each sender channel used its own port, and you couldn't get two sender channels to share the same outbound port.
_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
dougpierson
Posted: Fri Aug 01, 2003 8:45 am Post subject:
Newbie
Joined: 20 Sep 2001 Posts: 5
That's evidently the case, given the behavior I'm experiencing. I wonder how others deal with the issue of a firewall that has outbound rules in place. The firewall administrator here is not thrilled with the idea of opening up a range of ports for MQ.
PeterPotkay
Posted: Fri Aug 01, 2003 7:26 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
In version 5.3, you can specify the port (or range of ports) that a SNDR channel will use by specifying the LOCLADDR attribute.
See Chapter 6 of the Intercommunication Manual:
http://publibfp.boulder.ibm.com/epubs/html/csqzae09/csqzae09tfrm.htm
Here is the relevant passage:
Quote:
Local Address (LOCLADDR)
This parameter specifies the local communications address for the channel. When a LOCLADDR value is specified, a channel that is stopped and then restarted continues to use the TCP/IP address specified in LOCLADDR. In recovery scenarios, this could be useful when the channel is communicating through a firewall, because it removes problems caused by the channel restarting with a different IP address, specified by the TCP/IP stack to which it is connected.
This parameter is valid for the following channel types:
Sender
Server
Requester
Client-connection
Cluster-receiver
Cluster-sender
The value used is the optional IP address and optional port or port range to be used for outbound TCP/IP communications. The format is as follows:
LOCLADDR([ip-addr][(low-port[,high-port])])
where "ip-addr" is specified in dotted alphanumeric or decimal form, for example, (MACH1.ABC.COM) or (19.22.11.162), and "low-port" and "high-port" are port numbers enclosed in parentheses. When two port values are specified, the channel binds to the address specified, using an available port within the range covered by the two port values. All values are optional.
The maximum length of the string is MQ_LOCAL_ADDRESS_LENGTH.
Note:
If the LOCLADDR port is in use, TCP/IP requires a time period to release the previously used port. If enough time is not left, and if only 1 LOCLADDR port is specified, the previously used port will not be available and so a random port will be chosen rather than the LOCLADDR port.
_________________
Peter Potkay
Keep Calm and MQ On
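A checker for the LOCLADDR format quoted above, added here as an example (it is not code from this thread or from IBM): it parses `[ip-addr][(low-port[,high-port])]`, rejects values MQ would not accept, and relates the size of the port range to Doug's original problem, since each concurrent sender channel needs its own local port. The 48-character limit is an assumption, taken as the value of MQ_LOCAL_ADDRESS_LENGTH in cmqc.h.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: MQ_LOCAL_ADDRESS_LENGTH is 48, as defined in the MQ C header cmqc.h.
MQ_LOCAL_ADDRESS_LENGTH = 48

# Grammar quoted from the manual: [ip-addr][(low-port[,high-port])]
_LOCLADDR_RE = re.compile(
    r"^(?P<addr>[A-Za-z0-9][A-Za-z0-9.\-]*)?"             # host name or dotted-decimal IP
    r"(?:\((?P<low>\d{1,5})(?:,(?P<high>\d{1,5}))?\))?$"  # (low) or (low,high)
)

@dataclass(frozen=True)
class LocalAddress:
    ip_addr: Optional[str]    # None: the TCP/IP stack picks the source address
    low_port: Optional[int]   # None: the stack picks an ephemeral source port
    high_port: Optional[int]

    def ports(self) -> range:
        """Local ports the channel may bind to; empty when unconstrained."""
        if self.low_port is None:
            return range(0)
        return range(self.low_port, (self.high_port or self.low_port) + 1)

def parse_locladdr(value: str) -> LocalAddress:
    """Parse a LOCLADDR string, rejecting values MQ would not accept."""
    if len(value) > MQ_LOCAL_ADDRESS_LENGTH:
        raise ValueError("LOCLADDR longer than MQ_LOCAL_ADDRESS_LENGTH")
    m = _LOCLADDR_RE.match(value)
    if m is None:
        raise ValueError(f"malformed LOCLADDR: {value!r}")
    low = int(m["low"]) if m["low"] else None
    high = int(m["high"]) if m["high"] else None
    for port in (low, high):
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if high is not None and high < low:
        raise ValueError("high-port must not be below low-port")
    return LocalAddress(m["addr"], low, high)

def max_concurrent_channels(value: str) -> Optional[int]:
    """Each active sender channel needs its own local port, so the LOCLADDR range
    size caps how many can run at once (the thread's problem); None means the stack
    picks ephemeral ports. A just-closed port stays unavailable for a while (the
    manual's note), so a range of exactly N ports may not suffice for N restarts."""
    ports = parse_locladdr(value).ports()
    return len(ports) if ports else None
```

Run with values such as `(1500,1510)` or `MACH1.ABC.COM(1500)` to see the bind ports a firewall rule must allow, and how many channels the range can carry at once.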
PeterPotkay
Posted: Fri Aug 01, 2003 8:03 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
Also, don't forget about using the MQIPT (MQSeries Internet PassThru) Support pack, MS81: http://www-3.ibm.com/software/integration/support/supportpacs/individual/ms81.html
At a really high level, one of the things it allows you to do is mask the origin of your SNDR channels. For instance, an MQIPT instance sits between your QM and the bad guys' QM. You define a SNDR channel from your QM to MQIPT. MQIPT is listening on a specific port, say 3456. Its rules say that any communication it receives on port 3456 will be forwarded over to ip address xxx.xxx.xx.xx to port nnnn (the bad guys' ip address and port number) and to leave via port nnnn. Your firewall guys then make a rule that opens up port nnnn for traffic from your ip address to their ip address. All other ports remain locked down. And the bad guys can never see anything sitting behind MQIPT.
The reverse works for RCVRs. MQIPT will sit in between them and you, accepting their messages on a specific port, and forwarding them on to your QM's RCVR channel listening on port 1414, or whatever port you choose.
Again, the firewall guys only need to open a very specific hole, that is, traffic coming from their ip address to your ip address via the one port MQIPT is listening on for messages from the bad guys.
The above examples assumed that MQIPT was running on the same server as your QM.
_________________
Peter Potkay
Keep Calm and MQ On
dougpierson
Posted: Sun Aug 03, 2003 8:58 am Post subject: What are the rules for port usage?
Newbie
Joined: 20 Sep 2001 Posts: 5
Peter,
I should keep up with new functionality in each release! Thanks very much for your replies. Exactly what I needed.
Regards,
Doug Pierson
bduncan
Posted: Mon Aug 04, 2003 9:10 am Post subject:
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
Yeah, I had no idea that feature was added in 5.3... Thanks for the info Peter!
_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator