Académique Documents
Professionnel Documents
Culture Documents
Configuring BusinessObjects Enterprise for firewalls on page 309 Examples of typical firewall scenarios on page 313
296
The reference to a BusinessObjects Enterprise server will contain the server machine's host name by default. (If a machine has more than one hostname, the primary hostname is chose). You can configure a server so that its reference contains the IP address instead.
297
Related Topics
Server Intelligence Agents (SIA) communicate with the Central Management Server (CMS)
Your deployment will not work if the Server Intelligence Agent (SIA) and Central Management Server (CMS) cannot communicate with each other. Ensure that your firewall ports are configured to allow communication between the SIA and the CMS.
Job server child processes communicate with the data tier and the CMS
Most job servers create a child process to handle a task such as generating a report. The job server will create one or more child processes. Each child process has its own Request Port. By default, a job server will dynamically select a Request Port for each child process. You can specify a range of port numbers that the job server can select from. All child processes communicate with the CMS. If this communication crosses a firewall, you must: Specify the range of port numbers that the job server can select from. Note that the port range should be large enough to allow the maximum number of child process as specified by -maxJobs. Open the specified port range on the firewall.
Many child processes communicate with the data tier. For example, a child process might connect to a reporting database, extract data, and calculate values for a report. If the job server child process communicates with the data tier across a firewall, you must must: Open a communicate path on the firewall from any port on the job server machine to the database listen port on the database server machine.
298
Related Topics
299
Note:
The web application server only needs to communicate with BusinessObjects Enterprise servers that are used in the deployment. For example, if Crystal Reports is not being used, the web application server does not need to communicate with the Crystal Reports Processing Servers. 7. Job Servers use the port numbers that are specified with the -re questJSChildPorts <port range> command. If no numbers are specified in the command line, the servers use random port numbers. To allow a job server to communicate with an FTP or mail server on another machine either open all of the ports in the range specified by -re questJSChildPorts on your firewall, or add the job server child process as an exception for your firewall. 8. The CMS must be able to initiate communication with the CMS database listen port. 9. The Connection Server, most Job Server child process, and every Processing Server must be able to initiate communication with the reporting database listen port. Each database vendor uses a different listen port. For example, MySQL uses 3306 by default.
Related Topics
300
CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port Output FRS Request Port
Crystal Reports
RAS Request Port Crystal Reports Cache Crystal Reports Cache ServServer er Request Port Crystal Reports Page Crystal Reports Page Server Server Request Port Web Intelligence ProWeb Intelligence Processing cessing Server Server Request Port
301
CMS Input FRS Output FRS Live Office web application Report Application Server (RAS)
CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port Output FRS Request Port
Live Office
RAS Request Port Web Intelligence ProWeb Intelligence Processing cessing Server Server Request Port Adaptive Processing Adaptive Processing Server Server Request Port Crystal Reports Cache Crystal Reports Cache ServServer er Request Port
web application server that hosts the Live Of- HTTP port (80 by default) fice web application
Live Office
CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port
302
CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port Output FRS Request Port CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port Connection Server port CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port
CMS Business Objects Universe Input FRS EnterDesigner prise Connection Server
303
The following ports must be open to allow CCM to manage remote BusinessObjects Enterprise servers: CMS Name Server Port (6400 by default) CMS Request Port The following ports must be open to allow CCM to manage remote SIA processes: Central Business Configura- CMS Objects tion Man- Server Intelligence Enterager Agent (SIA) prise (CCM) Microsoft Directory Services (TCP port 445) NetBIOS Session Service (TCP port 139) NetBIOS Datagram Service (UDP port 138) NetBIOS Name Service (UDP port 137) DNS (TCP/UDP port 53) (Note that some ports listed above may not be required. Consult your Windows administrator).
304
SIA Request Port (6410 by default) Server InBusiness telligence Every Business Ob- CMS Name Server Port Objects Agent jects server including (6400 by default) Enter(SIA the CMS CMS Request Port prise ) Request Port for each server that is managed by the SIA CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port Output FRS Request Port CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port Output FRS Request Port CMS Name Server Port (6400 by default) CMS Request Port Input FRS Request Port
305
All Business Objects Business Enterprise servers required by the deObjects CMS Name Server Port ployed products. Enter(6400 by default) Business prise For example, commuObjects SDK host- nication with the Crys- CMS Request Port Entered in the tal Reports Cache prise web appli- Server Request Port Request Port for each server that is required. cation is required only if server Crystal Reports is deployed and used. CMS Name Server Port (6400 by default) CMS Request Port MDAS port Input FRS Request Port Output FRS Request Port
Voyager
OLAP
Note:
To configure the Report Application Server in a firewalled environment, you must implement the following steps: 1. Open the incoming RAS request port; this port is identified by the -re questport server command line switch. 2. Open all outgoing ports: By default, the RAS server picks a dynamic outgoing port. If you want to limit the outgoing ports, update the following registry keys with your specified range of ports, and enable these ports and the RAS request port.
