Firewall Considerations

The firewall must allow the following connections for Connection Manager to operate correctly:

  1. Command Center must be able to open TCP connections to:
    • CMS: generally executing in the Internal Network on port 48443
    • CMA: generally executing in the DMZ on port 48443
    • Internet Server: generally executing in the DMZ on port 443 or 7443

    If these ports are not open, Connection Manager can still operate, but you cannot use Command Center to configure the Connection Manager nodes. Normal Command Center and Internet Server definitions will still work. However, to change the ports on a CMA or Internet Server, you must edit the XML configuration files directly. See the Connection Manager Configuration Files section.

  2. CMS must be able to open TCP connections to the CMA on ports 48000 and 48001. If this is not allowed, Connection Manager will not work.
  3. Internet Server must be able to open TCP connections to the CMA on port 41080. If this is not allowed, Connection Manager will not work.
  4. CMS must be able to open TCP connections to internal servers. If this is not allowed, Connection Manager requests to that server will not work.
  5. Server shutdown ports (generally 48005) are not documented above since they do not need to be allowed by the firewall. The MFTIS, CMA and CMS shutdown ports are typically used by shutdown scripts executing on the instance where the MFTIS, CMA or CMS server is executing.
  6. When a connection is active between a CMS and a CMA, the CMA initiates “heartbeat” requests to the CMS every 45 seconds. If a response is not received within 45 seconds, the CMA will break the connection to the CMS and will wait for the CMS to establish a new connection to the CMA.
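
The flows in the list above can be checked against a firewall allow-list before deployment. The following is an added example, not part of the product or its documentation: it reports required flows that are missing and rules that open a shutdown port unnecessarily. The role names, the (source, destination, port) rule format and the sample rule set are assumptions made for illustration; item 4 (CMS to internal servers) is left out because its ports are site-specific.

```python
# Added example: role names and the sample allow-list are constructed.
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    ports: tuple   # alternatives: any one open port satisfies the flow
    impact: str    # consequence of blocking it, as stated in the list above

NO_CONFIG = "Command Center cannot configure this node"
FATAL = "Connection Manager will not work"
SHUTDOWN_PORT = 48005  # "generally 48005"; used locally, not needed across the firewall

REQUIRED = [
    Flow("CommandCenter", "CMS", (48443,), NO_CONFIG),
    Flow("CommandCenter", "CMA", (48443,), NO_CONFIG),
    Flow("CommandCenter", "InternetServer", (443, 7443), NO_CONFIG),
    Flow("CMS", "CMA", (48000,), FATAL),
    Flow("CMS", "CMA", (48001,), FATAL),
    Flow("InternetServer", "CMA", (41080,), FATAL),
]

def audit(allowed):
    """allowed: iterable of (src, dst, port) allow rules.
    Returns (missing required flows, rules that open a shutdown port)."""
    allowed = set(allowed)
    missing = [f for f in REQUIRED
               if not any((f.src, f.dst, p) in allowed for p in f.ports)]
    unneeded = sorted(r for r in allowed if r[2] == SHUTDOWN_PORT)
    return missing, unneeded

# Constructed sample rule set: Internet Server listens on 7443, the
# CMS -> CMA 48001 rule was forgotten, and a shutdown port was opened.
SAMPLE_RULES = [
    ("CommandCenter", "CMS", 48443),
    ("CommandCenter", "CMA", 48443),
    ("CommandCenter", "InternetServer", 7443),
    ("CMS", "CMA", 48000),
    ("InternetServer", "CMA", 41080),
    ("CommandCenter", "CMA", 48005),
]

if __name__ == "__main__":
    missing, unneeded = audit(SAMPLE_RULES)
    for f in missing:
        print(f"MISSING  {f.src} -> {f.dst} tcp/{'|'.join(map(str, f.ports))}: {f.impact}")
    for src, dst, port in unneeded:
        print(f"UNNEEDED {src} -> {dst} tcp/{port}: shutdown port, remove rule")
```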