Designating Ports and Multicast Addresses

While you are creating operating system user accounts and groups, you need to review the set of ports that the SAS servers, third-party servers, and spawners in your system will use by default. If any of these ports are unavailable, select an alternate port and record the new port on the following ports pre-installation checklist Pre-installation Checklist for Ports for SAS.

You need to plan for designating IP multicast addresses for all of the machines in your SAS deployment. Multicasting simplifies the ongoing management and deployment of SAS web applications by providing the flexibility to customize the SAS middle tier and to distribute SAS web components to implement load balancing.

The SAS Deployment Wizard prompts you to supply a multicast address for inter-machine communication. The wizard provides you with a default multicast address that it generates based on the machine's IP address and the admin-local scope that is recommended in RFC 3171 (IPv4) or RFC 4291 (IPv6).

A multicast group communication protocol is used to communicate among middle-tier SAS applications in a single SAS deployment (the SAS applications connected to the same SAS Metadata Server). The combination of multicast IP address and multicast UDP port should be different for each SAS deployment and different from those used by other multicast applications at your site.

The IP multicast address must be valid for IP multicasting and should be in the range 224.0.0.0 to 239.255.255.255 for IPv4 or have the prefix ff00::/8 for IPv6. Typically, the chosen IP multicast address is in the admin-local scope block, which corresponds to 239/8 for IPv4 and ff14::/8 for IPv6. The sample address provided during configuration by the SAS Deployment Wizard conforms to these standards. The address should be unique to SAS applications for the subnet that they are installed on.

The IP multicast UDP port should be open and usable on any machine on which a middle-tier application is to be installed. This is a UDP port and does not conflict with any previous TCP port definitions such as the SAS Metadata Server. The multicast group communication is intended to be used only within your data center environment. Many sites keep their data center network separated from users via a firewall that will automatically isolate the multicast protocol. Alternatively, the time to live (TTL) parameter can be used to restrict the scope of multicast communication. Your network administrator can suggest a TTL setting to limit the scope of multicast. The TTL option and the authentication token option both have security implications.

The multicast TTL parameter (default = 1, range = 0–255) affects the number of network hops a multicast packet can take before being dropped. This TTL value must be greater than or equal to the highest number of hops between any two servers containing SAS products. In addition, some network router documentation recommends that multicast datagrams with initial TTL=0 are restricted to the same host, multicast datagrams with initial TTL=1 are restricted to the same subnet, and multicast datagrams with initial TTL=32 are restricted to the same site. Consult your network router documentation or your network administrator to determine the correct values for your environment.

Because the multicast protocol conveys credentials, it is protected via encryption. By default, the multicast group communication is protected only with a fixed encryption key that is built into the software. If your middle tier is running in an environment that is not well-isolated from user access, then you might want better protection against eavesdroppers and unauthorized group participants. In this case, choose an authentication token known only to your SAS middle-tier administrative users. The authentication token is a password-like string needed to connect to the multicast group and create a site-specific encryption key.

The deployment wizard default simplifies configuration by using the authentication token that is built into the software. This option is best used in development and other low-security environments. It might also be appropriate in higher-security environments where the multicast group communication is isolated from the user community, either via a firewall or TTL option, and where all data center administrative users and operational users have sufficient security approval.

If your multicast group communication is not within a well-isolated data center environment, or if the security procedures at your site require protection for administrative users and operational users in various roles, you should specify an authentication token that is known only to the administrators of the SAS environment. The same token string must be supplied on each tier in the configuration.

By default, there is a code-level authentication token shared between all SAS middle-tier applications to prevent access to the multicast group from unauthorized listeners. If you choose to use a customized authentication token, use the deployment wizard to enter an authentication token value that meets your organization's security guidelines. The authentication token can be any password-like string. In a multi-tier configuration, a prompt appears on each tier that has an application participating in the SAS multicast group. You must provide the same authentication token string to each tier in the same SAS deployment (that is, each tier associated with the same SAS Metadata Server).

Use the following pre-installation checklist to see what ports are used for SAS by default and to record the port numbers that you are actually using.

The last digit of the default port number reflects the configuration level that you select in the SAS Deployment Wizard. For example, if you select Lev1, the default port for the SAS Metadata Server is 8561. If you select another level, such as Lev2, the wizard changes the default port to 8562.