Turning On the Firewall Security on ACSLS Servers

To turn on the firewall-secure option, you must set several variables using the acsss_config utility.

  1. Log in as acsss.
  2. Stop the ACSLS server:
    acsss disable

    Note:

    You must bring down the ACSLS server for the new firewall-secure variables to take effect.
  3. To run the configuration script, enter the following command:
    acsss_config

    The ACSLS feature configuration screen appears.

  4. Select option 1 - Set CSI tuning variables.

    Accept the default for all variables, except for the following.

    1. Set the value to TRUE at the following prompt:
      Changes to alter use of the TCP protocol will not take effect until the product is restarted.
      CSI support for RPC using the TCP protocol is enabled [TRUE].

      Variable: CSI_TCP_RPCSERVICE

      Turning on TCP ensures that the TCP protocol is available to ACSLS clients for network communications. The firewall-secure feature of ACSLS supports TCP only, so clients should perform network communications using this protocol.

    2. Set the value to FALSE at the following prompt:
      Changes to alter the use of the UDP protocol will not take effect until the product is restarted.
      CSI support for RPC using the UDP protocol is enabled [TRUE].

      Variable: CSI_UDP_RPCSERVICE

      Caution:

      Ensure that no ACSLS clients are depending on this UDP protocol. The firewall-secure ACSLS runs on TCP only.

      Turning off UDP ensures that no clients will access the server using this protocol. This enables you to disallow all general UDP access to the ACSLS platform at the firewall, allowing only those accesses which are specifically required in your environment.

      Allow clients access to UDP and TCP port 111 for portmapper access, unless those clients implement the firewall-secure feature and specifically turn off their queries to the ACSLS portmapper.

    3. Set the value to NEVER at the following prompt:
      Changes to alter use of the port mapper will not take effect until the product is restarted.
      Enable port mapper: (ALWAYS / NEVER /IF_DUAL_LAN_NOT_ENABLED) [IF_DUAL_LAN_NOT_ENABLED].

      Variable: CSI_USE_PORTMAPPER

      NEVER enables clients of ACSLS to disallow external access to the portmapper on those client platforms.

      Important: This does not allow you to turn off external access to the portmapper on the ACSLS platform; to do that, the client(s) of ACSLS must have adopted the firewall-secure changes in the client software component(s), and this feature must be turned on in the client software component.

      This feature ensures that the ACSLS server will not make any queries of the portmapper on the client platform. This enables any firewall which is protecting the client to disallow access to the portmapper.

    4. Set the value to TRUE at the following prompt:
      Enable CSI to be used behind a firewall (user-defined inbound port) (TRUE/FALSE) [FALSE]:

      Variable: CSI_FIREWALL_SECURE

      TRUE enables you to specify the single port that ACSLS will use for accepting inbound client communications (TCP connections). This variable only enables the feature; the port itself is set by the next variable.

    5. Set the value to an available fixed port on the ACSLS server at the following prompt:
      Port number used by the CSI to receive incoming ACSLS requests.

      Variable: CSI_INET_PORT

      This is the port which will be used by the ACSLS CSI component for accepting incoming network connections. Specify a port in the range of 1024-65535, excluding port 50003.

      IMPORTANT: Configure your firewall to allow incoming connections on this port. This ensures that only that port is exposed for use by those outside clients wanting to initiate communications with ACSLS. You may disallow connections on all other incoming ports except this one, and UDP/TCP port 111 (unless clients have implemented the feature to eliminate their queries to the ACSLS portmapper; in that case, port 111 may also be disallowed at the firewall). The recommended default value for this port is 30031. It is unlikely (but not impossible) that this port will be used by other processes on most systems. See Troubleshooting for steps to take if there is a port conflict.

  5. Select E to exit acsss_config.

    Your changes are saved.

  6. Restart ACSLS by entering the following command:
    acsss enable
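
As an added example (not part of Oracle's ACSLS documentation or software), the following POSIX shell script checks a KEY=VALUE dump of the five CSI tuning variables against the values the procedure above requires, including the 1024-65535 range and the 50003 exclusion for CSI_INET_PORT, and derives the inbound ports the firewall in front of the server must accept. The KEY=VALUE layout, the sample values and the function names are assumptions; acsss_config's own storage format is not shown on this page.

```shell
#!/bin/sh
# Constructed sample of the CSI tuning values after the procedure above.
# KEY=VALUE is an assumed layout; acsss_config's own storage format is not shown.
ACSLS_FW_SAMPLE='CSI_TCP_RPCSERVICE=TRUE
CSI_UDP_RPCSERVICE=FALSE
CSI_USE_PORTMAPPER=NEVER
CSI_FIREWALL_SECURE=TRUE
CSI_INET_PORT=30031'

# acsls_fw_get SETTINGS KEY: print the value of KEY (empty if absent).
acsls_fw_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# acsls_fw_check SETTINGS: return 0 when the settings match the
# firewall-secure configuration, 1 otherwise; violations go to stderr.
acsls_fw_check() {
    rc=0
    for pair in CSI_TCP_RPCSERVICE=TRUE CSI_UDP_RPCSERVICE=FALSE \
                CSI_USE_PORTMAPPER=NEVER CSI_FIREWALL_SECURE=TRUE; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(acsls_fw_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key is '$have', expected $want" >&2; rc=1
        fi
    done
    port=$(acsls_fw_get "$1" CSI_INET_PORT)
    # Fixed inbound port must lie in 1024-65535 and must not be 50003.
    case $port in
        ''|*[!0-9]*) echo "CSI_INET_PORT '$port' is not numeric" >&2; rc=1 ;;
        *) if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ] || [ "$port" -eq 50003 ]; then
               echo "CSI_INET_PORT $port is outside 1024-65535 or is 50003" >&2; rc=1
           fi ;;
    esac
    return $rc
}

# acsls_fw_allowlist PORT CLIENTS_QUERY_PORTMAPPER(yes|no): print the inbound
# proto/port pairs the firewall in front of the ACSLS server must accept;
# every other inbound port can be denied.
acsls_fw_allowlist() {
    printf 'tcp/%s\n' "$1"
    # Clients without the firewall-secure feature still query portmapper on 111.
    if [ "$2" = yes ]; then printf 'tcp/111\nudp/111\n'; fi
}

acsls_fw_check "$ACSLS_FW_SAMPLE" && acsls_fw_allowlist "$(acsls_fw_get "$ACSLS_FW_SAMPLE" CSI_INET_PORT)" yes
```

Run the check against the real values after step 5 and compare the allowlist with the firewall's inbound rules; any extra open port, or a still-enabled UDP service, is a deviation from the firewall-secure configuration.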