Firewall Settings

Port 19283 is registered with the IANA (Internet Assigned Numbers Authority) for use by the KeyServer process, so explicit firewall rules can be written for KeyServer traffic without conflicting with other services.

Network routing equipment and wireless routers typically include firewall features that can be configured to forward or block network packets. Current desktop OS versions (both Windows and Macintosh) also include a "personal firewall" that can be configured to block or allow packets on the individual computer. Many third party "security" products also include firewall features (e.g. Norton Personal Firewall, ZoneAlarm, etc.).

Firewall rules must be configured on the KeyServer host to allow communication from its clients and from KeyConfigure, the administrative console. Response packets from KeyServer to its clients are generally allowed by the default (stateful) settings of personal firewalls, wireless routers and NAT routers, but their UDP idle timeouts may need to be lengthened so that late responses are not dropped and retried (see rule 1 and the Windows XP Service Pack 2 note below).

The ks-prs process on the KeyServer host also needs to communicate with prs.sassafras.com (the PRS server) using standard https queries (and optionally also http), either directly or through a proxy in order to receive product definition updates.

KeyConfigure uses standard https or http queries directed to KeyReporter on the KeyServer host (for listing saved reports), and also to prs.sassafras.com (when querying the PRS server for new product definitions), and to www.sassafras.com (to check for new versions).

Ports

The KeyServer process listens for incoming UDP and TCP packets on port 19283. Response packets are sent from port 19283 back to the requesting address and port. Port 19283 is registered with the IANA to Sassafras Software, so there should normally be no need to use a different port (the default KeyServer port can be customized if required).

  • UDP port 19283
    • open on the KeyServer host address for receipt of packets from clients
    • open on the KeyServer host address for support of admin connections
    • open on the KeyServer host address for receipt of packets from shadows (if any are installed)
  • TCP port 19283
    • open on the KeyServer host address for support of admin connections
    • open on the KeyServer host address for support of report queries (from KeyConfigure, KeyReporter, any external SQL reporting tools)


A KeyShadow process (i.e. the KeyServer component running with a shadow.lic license certificate) uses UDP port 19315 (instead of 19283). Allowing TCP traffic on 19315 is unnecessary.

  • UDP port 19315
    • open on the KeyShadow host address for receipt of packets from clients
    • open on the KeyShadow host address for receipt of packets from KeyConfigure (when the Shadows window is used to check shadow status)


A KeyReporter process (installed with KeyServer, optionally enabled ... optionally installed on a separate host) listens for incoming http, https, and KeyConfigure requests. Its outgoing connection to KeyServer targets the standard KeyServer TCP port from a dynamic source port.

  • TCP port 80 (this default port for http can be customized)
    • open on the KeyReporter host address for receipt of packets from any web browser and from KeyConfigure
  • TCP port 443 (this default port for https can be customized)
    • open on the KeyReporter host address for receipt of secure packets from any web browser and from KeyConfigure


The KeyAccess process initiates communication to the KeyServer process from a dynamically allocated UDP port (with destination port 19283). When the KeyServer is unreachable and the client has previously obtained a "shadow hint list" of shadow addresses, a dynamic port is likewise used to communicate with a KeyShadow (with destination port 19315). The KeyServer (or KeyShadow) may send a response to the client's requesting port long after the client's packet was sent, perhaps as much as 15 minutes later. Stateful firewalls that track UDP "sessions" may drop such a slow response: the Windows Firewall, for example, discards UDP packets arriving on a port that has been idle for longer than its default timeout of 90 seconds. KeyAccess tolerates this kind of packet loss by re-establishing UDP communication, but to avoid the unnecessary traffic and processing it is advisable to configure firewalls (including personal firewalls on client computers) with a UDP idle timeout greater than 15 minutes for transactions sent to the KeyServer on UDP port 19283 (and to a KeyShadow on UDP port 19315).

KeyConfigure initiates admin communication to the KeyServer process on dynamically allocated TCP and UDP ports (with destination UDP 19283 and TCP 19283 at the KeyServer host address). A dynamic UDP port is also used to interrogate shadows (if any) for status information (with destination port UDP 19315). KeyConfigure sends to https port 443 (optionally, http port 80) to search for product definitions from prs.sassafras.com. KeyConfigure sends to www.sassafras.com using http port 80 to check for newer versions of the various K2 components. Communication from KeyConfigure to the KeyReporter host (for listing saved reports) sends to a configured address and port – port 80 is the default, but KeyReporter can be set up to listen on a custom port instead.

If http access to sassafras.com from the computer hosting KeyConfigure is blocked, KeyConfigure's version check feature should be turned off (from the Config Menu) in order to avoid an excessive delay when launching. Note: if traffic from the KeyServer host is blocked from reaching prs.sassafras.com, the automatic product recognition service cannot work. But if KeyConfigure can connect to KeyServer from a different computer that is not blocked, its manual "Find Product Definitions" menu can still be used to add new definitions to KeyServer's Products table.
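The outbound paths described above for a KeyConfigure host (TCP 19283 to KeyServer, the KeyReporter port, https to prs.sassafras.com and http to www.sassafras.com) can be checked before the admin console is installed, so that a blocked version check or product definition search is found by a test rather than by a launch delay. The following pre-flight script is an added example, not Sassafras code or a tool from this page; it assumes bash with /dev/tcp support and the coreutils `timeout` command (neither is mentioned on the page), and it probes TCP paths only, since the UDP exchange on 19283/19315 uses KeyServer's own protocol. The function names and the wording of the hints are the example's own.

```shell
#!/bin/sh
# Added example (not from the page or Sassafras): pre-flight check of the TCP
# paths a KeyConfigure host needs. Assumed: bash with /dev/tcp support and the
# coreutils 'timeout' command. The UDP exchange on 19283/19315 uses KeyServer's
# own protocol and is not probed here.
#   sh k2-preflight.sh KEYSERVER_HOST [KEYREPORTER_HOST [KEYREPORTER_PORT]]

# tcp_open HOST PORT [SECONDS]: succeed only if a TCP connect completes in time.
tcp_open() {
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_path LABEL HOST PORT HINT: print one result line; fail when blocked.
check_path() {
    if tcp_open "$2" "$3"; then
        echo "ok       $1 ($2 tcp/$3)"
    else
        echo "BLOCKED  $1 ($2 tcp/$3): $4"
        return 1
    fi
}

# k2_preflight KEYSERVER_HOST [KEYREPORTER_HOST [KEYREPORTER_PORT]]
# KeyReporter defaults to the KeyServer host on port 80 (both customizable).
# Returns the number of blocked paths, so 0 means every path is open.
k2_preflight() {
    ks=$1; kr=${2:-$1}; krport=${3:-80}; blocked=0
    check_path "KeyServer admin/report port" "$ks" 19283 \
        "rule 3: allow TCP 19283 into the KeyServer host" || blocked=$((blocked+1))
    check_path "KeyReporter saved reports" "$kr" "$krport" \
        "KeyReporter listening port (default 80)" || blocked=$((blocked+1))
    check_path "PRS product definitions" prs.sassafras.com 443 \
        "rule 5: allow https to prs.sassafras.com or Find Product Definitions cannot work" || blocked=$((blocked+1))
    check_path "version check" www.sassafras.com 80 \
        "turn off the version check in the Config menu to avoid a launch delay" || blocked=$((blocked+1))
    return $blocked
}

# Run only when invoked with arguments (the functions can also be sourced).
if [ -n "${1:-}" ]; then
    k2_preflight "$@"
fi
```

Run it from the computer that will host KeyConfigure; a non-zero exit status is the count of blocked paths, and each BLOCKED line names the firewall rule or KeyConfigure setting to look at. A proxy between the host and sassafras.com will make the direct probes fail even when KeyConfigure itself works through the proxy.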

ksODBC is an ODBC driver component that can be installed on any Windows or Macintosh computer in order to support third party SQL reporting tools (e.g. Crystal Reports, MS Access, FileMaker, etc.). When an external reporting tool is used, ksODBC initiates communication to the KeyServer process on a dynamically allocated TCP port (with destination port 19283).

ks-prs is a helper utility launched as a sub-process on the KeyServer host whenever the Product Recognition Service (PRS) is enabled. It initiates an https connection (or optionally, http) to the Sassafras PRS server at prs.sassafras.com.

KeyReporter initiates a connection to the KeyServer process on dynamically allocated port with destination port TCP 19283 on the KeyServer host. KeyReporter listens for web browser connections on the standard http port 80 and standard https port 443. If KeyReporter is hosted on a computer that is already running a web server, this default must be changed as explained in the KeyReporter documentation. Connections from KeyConfigure for access to archived reports are accepted on this same port.

If the KeyServer process is specially configured to use external authentication services, to export its databases, or to backup onto a remote volume, additional dynamic ports will be opened to support these underlying network services. You may have to configure some firewall rules according to the documentation for each of these services.

The "Send KeyServer Status/Warning Messages" option (from KeyConfigure's Config Menu) initiates packets from KeyServer (and KeyShadows, if any) to a specified mail server address using TCP destination port 25 from a dynamic source port.

Firewall Configuration Rules

  1. All firewalls between KeyServer and its clients (and between KeyServer and KeyShadow hosts, if any) must be configured to allow traffic on UDP port 19283 into the KeyServer host address. KeyServer will send and receive packets on port 19283, while clients will send and receive packets on a dynamically assigned port. For best efficiency, the UDP response path to the requester must not be timed out for 15 minutes.
  2. All firewalls between KeyShadow and its clients must be configured to allow traffic on UDP port 19315 into the KeyShadow host address(es). KeyShadow will send and receive packets on port 19315, while clients will send and receive packets on a dynamically assigned port. For best efficiency, the UDP response path to the requester must not be timed out for 15 minutes.
  3. All firewalls between the admin computer running KeyConfigure and KeyServer must be configured to allow traffic on both UDP and TCP port 19283 into the KeyServer host address. KeyServer will send and receive packets on port 19283, while KeyConfigure will send and receive packets on a dynamically assigned port. Normal UDP timeouts of at least 1 minute will suffice for the response path back to KeyConfigure.
  4. All firewalls between KeyServer and prs.sassafras.com must be configured to allow https port 443 (or optionally, http port 80) connections initiated from the KeyServer computer in order to support the Product Recognition Service.
  5. Whenever KeyConfigure's product definition search feature is needed, standard https communication using port 443 (optionally, http port 80) must be allowed to prs.sassafras.com. The version check and online documentation features use http port 80 to query www.sassafras.com.
  6. Additional rules for optional features: external authentication, data export, backup, and status e-mail may require firewall rules that allow specific outgoing TCP target addresses and ports.
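Rules 1 to 6, the port list in the Ports section, and the 15-minute UDP response path described for KeyAccess can be expressed as one host firewall ruleset per role. The script below is an added example, not Sassafras configuration or code from this page. It assumes a Linux host running nftables with the netfilter conntrack sysctls (the page names no particular firewall), and generates, for the server, shadow or reporter role, an nftables ruleset plus the conntrack UDP timeouts raised above 15 minutes. The role names, the table name `k2`, the ssh rule and the path /etc/sysctl.d/90-k2-udp.conf are the example's own choices; custom KeyServer or KeyReporter ports are set by editing the variables at the top.

```shell
#!/bin/sh
# Added example (not from the page or Sassafras): nftables ruleset for a K2 host.
# Assumed: Linux, nftables, netfilter conntrack. Usage:
#   sh k2-nft.sh server|shadow|reporter            # print ruleset and sysctls
#   sh k2-nft.sh server|shadow|reporter --apply    # load them (needs root)
K2_PORT=19283        # KeyServer: UDP and TCP (IANA-registered, customizable)
SHADOW_PORT=19315    # KeyShadow: UDP only
HTTP_PORT=80         # KeyReporter defaults; change if the host runs a web server
HTTPS_PORT=443
UDP_TIMEOUT=960      # seconds; rules 1 and 2 need the UDP reply path open > 15 min

# Inbound ports each role must accept (see the Ports section).
k2_inbound_rules() {
    case "$1" in
        server)
            echo "        udp dport $K2_PORT accept comment \"KeyAccess clients, KeyShadows, KeyConfigure\""
            echo "        tcp dport $K2_PORT accept comment \"KeyConfigure, KeyReporter, ksODBC\"" ;;
        shadow)
            echo "        udp dport $SHADOW_PORT accept comment \"KeyAccess clients, KeyConfigure shadow status\"" ;;
        reporter)
            echo "        tcp dport { $HTTP_PORT, $HTTPS_PORT } accept comment \"web browsers, KeyConfigure\"" ;;
        *)
            echo "k2_inbound_rules: unknown role '$1'" >&2; return 1 ;;
    esac
}

# Outbound connections each role initiates (rules 4 to 6). Late UDP replies
# leave from the listening port itself, so they are allowed by source port in
# case the conntrack entry has already expired.
k2_outbound_rules() {
    case "$1" in
        server)
            echo "        udp sport $K2_PORT accept comment \"late replies to clients and shadows\""
            echo "        tcp dport { $HTTP_PORT, $HTTPS_PORT } accept comment \"ks-prs to prs.sassafras.com\""
            echo "        tcp dport 25 accept comment \"status/warning e-mail\"" ;;
        shadow)
            echo "        udp sport $SHADOW_PORT accept comment \"late replies to clients\""
            echo "        udp dport $K2_PORT accept comment \"KeyShadow to KeyServer\""
            echo "        tcp dport 25 accept comment \"status/warning e-mail\"" ;;
        reporter)
            echo "        tcp dport $K2_PORT accept comment \"KeyReporter to KeyServer\"" ;;
    esac
}

# Whole ruleset for one role. The output chain also drops by default, so DNS
# is allowed for resolving prs.sassafras.com and the mail server.
k2_ruleset() {
    inbound=$(k2_inbound_rules "$1") || return 1
    outbound=$(k2_outbound_rules "$1")
    cat <<EOF
flush ruleset
table inet k2 {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 accept comment "administrative ssh (assumed)"
$inbound
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        udp dport 53 accept comment "DNS"
        tcp dport 53 accept comment "DNS"
$outbound
    }
}
EOF
}

# conntrack must keep the client's UDP entry alive until KeyServer's late reply
# arrives; the Linux defaults are 30 s (unreplied) and 120 s (stream).
k2_udp_timeout_sysctl() {
    cat <<EOF
net.netfilter.nf_conntrack_udp_timeout = $UDP_TIMEOUT
net.netfilter.nf_conntrack_udp_timeout_stream = $UDP_TIMEOUT
EOF
}

case "${1:-}" in
    server|shadow|reporter)
        if [ "${2:-}" = "--apply" ]; then
            k2_ruleset "$1" | nft -f - || exit 1
            k2_udp_timeout_sysctl > /etc/sysctl.d/90-k2-udp.conf
            sysctl -q -p /etc/sysctl.d/90-k2-udp.conf
        else
            k2_ruleset "$1"
            k2_udp_timeout_sysctl
        fi ;;
esac
```

Print the ruleset first and validate it with `nft -c -f` before applying, and keep the ssh (or equivalent) rule since the input chain drops by default. The same UDP timeout applies to any NAT router or packet filter on the path between clients and KeyServer, not only to the host itself.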

Windows “Personal Firewall”

Starting with Windows XP Service Pack 2, a "personal firewall" service is enabled by default when upgrading from a previous system version. In addition to ignoring most unsolicited incoming packets, the default firewall configuration also ignores "late" UDP response packets from any address unless the response is received within 90 seconds of a send to that same address. In order to keep UDP communications open, use the "Windows Firewall" Control Panel (or the appropriate local firewall configuration interface) to make sure that exception rules have been added for the K2 components:

  • On client computers running a local firewall process, keyacc32.exe (the K2 client component, in the Windows directory) should be added as a program exception. Without it, late UDP responses are dropped, causing unnecessary retry traffic and erratic client responsiveness to KeyConfigure admin actions.

    The K2Client installer adds a keyacc32.exe exception rule to the local firewall configuration.

  • If the KeyServer (or KeyShadow) process is hosted on a computer running a local firewall process, ks.exe (the K2 Server component, in the "Program Files\Sassafras K2\Server" directory) should be added as a program exception. This allows UDP and TCP packets to be received on the dedicated port 19283 (UDP port 19315 for shadows).

    The K2Server installer adds a ks.exe exception rule to the local firewall configuration.

  • If the KeyReporter process is hosted on a computer running a local firewall process, kr.exe (the K2 Reporter component, in the "Program Files\Sassafras K2\Reporter" directory) should be added as a program exception. This allows TCP packets to be received on the standard http port 80 and https port 443 (or on the custom ports you configure).

    The K2Reporter installer adds a kr.exe exception rule to the local firewall configuration.