Understanding communication between BusinessObjects Enterprise components
If your BusinessObjects Enterprise system is deployed entirely on the same
subnet, there is no need to perform any special configuration of your firewalls.
However, you might choose to deploy some Business Objects components
on different subnets separated by one or more firewalls.
It is important to understand the communication between BusinessObjects
Enterprise servers, rich clients, and the web application server hosting the
BusinessObjects Enterprise SDK before configuring your BusinessObjects
Enterprise system to work with firewalls.
Related Topics
• Configuring BusinessObjects Enterprise for firewalls on page 309
• Examples of typical firewall scenarios on page 313
Overview of BusinessObjects Enterprise servers and communication ports
It is important to understand BusinessObjects Enterprise servers and their
communication ports if the BusinessObjects Enterprise system is deployed
with firewalls.
Each BusinessObjects Enterprise server binds to a Request Port
A BusinessObjects Enterprise server, such as the Input File Repository
Server, binds to a Request Port when it starts. Other BusinessObjects
Enterprise components including BusinessObjects Enterprise servers,
Business Objects rich clients, and the Business Objects SDK hosted in the
web application server can use this Request Port to communicate with the
server.
A server will select its Request Port number dynamically unless it is configured
with a specific port number. A specific Request Port number must be
configured for servers that communicate with other BusinessObjects
Enterprise components across a firewall.
296 BusinessObjects Enterprise Administrator's Guide
Working with Firewalls
5 Understanding communication between BusinessObjects Enterprise components
Each BusinessObjects Enterprise server registers with the CMS
BusinessObjects Enterprise servers register with the CMS when they start.
When a server registers, the CMS records:
• The hostname (or IP address) of the server's host machine.
• The server's Request Port number.
The Central Management Server (CMS) uses two ports
The CMS uses two ports: the Request Port and the Name Server Port. The
Request Port is selected dynamically by default. The Name Server Port is
6400 by default.
Other BusinessObjects Enterprise servers will initially contact the CMS on
its Name Server port. The CMS will respond to this initial contact by returning
the value of its Request Port. The Business Objects servers will use this
Request Port for subsequent communication with the CMS.
The Central Management Server (CMS) provides a directory of
registered servers
The CMS provides a directory of the BusinessObjects Enterprise servers
that have registered with it. Other BusinessObjects Enterprise components
such as BusinessObjects Enterprise servers, Business Objects rich clients,
and the Business Objects SDK hosted in the web application server can
contact the CMS and request a reference to a particular server. A server's
reference contains the server's Request Port number and the host name (or
IP address) of the server's host machine.
BusinessObjects Enterprise components might reside on a different subnet
than the server they are using. The host name (or IP address) contained in
the server reference must be routable from the component's machine.
Note:
The reference to a BusinessObjects Enterprise server will contain the server
machine's host name by default. (If a machine has more than one hostname,
the primary hostname is chosen.) You can configure a server so that its
reference contains the IP address instead.
Related Topics
• Communication between BusinessObjects Enterprise components on
page 299
Server Intelligence Agents (SIA) communicate with the Central
Management Server (CMS)
Your deployment will not work if the Server Intelligence Agent (SIA) and
Central Management Server (CMS) cannot communicate with each other.
Ensure that your firewall ports are configured to allow communication between
the SIA and the CMS.
Job server child processes communicate with the data tier and
the CMS
Most job servers create a child process to handle a task such as generating
a report. The job server will create one or more child processes. Each child
process has its own Request Port.
By default, a job server will dynamically select a Request Port for each child
process. You can specify a range of port numbers that the job server can
select from.
All child processes communicate with the CMS. If this communication crosses
a firewall, you must:
• Specify the range of port numbers that the job server can select from.
Note that the port range should be large enough to allow the maximum
number of child processes as specified by -maxJobs.
• Open the specified port range on the firewall.
Many child processes communicate with the data tier. For example, a child
process might connect to a reporting database, extract data, and calculate
values for a report. If the job server child process communicates with the
data tier across a firewall, you must:
• Open a communication path on the firewall from any port on the job server
machine to the database listen port on the database server machine.
Related Topics
• Job servers on page 663
Communication between BusinessObjects Enterprise components
BusinessObjects Enterprise components, such as browser clients, rich clients,
servers, and the BusinessObjects Enterprise SDK hosted in the web
application server, communicate with each other across the network during
typical workflows. You must understand these workflows to deploy Business
Objects products across different subnets that are separated by a firewall.
Requirements for communication between BusinessObjects
Enterprise components
Deployments of BusinessObjects Enterprise must conform to these general
requirements.
1. Every BusinessObjects Enterprise server must be able to initiate
communication with every other BusinessObjects Enterprise server on
that server's Request Port.
2. The CMS uses two ports. Every BusinessObjects Enterprise server,
BusinessObjects Enterprise rich client, and the web application server
that hosts the BusinessObjects Enterprise SDK must be able to initiate
communication with the Central Management Server (CMS) on both of
its ports.
3. Every job server child process must be able to initiate communication
with the CMS on both of its ports.
4. Rich clients must be able to initiate communication with the Request Port
of the Input and Output File Repository Servers.
5. If Desktop Intelligence and Web Intelligence rich clients use Auditing,
they must be able to initiate communication with the Request Port of the
Adaptive Processing Servers that host the Client Auditing Proxy Service.
6. In general, the web application server that hosts the BusinessObjects
Enterprise SDK must be able to initiate communication with the Request
Port of every BusinessObjects Enterprise server.
Note:
The web application server only needs to communicate with
BusinessObjects Enterprise servers that are used in the deployment. For
example, if Crystal Reports is not being used, the web application server
does not need to communicate with the Crystal Reports Processing
Servers.
7. Job Servers use the port numbers that are specified with the
-requestJSChildPorts <port range> command. If no numbers are
specified in the command line, the servers use random port numbers. To
allow a job server to communicate with an FTP or mail server on another
machine, either open all of the ports in the range specified by
-requestJSChildPorts on your firewall, or add the job server child process
as an exception for your firewall.
8. The CMS must be able to initiate communication with the CMS database
listen port.
9. The Connection Server, most Job Server child processes, and every
Processing Server must be able to initiate communication with the
reporting database listen port. Each database vendor uses a different
listen port. For example, MySQL uses 3306 by default.
Related Topics
• BusinessObjects Enterprise port requirements on page 300
BusinessObjects Enterprise port requirements
This section lists the communication ports used by BusinessObjects
Enterprise servers, BusinessObjects Enterprise rich clients, the web
application server hosting the BusinessObjects Enterprise SDK, and
third-party software applications. If you deploy BusinessObjects Enterprise
with firewalls, you can use this information to open the minimum number of
ports in those firewalls.
Port Requirements for Business Objects Applications
This table lists the servers and port numbers used by BusinessObjects
Enterprise applications.
| Product | Client Application | Associated Servers | Server Port Requirements |
|---|---|---|---|
| Crystal Reports | Crystal Reports Designer | CMS; Input FRS; Output FRS; Report Application Server (RAS); Crystal Reports Cache Server; Crystal Reports Page Server; Web Intelligence Processing Server | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port; Output FRS Request Port; RAS Request Port; Crystal Reports Cache Server Request Port; Crystal Reports Page Server Request Port; Web Intelligence Processing Server Request Port |
| Live Office web application | Live Office | CMS; Input FRS; Output FRS; Report Application Server (RAS); Web Intelligence Processing Server; Adaptive Processing Server; Crystal Reports Cache Server | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port; Output FRS Request Port; RAS Request Port; Web Intelligence Processing Server Request Port; Adaptive Processing Server Request Port; Crystal Reports Cache Server Request Port |
| Live Office Rich Client | Live Office | web application server that hosts the Live Office web application | HTTP port (80 by default) |
| Business Objects Enterprise | Web Intelligence Rich Client | CMS; Input FRS | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port |
| Business Objects Enterprise | Desktop Intelligence | CMS; Input FRS; Output FRS | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port; Output FRS Request Port |
| Business Objects Enterprise | Universe Designer | CMS; Input FRS; Connection Server | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port; Connection Server port |
| Business Objects Enterprise | Business View Manager | CMS; Input FRS | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port |
| Business Objects Enterprise | Central Configuration Manager (CCM) | CMS; Server Intelligence Agent (SIA) | The following ports must be open to allow CCM to manage remote BusinessObjects Enterprise servers: CMS Name Server Port (6400 by default); CMS Request Port. The following ports must be open to allow CCM to manage remote SIA processes: Microsoft Directory Services (TCP port 445); NetBIOS Session Service (TCP port 139); NetBIOS Datagram Service (UDP port 138); NetBIOS Name Service (UDP port 137); DNS (TCP/UDP port 53). (Note that some ports listed above may not be required. Consult your Windows administrator.) |
| Business Objects Enterprise | Server Intelligence Agent (SIA) | Every Business Objects server including the CMS | SIA Request Port (6410 by default); CMS Name Server Port (6400 by default); CMS Request Port; Request Port for each server that is managed by the SIA |
| Business Objects Enterprise | Import Wizard | CMS; Input FRS; Output FRS | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port; Output FRS Request Port |
| Business Objects Enterprise | Publishing Wizard | CMS; Input FRS; Output FRS | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port; Output FRS Request Port |
| Business Objects Enterprise | Report Conversion Tool | CMS; Input FRS | CMS Name Server Port (6400 by default); CMS Request Port; Input FRS Request Port |
| Business Objects Enterprise | Business Objects Enterprise SDK hosted in the web application server | All Business Objects Enterprise servers required by the deployed products. For example, communication with the Crystal Reports Cache Server Request Port is required only if Crystal Reports is deployed and used. | CMS Name Server Port (6400 by default); CMS Request Port; Request Port for each server that is required. |
| Voyager | OLAP | CMS; Multidimensional Analysis Server (MDAS); Input FRS; Output FRS | CMS Name Server Port (6400 by default); CMS Request Port; MDAS port; Input FRS Request Port; Output FRS Request Port |

Note:
To configure the Report Application Server in a firewalled environment, you
must implement the following steps:
1. Open the incoming RAS request port; this port is identified by the
-requestport server command line switch.
2. Open all outgoing ports:
By default, the RAS server picks a dynamic outgoing port. If you want to
limit the outgoing ports, update the following registry keys with your
specified range of ports, and enable these ports and the RAS request
port.
For Windows, specify the range of ports in the following registry keys:
• HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite12.0\CER\RequestPortLower
• HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite12.0\CER\RequestPortUpper
For UNIX, specify the range of ports in the following file:
<INSTALLDIR>/bobje/data/.bobj/registry/software/businessobjects/suite 12.0/cer/.registry
• "RequestPortLower"=dword:0
  "RequestPortUpper"=dword:10000
Port Requirements for Third-Party Applications
This table lists third-party software used by Business Objects products. It
includes specific examples from some software vendors, but different vendors
will have different port requirements.
| Third-party application | Business Objects component that uses the third-party product | Third-party application port requirement | Description |
|---|---|---|---|
| CMS Database | Central Management Server (CMS) | Database server listen port. For example, MySQL uses port 3306. | MySQL is installed with Business Objects Enterprise. The CMS is the only server that communicates with the CMS database. |
| Reporting Database | Connection Server; Every Job Server child process; Every Processing Server | Database server listen port. For example, MySQL uses port 3306. | These servers retrieve information from the reporting database. |
| web application server | Live Office Rich Client; All Business Objects portals including InfoView and CMC | HTTP port and HTTPS port. For example, on Tomcat the default HTTP port is 8080 and the default HTTPS port is 443. | The HTTPS port is only required if secure HTTP communication is used. |
| FTP server | Every Job Server | FTP In (port 21); FTP Out (port 22) | The Job Servers use the FTP ports to allow send to FTP. |
| Email server | Every Job Server | SMTP (port 25) | The Job Servers use the SMTP port to allow send to email. |
| Unix servers to which the Job Servers can send content | Every Job Server | rexec out (port 512); (Unix only) rsh out (port 514) | (Unix only) The Job Servers use these ports to allow send to disk. |
| Authentication Server | CMS; web application server that hosts the BusinessObjects Enterprise SDK; every Rich Client, except Live Office and Desktop Intelligence in three-tier "Zabo" mode | Connection port for third-party authentication. For example, the connection server for the Oracle LDAP server is defined by the user in the file ldap.ora. | User credentials are stored in the third-party authentication server. The CMS, BusinessObjects Enterprise SDK, and the Rich clients listed here need to communicate with the third-party authentication server when a user logs on. |

Configuring BusinessObjects Enterprise for firewalls
This section gives step-by-step instructions for configuring your
BusinessObjects Enterprise system to work in a firewalled environment.
To configure the system for firewalls
1. Determine which BusinessObjects Enterprise servers must communicate
across a firewall. See Communication between BusinessObjects
Enterprise components on page 299.
2. Configure the Request Port for each BusinessObjects Enterprise server
that must communicate across a firewall. See Configuring port numbers
on page 166.
3. Configure a port range for any Job Server children that must communicate
across a firewall. See Job servers on page 663.
4. Configure the firewall to allow communication to the Request Ports on
the BusinessObjects Enterprise servers that you configured in the previous
step. See Specifying the firewall rules on page 310.
5. (Optional) Configure the hosts file on each machine that hosts a
BusinessObjects Enterprise server that must communicate across a
firewall. See Configure the hosts file for firewalls that use NAT on page 312.
Specifying the firewall rules
You must configure the firewall to allow the necessary traffic between
Business Objects components. Consult your firewall documentation for details
of how to specify these rules.
Specify one inbound access rule for each communication path that crosses
the firewall. You might not need to specify an access rule for every Business
Objects server behind the firewall.
Use the port number you specify in the server Port text box. Remember that
each server on a machine must use a unique port number. Some Business
Objects servers use more than one port.
Note:
If BusinessObjects Enterprise is deployed across firewalls that use NAT,
every BusinessObjects Enterprise server on all machines needs a unique
Request Port number. That is, no two servers in the entire deployment can
share the same Request Port.
Note:
You do not need to specify any outbound access rules. BusinessObjects
Enterprise servers do not initiate communication to the web application
server, or to any client applications.
Example:
This example shows the inbound access rules for a firewall between the
web application server and the BusinessObjects Enterprise servers. In this
case you would open two ports for the CMS, one port for the Input File
Repository Server (FRS), and one port for the Output FRS. The Request
Port numbers are the port numbers you specify in the Port text box in the
CMC configuration page for a server.
| Source Computer | Port | Destination Computer | Port | Action |
|---|---|---|---|---|
| web application server | Any | CMS | 6400 | Allow |
| web application server | Any | CMS | <Request Port number> | Allow |
| web application server | Any | Input FRS | <Request Port number> | Allow |
| web application server | Any | Output FRS | <Request Port number> | Allow |
| Any | Any | CMS | Any | Reject |
| Any | Any | Other BusinessObjects Enterprise servers | Any | Reject |

Related Topics
• Communication between BusinessObjects Enterprise components on
page 299
Configure the hosts file for firewalls that use NAT
This step is required only if the BusinessObjects Enterprise servers must
communicate across a firewall on which "Network Address Translation"
("NAT") is enabled. This step allows the client machines to map a server's
hostname to a routable IP address.
This step is required in addition to the steps described in To configure the
system for firewalls on page 310.
Note:
BusinessObjects Enterprise can be deployed on machines that use Domain
Name System (DNS). In this case, the server machine host names can be
mapped to externally routable IP addresses on the DNS server, instead of in
each machine's hosts file.
Understanding Network Address Translation
A firewall is deployed to protect an internal network from unauthorized access.
Firewalls that use "NAT" will map the IP addresses from the internal network
to a different address that is used by the external network. This "address
translation" improves security by hiding the internal IP addresses from the
external network.
BusinessObjects Enterprise components such as servers, rich clients, and
the web application server hosting the BusinessObjects Enterprise SDK will
use a server reference to contact a server. The server reference contains
the hostname of the server's machine. This hostname must be routable from
the BusinessObjects Enterprise component's machine. This means the hosts
file on the BusinessObjects Enterprise component's machine must map the
server machine's hostname to the server machine's external IP address.
The server machine's external IP address is routable from the external side
of the firewall, whereas the internal IP address is not.
The procedure for configuring the hosts file is different for Windows and
UNIX.
To configure the hosts file on Windows
1. Locate every machine that runs a BusinessObjects Enterprise component
that must communicate across a firewall on which "Network Address
Translation" ("NAT") is enabled.
2. On each machine located in the previous step, open the hosts file using
a text editor like Notepad. The hosts file is located at
\WINNT\system32\drivers\etc\hosts.
3. Follow the instructions in the hosts file to add an entry for each machine
behind the firewall that is running a BusinessObjects Enterprise server
or servers. Map the server machine's hostname or fully qualified domain
name to its external IP address.
4. Save the hosts file.
To configure the hosts file on UNIX
Note:
Your UNIX operating system must be configured to first consult the "hosts"
file to resolve domain names before consulting DNS. Consult your UNIX
systems documentation for details.
1. Locate every machine that runs a BusinessObjects Enterprise component
that must communicate across a firewall on which "Network Address
Translation" ("NAT") is enabled.
2. Open the "hosts" file using an editor like vi. The hosts file is located in
the following directory: /etc
3. Follow the instructions in the hosts file to add an entry for each machine
behind the firewall that is running a BusinessObjects Enterprise server
or servers. Map the server machine's hostname or fully qualified domain
name to its external IP address.
4. Save the hosts file.
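The hosts-file step above can be checked mechanically. The following Python code is an added example, not part of the original guide: it parses hosts-file text and reports, for each server machine behind the NAT firewall, whether its name maps to the expected external address. The IP addresses, the internal network range and the function names are constructed for illustration; boe_2 and boe_3 are the machine names used in this guide's scenarios.

```python
import ipaddress

# Constructed sample hosts file for a client machine outside the NAT firewall.
SAMPLE_HOSTS = """\
# hosts file on the web application server machine (constructed sample)
127.0.0.1      localhost
203.0.113.20   boe_2 boe_2.example.com   # external address of boe_2
10.1.1.30      boe_3                     # internal address of boe_3
"""

# Assumed values: the external (translated) address of each server machine and
# the address range used on the internal side of the firewall.
EXPECTED_EXTERNAL = {"boe_2": "203.0.113.20", "boe_3": "203.0.113.30"}
INTERNAL_NETWORKS = ["10.1.1.0/24"]


def parse_hosts(text):
    """Return {lowercased name: address}, keeping the first entry per name.

    Treating the first entry as the effective one is an assumption about the
    resolver; comments, blank lines and malformed lines are skipped.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def audit_hosts(text, expected_external, internal_networks):
    """Classify each server hostname as ok, missing, internal or mismatch."""
    mapping = parse_hosts(text)
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    findings = {}
    for name, external in expected_external.items():
        addr = mapping.get(name.lower())
        if addr is None:
            findings[name] = "missing"      # falls through to DNS, if any
        elif any(addr in net for net in nets):
            findings[name] = "internal"     # not routable across the NAT
        elif addr != ipaddress.ip_address(external):
            findings[name] = "mismatch"     # points somewhere unexpected
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS, EXPECTED_EXTERNAL, INTERNAL_NETWORKS)
    for host, status in result.items():
        print(f"{host}: {status}")
```

Run it against the real hosts file by passing the file's contents as the first argument to audit_hosts.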
Examples of typical firewall scenarios
This section provides examples of typical firewall deployment scenarios.
Example - Application tier deployed on a separate network
This example shows how to configure a firewall and BusinessObjects
Enterprise to work together in a deployment where the firewall separates the
web application server from other BusinessObjects Enterprise servers.
In this example, BusinessObjects Enterprise components are deployed
across these machines:
• Machine boe_1 hosts the web application server and the BusinessObjects
Enterprise SDK.
• Machine boe_2 hosts the Intelligence tier servers, including the Central
Management Server, the Input File Repository Server, the Output File
Repository Server, and the Event server.
• Machine boe_3 hosts the Processing tier servers, including the Crystal
Reports Job Server, the Program Job Server, the Destination Job Server,
the List of Values Job Server, the Web Intelligence Job Server, the Web
Intelligence Report Server, the Report Application Server, and the Crystal
Reports Page Server.
Figure 5-1: Application tier deployed on a separate network
To configure an application tier deployed on a separate network
The following steps explain how to configure this example.
1. These communication requirements apply to this example:
• The web application server that hosts the BusinessObjects Enterprise
SDK must be able to initiate communication with the CMS on both of
its ports.
• The web application server that hosts the BusinessObjects Enterprise
SDK must be able to initiate communication with every
BusinessObjects Enterprise server.
• The browser must have access to the http or the https Request Port
on the Web Application Server.
2. The web application server must communicate with all Business Objects
Enterprise servers on machine boe_2 and boe_3. Configure the port
numbers for each server on these machines. Note that you can use any
free port between 1,025 and 65,535.
The port numbers chosen for this example are listed in the table:
| Server | Port Number |
|---|---|
| Central Management Server | 6411 |
| Input File Repository Server | 6415 |
| Output File Repository Server | 6420 |
| Event server | 6425 |
| Crystal Reports Job Server | 6435 |
| Program Job Server | 6440 |
| Destination Job Server | 6445 |
| List of Values Job Server | 6450 |
| Web Intelligence Job Server | 6455 |
| Web Intelligence Report Server | 6460 |
| Report Application Server | 6465 |
| Crystal Reports Page Server | 6470 |

3. Configure the firewalls Firewall_1 and Firewall_2 to allow communication
to the fixed ports on the BusinessObjects Enterprise servers and the web
application server that you configured in the previous step. Note that port
6400 is the default port number for the CMS Name Server Port and did
not need to be explicitly configured.
In this example we are opening the HTTP Port for the Tomcat Application
server.
Table 5-5: Configuration for Firewall_1

| Port | Destination Computer | Port | Action |
|---|---|---|---|
| Any | boe_1 | 8080 | Allow |

Configuration for Firewall_2

| Source Computer | Port | Destination Computer | Port | Action |
|---|---|---|---|---|
| boe_1 | Any | boe_2 | 6400 | Allow |
| boe_1 | Any | boe_2 | 6411 | Allow |
| boe_1 | Any | boe_2 | 6415 | Allow |
| boe_1 | Any | boe_2 | 6420 | Allow |
| boe_1 | Any | boe_2 | 6425 | Allow |
| boe_1 | Any | boe_3 | 6435 | Allow |
| boe_1 | Any | boe_3 | 6440 | Allow |
| boe_1 | Any | boe_3 | 6445 | Allow |
| boe_1 | Any | boe_3 | 6450 | Allow |
| boe_1 | Any | boe_3 | 6455 | Allow |
| boe_1 | Any | boe_3 | 6460 | Allow |
| boe_1 | Any | boe_3 | 6465 | Allow |
| boe_1 | Any | boe_3 | 6470 | Allow |

4. This firewall is not NAT-enabled, and so we do not have to configure the
hosts file.
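As an added example (not part of the original guide), the following Python code encodes the port plan from step 2, checks it against the port range and uniqueness rules stated in this chapter, builds the Firewall_2 rule set, and confirms that every required path from boe_1 is allowed. First-match rule evaluation and the final catch-all Reject rule are assumptions; consult your firewall documentation for its actual semantics.

```python
from dataclasses import dataclass

CMS_NAME_SERVER_PORT = 6400  # default CMS Name Server Port given in this guide

# (machine, server) -> fixed Request Port, as chosen in step 2 of the example.
PORT_PLAN = {
    ("boe_2", "Central Management Server"): 6411,
    ("boe_2", "Input File Repository Server"): 6415,
    ("boe_2", "Output File Repository Server"): 6420,
    ("boe_2", "Event server"): 6425,
    ("boe_3", "Crystal Reports Job Server"): 6435,
    ("boe_3", "Program Job Server"): 6440,
    ("boe_3", "Destination Job Server"): 6445,
    ("boe_3", "List of Values Job Server"): 6450,
    ("boe_3", "Web Intelligence Job Server"): 6455,
    ("boe_3", "Web Intelligence Report Server"): 6460,
    ("boe_3", "Report Application Server"): 6465,
    ("boe_3", "Crystal Reports Page Server"): 6470,
}


@dataclass(frozen=True)
class Rule:
    source: str        # machine name or "Any"
    dest: str          # machine name or "Any"
    dest_port: object  # int or "Any"
    action: str        # "Allow" or "Reject"


def validate_plan(plan, cms_machine, nat=False):
    """Return a list of problems found in a Request Port plan (empty = OK)."""
    problems, seen = [], {}
    for (machine, server), port in plan.items():
        if not 1025 <= port <= 65535:
            problems.append(f"{server}: port {port} is outside 1025-65535")
        if machine == cms_machine and port == CMS_NAME_SERVER_PORT:
            problems.append(f"{server}: port {port} is the CMS Name Server Port")
        # Ports must be unique per machine; across NAT firewalls the guide
        # requires them to be unique in the entire deployment.
        key = port if nat else (machine, port)
        if key in seen:
            problems.append(f"{server}: port {port} already used by {seen[key]}")
        else:
            seen[key] = f"{server} on {machine}"
    return problems


def build_rules(plan, source, cms_machine):
    """One inbound Allow rule per communication path, then reject the rest."""
    rules = [Rule(source, cms_machine, CMS_NAME_SERVER_PORT, "Allow")]
    for (machine, _server), port in sorted(plan.items(), key=lambda kv: kv[1]):
        rules.append(Rule(source, machine, port, "Allow"))
    rules.append(Rule("Any", "Any", "Any", "Reject"))
    return rules


def evaluate(rules, source, dest, dest_port):
    """Return the action of the first matching rule (first-match is assumed)."""
    for r in rules:
        if (r.source in ("Any", source) and r.dest in ("Any", dest)
                and r.dest_port in ("Any", dest_port)):
            return r.action
    return "Reject"


def blocked_paths(rules, plan, source, cms_machine):
    """List the required paths from `source` that the rule set does not allow."""
    required = [(cms_machine, CMS_NAME_SERVER_PORT, "CMS Name Server Port")]
    required += [(machine, port, server) for (machine, server), port in plan.items()]
    return [name for machine, port, name in required
            if evaluate(rules, source, machine, port) != "Allow"]


if __name__ == "__main__":
    for problem in validate_plan(PORT_PLAN, cms_machine="boe_2"):
        print("PLAN PROBLEM:", problem)
    firewall_2 = build_rules(PORT_PLAN, source="boe_1", cms_machine="boe_2")
    for rule in firewall_2:
        print(f"{rule.source:6} Any -> {rule.dest:6} {rule.dest_port!s:5} {rule.action}")
    print("Blocked required paths:", blocked_paths(firewall_2, PORT_PLAN, "boe_1", "boe_2"))
```

Calling validate_plan with nat=True applies the stricter rule that no two servers in the entire deployment share a Request Port.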
Related Topics
• Configuring port numbers on page 166
• Understanding communication between BusinessObjects Enterprise
components on page 296
Example - Rich client and database tier separated from BusinessObjects Enterprise servers by a firewall
This example shows how to configure a firewall and BusinessObjects
Enterprise to work together in a deployment scenario where:
• One firewall separates a rich client from BusinessObjects Enterprise
servers.
• One firewall separates BusinessObjects Enterprise servers from the
database tier.
In this example, BusinessObjects Enterprise components are deployed
across these machines:
• Machine boe_1 hosts the Publishing Wizard. Publishing Wizard is a
BusinessObjects Enterprise rich client.
• Machine boe_2 hosts the Intelligence tier servers, including the Central
Management Server, the Input File Repository Server, the Output File
Repository Server, and the Event server.
• Machine boe_3 hosts the Processing tier servers, including: Crystal
Reports Job Server, Program Job Server, Destination Job Server, List of
Values Job Server, Web Intelligence Job Server, Web Intelligence Report
Server, Report Application Server, and the Crystal Reports Page Server.
• Machine Databases hosts the CMS database and the reporting database.
Note that you can deploy both databases on the same database server,
or you can deploy each database on its own database server. In this
example, both the CMS database and the reporting database are deployed
on the same database server. The database server listen port is 3306,
which is the default listen port for MySQL server.
Figure 5-2: Rich client and database tier deployed on separate networks
To configure tiers separated from BusinessObjects Enterprise
servers by a firewall
The following steps explain how to configure this example.
1. Apply the following communication requirements to this example:
• The Publishing Wizard must be able to initiate communication with
the CMS on both of its ports.
• The Publishing Wizard must be able to initiate communication with
the Input File Repository Server and the Output File Repository Server.
• The Connection Server, every Job Server child process, and every
Processing Server must have access to the listen port on the reporting
database server.
• The CMS must have access to the database listen port on the CMS
database server.
2. Configure a specific port for the CMS, the Input FRS, and the Output
FRS. Note that you can use any free port between 1,025 and 65,535.
The port numbers chosen for this example are listed in the table:
| Server | Port Number |
|---|---|
| Central Management Server | 6411 |
| Input File Repository Server | 6415 |
| Output File Repository Server | 6416 |

3. We do not need to configure a port range for the Job Server children
because the firewall between the job servers and the database servers
will be configured to allow any port to initiate communication.
4. Configure Firewall_1 to allow communication to the fixed ports on
the BusinessObjects Enterprise servers that you configured in the previous
step. Note that port 6400 is the default port number for the CMS Name
Server Port and did not need to be explicitly configured in the previous
step.
| Port | Destination Computer | Port | Action |
|---|---|---|---|
| Any | boe_2 | 6400 | Allow |
| Any | boe_2 | 6411 | Allow |
| Any | boe_2 | 6415 | Allow |
| Any | boe_2 | 6416 | Allow |

Configure Firewall_2 to allow communication to the database server
listen port. The CMS (on boe_2) must have access to the CMS database
and the Job Servers (on boe_3) must have access to the reporting
database. Note that we did not have to configure a port range for job server
child processes because their communication with the CMS did not cross
a firewall.
| Source Computer | Port | Destination Computer | Port | Action |
|---|---|---|---|---|
| boe_2 | Any | Databases | 3306 | Allow |
| boe_3 | Any | Databases | 3306 | Allow |

5. This firewall is not NAT-enabled, and so we do not have to configure the
hosts file.
Related Topics
• Understanding communication between BusinessObjects Enterprise
components on page 296
• Configuring BusinessObjects Enterprise for firewalls on page 309