Securing Your Network with Firewalls and Ports

This section provides information about how the distributed architecture in Commerce Server enhances the security of the deployment. The enterprise deployment provides separate environments (run-time and design-time) for external site visitors and internal business users. These separate environments help create a level of security because the two user segments are isolated—they access the site and its resources on different servers separated by a firewall.

Additionally, each environment includes separate Web and data tiers. This helps create another level of security because the presentation services are isolated from the database services.

You help secure the database content during site deployment by using the staging server to update the run-time databases. This deployment approach helps prevent direct exposure of the design-time database server to the run-time environment and its associated external clients.

Firewall settings on Windows Server 2003 and Windows Server 2008 must allow traffic on the TCP/IP ports listed in this topic. On Windows Server 2008 the Windows Firewall is on by default, so the required ports must be unblocked before you use Commerce Server in a live environment. Installing Commerce Server 2009 on Windows Server 2008 unblocks the required ports automatically; after installation, compare the resulting firewall rules with the tables below and remove anything you do not need, because the installer opens ports for the local host rather than restricting them to the specific peer servers described here.

Firewalls

On the firewalls used in the enterprise deployment, you open only specific ports for network communication and discard requests received on all other ports. This topic lists the ports that you must open on the following firewalls:

  • External firewall

  • Internal firewall

  • Corporate firewall

In this topic, inbound refers to the direction from which incoming client requests, such as those from external site visitors, access your deployment. Outbound refers to the direction in which your deployment sends data externally, beyond the deployment: for example, outbound to the Internet.

External Firewall

The external firewall that separates the deployment from the Internet makes sure that the only types of network traffic allowed into the deployment are requests for the retail Web site: incoming requests received on TCP port 80 and TCP port 443. The system discards requests received on any other port.

The following table lists the ports that you must open on the external firewall that separates your deployment from the Internet.

Inbound, TCP port 80
    HTTP

Inbound, TCP port 443
    HTTPS/Secure Sockets Layer (SSL)

Internal Firewall

To prevent site visitors from accessing sensitive data on the database servers directly, the enterprise deployment uses a second firewall that separates the Web tier from the data tier in the run-time environment. This second firewall lets only specific types of internal communication pass between the Web and database servers, and helps protect the database resources from malicious Internet users who manage to compromise the Web tier.

The following table lists the ports that you must open on the internal firewall that separates the Web tier from the data tier. Open each port only between the specific hosts that need it (for example, TCP port 1433 from the Web servers to the computer that is running SQL Server), not between whole subnets.

Inbound and outbound, UDP port 53
    Domain Name System (DNS). DNS resolves host names to IP addresses and, through MX records, locates the mail servers for a domain. Responses larger than 512 bytes and zone transfers fall back to TCP port 53.

Inbound and outbound, UDP port 88
    Kerberos. Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. The domain controller and SQL Server require this port, as does any client with which you want to use Kerberos.

Inbound and outbound, TCP port 88
    Kerberos. Same as UDP port 88. Windows Vista, Windows Server 2008, and later versions send Kerberos over TCP by default, so do not open only the UDP port.

Inbound and outbound, TCP port 389
    Lightweight Directory Access Protocol (LDAP) to the domain controller.

Inbound and outbound, UDP port 445
    Registered for Microsoft Common Internet File System (CIFS) for file sharing. In practice SMB over TCP/IP (direct hosting) uses TCP port 445; Windows does not send SMB over UDP port 445.

Inbound, TCP port 445
    SMB from the DMZ SharePoint servers to the management SharePoint server.

Inbound and outbound, TCP port 507
    Commerce Server Staging (CSS). CSS uses this port to deploy site updates (such as Web content and business data) between different servers.

Inbound and outbound, TCP port 1433
    SQL Server. By default, a default instance of SQL Server listens on TCP port 1433. A named instance listens on a dynamic port unless you assign it a fixed one, and clients locate it through SQL Server Browser on UDP port 1434; assign a fixed port and open that port instead of opening the whole dynamic range.

Inbound and outbound, TCP port 3268
    Global catalog. The global catalog is a directory database that applications and clients can query to locate any object in a domain forest.

Inbound and outbound, TCP ports 5000 through 5030
    Microsoft Distributed Transaction Coordinator (MSDTC). MSDTC is built on the OLE Transactions protocol, which provides a simple, object-oriented interface to initiate and control transactions. MSDTC communicates over RPC: a client first contacts the RPC endpoint mapper on TCP port 135 and is then directed to a dynamic port. The 5000 through 5030 range assumes that you have restricted the RPC dynamic port range to those ports on the servers (the Ports value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet); otherwise MSDTC uses a port from the default dynamic range and the firewall blocks it.
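The internal-firewall list above is usually enforced twice: on the network firewall between the tiers and, as defense in depth, on the Windows Firewall of the data-tier host itself. The following PowerShell script is an added example and is not part of the original page or of Commerce Server; it configures the host firewall of a data-tier server (SQL Server plus CSS) on Windows Server 2008 to admit only the ports in the table, each restricted to the peers that need it, and pins the RPC dynamic range so that MSDTC really does use TCP 5000 through 5030. The subnets 10.0.1.0/24 (Web tier), 10.0.2.0/24 (domain controllers) and the staging server address 10.0.3.10 are assumptions for illustration. It uses netsh advfirewall because the NetSecurity PowerShell module does not exist on Windows Server 2008.

```powershell
# Added example (not Commerce Server code): host firewall for a data-tier server.
# Assumed addresses, adjust to your network:
$WebTier           = '10.0.1.0/24'   # assumed Web-tier subnet
$DomainControllers = '10.0.2.0/24'   # assumed domain-controller subnet
$StagingServer     = '10.0.3.10'     # assumed CSS staging server (design-time side)

# 1. Default-deny inbound on every profile; anything not listed below is dropped.
#    Outbound stays open, which covers the "outbound" half of the table (the data
#    tier initiates DNS, Kerberos, LDAP and global-catalog traffic to the DCs).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Restrict the RPC dynamic range to 5000-5030 so MSDTC lands on a port the
#    firewall knows about (Microsoft KB 154596). Takes effect after a reboot.
#    Network DTC access must still be enabled in Component Services (dcomcnfg).
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
New-ItemProperty -Path $rpc -Name Ports -PropertyType MultiString -Value @('5000-5030') -Force | Out-Null
New-ItemProperty -Path $rpc -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpc -Name UseInternetPorts       -PropertyType String -Value 'Y' -Force | Out-Null

# 3. Inbound allow rules: one per service the host offers, scoped to its peers.
#    SMB is TCP 445 (direct hosting); the UDP 445 table entry carries no traffic.
$rules = @(
  @{ Name = 'CS SQL Server (TCP 1433)';         Proto = 'TCP'; Port = '1433';      From = $WebTier },
  @{ Name = 'CS RPC endpoint mapper (TCP 135)'; Proto = 'TCP'; Port = '135';       From = $WebTier },
  @{ Name = 'CS MSDTC (TCP 5000-5030)';         Proto = 'TCP'; Port = '5000-5030'; From = $WebTier },
  @{ Name = 'CS Staging (TCP 507)';             Proto = 'TCP'; Port = '507';       From = "$WebTier,$StagingServer" },
  @{ Name = 'CS SMB (TCP 445)';                 Proto = 'TCP'; Port = '445';       From = $DomainControllers }
)
foreach ($r in $rules) {
  # Delete any previous rule with the same name so the script can be re-run safely.
  netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null
  netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
      protocol=$($r.Proto) localport=$($r.Port) remoteip=$($r.From) profile=any enable=yes
}

# 4. Print the effective inbound rules to compare against the table by hand.
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern '^(Rule Name|LocalPort|RemoteIP)'
```

Run the script in an elevated PowerShell session on the data-tier server, reboot for the RPC range to apply, and keep the printed rule list with the deployment records; the network firewall between the tiers should be configured from the same list so that the two do not drift apart.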

Corporate Firewall

The third firewall separates the deployment from the corporate network and helps isolate the corporate network from any security risks in the retail deployment. The types of network communication that pass through this firewall depend on the architecture and requirements of the specific corporation or business.

The following table lists some example ports that you might open on the corporate firewall that separates your deployment from your corporate network.

Important Note:

Do not enable SQL port 1433 on the corporate firewall. If you enable this port, business users can bypass all business management security (the authorization enforced by the business management Web services) and connect directly to the computer that is running SQL Server.

Inbound, TCP port 80
    HTTP.

Inbound, TCP port 443
    HTTPS/SSL.

Inbound and outbound, TCP port 53
    DNS. Open UDP port 53 as well; ordinary lookups use UDP and only large responses and zone transfers use TCP.

Inbound and outbound, TCP port 88
    Kerberos.

Inbound and outbound, UDP port 88
    Kerberos.

Inbound and outbound, TCP port 389
    LDAP.

Inbound and outbound, UDP port 445
    Microsoft Common Internet File System (CIFS) for file sharing. SMB over TCP/IP actually uses TCP port 445.

Inbound and outbound, TCP port 507
    CSS.

Inbound and outbound, TCP port 2393
    Microsoft OLAP1. Business analytics and reporting use this port.

Inbound and outbound, TCP port 2394
    Microsoft OLAP2. Business analytics and reporting use this port.

Inbound and outbound, TCP port 2725
    Microsoft OLAP PTP2. Business analytics and reporting use this port.

Inbound and outbound, TCP port 3268
    Global catalog.

TCP ports 2393, 2394, and 2725 are the listener ports of OLAP Services 7.0 and Analysis Services 2000. A default instance of Analysis Services 2005 or 2008 listens on TCP port 2383 instead, so check which port your Analysis Services instance actually uses before you open these.
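The warning above is only as good as the check behind it. The following PowerShell script is an added example, not part of the original page or of Commerce Server; run from a business user's workstation on the corporate network, it confirms that the business management site answers on TCP 80 and 443 while TCP 1433 on the run-time SQL Server is not reachable. The host names web.contoso.local and sql.contoso.local are assumptions. It probes with System.Net.Sockets.TcpClient because Test-NetConnection is not available on Windows Server 2008 era clients, and it distinguishes a port the firewall silently drops (filtered) from one the host actively refuses (closed); either is acceptable for 1433, but filtered is what a correctly configured corporate firewall produces.

```powershell
# Added example (not Commerce Server code): verify the corporate firewall policy.
function Test-TcpPort {
  param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
  $client = New-Object System.Net.Sockets.TcpClient
  try {
    $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
      # No SYN/ACK and no RST within the timeout: a firewall is dropping the SYN.
      return 'filtered'
    }
    $client.EndConnect($async)   # throws if the host answered with RST
    return 'open'
  } catch {
    # Connection refused (and also name-resolution failures) end up here.
    return 'closed'
  } finally {
    $client.Close()
  }
}

# Assumed hosts; expectations follow the corporate firewall table above.
$checks = @(
  @{ Host = 'web.contoso.local'; Port = 80;   Expect = 'open' },
  @{ Host = 'web.contoso.local'; Port = 443;  Expect = 'open' },
  @{ Host = 'sql.contoso.local'; Port = 1433; Expect = 'blocked' }   # must never be open from here
)

$failed = 0
foreach ($c in $checks) {
  $state = Test-TcpPort -ComputerName $c.Host -Port $c.Port
  $ok = if ($c.Expect -eq 'open') { $state -eq 'open' } else { $state -ne 'open' }
  if (-not $ok) { $failed++ }
  '{0,-20} {1,5}  {2,-9} expected {3,-8} {4}' -f $c.Host, $c.Port, $state, $c.Expect, $(if ($ok) { 'OK' } else { 'FAIL' })
}
if ($failed -gt 0) { Write-Error "$failed firewall check(s) failed"; exit 1 }
```

Extend the list with the OLAP and CSS ports once you know which hosts should reach them, and run the script again after every firewall change; a result of open for 1433 means business users can reach SQL Server directly and the corporate firewall rule set needs to be corrected before the site goes live.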

Ports

The following tables list, for each direction of traffic, the ports used between the Web tier and its domain controller, between the Web tier and the data tier, and between the domain controllers of the Web, data, and development/test/business tiers.

Web tier to Web domain controller    Web domain controller to Web tier    Web tier to Data tier    Data tier to Web tier
TCP 53                               TCP 53                               TCP 1433                 TCP 1433
TCP 88                               TCP 88                               TCP 507                  TCP 507
UDP 88                               UDP 88                               TCP 135                  TCP 135
UDP 137                              UDP 137                              TCP 5000 to 5030         TCP 5000 to 5030
UDP 138                              UDP 138
TCP 139                              TCP 139
UDP 139                              UDP 139
TCP 389                              TCP 389
UDP 445                              UDP 445
TCP 3268                             TCP 3268

The second table covers the four directions between domain controllers:

  • Web tier domain controller to data tier domain controller

  • Data tier domain controller to Web tier domain controller

  • Data tier domain controller to development/test/business domain controller

  • Development/test/business domain controller to data tier domain controller

All four directions list the same set of ports:

TCP 53
TCP 88
UDP 88
TCP 135
UDP 137
UDP 138
TCP 139
UDP 139
TCP 389
UDP 445
TCP 3268

In addition, the table lists TCP 80 in one of the four directions, TCP 2393, TCP 2394, and TCP 2725 (OLAP) in the direction or directions that carry business analytics traffic, and TCP 507 (CSS) in three of the four directions; the flattened source does not preserve which direction each of these entries belongs to.

See Also

Other Resources

Configuring Network Settings for the Enterprise Deployment

Configuring the Commerce Server Network