Port 19283 has been registered with the IANA (Internet Assigned Numbers Authority) for use by the KeyServer process so that enhanced security can be enforced with explicit firewall routing rules that avoid conflict with other services.
Network routing equipment and wireless routing devices typically include firewall features that can be configured to forward or block network packets. The latest desktop OS versions (both Windows and Macintosh) also include "personal firewall" features that can be configured to block or forward packets from the individual computer. Many third-party "security" products may also include firewall features (e.g. Norton Personal Firewall, ZoneAlarm, etc.).
Firewall rules must be configured on the KeyServer host to allow communication from its clients and from KeyConfigure, the administrative console. Response packets from KeyServer to its clients will generally be allowed by default client settings, but connection timeouts for personal firewalls, wireless routers, and NAT routers can be changed to achieve increased efficiency (e.g. see rule 1 and the Windows XP, Service Pack 2 note below).
The ks-prs process on the KeyServer host also needs to communicate with prs.sassafras.com (the PRS server) using standard https queries (and optionally also http), either directly or through a proxy in order to receive product definition updates.
KeyConfigure uses standard https or http queries directed to KeyReporter on the KeyServer host (for listing saved reports), and also to prs.sassafras.com (when querying the PRS server for new product definitions), and to www.sassafras.com (to check for new versions).
The KeyServer process listens for incoming UDP and TCP packets on port 19283. Response packets are sent from port 19283 back to the requesting address and port. Port 19283 is registered through ICANN to Sassafras Software, so there should be no need to specify a different port, although this default port for KeyServer can be customized.
A KeyShadow process (e.g. the KeyServer component running with a shadow.lic license certificate) uses UDP port 19315 (instead of 19283). Allowing TCP traffic on 19315 is unnecessary.
A KeyReporter process (installed with KeyServer, optionally enabled ... optionally installed on a separate host) listens for incoming http, https, and KeyConfigure requests. The outgoing connection to KeyServer targets the standard KeyServer TCP port using a dynamic source port.
The KeyAccess process initiates communication to the KeyServer process on a dynamically allocated UDP port (with destination port 19283). When the KeyServer is unreachable and the client has previously obtained a "shadow hint list" of shadow addresses, a dynamic port is used to communicate to a KeyShadow (with destination port 19315). The KeyServer (or KeyShadow) may send a response to a client's requesting port long after any client packet is sent - perhaps as much as 15 minutes later. Some firewalls may interfere with such a slow turn-around time for UDP "responses". For example, the Windows Firewall uses a default timeout of 90 seconds for "idle" UDP ports. Even though KeyAccess will tolerate this kind of packet blockage with an attempt to re-establish UDP communications, it is advisable to reduce network traffic and unnecessary processing by configuring firewalls (including personal firewalls on client computers) for a timeout of greater than 15 minutes for transactions directed out to the KeyServer on UDP port 19283.
KeyConfigure initiates admin communication to the KeyServer process on dynamically allocated TCP and UDP ports (with destination UDP 19283 and TCP 19283 at the KeyServer host address). A dynamic UDP port is also used to interrogate shadows (if any) for status information (with destination port UDP 19315). KeyConfigure sends to https port 443 (optionally, http port 80) to search for product definitions from prs.sassafras.com. KeyConfigure sends to www.sassafras.com using http port 80 to check for newer versions of the various K2 components. Communication from KeyConfigure to the KeyReporter host (for listing saved reports) sends to a configured address and port – port 80 is the default, but KeyReporter can be set up to listen on a custom port instead.
If http access to sassafras.com from the computer hosting KeyConfigure is blocked, KeyConfigure's version check feature should be turned off (from the Config Menu) in order to avoid an excessive delay when launching. Note: if traffic from the KeyServer host is blocked from reaching prs.sassafras.com, the automatic product recognition service cannot work. But if KeyConfigure can connect to KeyServer from a different computer that is not blocked, its manual "Find Product Definitions" menu can still be used to add new definitions to KeyServer's Products table.
ksODBC is an ODBC driver component that can be installed on any Windows or Macintosh computer in order to support third party SQL reporting tools (e.g. Crystal Reports, MS Access, FileMaker, etc.). When an external reporting tool is used, ksODBC initiates communication to the KeyServer process on a dynamically allocated TCP port (with destination port 19283).
ks-prs is a helper utility sub-launched on the KeyServer host whenever the Product Recognition Service (PRS) is enabled. It will initiate an https connection (or optionally, http) to the Sassafras PRS server at prs.sassafras.com.
KeyReporter initiates a connection to the KeyServer process on a dynamically allocated port with destination port TCP 19283 on the KeyServer host. KeyReporter listens for web browser connections on the standard http port 80 and standard https port 443. If KeyReporter is hosted on a computer that is already running a web server, this default must be changed as explained in the KeyReporter documentation. Connections from KeyConfigure for access to archived reports are accepted on this same port.
If the KeyServer process is specially configured to use external authentication services, to export its databases, or to backup onto a remote volume, additional dynamic ports will be opened to support these underlying network services. You may have to configure some firewall rules according to the documentation for each of these services.
The "Send KeyServer Status/Warning Messages" option (from KeyConfigure's Config Menu) initiates packets from KeyServer (and KeyShadows, if any) to a specified mail server address using TCP destination port 25 from a dynamic source port.
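The inbound listeners described above can be checked against a host's firewall allow list. The following Python is an added example, not Sassafras code: it reports required flows that are still blocked and rules that open more than the page calls for (such as TCP 19315 on a shadow), and checks a UDP idle timeout against the 15-minute reply window. The role names and the `proto/port[-port]` rule syntax are assumptions made for illustration, and the default ports are assumed unchanged.

```python
from dataclasses import dataclass

# Inbound listeners per host role, using the default ports this page describes.
# Role names and the "proto/port[-port]" rule syntax are assumptions of this example.
REQUIRED_INBOUND = {
    "keyserver": {("udp", 19283), ("tcp", 19283)},
    "keyshadow": {("udp", 19315)},            # TCP 19315 is unnecessary
    "keyreporter": {("tcp", 80), ("tcp", 443)},
}
MIN_UDP_IDLE_SECONDS = 15 * 60  # a reply may arrive up to 15 minutes after the request


@dataclass(frozen=True)
class Allow:
    proto: str
    lo: int
    hi: int

    def covers(self, proto, port):
        return self.proto == proto and self.lo <= port <= self.hi


def parse_rule(text):
    """Parse a constructed rule such as 'udp/19283' or 'tcp/19000-19400'."""
    proto, _, ports = text.strip().lower().partition("/")
    lo, _, hi = ports.partition("-")
    return Allow(proto, int(lo), int(hi or lo))


def audit_inbound(role, rules):
    """Return required flows that are blocked and rules that open extra ports."""
    required = REQUIRED_INBOUND[role]
    allows = [parse_rule(r) for r in rules]
    missing = sorted(f for f in required if not any(a.covers(*f) for a in allows))
    excess = []
    for rule, a in zip(rules, allows):
        needed = sum(1 for f in required if a.covers(*f))
        extra = (a.hi - a.lo + 1) - needed  # ports opened beyond what the role needs
        if extra:
            excess.append((rule, extra))
    return {"missing": missing, "excess": excess}


def udp_timeout_ok(idle_seconds):
    """True when a firewall's idle UDP timeout exceeds the 15-minute reply window."""
    return idle_seconds > MIN_UDP_IDLE_SECONDS
```

For a shadow host whose rules are `udp/19315` and `tcp/19315`, the audit reports nothing missing and flags the TCP rule as excess; the 90-second Windows Firewall default fails the timeout check.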
Starting with Windows XP Service Pack 2, a "personal firewall" service is enabled by default when upgrading from a previous system version. In addition to ignoring most unsolicited incoming packets, the default firewall configuration will also ignore "late" UDP response packets from any address unless the response is received within 90 seconds of a send to that same address. In order to keep UDP communications open, use the Control Panel called "Windows Firewall" (or the appropriate local firewall configuration interface) to make sure that special Exception rules have been added for K2 components: