Firewall Settings


Overview

Network routing equipment and wireless routing devices typically include firewall features that can be configured to forward or block network packets. The latest desktop OS versions (both Windows and Macintosh) also include "personal firewall" features that can be configured to block or forward packets from the individual computer. Many third-party "security" products may also include firewall features (e.g. Norton Personal Firewall, ZoneAlarm, etc.).

Special firewall rules must be configured on the KeyServer host to allow communication from its clients. Response packets from KeyServer to its clients will generally be allowed by default client settings, but connection timeouts for personal firewalls, wireless routers, and NAT routers may need to be changed to achieve best reliability and efficiency (e.g. see rule 1 and the Windows XP Service Pack 2 note below).

Ports

The KeyServer process listens for incoming UDP and TCP packets on port 19283 - specific services are listed below. Response packets are sent from port 19283 back to the requesting address and port. Port 19283 is registered through ICANN to Sassafras Software so there is rarely any need to specify a different port - however, it can be changed using the TCP/IP item in KeyConfigure's Locations window.

  • UDP port 19283
    • open for receipt of packets from the client component, KeyAccess
    • open to support KeyConfigure admin connection
    • open for receipt of packets from each KeyShadow process (if any are installed)
  • TCP port 19283
    • open to support KeyConfigure admin connection
    • open to support data queries from KeyConfigure's report modules
    • open to support queries from any external SQL reporting tool

A KeyShadow process (e.g. the KeyServer component running with a shadow.lic license certificate) uses UDP port 19315 (instead of 19283) - services listed below. The only interaction between shadows and KeyConfigure is through the Shadows menu using UDP 19315, so allowing TCP traffic on 19315 is unnecessary (even though KeyShadow will respond on this port).

  • UDP port 19315
    • open for receipt of packets from KeyAccess (when KeyServer cannot be reached)
    • open for receipt of packets from KeyConfigure (when the Shadows menu is used to check shadow status)

The KeyAccess process initiates communication to the KeyServer process on a dynamically allocated UDP port (with destination port 19283). When the KeyServer is unreachable and the client has received a "shadow hint list" of installed shadow addresses, a dynamic port is used to communicate to a KeyShadow (with destination port 19315).

The KeyServer (or KeyShadow) may send a response to a client's requesting port long after any client packet is sent - perhaps as much as 15 minutes later. Some firewalls may interfere with such a slow turn-around time for UDP "responses". For example, the Windows Firewall uses a default timeout of 90 seconds for "idle" UDP ports. Even though KeyAccess will tolerate this kind of packet blockage with an attempt to re-establish UDP communications, it is advisable to reduce network traffic and unnecessary processing by configuring firewalls for no timeout on UDP port 19283 (or a timeout greater than 15 minutes).

KeyConfigure initiates admin communication to the KeyServer process on dynamically allocated TCP and UDP ports (with destination address UDP 19283 and TCP 19283 on the KeyServer host). A dynamic UDP port is also used to interrogate shadows (if any) for status information (with destination port UDP 19315). KeyConfigure also uses the HTTP protocol (with destination port TCP 80) to check for newer versions. If HTTP access is blocked, KeyConfigure's version check feature should be turned off in order to avoid an excessive delay when launching (use the Admin menu).

ksODBC is an ODBC driver component that can be installed on any Windows computer in order to support third party SQL reporting tools (e.g. Crystal Reports, MS Access, etc.). When an external reporting tool is used, ksODBC initiates communication to the KeyServer process on a dynamically allocated TCP port (with destination port 19283).

If the KeyServer process is specially configured to use external authentication services, to export its databases, or to backup onto a remote volume, additional dynamic ports will be opened to support these underlying network services. You may have to configure some firewall rules according to the documentation for each of these services.

The "Send KeyServer Status/Warning Messages" option (from KeyConfigure's Admin menu) initiates packets from KeyServer (and KeyShadows, if any) to a specified mail server address (TCP destination port 25 from a dynamic source port).

Firewall Configuration Rules

  1. All firewalls between KeyServer and its clients (and between KeyServer and KeyShadow hosts, if any) must be configured to allow traffic on UDP port 19283 into the KeyServer host address. For best efficiency, the UDP response path to the requestor must not be timed out for 15 minutes.
  2. All firewalls between KeyShadow and its clients must be configured to allow traffic on UDP port 19315 into the KeyShadow host address(es). For best efficiency, the UDP response path to the requestor must not be timed out for 15 minutes.
  3. All firewalls between the admin component, KeyConfigure, and KeyServer must be configured to allow traffic on both UDP and TCP port 19283 into the KeyServer host address. Normal UDP timeouts of at least 1 minute will suffice for the response path back to KeyConfigure.
  4. Additional rules for optional features: external authentication, data export, backup, and status e-mail may require firewall configuration rules to allow specific outgoing TCP target addresses and ports.

Windows XP: Service Pack 2 - "Personal Firewall"

Windows XP Service pack 2 enables a "personal firewall" service on each computer. In addition to ignoring most incoming packets, the default firewall configuration will ignore response packets to outgoing UDP requests unless the response is received within 90 seconds. Use the Control Panel called "Windows Firewall" to make sure that special Exception rules have been added for K2:

  • On client computers running Windows XP Service pack 2, keyacc32.exe (the K2 client component in the Windows directory) should be included as an added program in the firewall exception list. This will avoid unnecessary traffic and erratic client responses to KeyConfigure admin actions.
  • If the KeyServer process is hosted on Windows XP Service pack 2, then entries for ports UDP 19283 and TCP 19283 must be added to the firewall exceptions list. A KeyShadow host must have an exception for UDP 19315.
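The following script is an added example, not part of the Sassafras help page or of the K2 product, showing how the host-side rules from "Firewall Configuration Rules" (rules 1 to 3) and the Windows Firewall exceptions listed above can be applied from the command line on a current Windows version instead of through the Control Panel. The port numbers are the ones this page documents (UDP/TCP 19283 for KeyServer, UDP 19315 for KeyShadow); the rule names, the `keyacc32.exe` path under the Windows directory, the `Domain,Private` profile choice and the `server|shadow|client` role argument are assumptions made for the example. It uses the built-in NetSecurity cmdlets (`New-NetFirewallRule`, `Get-NetFirewallRule`) and must be run from an elevated PowerShell session on the machine that plays the given role.

```powershell
# Added example (not from the Sassafras help page): Windows Firewall inbound
# exceptions for the three K2 roles described on this page.
# Assumed: rule names, the keyacc32.exe path, and the Domain/Private profile.

$KeyServerPort = 19283   # KeyServer: UDP (KeyAccess, KeyShadow, KeyConfigure) and TCP (KeyConfigure, ksODBC)
$KeyShadowPort = 19315   # KeyShadow: UDP only; TCP 19315 is answered but never needed
$KeyAccessExe  = Join-Path $env:windir 'keyacc32.exe'   # assumed path of the K2 client component

function Add-K2Rule {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [ValidateSet('UDP', 'TCP')] [string] $Protocol,
        [int]    $LocalPort,
        [string] $Program
    )
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$DisplayName' already present"
        return
    }
    $params = @{
        DisplayName = $DisplayName
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = $Protocol
        Profile     = 'Domain,Private'   # assumption: K2 hosts sit on the site LAN, not a public network
    }
    if ($LocalPort) { $params.LocalPort = $LocalPort }
    if ($Program)   { $params.Program   = $Program }
    New-NetFirewallRule @params | Out-Null
}

function Add-KeyServerHostRules {
    # Rules 1 and 3: UDP 19283 (clients, shadows, KeyConfigure) and TCP 19283 (KeyConfigure, ksODBC).
    Add-K2Rule -DisplayName 'KeyServer UDP 19283' -Protocol UDP -LocalPort $KeyServerPort
    Add-K2Rule -DisplayName 'KeyServer TCP 19283' -Protocol TCP -LocalPort $KeyServerPort
}

function Add-KeyShadowHostRules {
    # Rule 2: UDP 19315 only.
    Add-K2Rule -DisplayName 'KeyShadow UDP 19315' -Protocol UDP -LocalPort $KeyShadowPort
}

function Add-KeyAccessClientRule {
    # Client side: a program exception lets KeyServer's late UDP replies (up to
    # 15 minutes after the request) reach keyacc32.exe's dynamic source port
    # even after the firewall's 90-second idle window has expired.
    if (-not (Test-Path $KeyAccessExe)) { throw "KeyAccess not found at $KeyAccessExe" }
    Add-K2Rule -DisplayName 'KeyAccess (K2 client)' -Protocol UDP -Program $KeyAccessExe
}

# Usage: .\k2-firewall.ps1 server|shadow|client  (role of this machine)
switch ($args[0]) {
    'server' { Add-KeyServerHostRules }
    'shadow' { Add-KeyShadowHostRules }
    'client' { Add-KeyAccessClientRule }
    default  { Write-Host 'Usage: .\k2-firewall.ps1 server|shadow|client' }
}
```

The program exception on clients is deliberately scoped to `keyacc32.exe` rather than opening a port range, because KeyAccess uses a dynamically allocated source port; a port-based rule would have to admit UDP on every ephemeral port. On a Windows XP Service Pack 2 host, which predates these cmdlets, the same Control Panel exceptions described above correspond to the XP-era `netsh firewall add portopening` and `netsh firewall add allowedprogram` commands.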


Help Index 2006.03.22

Related Topics

K2 Getting Started
   - Installation


Authentication
Exporting
Backup
Reports
