Exchange Agent Firewall requirements

Document ID : KB000050423
Last Modified Date : 14/02/2018

Description:

The Exchange agent operates using CAM\CAFT (CA Message\CA File Transfer service).

When configuring the Exchange remote agent, you may need to configure port(s) for communication if there is a firewall between the provisioning server and the Exchange server.

Solution:

By default, CAM uses UDP to transfer messages. It can be forced to use TCP instead, which is needed when messages must be sent through firewalls.

Configure the paths on each machine to use TCP (port 4105) using the command:

camconfig paths "<destination> protocol=tcp"

However, CAM will revert to using UDP if it tries to communicate with a CAM server that is still configured to use UDP. This can be avoided by using 'fixed path' or by configuring the destination node to use TCP before communication begins.

Configure the server to use fixed paths using the command:

camconfig config "fixed_paths=yes"

This command will prevent the CAM Server from converting back to UDP mode.

If the end node is not using the same protocol as the source node, an error will occur stating that there has been a 'protocol mismatch'.

To configure CAM to use fixed path TCP between machine1 and machine2:

On machine1 type:

camconfig paths "machine2 protocol=tcp"
camconfig config "fixed_paths=yes"

On machine2 type:

camconfig paths "machine1 protocol=tcp"
camconfig config "fixed_paths=yes"

CAM TCP port (4105) must be open on the firewall in the direction in which connections are made. For example, if a machine inside the firewall only ever connects out, then the CAM TCP port must be open for in==>out connections. The out==>in route can be closed.
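
To confirm that TCP 4105 is open in the required direction, run a connection probe from the machine that initiates the connection. The script below is an added example, not part of the original CA document; its function names and outcome labels are assumptions of this example. It separates a firewall silently dropping traffic from a host that answers but is not accepting TCP on the port.

```python
import socket
import sys

CAM_TCP_PORT = 4105  # CAM TCP port stated in this article


def probe(host, port=CAM_TCP_PORT, timeout=3.0):
    """Attempt one TCP connection and classify the outcome.

    open     - handshake completed: the firewall passes this direction and
               something is listening on the port
    refused  - reset received: the host answered but nothing accepts TCP on
               the port (or a firewall rejects rather than drops)
    filtered - no answer before the timeout: typically a firewall dropping
               packets in this direction
    error    - name resolution or routing failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def check_peers(peers, port=CAM_TCP_PORT, timeout=3.0):
    """Probe every peer this machine connects out to; return {host: state}."""
    return {host: probe(host, port, timeout) for host in peers}


def main(argv):
    # Hypothetical usage: python cam_check.py machine2 [machine3 ...]
    results = check_peers(argv[1:])
    for host, state in results.items():
        print(f"{host}:{CAM_TCP_PORT} {state}")
    # Non-zero exit when any peer is not reachable over TCP.
    return 0 if results and all(s == "open" for s in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A "filtered" result points at the firewall rule for that direction, while "refused" points at the destination node, for example a machine whose CAM paths have not yet been switched to TCP.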