Hi Michael,

We run a venueserver and run it within limited port ranges so that it is easier to manage firewalls. In general I think this is a good idea.

On our firewalls, we typically open up to specific machines and/or to specific ports on those machines. I think that our firewalls are open to connect to the NCSA bridge machine and venueserver on an IP number basis (all ports or at least a very large range of ports). This is the same for Argonne, the AGSC, and others... If we could limit the ports to a small fixed set of ports so we could clamp down on the firewall, that would be much better from a security standpoint.

I think the only issue is how often there would be changes in the IP number and ports used. Whenever this happens, anyone that has firewall settings that enable AG will need to make changes, which is a significant impact on the community. Thus you probably want to use a port range that is large enough to include room for growth and change but not too large to be a huge hole. Our servers currently use a port range that spans 200 ports... The important thing is to minimize the number of changes so that firewalls only need to be changed very rarely.

In terms of use of firewalls, we have some sites that do nothing and some that only open up the IP number and ports for a given bridge server and a given AG venue. They know they only use that room, and therefore they only open up those four ports to a specific bridge machine. Thus static ports on a per venue basis isn't a bad thing either...

Cheers,
Brian

Michael Miller wrote:
> We are considering consolidating the ports used on the NCSA AG Venue
> Servers into a consecutive range of ports. We wanted to find out how
> the AG community is currently dealing with firewalls and the ports used
> for AG and what can be done to make a change like this go smoothly. We
> are wondering how ports and multicast IPs were selected in the past as
> well as who might be considering setting up venue servers in the near
> future.
>
> We welcome your comments.
>
> Michael Miller
> NCSA
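Added example (Python, not from this thread or from the Access Grid software): a small audit helper for the two firewall options Brian describes, a fixed 200-port range opened from the bridge host versus four static ports opened for a single venue. The bridge address, venue names and port numbers are constructed placeholders.

```python
# Constructed sample data: one bridge host, a 200-port consolidated range and
# three venues that each use four UDP ports (audio and video, with RTCP pairs).
BRIDGE_HOST = "192.0.2.10"          # placeholder bridge machine address
VENUE_RANGE = (50000, 50199)        # 200 consecutive ports, as in the thread
VENUES = {
    "lobby":  (50000, 50001, 50002, 50003),
    "room-a": (50004, 50005, 50006, 50007),
    "legacy": (61000, 61001, 61002, 61003),  # allocated before consolidation
}


def venues_outside_range(venues, port_range):
    """Venues whose ports fall outside the consolidated range; each of these
    forces an extra firewall change at every site that follows the range."""
    lo, hi = port_range
    return sorted(n for n, ps in venues.items()
                  if any(not lo <= p <= hi for p in ps))


def headroom(venues, port_range):
    """Unassigned ports left in the range: room for growth before the range,
    and therefore every site's firewall, has to change again."""
    lo, hi = port_range
    used = {p for ps in venues.values() for p in ps if lo <= p <= hi}
    return (hi - lo + 1) - len(used)


def range_rules(bridge_host, port_range):
    """iptables INPUT rule (as text) for a site that opens only the fixed
    range, and only from the bridge machine."""
    lo, hi = port_range
    return [f"-A INPUT -p udp -s {bridge_host} --dport {lo}:{hi} -j ACCEPT"]


def per_venue_rules(bridge_host, venues, name):
    """Rules for a site that uses one venue and opens just its four ports."""
    return [f"-A INPUT -p udp -s {bridge_host} --dport {p} -j ACCEPT"
            for p in venues[name]]


def overly_broad(rules):
    """Flag ACCEPT rules scoped to a host but not to any port: the
    'all ports on an IP number basis' opening the thread warns about."""
    return [r for r in rules if "ACCEPT" in r and "--dport" not in r]
```

Running the helpers over a site's rule text shows which venues still need a separate opening and how much growth the range can absorb before another community-wide change.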
On our firewalls, we typically open up to specific machines and/or to specific ports on those machines. I think that our firewalls are open to connect to the NCSA bridge machine and venueserver on an IP number basis (all ports or at least a very large range of ports). This is the same for Argonne, the AGSC, and others... If we could limit the ports to a small fixed set of ports so we could clamp down on the firewall that would be much better from a security standpoint. I think the only issue is how often would there be changes in the IP number and ports used. Whenever this happens, anyone that has firewall setting that enables AG will need to make changes, which is a significant impact on the community. Thus you probably want to use a port range that is large enough to include room for growth and change but not too large to be a huge hole. Our servers currently use a port range that spans 200 ports... The important thing is to minimize the number of changes so that firewalls only need to changed very rarely. In terms of use of firewalls, we have some sites that do nothing and some that only open up the IP number and ports for a given bridge server and a given AG venue. They know they only use that room, and therefore they only open up those four ports to a specific bridge machine. Thus static ports on a per venue basis isn't a bad thing either... Cheers, Brian Michael Miller wrote: > We are considering consolidating the ports used on the NCSA AG Venue > Servers into a consecutive range of ports. We wanted to find out how > the AG community is currently dealing with firewalls and the ports used > for AG and what can be done to make a change like this go smoothly. We > are wondering how ports and multicast IPs were selected in the past as > well as who might be considering setting up venue servers in the near > future. > > We welcome your comments. > > Michael Miller > NCSA >