CONTENTS     

Configuring a Firewall

SAP J2EE Engine 6.20 can run behind a firewall to provide increased server security while processing clients requests. The firewall must be configured in accordance with the necessary free ports, which can be set as properties for the corresponding services (JMS, HTTP, P4, and so on). This secure system can be used when delivering client requests for execution. The module responsible for receiving requests must be separated from the processing one, because of the higher load factor and the firewall. For this reason, it is recommended that SAP J2EE Engine 6.20 Web Container work as a separate module. The Web Container is related closely to the EJB Container of the server. To implement the above concept, the administrator must configure the Web Container and EJB Container as two separate clusters.

Web Container and EJB Container as Two Clusters

This scenario can be implemented when all services except those related to Enterprise JavaBeans are started on the first cluster. Correspondingly, the second cluster must be configured to run all services except those related to application Web components.

This connection is available and accessible through a firewall if the following ports are free and the localhost is set:

• 80 – for HTTP Service
• 443 – for SSL Service
• 3333 – for IIOP Service
• 3011 – for P4 Service
• 3080 – for P4 with HttpTunneling
• 3044 – for P4 with SSL

This solution is recommended because of the full compatibility between the containers as parts of the integrated SAP J2EE Engine 6.20 system.

Using Tomcat and Apache

Another solution is to receive client requests using Tomcat (Web Container) and Apache (HTTP Server) instead of SAP J2EE Engine 6.20 Web Container. A firewall system can be set between these two components and the SAP J2EE Engine 6.20 cluster. The connection is made using P4. This configuration requires that the following ports are free:

• 3011 – for P4 Service
• 3080 – for P4 with HttpTunneling
• 3044 – for P4 with SSL
• 80 – for HTTP Service

When the requests are transferred to cluster dispatcher nodes, a firewall can be set between the dispatcher and server elements. The system administrator must set Cluster Manager  JoinPort property on a free port. The dispatcher listens to this port for requests from servers. Therefore, the firewall must be set with host localhost (representing the IP address of the machine where the dispatcher resides) and port 2077 (this is a default JoinPort value).

Note: For more information on configuring Apache Web Server to run with SAP J2EE Engine 6.20, refer to the Configuration Tasks -> Running Apache  Web Server with SAP J2EE Engine 6.20 section in this manual.