306
For Windows, specify the range of ports in the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite
12.0\CER\RequestPortLower
"RequestPortLower"=dword:0 "RequestPortUpper"=dword:10000
CMS Database
Database server Central Manage- listen port ment Server For example, (CMS) MySQL uses port 3306.
MySQL is installed with Business Objects Enterprise. The CMS is the only server that communicates with the CMS database.
307
Business Objects compoThird-party appliThird-party nent that uses cation port require- Description application the third-party ment product
Every Job Server child process For example, MySQL uses port Every Process- 3306. ing Server
HTTP port and Live Office Rich HTTPS port. Client The HTTPS port is only web applica- All Business Ob- For example, on required if secure HTTP tion server jects portals in- Tomcat the default HTTP port is 8080 communication is used. cluding InfoView and the default and CMC HTTPS port is 443. The Job Servers use the FTP ports to allow send to FTP. The Job Servers use the SMTP port to allow send to email .
FTP server
Every Job Serv- FTP In (port 21) er FTP Out (port 22)
308
Business Objects compoThird-party appliThird-party nent that uses cation port require- Description application the third-party ment product
Unix servers to rexec out (port 512) which the Every Job Serv(Unix only) rsh out Job Servers er (port 514) can send content CMS web application server that hosts the BusinessObjects Enterprise Authentica- SDK tion Server every Rich Client, except Live Office and Desktop Intelligence in threetier "Zabo" mode
(Unix only) The Job Servers use these ports to allow send to disk .
User credentials are Connection port for stored in the third-party third-party authenti- authentication server. cation. The CMS, BusinessObjects Enterprise SDK, For example, the connection server and the Rich clients listed here need to for the Oracle LDAP server is de- communicate with the fined by the user in third-party authentication sever when a user the file ldap.ora. logs on.
309
If BusinessObjects Enterprise is deployed across firewalls that use NAT, every BusinessObjects Enterprise server on all machines needs a unique Request Port number. That is, no two servers in the entire deployment can share the same Request Port.
310
Note:
You do not need to specify any outbound access rules. BusinessObjects Enterprise servers do not initiate communication to the web application server, or to any client applications.
Example:
This example shows the inbound access rules for a firewall between the web application server and the BusinesObjects Enterprise servers. In this case you would open two ports for the CMS, one port for the Input File Repository Server (FRS), and one port for the Output FRS. The Request Port numbers are the port numbers you specify in the Port text box in the CMC configuration page for a server. Source Computer Destination Port Computer
Port
Action
web application Any server web application Any server web application Any server web application Any server Any Any
CMS
6400
Allow
CMS
<Request Allow Port number> <Request Allow Port number> <Request Allow Port number> Any Reject
Input FRS
Output FRS
CMS
Any
Any
Reject
311
Related Topics
BusinessObjects Enterprise can be deployed on machines that use Domain Name System (DNS). In this case, the server machine host names can be mapped to externally routable IP address on the DNS server, instead of in each machine's hosts file.
A firewall is deployed to protect an internal network from unauthorized access. Firewalls that use "NAT" will map the IP addresses from the internal network to a different address that is used by the external network. This "address translation" improves security by hiding the internal IP addresses from the external network. BusinessObjects Enterprise components such as servers, rich clients, and the web application server hosting the BusinessObjects Enterprise SDK will use a server reference to contact a server. The server reference contains the hostname of the server's machine. This hostname must be routable from the BusinessObjects Enterprise component's machine. This means the hosts file on the BusinessObjects Enterprise component's machine must map the server machine's hostname to the server machine's external IP address. The server machine's external IP address is routable from external side of the firewall, whereas the internal IP address is not. The procedure for configuring the hosts file is different for Windows and UNIX.
