Using Store-and-Forward Through a Firewall (UNIX only)


By default, the store-and-forward facility (the shipping server) cannot operate through a firewall. Passing through a firewall is usually accomplished by granting access to specific ports for certain IP addresses. Because the shipping server picks any available port number on the sending and receiving replica hosts to make the connection, there is no single port number (or even small range of port numbers) to which special access can be granted.

If your site uses a firewall, you can set up an “exposed host,” a host that you configure to communicate through the firewall and on which you install the shipping server software. You configure the shipping servers on the replica hosts at your site to send packets to the exposed host, and the shipping server on the exposed host forwards the packets to hosts on the other side of the firewall. To maximize security on the exposed host, you must specify the range of port numbers that the shipping server can use.

Note: To enhance site security, we recommend that you install the shipping server on an exposed host only if other transport methods are unsuitable for your site. This method is not available for Windows. For information about other methods, see File-Based Methods.

Figure 18 is an example of an exposed host configuration. The exposed hosts communicate through the firewall. The store-and-forward software is installed on them, but ClearCase software is not installed on them. Rational ClearCase and MultiSite are installed on the replica server hosts (labeled RA and RB).

Figure 18 Store-and-Forward Configuration

Firewall Issues

Before installing the shipping server on an exposed host, consider the following issues:

Configuring Your Firewall to Limit Access

We recommend that you specify the ports to which programs can connect and the IP addresses that are allowed to access the firewall. Limiting the allowed port numbers and IP addresses limits the possibility that unauthorized machines can breach the firewall.

You must allow access to the following ports on the exposed host:

  - TCP port 371, the port on which albd_server listens; the sending shipping server contacts the receiving host's albd_server on this port.
  - The ports in the range CLEARCASE_MIN_PORT through CLEARCASE_MAX_PORT, which the shipping server uses for the data connection (see Controlling Ports Used by albd_server and shipping_server). If you have TCP connectivity, open this range for TCP only; UDP is used only as a fallback.

You must allow access through the firewall for IP addresses of hosts that send packets through the firewall to the exposed host at your site.

For information about configuring your firewall, see the documentation for your firewall.

Installing the Shipping Server on an Exposed Host

On UNIX, the ClearCase Product Family installation includes an option to install only the shipping server software. Follow the instructions in the Installation Guide for the ClearCase Product Family and select only the ClearCase MultiSite Shipping Server-only Installation option. Do not install ClearCase on the exposed host.

On Windows, there is no option to install only the shipping server software on an exposed host.

Controlling Ports Used by albd_server and shipping_server

The environment variables CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT specify the range of port numbers that the albd_server and the shipping server can allocate for communication purposes. When the shipping server needs to assign a port number, it starts with the value of CLEARCASE_MIN_PORT and continues through the range until it reaches CLEARCASE_MAX_PORT. If a port in the range cannot be allocated, the shipping server sleeps and tries the ports again.

When the shipping server on the sending host detects that the port environment variables are set, it tries to use TCP to make the connection with the albd_server on the receiving host. If this connection fails, the shipping server tries UDP. Therefore, if you have TCP connectivity, you do not have to enable UDP or open UDP ports on the exposed host.

Running an individual shipping server does not require more than two ports at a time. When there are multiple requests to be sent, the shipping server forks, and child processes handle individual requests. The shipping server starts no more than 10 child processes (and starts that many only if 10 requests must be processed simultaneously), so at most 20 ports are in use at once; a range of at least 20 ports therefore covers the worst case. If the range is smaller, some connection attempts fail when the range is exhausted, and those requests are retried later.

Specifying Port Values

The value range for CLEARCASE_MIN_PORT is 1024 through 65534, and the value range for CLEARCASE_MAX_PORT is 1025 through 65535. The value of CLEARCASE_MAX_PORT must be greater than the value of CLEARCASE_MIN_PORT.

Note: We recommend that you choose the range from within 49152 through 65535, which is the Dynamic/Private Port Range. You do not need to open all of it on the firewall: a window of 20 ports (for example, 49152 through 49171) covers the most the shipping server can use at once, and a narrow window keeps the opening in the firewall small.
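The following shell script is an added example and is not part of the ClearCase documentation or product. It checks a CLEARCASE_MIN_PORT/CLEARCASE_MAX_PORT pair against the rules above (1024 to 65534, 1025 to 65535, MAX greater than MIN), checks that the range holds the 20 ports the shipping server can need at once, and prints iptables rules for the exposed host that admit TCP port 371 and the chosen range only from listed sender addresses. The sender address (192.0.2.10) and the port window are constructed for the example; the iptables command and its flags are standard Linux iptables, but adapt the rules to whatever firewall your site runs.

```shell
#!/bin/sh
# Added example, not from the ClearCase documentation.
# Validates CLEARCASE_MIN_PORT/CLEARCASE_MAX_PORT and emits exposed-host
# firewall rules. Addresses and port values are constructed examples.

# check_port_range MIN MAX -> 0 if the pair satisfies the documented rules,
# 1 otherwise (non-numeric, out of range, or MAX not greater than MIN).
check_port_range() {
    min=$1; max=$2
    [ -n "$min" ] && [ -n "$max" ] || return 1
    case "$min$max" in *[!0-9]*) return 1 ;; esac      # digits only
    [ "$min" -ge 1024 ] && [ "$min" -le 65534 ] || return 1
    [ "$max" -ge 1025 ] && [ "$max" -le 65535 ] || return 1
    [ "$max" -gt "$min" ] || return 1
    return 0
}

# range_width MIN MAX -> number of ports in the inclusive range.
range_width() {
    echo $(( $2 - $1 + 1 ))
}

# range_is_sufficient MIN MAX -> 0 if the range holds the 20 ports that
# 10 child shipping servers using 2 ports each can need, 1 if narrower.
range_is_sufficient() {
    [ "$(range_width "$1" "$2")" -ge 20 ]
}

# gen_firewall_rules MIN MAX SENDER... -> iptables INPUT rules for the
# exposed host: TCP 371 (albd_server) and the shipping-server range are
# accepted only from each listed sender, then dropped from everyone else.
gen_firewall_rules() {
    min=$1; max=$2; shift 2
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport 371 -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $src --dport $min:$max -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 371 -j DROP"
    echo "iptables -A INPUT -p tcp --dport $min:$max -j DROP"
}

# Usage with a constructed 20-port window and one constructed sender.
if check_port_range 49152 49171; then
    if ! range_is_sufficient 49152 49171; then
        echo "warning: fewer than 20 ports; busy periods will see retries" >&2
    fi
    gen_firewall_rules 49152 49171 192.0.2.10
else
    echo "invalid port range" >&2
fi
```

Run the script on the exposed host with `CLEARCASE_MIN_PORT` and `CLEARCASE_MAX_PORT` substituted for the literals; the printed rules are the TCP-only set described above, so add matching UDP rules only if your site cannot rely on TCP connectivity.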

To specify minimum and maximum port values, set the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT environment variables in the following places:

Checklist for Using Store-and-Forward Through a Firewall

This checklist summarizes the steps you must follow to use store-and-forward through a firewall.

  1. Determine the port ranges that the shipping server can use and the IP addresses of the hosts that will send packets to your site’s exposed host.
  2. Configure your firewall to limit the allowed port numbers and IP addresses. Remember that you must allow access to TCP port 371 in addition to the port ranges.
  3. Install the shipping server software on the exposed host.
  4. Set the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT environment variables.
  5. On each replica server host at your site, specify the exposed host as the next-hop host for packets sent to other sites. For example, suppose your company has three sites (SiteA, SiteB, SiteC), each with one exposed host running the shipping server (SSA, SSB, SSC) and three replica server hosts.

     On UNIX, edit the shipping.conf file and add ROUTE options. For example, on each replica server host at SiteA:

     ROUTE SSA SiteB_host1 SiteB_host2 SiteB_host3 SiteC_host1 SiteC_host2 SiteC_host3

     On Windows, open the MultiSite Control Panel and set the appropriate values in the Routing Information section. For example, on each replica server host at SiteA, the Next Routing Hop is SSA and the Destination Hostnames are SiteB_host1, SiteB_host2, SiteB_host3, SiteC_host1, SiteC_host2, and SiteC_host3.

  6. On the exposed host, edit the shipping.conf file and add ROUTE options for the next destination of the packets. Using the same example as in Step 5, on the exposed host at SiteA, add the following ROUTE options to the shipping.conf file:

     ROUTE SSB SiteB_host1 SiteB_host2 SiteB_host3
     ROUTE SSC SiteC_host1 SiteC_host2 SiteC_host3

     On the exposed host at SiteB, add the following ROUTE options to the shipping.conf file:

     ROUTE SSA SiteA_host1 SiteA_host2 SiteA_host3
     ROUTE SSC SiteC_host1 SiteC_host2 SiteC_host3

     On the exposed host at SiteC, add the following ROUTE options to the shipping.conf file:

     ROUTE SSA SiteA_host1 SiteA_host2 SiteA_host3
     ROUTE SSB SiteB_host1 SiteB_host2 SiteB_host3
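The routing in the checklist follows one pattern: every replica server host routes all foreign destinations through its own site's exposed host, and each exposed host routes each remote site's hosts through that site's exposed host. The shell script below is an added example (not part of the ClearCase documentation) that generates those ROUTE lines from a single site table so that the three shipping.conf files stay consistent when a host is added. The site names, exposed-host names (SSA, SSB, SSC) and replica hostnames are the constructed ones used in the checklist.

```shell
#!/bin/sh
# Added example, not from the ClearCase documentation: derive shipping.conf
# ROUTE lines for replica hosts and exposed hosts from one site table.
# Hostnames below are the constructed examples from the checklist.

# One site per line: <site> <exposed host> <replica hosts...>
SITES='SiteA SSA SiteA_host1 SiteA_host2 SiteA_host3
SiteB SSB SiteB_host1 SiteB_host2 SiteB_host3
SiteC SSC SiteC_host1 SiteC_host2 SiteC_host3'

# replica_route SITE -> the single ROUTE line to put in shipping.conf on
# every replica server host at SITE: next hop is SITE's own exposed host,
# destinations are every replica host at every other site.
replica_route() {
    site=$1
    hop=$(printf '%s\n' "$SITES" | awk -v s="$site" '$1 == s { print $2 }')
    dests=$(printf '%s\n' "$SITES" | awk -v s="$site" \
        '$1 != s { for (i = 3; i <= NF; i++) printf " %s", $i }')
    printf 'ROUTE %s%s\n' "$hop" "$dests"
}

# exposed_routes SITE -> the ROUTE lines to put in shipping.conf on SITE's
# exposed host: one line per remote site, next hop is that site's exposed
# host, destinations are that site's replica hosts.
exposed_routes() {
    site=$1
    printf '%s\n' "$SITES" | awk -v s="$site" '
        $1 != s {
            line = "ROUTE " $2
            for (i = 3; i <= NF; i++) line = line " " $i
            print line
        }'
}

# Usage: print the configuration for one site.
for site in SiteA SiteB SiteC; do
    echo "# replica server hosts at $site:"
    replica_route "$site"
    echo "# exposed host at $site:"
    exposed_routes "$site"
done
```

Append the printed lines for a site to the shipping.conf on the hosts named in the comment above them; the same table also gives you the list of sender addresses to allow through the firewall in Step 2 (the exposed hosts of the other sites).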