Configuring SAS/CONNECT for Use with a Firewall
Overview of Firewall Configurations
The supported firewall configurations are distinguished by these characteristics:
A range of restricted ports is available for client/server connections across a firewall.
A single port is available for all client/server connections across a firewall.
Setting Up a Firewall Configuration That Uses Restricted Ports
The example configuration consists of an external SAS client, a firewall, and a SAS/CONNECT server session and spawner program that run on the local area network. Each external client reaches the server session through a range of restricted ports that the firewall passes through.
Firewall Configuration That Uses Restricted Ports
Here are the steps for setting up a firewall configuration:
1. At each external SAS client, the user must add the firewall port, 5010, to the client's services file.
fireport 5010/tcp # Firewall computer port
FIREPORT is a defined service in the client's services file that is associated with port 5010. It is the port through which every external SAS client first reaches the spawner in the internal network; the server session itself is reached through the restricted ports that are configured in the following steps.
2. The administrator of the firewall server must configure these ports:
the restricted ports that are used by the external SAS clients, and a mapping to the equivalent port numbers on the SAS/CONNECT server
the firewall port, 5010, and a mapping to the port on which the spawner listens on the SAS/CONNECT server (this can be 5010 or, as in this example, a different port number such as 5060)
Note: Restricted ports are implemented using the TCPPORTFIRST= and TCPPORTLAST= system options that are specified in the SAS start-up file (see step 4).
For example, if the external SAS clients use restricted ports 2040 through 2044, the administrator of the firewall server must open those ports on the firewall server and map each of them to the same port number on the SAS/CONNECT server. Open only the ports that the SAS start-up file actually uses; a wider range than TCPPORTFIRST= through TCPPORTLAST= exposes ports that nothing on the server listens on.
Specific details about configuring and mapping ports on the firewall server vary according to the specific firewall software that is used.
3. The administrator of the SAS/CONNECT server must configure these ports in its services file:
the port that is used by the external SAS client to communicate with the spawner
the ports that are used by the spawner to communicate with the SAS/CONNECT server
spawnport 5060/tcp # Port for external SAS client to spawner
servport 5080/tcp # Port for spawner and SAS/CONNECT server
SPAWNPORT is a defined service in the services file that is associated with port 5060. SERVPORT is associated with port 5080.
4. The administrator of the SAS/CONNECT server must configure one or more restricted ports in the SAS start-up file that executes when the spawner starts the SAS/CONNECT session.
sas.exe -tcpportfirst 2040 -tcpportlast 2040 %*
SAS starts with the restricted range limited to the single port 2040, so in this example all communication between external SAS clients and the SAS/CONNECT server session is confined to port 2040. To allow a range of ports, raise the value of TCPPORTLAST= above TCPPORTFIRST= (for example, 2040 through 2044, matching the range opened on the firewall in step 2). Because each server session that the spawner starts listens on a port from this range, the width of the range also bounds how many sessions can be active at the same time. For details about the system options under Windows, see TCPPORTFIRST= and TCPPORTLAST=; for UNIX, see TCPPORTFIRST= and TCPPORTLAST=.
5. The administrator of the SAS/CONNECT server must start the spawner using a command that disables socket inheritance:
spawner -noinheritance -service spawnport -sasdaemonservice servport -sascmd mysas.cmd
Note: Windows uses the spawner command; UNIX uses the sastcpd command.
The restricted port that is used by the SAS client and the SAS/CONNECT server is specified in the mysas.cmd script via the TCPPORTFIRST= and TCPPORTLAST= system options.
Here is an explanation of the spawner command:
-noinheritance disables socket inheritance, so each server session is reached through a restricted port rather than through the socket that the spawner accepted.
-service spawnport names the service (port 5060) on which the spawner listens for external SAS clients.
-sasdaemonservice servport names the service (port 5080) that the spawner and the SAS/CONNECT server session use to communicate.
-sascmd mysas.cmd names the script that starts the SAS/CONNECT session; it carries the TCPPORTFIRST= and TCPPORTLAST= options.
For details about spawner options, see SAS/CONNECT Spawners.
6. To test the configuration, start a SAS session on a computer that is outside the firewall and sign on to the server that is inside the firewall. Here is an example:
options comamid=tcp;
signon firewall.fireport username="myuser" password="mypass";
A literal password in a program file is readable by anyone who can read the file; for interactive use, specify password=_prompt_ so that SAS asks for the password at sign-on instead.
Setting Up a Firewall Configuration That Uses a Single Port
The example configuration consists of an external SAS client, a firewall, and a SAS/CONNECT server session and spawner program that run on the local area network. Each external client reaches the server through a single port, which socket inheritance makes possible.
Firewall Configuration That Uses a Single Port
Here are the steps for setting up a firewall configuration:
1. At each external SAS client, the user must add the firewall port, 5010, to the client's services file.
fireport 5010/tcp # Firewall computer port
FIREPORT is a defined service in the TCP/IP services file that is associated with port 5010. It is the single port through which all external SAS clients access SAS servers in the internal network.
Note: The firewall server does not necessarily have to run SAS software.
2. The administrator of the firewall server must configure the firewall port, 5010, and map it to the port on which the spawner listens on the SAS/CONNECT server (5060 in this example). No other inbound port is needed in this configuration.
Specific details about configuring and mapping ports on the firewall server vary according to the specific firewall software that is used.
3. The administrator of the SAS/CONNECT server must configure these ports in its services file:
the port that is used by the external SAS client to communicate with the spawner
the ports that are used by the spawner to communicate with the SAS/CONNECT server
spawnport 5060/tcp # Port for external SAS client to spawner
servport 5080/tcp # Port for spawner and SAS/CONNECT server
SPAWNPORT is a defined service in the services file that is associated with port 5060. SERVPORT is associated with port 5080.
4. The administrator of the SAS/CONNECT server starts the spawner using a command that enables socket inheritance:
spawner -inheritance -service spawnport -sasdaemonservice servport -sascmd mysas.cmd
Note: Windows uses the spawner command; UNIX uses the sastcpd command.
The -INHERITANCE option can be omitted from the command because it is enabled by default. Socket inheritance is what makes a single port sufficient: the server session inherits the client's socket from the spawner, so no second connection on another port is needed.
Here is an explanation of the spawner command:
-inheritance enables socket inheritance (the default), so the server session inherits the socket that the spawner accepted from the client.
-service spawnport names the service (port 5060) on which the spawner listens for external SAS clients.
-sasdaemonservice servport names the service (port 5080) that the spawner and the SAS/CONNECT server session use to communicate.
-sascmd mysas.cmd names the script that starts the SAS/CONNECT session.
For details about spawner options, see SAS/CONNECT Spawners.
5. To test the configuration, start a SAS session on a computer that is outside the firewall and sign on to the server that is inside the firewall. Here is an example:
options comamid=tcp;
signon firewall.fireport username="myuser" password="mypass";
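The two procedures above differ only in which ports the firewall has to pass: the firewall port mapped to the spawner port in both cases, plus the TCPPORTFIRST= through TCPPORTLAST= range when socket inheritance is disabled. The following script is an added example (it is not SAS code and not part of the SAS documentation) that derives the required mappings for either configuration from the services-file entries, the spawner command and the SAS start-up command shown on this page, and then audits a proposed firewall rule set against them, reporting mappings that are missing and ports that are opened without need. The services-file syntax is the standard one; the firewall rule representation, a set of (port on the firewall, port on the SAS/CONNECT server) pairs, is an assumption made for illustration, because real firewall syntax varies by product. The sample entries, commands and rule set are constructed to match the page's examples, except that the SAS start-up command uses the range 2040 through 2044 from step 2 of the restricted-ports procedure.

```python
"""Added example, not from the SAS documentation: derive the firewall port
mappings that the restricted-ports and single-port SAS/CONNECT configurations
need, and audit a proposed rule set against them.

Assumption: firewall rules are modelled as (external port, internal port)
pairs; the real syntax depends on the firewall product."""
import re

# Constructed sample data reproducing the entries used on this page.
CLIENT_SERVICES = "fireport  5010/tcp  # Firewall computer port\n"
SERVER_SERVICES = (
    "spawnport 5060/tcp  # Port for external SAS client to spawner\n"
    "servport  5080/tcp  # Port for spawner and SAS/CONNECT server\n"
    "ssh       22/tcp\n"  # unrelated entry that must be ignored
)
RESTRICTED_SPAWNER = ("spawner -noinheritance -service spawnport "
                      "-sasdaemonservice servport -sascmd mysas.cmd")
SINGLE_PORT_SPAWNER = ("spawner -inheritance -service spawnport "
                       "-sasdaemonservice servport -sascmd mysas.cmd")
RESTRICTED_SAS_CMD = "sas.exe -tcpportfirst 2040 -tcpportlast 2044 %*"

_SERVICE_LINE = re.compile(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\b")


def parse_services(text):
    """Return {service name: port} for the TCP entries of a services file."""
    found = {}
    for line in text.splitlines():
        m = _SERVICE_LINE.match(line)
        if m and m.group(3) == "tcp":
            found[m.group(1)] = int(m.group(2))
    return found


def parse_spawner_cmd(cmd):
    """Return (socket inheritance enabled, spawner service name).
    Inheritance is on unless -noinheritance is given (the page's default)."""
    tokens = cmd.split()
    inheritance = "-noinheritance" not in tokens
    service = tokens[tokens.index("-service") + 1]
    return inheritance, service


def restricted_range(sas_cmd):
    """TCPPORTFIRST= through TCPPORTLAST= as a range, or None if absent."""
    first = re.search(r"-tcpportfirst\s+(\d+)", sas_cmd, re.I)
    last = re.search(r"-tcpportlast\s+(\d+)", sas_cmd, re.I)
    if not (first and last):
        return None
    lo, hi = int(first.group(1)), int(last.group(1))
    if lo > hi:
        raise ValueError("TCPPORTFIRST= must not exceed TCPPORTLAST=")
    return range(lo, hi + 1)


def required_mappings(client_services, server_services, spawner_cmd, sas_cmd):
    """Set of (port on the firewall, port on the SAS/CONNECT server) pairs
    the firewall must pass. Both configurations map the firewall port to the
    spawner port; without socket inheritance every server session also
    listens on its own port in the restricted range, mapped one-to-one."""
    inheritance, service = parse_spawner_cmd(spawner_cmd)
    needed = {(client_services["fireport"], server_services[service])}
    if not inheritance:
        rng = restricted_range(sas_cmd)
        if rng is None:
            raise ValueError("-noinheritance needs TCPPORTFIRST=/TCPPORTLAST= "
                             "in the SAS start-up command")
        needed.update((p, p) for p in rng)
    return needed


def audit_rules(rules, needed):
    """Compare a firewall rule set with what is needed: (missing, excess)."""
    return needed - rules, rules - needed


if __name__ == "__main__":
    client = parse_services(CLIENT_SERVICES)
    server = parse_services(SERVER_SERVICES)
    # Constructed rule set: the spawner mapping plus a range wider than the
    # one SAS was started with, so the audit flags the unnecessary ports.
    proposed = {(5010, 5060)} | {(p, p) for p in range(2040, 2050)}
    for label, spawner in (("restricted ports", RESTRICTED_SPAWNER),
                           ("single port", SINGLE_PORT_SPAWNER)):
        needed = required_mappings(client, server, spawner, RESTRICTED_SAS_CMD)
        missing, excess = audit_rules(proposed, needed)
        print(f"{label}: needs {sorted(needed)}")
        print(f"  missing: {sorted(missing)}  excess (close these): {sorted(excess)}")
```

Run as-is, the audit shows that the single-port configuration needs only the 5010 to 5060 mapping, so every entry of the restricted range in the proposed rule set is excess, while the restricted-ports configuration needs 2040 through 2044 and flags 2045 through 2049 as ports that nothing on the server listens on. Feeding it the real services files and start-up commands before the firewall change is a cheap way to catch the two common mistakes: forgetting the restricted range when inheritance is off, and opening a wider range than the SAS start-up file uses.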
Copyright © 2008 by SAS Institute Inc., Cary, NC, USA. All rights reserved.