11 Replies Latest reply on Jun 10, 2016 3:41 AM by dandanthesushiman

    Two Machine Configuration - DMZ Ports?

    jwmickelson

      Can anyone within the community (or FMI) confirm that TCP 80 /443 /16000 are the ONLY ports required to successfully deploy and use FileMaker 14 Server for Web hosting (Web Direct, Remote Container Streaming, PHP Custom Publishing) in a Two Machine configuration that is as described below?

      1) FileMaker 14 Server (Master) Database Server - Within the protected Corporate network.

      2) FileMaker 14 Server (Worker) Web Server - Within a separate DMZ network VLAN, accessible to the public internet via TCP port 80 & 443.

      Note: This will not use ODBC/JDBC, nor remote access by FileMaker Clients, just WEB.

      3) Internet Web Clients connect to the Web Server only, correct? So do they just need 80 / 443 to the Web Server?

      Just those 3 ports 80, 443, 16000 between the two servers?

      I ask because of the below "apparent" discrepancies between sources of FileMaker documentation:

      1. the website (Ports used by FileMaker Server | FileMaker) doesn't list 5003 as needed between Master and Worker,
      2. but the diagram in the Getting Started Guide (https://fmhelp.filemaker.com/docs/14/en/fms14_getting_started.pdf - PAGE 25) shows ONLY 5003 and 16000 being open between the servers!
      3. but in the Ports listed in the table of the Getting Started Guide on pages 26-27, and the website ports table, it says:
        • 80 is required for progressive downloading of containers to all clients (includes WebDirect?), but doesn't specify if the Web Server (Worker) needs this access like a client, and if those clients must see the Master Server (which is in a different VLAN).
        • 443 is needed for inserting data into externally stored containers, but doesn't specify if the Web Server needs this or if it applies to the external Web Direct clients on the Internet, which can't directly see the master Server anyway due to firewall and VLAN.

      Thank you in advance to ANYONE who can help clarify this!

      P.S. This would appear to be a prototypical use case for a two machine configuration for Internet webdirect/php clients, right? Is anyone else doing this with FileMaker 14?

        • 1. Re: Two Machine Configuration - DMZ Ports?
          databuzz

          I've got a few of these 2 machine deployments running at the moment with the worker machine in a DMZ. It was set up a while ago now, but I'm pretty sure we just opened ports 5003 and 16000. 80 and 443 are required for the PHP web browser clients depending on whether you use SSL or not, so that's between the Web Server and the outside world.

          • 2. Re: Two Machine Configuration - DMZ Ports?
            DonCollier

            Usually in these cases I have found it is not FileMaker but the network architecture, especially with all the necessary security infrastructure these days.

            I know this is out of date and I hope the guys at Six Fried Rice go ahead and update it, as it is the most useful map for a two system deployment (if they don't, maybe I will). Handing an updated version to a Network engineer in a Corporate, or including it in a required spec, has got past many issues for me!

            Clearly some things have changed since v9, but not all, and it still helps me clarify it in my mind, and a simple update works as above.

            Have faith in FileMaker! I have found the issue is within the LAN/WAN environment in these cases more often than not. Testing a port being open is difficult when you don't have control of the devices or the network. Doing a port scan of available ports from one server (or something with the same IP address) to the other server is a first step in debugging this. Once you have established that is working, then you need to look at the internal firewalls of the machines. If they are running, that can be a game stopper.

            In my experience it is usually the fat fingering or error of a tech on a network router that causes this, but it can be a devil to prove where or what is causing it!

            Good luck

            Configuring Firewall Ports for FileMaker 9 : SFR FileMaker Blog
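The "port scan from one server to the other, then look at the host firewalls" step DonCollier describes, as an added script that is not from this thread or from FileMaker: it classifies each TCP connect so that a silent drop (network firewall between the VLANs) can be told apart from a reset (host firewall or no service listening). The master address 192.0.2.10 and the rule list are constructed examples built from the ports discussed above; the rules express which paths your policy says must be reachable from the host you run it on.

```python
import socket

# Constructed example for the worker (DMZ) -> master (corporate VLAN) path.
# 192.0.2.10 is an RFC 5737 documentation address standing in for the master.
# Rule layout: (host, port, purpose, must_be_reachable_from_this_host).
MASTER = "192.0.2.10"
EXAMPLE_RULES = [
    (MASTER, 5003, "Web Publishing Engine -> Database Server", True),
    (MASTER, 16000, "Admin Console / Admin Helpers", True),
    (MASTER, 80, "progressive download of container data", True),
    (MASTER, 443, "inserting into externally stored containers", True),
]

def probe(host, port, timeout=2.0):
    """'open': a service answered.  'refused': RST came back, so the path is
    clear but nothing listens or the host firewall rejects.  'filtered': silence,
    typically a network firewall dropping packets.  'unreachable': no route."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"

def evaluate(rules, timeout=2.0):
    """Probe every rule; return (host, port, purpose, state, matches_policy)."""
    report = []
    for host, port, purpose, expect_open in rules:
        state = probe(host, port, timeout)
        report.append((host, port, purpose, state, (state == "open") == expect_open))
    return report

def loopback_demo():
    """Offline check of the classifier: a listening loopback port and a released one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so a connect gets RST -> 'refused'
    try:
        return evaluate([("127.0.0.1", listener.getsockname()[1], "listening", True),
                         ("127.0.0.1", closed_port, "nothing listening", False)], 1.0)
    finally:
        listener.close()
```

Run `evaluate(EXAMPLE_RULES)` from the worker and print any row whose last element is False; a "filtered" row points at the VLAN firewall, a "refused" row at the master's own firewall or a stopped service.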

            • 3. Re: Two Machine Configuration - DMZ Ports?
              wimdecorte

              databuzz wrote:

              80 and 443 and required for the PHP web browser clients

              And for "interactive containers" (port 80) and for using "externally stored container data" (port 443).

              Ports used by FileMaker Server | FileMaker

              So even if you do not use web publishing but you use these other features, you need to have those ports available going into the db server.

              • 4. Re: Two Machine Configuration - DMZ Ports?
                jwmickelson

                Thank you for the reply, Dan. We'll continue looking for that culprit.

                Can you speak to which specific ports are required for this configuration?

                • 5. Re: Two Machine Configuration - DMZ Ports?
                  jwmickelson

                  If interactive content is working on 80/443, understood. BUT, is it the Worker that needs these ports open to the Master server only? Or are we talking Internet clients as well? Or just Internet clients?

                  Because we wouldn't think Internet users should need to know about, or have access to, ANY private network resource, correct?

                  • 6. Re: Two Machine Configuration - DMZ Ports?
                    DonCollier

                    @jwmickelson It's Don, not Dan, but I will forgive you.

                    The Six Fried Rice map is good at showing you the ports. You will see 80/443 for the CLIENT web browser to the web server, BUT where is the Web Publishing Engine? With that there is a different array of ports if you have split that from the Web Server. If it is one and the same it is only two; if not, a whole range more. Without seeing a topology map of your deployment it is tricky to make a further comment, and that isn't one you want to put down here, so PM if you want.

                    • 7. Re: Two Machine Configuration - DMZ Ports?
                      jwmickelson

                      Should have sent this on the original... topology is attached... Since it's FM14, the Web Server houses all Web Technologies, publisher etc... and all we're concerned with is Web, Container streaming video... not Native Client connections nor ODBC.

                      FM SSL Topology.png

                      • 8. Re: Two Machine Configuration - DMZ Ports?
                        DonCollier

                        Check the Six Fried Rice link; the diagram there will show you that you have the ports wrong between COMPDMZ60 and COMPCORP21. (I trust those are examples and not real names!)

                        In the Six Fried Rice document follow the ports in the Server Side box (the bigger one on top in their diagram). You need ports in the 16000 and 50003 range open. The ones that you have open now are for a client to server, not Web Publishing Engine to Database Server.

                        • 9. Re: Two Machine Configuration - DMZ Ports?
                          jwmickelson

                          Thanks for pointing that out, Don. I updated the diagram:

                          Network Topology.png

                          Two things remain unclear for FileMaker 14's use of ports:

                          1) What port 16000 is used for, and if it is needed for operations other than the Admin Console, which was its primary listed purpose prior to FM14. I.e., if you were ONLY ever going to use the admin console from an RDP session on the server, i.e. never from other computers on any network, does port 16000 need to be open to the Master Server?

                          The ports Table lists the following about port 16000:

                          • Used by: Master machine, Admin Console users
                          • Purpose: HTTPS: Admin Console Start Page, Admin Helpers

                          In the section for port 80 it refers to this port as follows:

                          • Purpose: (Port 80 used for) Progressive downloading of container data to all clients, redirects to port 16000 for Admin Console.

                          2) Does the Progressive Downloading or uploading of container data, remote or otherwise, require any ports other than port 80 / 443 to the Public web server?

                          The ports Table lists the following about port 80:

                          • Used by: Master machine, end users and Admin Console users
                          • Purpose: Progressive downloading of container data to all clients, redirects to port 16000 for Admin Console.

                          The ports Table lists the following about port 443:

                          • Used by: Master machine, end users and Admin Console users
                          • Purpose: HTTPS: Uploading databases from FileMaker Pro, inserting data in externally stored container fields from all clients

                          All that being the case, it still seems like Web Clients should only ever see the Web Server, correct?

                          Thanks for any further advice or clarification!

                          Jonathan

                          • 10. Re: Two Machine Configuration - DMZ Ports?
                            DonCollier

                            Check this page out, as the web browsing ports are now changeable in FileMaker, so that dynamic adds an additional layer:

                            http://help.filemaker.com/app/answers/detail/a_id/14533/~/using-alternate-web-ports-in-filemaker-server-14

                            Also check this out:

                            http://help.filemaker.com/app/answers/detail/a_id/6427/related/1

                            Note that it says in reference to 16000 "This port must be open on all machines in the configuration". I have a recollection that there may be some PHP activity on this port, although I can't recall at this moment exactly what it is and when it is needed. Given that I can, using a proper firewall, restrict this exclusively between the two machines in a two machine deployment, I have always opened it in case there is a development that comes subsequently that it would kill. I never permit WAN to LAN server control, so it isn't an issue for a client.

                            Good luck

                            • 11. Re: Two Machine Configuration - DMZ Ports?
                              dandanthesushiman

                              Hi Jonathan, looking at the diagram we are not getting how the web server has 2 IP addresses. The 192 address appears to be an internal address on the web server, which is in the DMZ; how is this achieved? It seems to us that having an internal address on a server in the DMZ would be a security concern? We are only asking because we would really like to set up a 2 machine environment in the configuration you have shown, but have always struggled to get the communication working between the internal and DMZ machine.

                              Any help would be really appreciated.

                              Danny Dawson

                              The American School in London