3 Replies Latest reply on Oct 6, 2010 9:40 AM by philmodjunk

    Problems with FMS on virtual machines and DMZ

    OskarStröm

      Hello!

      We have a concern with our configuration of FM Server 11. It is a two-machine configuration: web server and WPE (WS/WPE) on one machine and the database server (DB) on another.
      The various machines are virtual machines with dedicated memory, different network cards and dedicated partitions on a RAID 5. On the WS/WPE machine we run Windows Server 2003, and on the DB machine we run Windows Server 2008.


      We have the different network cards in order to put the WS/WPE machine in a DMZ, with a firewall to the DB.

      Our CWP solution is to be situated on the WS/WPE machine.
      The point is to control what traffic is allowed into and out of the DB.
      Also, if the WS/WPE machine becomes infected, this could not easily propagate down to the DB.
      For this to be worthwhile we need to know which ports FM Server uses for communication between WS/WPE and DB. This has proved easier said than done.


      According to FM's documentation the ports that should be available are: 5003, 5013, 50003, 16000 and 16001. According to the installation instructions for FMS11, ports 5003 and 16000 are to be open in the firewall between WS/WPE and DB. If we shut down all other ports and only allow traffic on these, we will not find WS/WPE during deployment. If we shut down the ports after deployment, the connection is lost.

      We have seen in the firewall's logs that when one machine initiates contact with the other, it will start on any port; the pattern it chooses is completely random. When the connection reaches the other machine it will be on one of the FM-specified ports. When the DB calls the WS/WPE it lands on port 16000, and on the other side it lands on port 5003.
      We have tried with a rule that says that all calls from the DB, from any port, are to land on port 16000 when they reach the WS/WPE side. On the other side, we put a similar rule. This did not work; the machines seem to expect answers on the same port on which they asked. As we cannot see which ports are used when all are open, we do not know whether the machines actually behave so.

      The software firewalls on each server are closed.

      One possible problem is Bonjour, which FM uses to find the various machines in the configuration. No documentation on which ports it uses, which are different from FM's, has been found.
      Everything works as it should when all ports are open, but then the idea of a DMZ for increased security somewhat falls apart.


      Does anyone have experience with similar problems or configurations?


      Oskar
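The behaviour described in the post (random source port on the initiating side, fixed FM-documented destination port on the receiving side, replies expected back on the same ephemeral port) is exactly what a stateful firewall rule keyed on the destination port handles. The following is an added example, not code from the post or from FileMaker: it parses constructed firewall log lines in a simplified, hypothetical format, counts only connection-initiating packets, derives the minimal allow-list per direction, and flags any initiation to a port outside the documented set. The IP addresses and the log format are assumptions.

```python
import re
from collections import defaultdict

# Ports the post quotes from FileMaker's documentation.
DOCUMENTED_PORTS = {5003, 5013, 16000, 16001, 50003}

# Hypothetical addresses for the two machines (not from the post).
WS_WPE = "10.0.1.10"   # DMZ host: web server + web publishing engine
DB = "10.0.2.20"       # internal host: database server

# Simplified, hypothetical log line format:
#   <time> <proto> <src>:<sport> -> <dst>:<dport> <tcp-flags-or-'-'>
LINE_RE = re.compile(
    r"^\S+ (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$")

# Constructed sample traffic: random source ports, fixed destination
# ports, replies travelling back to the ephemeral port, and one
# multicast DNS packet (UDP 5353, the port Bonjour's mDNS uses).
SAMPLE_LOG = """\
09:40:01 TCP 10.0.1.10:49152 -> 10.0.2.20:5003 SYN
09:40:01 TCP 10.0.2.20:5003 -> 10.0.1.10:49152 SYN-ACK
09:40:02 TCP 10.0.1.10:51877 -> 10.0.2.20:5003 SYN
09:40:03 TCP 10.0.2.20:62301 -> 10.0.1.10:16000 SYN
09:40:03 TCP 10.0.2.20:16000 -> 10.0.1.10:62301 SYN-ACK
09:40:05 UDP 10.0.1.10:5353 -> 224.0.0.251:5353 -
"""

def derive_rules(log_text):
    """Count connection-initiating packets per (src, dst, proto, dport).

    Only bare TCP SYNs and UDP packets count as initiations; a stateful
    firewall admits the reply to the ephemeral source port by itself, so
    no rule keyed on the source port is needed. Returns (rules, unexpected),
    where unexpected lists initiations to ports outside DOCUMENTED_PORTS.
    """
    rules = defaultdict(int)
    unexpected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["proto"] == "TCP" and m["flags"] != "SYN":
            continue  # reply or mid-stream packet, covered by state tracking
        key = (m["src"], m["dst"], m["proto"], int(m["dport"]))
        rules[key] += 1
        if key[3] not in DOCUMENTED_PORTS:
            unexpected.append(line)
    return dict(rules), unexpected

def rule_text(rules):
    """Render the minimal stateful allow-list, one line per rule."""
    return [f"allow {p} {s} any -> {d} {dp} (seen {n}x, state: new)"
            for (s, d, p, dp), n in sorted(rules.items())]
```

Running `derive_rules(SAMPLE_LOG)` on the sample yields two rules in the FM-documented directions (WS/WPE to DB on 5003, DB to WS/WPE on 16000) and flags the multicast DNS line as traffic outside the documented port set.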