What configuration will allow CA XCOM traffic to pass through a firewall?

Document ID : KB000056317
Last Modified Date : 14/02/2018

The firewall must allow TCP traffic for destination IP address = any and destination port = 8044; the source port cannot be restricted.

The reason you cannot filter on the incoming (source) address and port is that they are random. When sending a transfer, the partner CA XCOM must request a socket from its local machine's IP stack, and the IP stack hands out the next available one. CA XCOM has no way of predicting which port and which IP address will make up that socket. This is the same way many other TCP-based applications work.

Walking through how CA XCOM obtains an IP socket, opens it, and establishes an IP session to start a transfer makes it clear why a firewall filter can be configured in only one way if XCOM traffic is to flow through.

Note: This applies only to TCP/IP-based communication. SNA-based transfers do not directly use IP functionality, except for the client-server communication between the SNA server and the SNA client.

When CA XCOM processes a locally initiated IP transfer, it requests the "next available socket" from the IP stack via a system call (Get Socket). It cannot request a specific socket from TCP/IP. Assume the IP stack returns successfully with a socket identifier whose port number is 1546. CA XCOM then opens that socket and, if the open succeeds, requests a TCP session with the remote partner.

This means the request always addresses the remote IP address on port 8044, using the local IP address and whatever port was available locally. From the session perspective of an IP-based CA XCOM transfer, the IP parameters look as follows.

Viewed with a "netstat" command, this shows:

 Active Connections
   Proto  Local Address    Foreign Address    State
   TCP    abcyz02:1546     rmtsys:8044        ESTABLISHED
   TCP    abcyz02:8044     rmtsys:3062        ESTABLISHED

The netstat output above shows two currently active transfers. One transfer was initiated locally on "abcyz02" and set up a TCP session to rmtsys:8044, while at the same time a completely different transfer ran from "rmtsys" to "abcyz02". You can see that "rmtsys" was given a different "next available" socket/port value (3062), which is in session with the port 8044 served on "abcyz02".

Based on the above, the only way to filter traffic at a firewall and still let all CA XCOM transfers through is to allow TCP session establishment to destination port 8044. You can additionally add rules permitting only certain valid IP ranges, but under no circumstances can you write a rule on the local (source) socket/port: it is always requested from the local IP stack and its value is random.
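As an added illustration (not part of this document or of CA XCOM itself), the following Python rebuilds the two transfers from the netstat listing above and checks them against a destination-port-8044 rule versus a rule pinned to the ephemeral source port seen once. The host names are the article's; the rule model and function names are constructed for the example.

```python
import re
from dataclasses import dataclass

XCOM_PORT = 8044  # CA XCOM listener port named in the article

# Constructed sample, same shape as the netstat listing in the article.
NETSTAT_OUTPUT = """\
Active Connections
  Proto  Local Address      Foreign Address    State
  TCP    abcyz02:1546       rmtsys:8044        ESTABLISHED
  TCP    abcyz02:8044       rmtsys:3062        ESTABLISHED
"""

@dataclass(frozen=True)
class Syn:
    """The connection-opening packet as the firewall sees it."""
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int

def parse_netstat(text):
    """Return (local_host, local_port, remote_host, remote_port) per TCP line."""
    pat = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED")
    return [(m[1], int(m[2]), m[3], int(m[4]))
            for m in map(pat.match, text.splitlines()) if m]

def to_syn(local_host, local_port, remote_host, remote_port):
    """XCOM always connects *to* 8044, so the end holding 8044 is the listener
    and the other end (with its random ephemeral port) sent the SYN."""
    if remote_port == XCOM_PORT:
        return Syn(local_host, local_port, remote_host, remote_port)
    return Syn(remote_host, remote_port, local_host, local_port)

def allow_by_destination_port(syn):
    """The rule the article recommends: any source port, destination 8044."""
    return syn.dst_port == XCOM_PORT

def allow_by_pinned_source_port(syn, pinned_port):
    """The rule the article warns against: matching the ephemeral port seen
    once (1546); the next transfer gets a different one and is dropped."""
    return syn.src_port == pinned_port and syn.dst_port == XCOM_PORT

def evaluate(rule, text=NETSTAT_OUTPUT):
    """Apply a rule to each transfer's SYN; True means the firewall admits it."""
    return [rule(to_syn(*row)) for row in parse_netstat(text)]

if __name__ == "__main__":
    print(evaluate(allow_by_destination_port))                       # [True, True]
    print(evaluate(lambda s: allow_by_pinned_source_port(s, 1546)))  # [True, False]
```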