312
To configure the hosts file on Windows 1. Locate every machine that runs a BusinessObjects Enterprise component that must communicate across a firewall on which "Network Address Translation " ("NAT") is enabled. 2. On each machine located in the previous step, open the hosts file using a text editor like Notepad. The hosts file is located at \WINNT\sys tem32\drivers\etc\hosts. 3. Follow the instructions in the hosts file to add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server or servers. Map the server machine's hostname or fully qualified domain name to its external IP address. 4. Save the hosts file. To configure the hosts file on UNIX
Note:
Your UNIX operating system must be configured to first consult the "hosts" file to resolve domain names before consulting DNS. Consult your UNIX systems documentation for details. 1. Locate every machine that runs a BusinessObjects Enterprise component that must communicate across a firewall on which "Network Address Translation " ("NAT") is enabled. 2. Open the "hosts" file using an editor like vi. The hosts file is located in the following directory \etc 3. Follow the instructions in the hosts file to add an entry for each machine behind the firewall that is running a BusinessObjects Enterprise server or servers. Map the server machine's hostname or fully qualified domain name to its external IP address. 4. Save the hosts file.
313
314
315
3. Configure the firewalls Firewall_1 and Firewall_2 to allow communication to the fixed ports on the BusinessObjects Enterprise servers and the web application server that you configured in the previous step. Note that port 6400 is the default port number for the CMS Name Server Port and did not need to be explicitly configured. In this example we are opening the HTTP Port for the Tomcat Application server.
Table 5-5: Configuration for Firewall_1
Port Any
Port 8080
Action Allow
316
Source ComPort puter boe_1 boe_1 boe_1 boe_1 boe_1 boe_1 boe_1 Any Any Any Any Any Any Any
4. This firewall is not NAT-enabled, and so we do not have to configure the hosts file
Related Topics
Configuring port numbers on page 166 Understanding communication between BusinessObjects Enterprise components on page 296
Example - Rich client and database tier separated from BusinessObjects Enterprise servers by a firewall
This example shows how to configure a firewall and BusinessObjects Enterprise to work together in a deployment scenario where: One firewall separates a rich client from BusinessObjects Enterprise servers. One firewall separates BusinessObjects Enterprise servers from the database tier.
In this example, BusinessObjects Enterprise components are deployed across these machines:
317
Machine boe_1 hosts the Publishing Wizard. Publishing Wizard is a BusinessObjects Enterprise rich client. Machine boe_2 hosts the Intelligence tier servers, including the Central Management Server, the Input File Repository Server, the Output File Repository Server, and the Event server. Machine boe_3 hosts the Processing tier servers, including: Crystal Reports Job Server, Program Job Server, Destination Job Server, List of Values Job Server, Web Intelligence Job Server, Web Intelligence Report Server, Report Application Server, and the Crystal Reports Page Server. Machine Databases hosts the CMS database and the reporting database. Note that you can deploy both databases on the same database server, or you can deploy each database on its own database server. In this example, both the CMS database and the reporting database are deployed on the same database server. The database server listen port is 3306, which is the default listen port for MySql server.
Figure 5-2: Rich client and database tier deployed on separate networks
318
The Publishing Wizard must be able to initiate communication with the Input File Repository Server and the Output File Repository Server. The Connection Server, every Job Server child process, and every Processing Server must have access to the listen port on the reporting database server. The CMS must have access to the database listen port on the CMS database server.
2. Configure a specific port for the CMS, the Input FRS, and the Output FRS. Note that you can use any free port between 1,025 and 65,535. The port numbers chosen for this example are listed in the table:
Server Central Management Server Input File Repository Server Output File Repository Server Port Number 6411 6415 6416
3. We do not need to configure a port range for the Job Server children because the firewall between the job servers and the database servers will be configured to allow any port to initiate communication. 4. Configure Firewall_1 to allow communication to the fixed ports on the BusinessObjects Enterprise servers that you configured in the previous step. Note that port 6400 is the default port number for the CMS Name Server Port and did not need to be explicitly configured in the previous step.
Port Any Any Any Any Destination Computer boe_2 boe_2 boe_2 boe_2 Port 6400 6411 6415 6416 Action Allow Allow Allow Allow
319
Configure Firewall_2 to allow communication to the database server listen port. The CMS (on boe_2) must have access to the CMS database and the Job Servers (on boe_3) must have access to the reporting database. Note that we did not have configure a port range for job server child processes because their communication with the CMS did not cross a firewall.
Source ComPort puter boe_2 boe_3 Any Any Destination Computer Databases Databases Port 3306 3306 Action Allow Allow
5. This firewall is not NAT-enabled, and so we do not have to configure the hosts file
Related Topics
Understanding communication between BusinessObjects Enterprise components on page 296 Configuring BusinessObjects Enterprise for firewalls on page 309
320