Securing Your Network with Firewalls and Ports
This section provides information about how the distributed architecture in Commerce Server enhances the security of the deployment. The enterprise deployment provides separate environments (run-time and design-time) for external site visitors and internal business users. These separate environments help create a level of security because the two user segments are isolated—they access the site and its resources on different servers separated by a firewall.
Additionally, each environment includes separate Web and data tiers. This helps create another level of security because the presentation services are isolated from the database services.
You help secure the database content during site deployment by using the staging server to update the run-time databases. This deployment approach helps prevent direct exposure of the design-time database server to the run-time environment and its associated external clients.
Firewall settings on Windows Sever 2003 and Windows Server 2008 must be set to allow traffic to pass through TCP/IP ports without being blocked. The firewall is on by default under Windows Server 2008 so you must run the process to unblock the required ports prior to using Commerce Server in a live environment. The unblocking of firewall ports is done automatically during the installation of Commerce Server 2009 on Windows Server 2008.
Firewalls
On the firewalls used in the enterprise deployment, you open only specific ports for network communication and discard requests received on all other ports. This topic lists the ports that you must open on the following firewalls:
External firewall
Internal firewall
Corporate firewall
In this topic, inbound refers to the direction from which incoming client requests, such as those from external site visitors, access your deployment. Outbound refers to the direction in which your deployment sends data externally, beyond the deployment: for example, outbound to the Internet.
External Firewall
The external firewall that separates the deployment from the Internet makes sure that the only types of network traffic allowed into the deployment are requests for the retail Web site: incoming requests received on TCP port 80 and TCP port 443. The system discards requests received on any other port.
The following table lists the ports that you must open on the external firewall that separates your deployment from the Internet.
Direction |
Port |
Description |
|---|---|---|
Inbound |
TCP port 80 |
HTTP |
Inbound |
TCP port 443 |
HTTPS/Secure Sockets Layer (SSL) |
Internal Firewall
To prevent site visitors from accessing sensitive data on the database servers directly, the enterprise deployment uses a second firewall that separates the Web tier from the data tier in the run-time environment. This second firewall lets only specific types of internal communication pass between the Web and database servers, and helps protect the database resources from malicious Internet users who manage to compromise the Web tier.
The following table lists the ports that you must open on the internal firewall that separates the Web tier from the data tier.
Direction |
Port |
Description |
|---|---|---|
Inbound and outbound |
UDP port 53 |
Domain Name System (DNS). DNS is a distributed Internet directory service that resolves domain names and IP addresses, and controls Internet e-mail delivery. |
Inbound and outbound |
UDP port 88 |
Kerberos. Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. The domain controller and SQL Server require this port, as does any client with which you want to use Kerberos. |
Inbound and outbound |
TCP port 88 |
Kerberos. Same as mentioned earlier. |
Inbound and outbound |
TCP port 389 |
Lightweight Directory Access Protocol (LDAP). |
Inbound and outbound |
UDP port 445 |
Microsoft Common Internet File System (CIFS) for file sharing. |
Inbound |
TCP port 445 |
From the DMZ SharePoint servers to the management SharePoint server (service is SMB). |
Inbound and outbound |
TCP port 507 |
Commerce Server Staging (CSS). CSS uses this port to deploy site updates (such as Web content and business data) between different servers. |
Inbound and outbound |
TCP port 1433 |
SQL Server. By default, instances of SQL Server use TCP port 1433. |
Inbound and outbound |
TCP port 3268 |
Global catalog. Global catalog is a directory database that applications and clients can query to locate any object in a domain forest. |
Inbound and outbound |
TCP ports 5000 through 5030 |
Microsoft Distributed Transaction Coordinator (MSDTC). The base for MSDTC is on the OLE Transactions interface protocol. This provides a simple, object-oriented interface to initiate and control transactions. |
Corporate Firewall
The third firewall separates the deployment from the corporate network and helps isolate the corporate network from any security risks in the retail deployment. The types of network communication that pass through this firewall depend on the architecture and requirements of the specific corporation or business.
The following table lists some example ports that you might open on the corporate firewall that separates your deployment from your corporate network.
.gif "Important note") Important Note: |
|---|
Do not enable SQL port 1433 for the corporate firewall. If you enable this port, business users can bypass all business management security and directly access the computer that is running SQL Server. |
Direction |
Port |
Description |
|---|---|---|
Inbound |
TCP port 80 |
HTTP. |
Inbound |
TCP port 443 |
HTTPS/SSL. |
Inbound and outbound |
TCP port 2725 |
Online Analytical Processing (OLAP). |
Inbound and outbound |
TCP port 53 |
DNS. |
Inbound and outbound |
TCP port 88 |
Kerberos. |
Inbound and outbound |
UDP port 88 |
Kerberos. |
Inbound and outbound |
TCP port 389 |
LDAP. |
Inbound and outbound |
UDP port 445 |
Microsoft Common Internet File System (CIFS) for file sharing. |
Inbound and outbound |
TCP port 507 |
CSS. |
Inbound and outbound |
TCP port 2393 |
Microsoft OLAP1. Business analytics and reporting use this port. |
Inbound and outbound |
TCP port 2394 |
Microsoft OLAP2. Business analytics and reporting use this port. |
Inbound and outbound |
TCP port 2725 |
Microsoft OLAP PTP2. Business analytics and reporting use this port. |
Inbound and outbound |
TCP port 3268 |
Global catalog. |
Ports
The following tables list inbound and outbound ports for the Web tier, the data tier, and the development, test, and data tier.
Web tier to Web domain controller |
Web domain controller to Web tier |
Web tier to Data tier |
Data tier to Web tier |
|---|---|---|---|
TCP 53 |
TCP 53 |
TCP 1433 |
TCP 1433 |
TCP 88 |
TCP 88 |
TCP 507 |
TCP 507 |
UDP 88 |
UDP 88 |
||
TCP 135 |
TCP 135 |
||
UDP 137 |
UDP 137 |
TCP 5000 to 5030 |
TCP 5000 to 5030 |
UDP 138 |
UDP 138 |
||
TCP 139 |
TCP 139 |
||
UDP 139 |
UDP 139 |
||
TCP 389 |
TCP 389 |
||
UDP 445 |
UDP 445 |
||
TCP 3268 |
TCP 3268 |
Web tier domain controller to data tier domain controller |
Data tier domain controller to Web tier domain controller |
Data tier domain controller to development/test/business domain controller |
Development/test/business domain controller to data tier domain controller |
|---|---|---|---|
TCP 53 |
TCP 53 |
TCP 53 |
TCP 53 |
TCP 80 |
|||
TCP 88 |
TCP 88 |
TCP 88 |
TCP 88 |
UDP 88 |
UDP 88 |
UDP 88 |
UDP 88 |
TCP 135 |
TCP 135 |
TCP 135 |
TCP 135 |
UDP 137 |
UDP 137 |
UDP 137 |
UDP 137 |
UDP 138 |
UDP 138 |
UDP 138 |
UDP 138 |
TCP 139 |
TCP 139 |
TCP 139 |
TCP 139 |
UDP 139 |
UDP 139 |
UDP 139 |
UDP 139 |
TCP 389 |
TCP 389 |
TCP 389 |
TCP 389 |
UDP 445 |
UDP 445 |
UDP 445 |
UDP 445 |
TCP 2393 |
|||
TCP 2394 |
|||
TCP 2725 |
|||
TCP 3268 |
TCP 3268 |
TCP 3268 |
TCP 3268 |
TCP 507 |
TCP 507 |
TCP 507 |