Any network that is connected to the Internet is usually protected by some form of firewall, often in conjunction with different kinds of “demilitarized zones” and other security measures. If there is a desire to install the components of LISTSERV Maestro behind a firewall, or in different protection zones so that some are behind and others are in front of the firewall, it is necessary to take into account the communication channels between the separate components.
Communication occurs exclusively using TCP ports (see the Section 14 Using Non-Standard Ports for more information). If the components are installed behind, in front of, or on both sides of a firewall, then the firewall needs to be configured to let communication through on certain ports between certain servers. Figure 16-1 shows LISTSERV Maestro components and all other players (the Maestro Administrator, the Maestro User, and the Internet, which represents the messages recipients) and their interconnections.
At each communication line, a labeled arrow illustrates the direction of the communication between the two components, and the port used for this communication. The communication can go in one direction or both directions. However, if the communication goes in both directions, then an open port is required on both sides.
All the components shown in the figure (except for the Internet, LISTSERV Maestro Administrator, and LISTSERV Maestro User) may reside on a single server or may be distributed over different servers, up to the maximum distribution of a dedicated server for each of the components shown (or multiple servers in the cases of LISTSERV and SMTP).
When two components are installed on the same server, a firewall will not stop the communication between the two (except if the firewall is installed on the same server, where the firewall may close the ports the components use to communicate). However, if some components are installed on separate servers, a firewall may sit between the two. Most commonly, a firewall will separate the Internet from the other components. The other components may also be installed in a way that has a firewall between them.
If that is the case, then the firewall must be configured so that it allows communication between the two components, as specified by the arrow(s) associated with the connection the firewall guards. The direction of the arrow shows the direction the port should be opened, and the label of the arrow defines which port needs to be open.
For most components, the safest method will be to open the firewall for only the required port(s) in the required direction(s), and between the IP addresses of the servers where the components reside.
For example, if there is a firewall between the Maestro Tracker and the Maestro User Interface component, open the Communications Port and the Internal Communications Port
only in the direction from the Maestro User Interface host to the Maestro Tracker host. Open both ports
only for the IP address involved. This limits the possible security breaches in the case of an unauthorized person gaining access to one of the component servers.
Allowing the Application Server Shutdown Port, (default 8007) access through the firewall is not a concern, as this port is only ever used locally for communication between two processes on the same server. If there is a firewall on the server itself, this port might also have to be opened. Simply check if the L-Soft Tomcat server still reacts to the
Stop command. If not, then the port needs to be opened.