By default, the store-and-forward facility (the shipping server) cannot operate through a firewall. Passing through a firewall is usually accomplished by granting access to specific ports for certain IP addresses. Because the shipping server picks any available port number on the sending and receiving replica hosts to make the connection, there is no single port number (or even small range of port numbers) to which special access can be granted.
If your site uses a firewall, you can set up an “exposed host,” a host that you configure to communicate through the firewall and on which you install the shipping server software. You configure the shipping servers on the replica hosts at your site to send packets to the exposed host, and the shipping server on the exposed host forwards the packets to hosts on the other side of the firewall. To maximize security on the exposed host, you must specify the range of port numbers that the shipping server can use.
Note: To enhance site security, we recommend that you install the shipping server on an exposed host only if other transport methods are unsuitable for your site. This method is not available for Windows. For information about other methods, see File-Based Methods.
Figure 18 is an example of an exposed host configuration. The exposed hosts communicate through the firewall. The store-and-forward software is installed on them, but ClearCase software is not installed on them. Rational ClearCase and MultiSite are installed on the replica server hosts (labeled RA and RB).
Before installing the shipping server on an exposed host, consider the following issues:
Using the shipping server on an exposed host enables anyone coming in from the network to fill shipping bays on the local network, on any machine where a shipping server is available. To avoid full disks and the related problems:
In normal update packets, the data is not encrypted, and the shipping server itself does not encrypt it. Therefore, anyone shipping packets across an unsecured network must encrypt the packets by some other means. Also, the format of an update packet is not very complicated; a determined programmer could figure out the format and craft a packet containing operations that damage a VOB. Encrypting the data in transit makes this kind of attack much more difficult.
Allowing shipping server access through the firewall also allows access to every other server started by the albd_server. Because the albd_server assigns port numbers in the allowed range to the other servers it starts on the same host, programs from the outside network can connect to all of those servers as well. Therefore, the exposed host that runs the shipping server must not run any other ClearCase servers.
We recommend that you restrict both the ports to which outside programs can connect and the IP addresses that are allowed through the firewall. Limiting the allowed port numbers and IP addresses reduces the chance that an unauthorized machine can pass through the firewall.
You must allow access to the following ports on the exposed host:
You must allow access through the firewall for IP addresses of hosts that send packets through the firewall to the exposed host at your site.
For information about configuring your firewall, see the documentation for your firewall.
On UNIX, the ClearCase Product Family installation includes an option to install only the shipping server software. Follow the instructions in the Installation Guide for the ClearCase Product Family and select only the ClearCase MultiSite Shipping Server-only Installation option. Do not install ClearCase on the exposed host.
On Windows, there is no option to install only the shipping server software on an exposed host.
The environment variables CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT specify the range of port numbers that the albd_server and the shipping server can allocate for communication purposes. When the shipping server needs to assign a port number, it starts with the value of CLEARCASE_MIN_PORT and continues through the range until it reaches CLEARCASE_MAX_PORT. If a port in the range cannot be allocated, the shipping server sleeps and tries the ports again.
When the shipping server on the sending host detects that the port environment variables are set, it tries to use TCP to make the connection with the albd_server on the receiving host. If this connection fails, the shipping server tries UDP. Therefore, if you have TCP connectivity, you do not have to enable UDP or open UDP ports on the exposed host.
An individual shipping server does not need more than two ports at a time. When there are multiple requests to be sent, the shipping server forks, and child processes handle the individual requests. The shipping server starts no more than 10 child processes (and starts that many only if there are 10 requests to process simultaneously), so at most 20 ports are ever in use at once and a range of 20 ports is sufficient. If the range is smaller, some connection attempts may fail; they are retried later.
The value range for CLEARCASE_MIN_PORT is 1024 through 65534, and the value range for CLEARCASE_MAX_PORT is 1025 through 65535. The value of CLEARCASE_MAX_PORT must be greater than the value of CLEARCASE_MIN_PORT.
Note: We recommend that you use the range 49152 through 65535, which is the Dynamic/Private Port Range.
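As an added example (not ClearCase code), the following POSIX shell function checks a CLEARCASE_MIN_PORT/CLEARCASE_MAX_PORT pair against the constraints stated above before you set the variables: the permitted value ranges, max greater than min, the 20 ports needed by 10 child processes using two ports each, and the recommended Dynamic/Private range. The function name and warning texts are the example's own.

```shell
#!/bin/sh
# check_port_range MIN MAX
# Validates a CLEARCASE_MIN_PORT / CLEARCASE_MAX_PORT pair.
# Prints OK (and any warnings) and returns 0 when the pair is usable,
# prints a diagnostic and returns 1 when it is not.
# Limits come from the documentation: MIN in 1024..65534, MAX in 1025..65535,
# MAX > MIN, 10 children x 2 ports = 20 ports, recommended range 49152..65535.
check_port_range() {
    min=$1
    max=$2
    for p in "$min" "$max"; do
        case "$p" in
            ''|*[!0-9]*) echo "ports must be decimal integers"; return 1 ;;
        esac
    done
    if [ "$min" -lt 1024 ] || [ "$min" -gt 65534 ]; then
        echo "CLEARCASE_MIN_PORT $min is outside 1024-65534"; return 1
    fi
    if [ "$max" -lt 1025 ] || [ "$max" -gt 65535 ]; then
        echo "CLEARCASE_MAX_PORT $max is outside 1025-65535"; return 1
    fi
    if [ "$max" -le "$min" ]; then
        echo "CLEARCASE_MAX_PORT must be greater than CLEARCASE_MIN_PORT"; return 1
    fi
    width=$((max - min + 1))
    if [ "$width" -lt 20 ]; then
        # A smaller range is legal but connection attempts may fail and be retried.
        echo "WARNING: only $width ports; 10 children x 2 ports need 20, expect retries"
    fi
    if [ "$min" -lt 49152 ]; then
        echo "WARNING: range starts below the Dynamic/Private range 49152-65535"
    fi
    echo OK
    return 0
}

# Example use: a 20-port range inside the recommended block.
check_port_range 49152 49171
```

Run the function against the values you intend to export; a non-zero return means the pair would be rejected, while a WARNING line means it is accepted but not recommended.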
To specify minimum and maximum port values, set the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT environment variables in the following places:
This checklist summarizes the steps you must follow to use store-and-forward through a firewall.
On UNIX, edit the shipping.conf file and add ROUTE options. For example, on each replica server host at SiteA:
ROUTE SSA SiteB_host1 SiteB_host2 SiteB_host3 SiteC_host1 SiteC_host2 SiteC_host3
On Windows, open the MultiSite Control Panel and set the appropriate values in the Routing Information section. For example, on each replica server host at SiteA, the Next Routing Hop is SSA and the Destination Hostnames are SiteB_host1, SiteB_host2, SiteB_host3, SiteC_host1, SiteC_host2, and SiteC_host3.
Using the same example as in Step 5, on the exposed host at SiteA, you add the following ROUTE options to the shipping.conf file:
ROUTE SSB SiteB_host1 SiteB_host2 SiteB_host3
ROUTE SSC SiteC_host1 SiteC_host2 SiteC_host3
On the exposed host at SiteB, you add the following ROUTE options to the shipping.conf file:
ROUTE SSA SiteA_host1 SiteA_host2 SiteA_host3
ROUTE SSC SiteC_host1 SiteC_host2 SiteC_host3
On the exposed host at SiteC, you add the following ROUTE options to the shipping.conf file:
ROUTE SSA SiteA_host1 SiteA_host2 SiteA_host3
ROUTE SSB SiteB_host1 SiteB_host2 SiteB_host3
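The ROUTE tables above are hand-maintained on every replica host and every exposed host, so a destination that is listed under two next hops, or a next hop that is itself listed as a destination, is easy to introduce. As an added example (not a ClearCase tool), this shell function lints the ROUTE lines of a shipping.conf for those two mistakes; the sample configuration it runs on is constructed here from the SiteA exposed-host example.

```shell
#!/bin/sh
# route_check FILE
# Reads the ROUTE lines of a shipping.conf (ROUTE <next-hop> <dest> ...),
# prints one diagnostic per problem and returns 0 when no problems are found:
#   - a destination host listed under more than one next hop
#   - a next hop that is also listed as a destination
# Lines that do not start with ROUTE (comments, other options) are ignored.
route_check() {
    awk '
        $1 == "ROUTE" {
            hop = $2
            hops[hop] = 1
            for (i = 3; i <= NF; i++) {
                dest = $i
                seen[dest]++
                via[dest] = via[dest] (via[dest] ? "," : "") hop
            }
        }
        END {
            bad = 0
            for (d in seen) {
                if (seen[d] > 1) {
                    print "duplicate destination " d " routed via " via[d]
                    bad = 1
                }
                if (d in hops) {
                    print "next hop " d " is also listed as a destination"
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

# Constructed sample: the shipping.conf ROUTE lines for the exposed host at SiteA.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# routes forwarded by the SiteA exposed host
ROUTE SSB SiteB_host1 SiteB_host2 SiteB_host3
ROUTE SSC SiteC_host1 SiteC_host2 SiteC_host3
EOF

if route_check "$sample_conf"; then
    echo "routes OK"
fi
rm -f "$sample_conf"
```

Run the function on each host's shipping.conf after editing; a clean file produces no output and a zero return, which makes it easy to call from a deployment script.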