Firewall Settings
Overview
Network routing equipment and wireless routing devices typically include firewall features that can be configured to forward or block network packets. The latest desktop OS versions (both Windows and Macintosh) also include "personal firewall" features that can be configured to block or forward packets from the individual computer. Many third-party "security" products may also include firewall features (e.g. Norton Personal Firewall, ZoneAlarm, etc.).
Special firewall rules must be configured on the KeyServer host to allow communication from its clients. Response packets from KeyServer to its clients will generally be allowed by default client settings, but connection timeouts for personal firewalls, wireless routers, and NAT routers may need to be changed to achieve best reliability and efficiency (e.g. see rule 1 and the Windows XP, Service Pack 2 note below).
Ports
The KeyServer process listens for incoming UDP and TCP packets on port 19283. Response packets are sent from port 19283 back to the requesting address and port. Port 19283 is registered through ICANN to Sassafras Software so there should be no need to specify a different port - however, it can be changed using the TCP/IP item in KeyConfigure's Locations window.
- UDP port 19283
  - open for receipt of packets from the client component, KeyAccess
  - open to support KeyConfigure admin connection
  - open for receipt of packets from each KeyShadow process (if any are installed)
- TCP port 19283
  - open to support KeyConfigure admin connection
  - open to support data queries from KeyConfigure's report modules
  - open to support data queries from KeyReporter
  - open to support queries from any external SQL reporting tool
A KeyShadow process (e.g. the KeyServer component running with a shadow.lic license certificate) uses UDP port 19315 (instead of 19283). Allowing TCP traffic on 19315 is unnecessary.
- UDP port 19315
  - open for receipt of packets from KeyAccess (when KeyServer cannot be reached)
  - open for receipt of packets from KeyConfigure (when the Shadows window is used to check shadow status)
A KeyReporter process listens for incoming http, https, and KeyConfigure requests. The outgoing connection to KeyServer targets the standard KeyServer TCP port using a dynamic source port.
- TCP port 80 (this default port for http can be customized)
  - open for receipt of packets from any web browser and from KeyConfigure
- TCP port 443 (this default port for https can be customized)
  - open for receipt of secure packets from any web browser and from KeyConfigure
The KeyAccess process initiates communication to the KeyServer process on a dynamically allocated UDP port (with destination port 19283). When the KeyServer is unreachable and the client has received a "shadow hint list" of installed shadow addresses, a dynamic port is used to communicate to a KeyShadow (with destination port 19315). The KeyServer (or KeyShadow) may send a response to a client's requesting port long after any client packet is sent - perhaps as much as 15 minutes later. Some firewalls may interfere with such a slow turn-around time for UDP "responses". For example, the Windows Firewall uses a default timeout of 90 seconds for "idle" UDP ports. Even though KeyAccess will tolerate this kind of packet blockage with an attempt to re-establish UDP communications, it is advisable to reduce network traffic and unnecessary processing by configuring firewalls (including personal firewalls on client computers) for a timeout of greater than 15 minutes for transactions directed out to the KeyServer on UDP port 19283.
KeyConfigure initiates admin communication to the KeyServer process on dynamically allocated TCP and UDP ports (with destination UDP 19283 and TCP 19283 at the KeyServer host address). A dynamic UDP port is also used to interrogate shadows (if any) for status information (with destination port UDP 19315). KeyConfigure also uses the HTTP protocol (with destination port TCP 80) to check for newer versions. If HTTP access is blocked, KeyConfigure's version check feature should be turned off in order to avoid an excessive delay when launching (use the Admin menu). Communication from KeyConfigure to KeyReporter also uses the HTTP protocol directed to port 80 (unless KeyReporter has been configured to use a non-standard port).
ksODBC is an ODBC driver component that can be installed on any Windows or Macintosh computer in order to support third party SQL reporting tools (e.g. Crystal Reports, MS Access, FileMaker, etc.). When an external reporting tool is used, ksODBC initiates communication to the KeyServer process on a dynamically allocated TCP port (with destination port 19283).
KeyReporter initiates a connection to the KeyServer process on a dynamically allocated port with destination port TCP 19283 on the KeyServer host. KeyReporter listens for web browser connections on the standard http port 80 and standard https port 443. If KeyReporter is hosted on a computer that is already running a web server, this default must be changed as explained in the KeyReporter documentation. Connections from KeyConfigure for access to archived reports are accepted on this same port.
If the KeyServer process is specially configured to use external authentication services, to export its databases, or to backup onto a remote volume, additional dynamic ports will be opened to support these underlying network services. You may have to configure some firewall rules according to the documentation for each of these services.
The "Send KeyServer Status/Warning Messages" option (from KeyConfigure's Admin menu) initiates packets from KeyServer (and KeyShadows, if any) to a specified mail server address using TCP destination port 25 from a dynamic source port.
Firewall Configuration Rules
- All firewalls between KeyServer and its clients (and between KeyServer and KeyShadow hosts, if any) must be configured to allow traffic on UDP port 19283 into the KeyServer host address. For best efficiency, the UDP response path to the requester must not be timed out for 15 minutes.
- All firewalls between KeyShadow and its clients must be configured to allow traffic on UDP port 19315 into the KeyShadow host address(es). For best efficiency, the UDP response path to the requester must not be timed out for 15 minutes.
- All firewalls between the admin component, KeyConfigure, and KeyServer must be configured to allow traffic on both UDP and TCP port 19283 into the KeyServer host address. Normal UDP timeouts of at least 1 minute will suffice for the response path back to KeyConfigure.
- Additional rules for optional features: external authentication, data export, backup, and status e-mail may require firewall configuration rules to allow specific outgoing TCP target addresses and ports.
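As an added example (not from the Sassafras documentation or the K2 product), the following shell script emits an nftables ruleset for a Linux firewall sitting in the path between clients and the KeyServer and KeyShadow hosts. It implements rules 1 to 3 above and attaches a per-flow UDP conntrack timeout longer than 15 minutes so that late KeyServer/KeyShadow responses still match the open flow. The host addresses 10.0.0.5 and 10.0.0.6 and the 1200-second timeout are constructed placeholders.

```shell
#!/bin/sh
# Emit an nftables ruleset for a Linux firewall between KeyAccess clients
# and the KeyServer/KeyShadow hosts. Host addresses are constructed
# placeholders; the timeout defaults to 1200 s (> 15 minutes).
ks_ruleset() {
    ks_host="$1"            # KeyServer host address (assumed)
    shadow_host="$2"        # KeyShadow host address (assumed)
    udp_secs="${3:-1200}"   # UDP response path must stay open > 15 min
    cat <<EOF
table ip keyserver {
    # Per-flow UDP timeout: KeyServer/KeyShadow may answer a client's
    # request up to 15 minutes after the client packet was sent.
    ct timeout ks_udp {
        protocol udp
        l3proto ip
        policy = { unreplied: $udp_secs, replied: $udp_secs }
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Rule 1: clients and shadows -> KeyServer, UDP 19283; the timeout
        # object is attached on the flow's first (new) packet.
        ip daddr $ks_host udp dport 19283 ct timeout set "ks_udp" accept
        # Rule 3: KeyConfigure admin and report/ODBC queries, TCP 19283
        ip daddr $ks_host tcp dport 19283 accept
        # Rule 2: clients -> KeyShadow, UDP 19315 (TCP 19315 is not needed)
        ip daddr $shadow_host udp dport 19315 ct timeout set "ks_udp" accept
    }
}
EOF
}

# Write the ruleset, syntax-check it when nft is installed (nft -c does not
# change the running firewall), and apply only when APPLY=1 is set.
ks_ruleset 10.0.0.5 10.0.0.6 > /tmp/keyserver.nft
if command -v nft >/dev/null 2>&1; then
    nft -c -f /tmp/keyserver.nft || echo "nft syntax check failed"
    if [ "${APPLY:-0}" = 1 ]; then
        nft -f /tmp/keyserver.nft
    fi
fi
```

Responses from the KeyServer host back to the requester are covered by the established,related rule, so no separate outbound rule is needed for them.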
"Personal Firewall" - Windows XP (Service Pack 2), Vista, etc.
Starting with Windows XP Service pack 2, a "personal firewall" service is enabled by default when upgrading from a previous system version. In addition to ignoring most unsolicited incoming packets, the default firewall configuration will also ignore "late" UDP response packets from any address unless the response is received within 90 seconds of a send to that same address. In order to keep UDP communications open, use the Control Panel called "Windows Firewall" (or the appropriate local firewall configuration interface) to make sure that special Exception rules have been added for K2 components:
- On client computers running a local firewall process, keyacc32.exe (the K2 client component in the Windows directory), should be included as an added program in the firewall exception list. This will avoid unnecessary traffic and erratic client responsiveness to KeyConfigure admin actions.
The K2Client installer adds a keyacc32.exe exception rule to the local firewall configuration.
- If the KeyServer (or KeyShadow) process is hosted on a computer running a local firewall process, ks.exe (the K2 Server component in "Program Files\Sassafras K2\Server" directory), should be included as an added program in the firewall exception list. This will allow UDP and TCP packets to be received on the dedicated port 19283 (port 19315 for shadows).
The K2Server installer adds a ks.exe exception rule to the local firewall configuration.
- If the KeyReporter process is hosted on a computer running a local firewall process, kr.exe (the K2 Reporter component in the "Program Files\Sassafras K2\Reporter" directory), should be included as an added program in the firewall exception list. This will allow TCP packets to be received on the dedicated port 80 and 443 (or customized ports).
The K2Reporter installer adds a kr.exe exception rule to the local firewall configuration.