Firewall Configurations

Overview of Firewall Configurations

The supported firewall configurations are distinguished by these characteristics:
  • A range of restricted ports is available for client/server connections across a firewall.
  • A single port is available for all client/server connections across a firewall.

Setting Up a Firewall Configuration That Uses Restricted Ports

The example configuration includes an external SAS client, a firewall, and a SAS/CONNECT server session and a spawner program that run on the local area network. Each external client connects to the server using a range of restricted ports.
Figure: Firewall Configuration That Uses Restricted Ports
Here are the steps for setting up a firewall configuration:
  1. At each external SAS client, the user must configure the firewall port, 5010, in its services file.
    fireport                5010/tcp             # Firewall computer port 
    FIREPORT is a defined service in the client's services file that is associated with port 5010. FIREPORT is the single port through which all external SAS clients will access SAS servers in the internal network.
  2. The administrator of the firewall server must configure these ports:
    • the restricted ports that are used by the external SAS clients and a mapping to the equivalent port numbers on the SAS/CONNECT server
    • the firewall port, 5010, and a mapping to 5010 on the SAS/CONNECT server or another port number on the SAS/CONNECT server
    Note: Restricted ports are implemented using the TCPPORTFIRST= and TCPPORTLAST= system options that are specified in the SAS start-up file. (See step 4.)
    For example, if the external SAS clients use restricted ports 2040 through 2044, the administrator of the firewall server must configure those ports on the firewall server. Also, the administrator must map those ports to the same port numbers on the SAS/CONNECT server.
    Specific details about configuring and mapping ports on the firewall server vary according to the specific firewall software that is used.
  3. The administrator of the SAS/CONNECT server must configure these ports in its services file:
    • the port that is used by the external SAS client to communicate with the spawner
    • the ports that are used by the spawner to communicate with the SAS/CONNECT server
    Here is an example of these entries in the services file:
    spawnport          5060/tcp       # Port for external SAS client to spawner  
    servport           5080/tcp       # Port for spawner and SAS/CONNECT server
    SPAWNPORT is a defined service in the services file that is associated with port 5060. SERVPORT is associated with port 5080.
  4. The administrator of the SAS/CONNECT server must configure one or more restricted ports in the SAS start-up file that executes when the spawner starts the SAS/CONNECT session.
    sas.exe -tcpportfirst 2040 -tcpportlast 2040 %*
    SAS is started and the restricted port is 2040. In this example, all communications between external SAS clients and the SAS/CONNECT server are restricted to port 2040.
    A range of ports can be specified by setting TCPPORTLAST= to a value greater than TCPPORTFIRST=. For details about the system options under Windows, see TCPPORTFIRST= and TCPPORTLAST=; for UNIX, see TCPPORTFIRST= and TCPPORTLAST=.
  5. The administrator of the SAS/CONNECT server must start the spawner using a command that disables socket inheritance:
    spawner -noinheritance -service spawnport -sasdaemonservice servport -sascmd mysas.cmd
    Note: Windows uses the spawner command; UNIX uses the sastcpd command.
    The restricted port that is used by the SAS client and the SAS/CONNECT server is specified in the mysas.cmd script via the TCPPORTFIRST= and TCPPORTLAST= system options.
    Here is an explanation of the spawner command:
    Explanation of Spawner Command
    • spawner: Starts the Windows spawner.
    • -noinheritance: Specifies that sockets cannot be inherited.
    • -service spawnport: Specifies the service or its port, 5060, at which the spawner listens for requests from SAS clients to connect to a SAS/CONNECT server.
    • -sasdaemonservice servport: Specifies the service or port, 5080, through which the spawner relays the SAS client's request to connect to the SAS/CONNECT server.
    • -sascmd mysas.cmd: Specifies the script that starts the SAS/CONNECT session. The script might contain SAS options that restrict ports.
    For details about spawner options, see SAS/CONNECT Spawners.
  6. To test the configuration, start a SAS session on a computer that is outside the firewall and sign on to the server that is inside the firewall. Here is an example:
    options comamid=tcp;
    signon firewall.fireport username="myuser" password="mypass";

Setting Up a Firewall Configuration That Uses a Single Port

The example configuration includes an external SAS client, a firewall, and a SAS/CONNECT server session and a spawner program that run on the local area network. Each external client connects to the server using a single port, which is enabled by socket inheritance.
Figure: Firewall Configuration That Uses a Single Port
Here are the steps for setting up a firewall configuration:
  1. At each external SAS client, the user must configure the firewall port, 5010, in its services file.
    fireport                5010/tcp             # Firewall computer port 
    FIREPORT is a defined service in the TCP/IP services file that is associated with port 5010. FIREPORT is the single port through which all external SAS clients will access SAS servers in the internal network.
    Note: The firewall server does not necessarily have to run SAS software.
  2. The administrator of the firewall server must configure the firewall port, 5010, and map it to another port number on the SAS/CONNECT server.
    Specific details about configuring and mapping ports on the firewall server vary according to the specific firewall software that is used.
  3. The administrator of the SAS/CONNECT server must configure these ports in its services file:
    • the port that is used by the external SAS client to communicate with the spawner
    • the ports that are used by the spawner to communicate with the SAS/CONNECT server
    Here is an example of these entries in the services file:
    spawnport          5060/tcp       # Port for external SAS client to spawner  
    servport           5080/tcp       # Port for spawner and SAS/CONNECT server
    SPAWNPORT is a defined service in the services file that is associated with port 5060. SERVPORT is associated with port 5080.
  4. The administrator of the SAS/CONNECT server starts the spawner using a command that enables socket inheritance:
    spawner -inheritance -service spawnport -sasdaemonservice servport -sascmd mysas.cmd
    Note: Windows uses the spawner command; UNIX uses the sastcpd command. The -INHERITANCE option can be omitted from the command because it is enabled by default. Socket inheritance implements the use of a single port.
    Here is an explanation of the spawner command:
    Explanation of Spawner Command
    • spawner: Starts the Windows spawner.
    • -inheritance: Specifies that sockets are inherited. Socket inheritance implements the use of a single port. Omitting this option also implies socket inheritance.
    • -service spawnport: Specifies the service or its port, 5060, at which the spawner listens for requests from SAS clients to connect to a SAS/CONNECT server.
    • -sasdaemonservice servport: Specifies the service or port, 5080, through which the spawner relays the SAS client's request to connect to the SAS/CONNECT server.
    • -sascmd mysas.cmd: Specifies the script that starts the SAS/CONNECT session.
    For details about spawner options, see SAS/CONNECT Spawners.
  5. To test the configuration, start a SAS session on a computer that is outside the firewall and sign on to the server that is inside the firewall. Here is an example:
    options comamid=tcp;
    signon firewall.fireport username="myuser" password="mypass";
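Both procedures above leave the firewall administrator with the same question at step 2: which ports must be opened and mapped, given the services file entries, the spawner command and the SAS start-up command. The following Python script is an added example written for this page; it is not SAS code and not part of this documentation. It encodes only the rules the two procedures state (the firewall port is always required; the TCPPORTFIRST=/TCPPORTLAST= range is required only when the spawner runs with -noinheritance) and flags a -service name with no services entry or a reversed port range. The function names and sample inputs are constructed here, and the treatment of a range with only one of the two options set as a problem is this check's own assumption.

```python
"""Consistency check for the firewall configurations described above.

Added example, not SAS code: from the services file entries, the spawner
command and the SAS start-up command, derive the ports that the firewall
administrator must open and map (step 2 of either procedure) and flag
common mistakes. Function names, rules and sample inputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample inputs, copied from the procedures above.
SERVICES_FILE = """\
fireport                5010/tcp             # Firewall computer port
spawnport          5060/tcp       # Port for external SAS client to spawner
servport           5080/tcp       # Port for spawner and SAS/CONNECT server
"""
RESTRICTED_SPAWNER_CMD = ("spawner -noinheritance -service spawnport "
                          "-sasdaemonservice servport -sascmd mysas.cmd")
RESTRICTED_SAS_CMD = "sas.exe -tcpportfirst 2040 -tcpportlast 2044 %*"
SINGLE_SPAWNER_CMD = ("spawner -inheritance -service spawnport "
                      "-sasdaemonservice servport -sascmd mysas.cmd")
SINGLE_SAS_CMD = "sas.exe %*"


def parse_services(text):
    """Return {name: (port, proto)} from services-file text.

    Comments and blank lines are skipped. Names are lowercased because the
    page writes FIREPORT for the entry 'fireport' (an assumption of this check).
    """
    services = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError("malformed services line: %r" % raw)
        port, proto = fields[1].split("/", 1)
        services[fields[0].lower()] = (int(port), proto.lower())
    return services


def parse_spawner_cmd(cmd):
    """Return spawner options as {name: value}; bare flags map to True.

    Whitespace-split only, so a quoted -sascmd path containing spaces is not handled.
    """
    tokens = cmd.split()
    opts = {"command": tokens[0]}
    i = 1
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            raise ValueError("unexpected argument: %r" % tokens[i])
        name = tokens[i][1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[name] = tokens[i + 1]
            i += 2
        else:
            opts[name] = True
            i += 1
    return opts


def parse_port_range(sas_cmd):
    """Return (first, last) from -tcpportfirst/-tcpportlast; None for an unset option."""
    def value(name):
        m = re.search(r"-%s\s+(\d+)" % name, sas_cmd, re.IGNORECASE)
        return int(m.group(1)) if m else None
    return value("tcpportfirst"), value("tcpportlast")


@dataclass
class FirewallPlan:
    mode: str                                          # "restricted" or "single"
    firewall_ports: set = field(default_factory=set)   # open and map these at step 2
    problems: list = field(default_factory=list)


def plan_firewall_ports(services, spawner_cmd, sas_cmd, fireport_name="fireport"):
    """Apply the page's rules: fireport always; the restricted range only without inheritance."""
    opts = parse_spawner_cmd(spawner_cmd)
    plan = FirewallPlan(mode="single")
    # Step 1: every external client reaches the firewall on fireport.
    if fireport_name not in services:
        plan.problems.append("no services entry for %s" % fireport_name)
    else:
        plan.firewall_ports.add(services[fireport_name][0])
    # Step 3: names given to the spawner must resolve in the server's services file.
    for option in ("service", "sasdaemonservice"):
        name = opts.get(option)
        if not isinstance(name, str):
            plan.problems.append("spawner command lacks -%s" % option)
        elif not name.isdigit() and name.lower() not in services:
            plan.problems.append("-%s %s has no services entry" % (option, name))
    # Steps 4-5: with -noinheritance the TCPPORTFIRST=/TCPPORTLAST= range carries
    # client traffic and must also be mapped; otherwise a single port suffices.
    if "inheritance" in opts and "noinheritance" in opts:
        plan.problems.append("both -inheritance and -noinheritance given")
    if "noinheritance" in opts:
        plan.mode = "restricted"
        first, last = parse_port_range(sas_cmd)
        if first is None or last is None:
            plan.problems.append("-noinheritance but TCPPORTFIRST=/TCPPORTLAST= not both set")
        elif last < first:
            plan.problems.append("TCPPORTLAST %d is below TCPPORTFIRST %d" % (last, first))
        else:
            plan.firewall_ports.update(range(first, last + 1))
    return plan


if __name__ == "__main__":
    svc = parse_services(SERVICES_FILE)
    for label, sp, sas in (("restricted", RESTRICTED_SPAWNER_CMD, RESTRICTED_SAS_CMD),
                           ("single", SINGLE_SPAWNER_CMD, SINGLE_SAS_CMD)):
        p = plan_firewall_ports(svc, sp, sas)
        print(label, p.mode, sorted(p.firewall_ports), p.problems or "ok")
```

Run against the restricted-port procedure the plan lists 5010 plus 2040 through 2044, which matches what step 2 asks the firewall administrator to map; against the single-port procedure it lists only 5010. A reversed range or a -service name that is missing from the services file shows up in the problems list rather than silently producing an incomplete port set.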