<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.13" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=656534509-20112008><FONT face=Arial
color=#0000ff size=2>Hi Rick,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=656534509-20112008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=656534509-20112008><FONT face=Arial
color=#0000ff size=2>To get AG toolkit working on a unicast network, you
only need to have the following ports configured:</FONT></SPAN><SPAN
class=656534509-20112008></DIV>
<DIV dir=ltr align=left>
<TABLE>
<TR><TD>8000</TD><TD>TCP</TD><TD></TD><TD>Virtual Venue Server Port</TD></TR>
<TR><TD>8002</TD><TD>TCP</TD><TD></TD><TD>Event Port</TD></TR>
<TR><TD>5223</TD><TD>TCP</TD><TD></TD><TD>Text Port</TD></TR>
<TR><TD>8006</TD><TD>TCP</TD><TD></TD><TD>Data Port</TD></TR>
<TR><TD>47000</TD><TD>UDP</TD><TD>Internal</TD><TD>Rat - Internal Port</TD></TR>
<TR><TD>50000-50020</TD><TD>TCP</TD><TD></TD><TD>Data Transfer Port</TD></TR>
<TR><TD>10000-10999</TD><TD>UDP</TD><TD></TD><TD></TD></TR>
<TR><TD>1992</TD><TD>TCP</TD><TD></TD><TD>Bridge Listening Port</TD></TR>
<TR><TD>8030</TD><TD>TCP</TD><TD></TD><TD>Bridge Registry Peer</TD></TR>
</TABLE>
<DIV align=left> </DIV>
<DIV align=left></SPAN><SPAN
class=656534509-20112008><FONT face=Arial color=#0000ff size=2>The above info
comes from our firewall web page:</FONT></SPAN></DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2><A
href="http://www.ja.net/services/video/agsc/technical-information/porttable.html">http://www.ja.net/services/video/agsc/technical-information/porttable.html</A></FONT></SPAN></DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2>If you're installing Toolkit on Windows XP, you may find the
following document useful:</FONT></SPAN></DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2><A
href="http://www.ja.net/documents/services/video/installingagtkonwindows_000.pdf">http://www.ja.net/documents/services/video/installingagtkonwindows_000.pdf</A></FONT></SPAN></DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2>I think a lot of the ports you've mentioned below are specific to other
applications that are not necessary, i.e. VNC, FTP, SSH
etc.</FONT></SPAN></DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2>And the info is quite old, so it may actually refer to AG Toolkit v2.x -
you should be using v3.1 stable release.</FONT></SPAN></DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2>Cheers, Ben.</FONT></SPAN></DIV>
<DIV align=left><SPAN class=656534509-20112008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV align=left><SPAN class=656534509-20112008><!-- Converted from text/plain format -->
<P><FONT size=2>-----------------------------------------<BR>Ben
Green<BR><BR>Access Grid Support Centre<BR>Research Computing
Services<BR>University of Manchester<BR>Room 73A, Devonshire House, Precinct
Centre,<BR>Oxford Road, Manchester, M13 9PL<BR>tel: +44 (0)161 306 6621<BR>fax:
+44 (0)161 275 6120<BR>email - ben.green@manchester.ac.uk<BR>web -
www.agsc.ja.net<BR>-----------------------------------<BR></FONT></P></SPAN></DIV></DIV><BR>
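<P>An added example, not part of the original thread or of the AG Toolkit: a small allow-list audit that diffs the older port list from the quoted question below against the ports listed in the reply above. The protocols assigned to the VNC and unicast-bridge ranges are assumptions, since the question does not state them.</P>

```python
from collections import defaultdict

# Ports from the reply above (AG Toolkit on a unicast network).
REQUIRED = ("8000/tcp 8002/tcp 5223/tcp 8006/tcp 47000/udp "
            "50000-50020/tcp 10000-10999/udp 1992/tcp 8030/tcp")

# Older list from the quoted question. ASSUMPTION: the two ranges given
# without a protocol are taken as TCP (VNC) and UDP (unicast bridge).
PROPOSED = ("8000/tcp 8002/tcp 8004/tcp 8006/tcp 5222/tcp 7777/tcp "
            "4561/tcp 5001/tcp 5800-5999/tcp 49152-65535/udp")


def parse(spec):
    """Turn 'port/proto' and 'lo-hi/proto' tokens into {proto: set of ports}."""
    ports = defaultdict(set)
    for token in spec.split():
        rng, proto = token.split("/")
        lo, _, hi = rng.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535) or proto not in ("tcp", "udp"):
            raise ValueError(f"bad port spec: {token}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def compact(numbers):
    """Collapse a set of port numbers back into sorted 'lo-hi' strings."""
    runs = []
    for p in sorted(numbers):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p          # extend the current run
        else:
            runs.append([p, p])      # start a new run
    return [str(a) if a == b else f"{a}-{b}" for a, b in runs]


def audit(allowed, required):
    """Return (excess, missing): ports open but not needed, and needed but closed."""
    have, need = parse(allowed), parse(required)
    excess = {p: compact(have[p] - need[p]) for p in ("tcp", "udp")}
    missing = {p: compact(need[p] - have[p]) for p in ("tcp", "udp")}
    return excess, missing


if __name__ == "__main__":
    excess, missing = audit(PROPOSED, REQUIRED)
    print("open but not required:", excess)
    print("required but not open:", missing)
```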
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> owner-ag-tech@mcs.anl.gov
[mailto:owner-ag-tech@mcs.anl.gov] <B>On Behalf Of </B>R. P. C.
Rodgers<BR><B>Sent:</B> 20 November 2008 02:41<BR><B>To:</B>
ag-tech<BR><B>Subject:</B> [AG-TECH] Clarification of firewall requirements for
AG<BR></FONT><BR></DIV>
<DIV></DIV>Dear AG Colleagues,<BR><BR>I am trying to configure a small SonicWall
network security appliance to allow Access Grid to<BR>work well. I am
using a cable broadband provider that does not support multicast, so will
be<BR>using bridges. Before proceeding I wanted to seek wider
advice. Several years ago I extracted a list<BR>of ports/services from the
excellent document put together at Manchester in 2005 by Javier Gomez<BR>Alonso
(<A class=moz-txt-link-freetext
href="http://www.accessgrid.org/agdp/guide/ports.html">http://www.accessgrid.org/agdp/guide/ports.html</A>).
To boil it down to its essence, it looks<BR>something like this:<BR><BR>
port 8000/TCP for venue server<BR>
port 8002/TCP event<BR>
port 8004/TCP text<BR>
port 8006/TCP data<BR>
port 5222/TCP Jabber server<BR>
port 7777/TCP NCSA Jabber server<BR>
port 4561/TCP for distributed powerpoint server<BR>
port 5001/TCP for distributed powerpoint server<BR>
[subtotal: 9]<BR>
ports 5800-5999 for VNC server<BR>
[subtotal: 200]<BR>
ports 49152-65535 for unicast bridge<BR>
[subtotal: 16384]<BR>
[grand total: 16593]<BR><BR>of which I was
assuming one could ignore all but 5800-5999 and 49152-65535 because<BR>in other
cases the connection is established by the client coming into the server (though
I'm not at<BR>all certain of this in the case of shared powerpoint, or for all
of the 800x ports). But it's not<BR>clear if one really needs ALL of these
ports. To further confuse things, there is a document<BR>at: <A
class=moz-txt-link-freetext
href="http://www.accessgrid.org/node/898">http://www.accessgrid.org/node/898</A><BR>which
states that the following firewall rules are required:<BR>
<UL>
<LI>Accept all traffic from localhost (Required for things like rat, etc)
<LI>Accept all multicast traffic (224.0.0.0/4)
<LI>Accept all port 21 traffic (FTP)
<LI>Accept all port 22 traffic (SSH)
<LI>Accept all port 80 traffic (HTTP)
<LI>Accept all port 443 traffic (TLS/SSL)
<LI>Accept all port 631 traffic (IPP)
<LI>Accept all port 5353 traffic (Multicast DNS)
<LI>Accept icmp traffic (ping)
<LI>Accept traffic from ports 5900-5920 (Required for VenueVNC)
<LI>Accept traffic from ports 8000, 8002 and 8004 (Required for Multicast
Beacon)
<LI>Accept traffic from ports 10000, 10002 and 10004 (Required for
VenueServer)
<LI>Accept traffic from ports 11000, 11100 (Required for NodeService Manager)
<LI>Accept traffic from ports 20000-20020 (Required for BridgeServer)
</LI></UL>which is quite at variance with my list, even discounting the fact
that many of the above<BR>rules seem concerned not with AG but with standard
services that might be of interest<BR>at that site. This may reflect
misunderstandings on the part of me, the second source, or both.<BR>Anyone have
suggestions as to how best to proceed?<BR><BR>Thanks in advance for any helpful
guidance.<BR><BR>Thanks and Best Regards, Rick Rodgers<BR><BR></BODY></HTML>