IRIS HOWTO: Using IRIS Through A Firewall

Because there are so many different types of firewalls & proxy servers on the market, we cannot offer support to help you get IRIS running through your specific firewall. The only support we can give is telling you the port number and IP protocol that we use. This should be sufficient for a competent firewall administrator to enable IRIS support. This document contains a quick overview of how we were able to get IRIS running through MS Proxy Server 2.0 as well as FreeBSD's ipfw packet filtering software and TIS's FWTK product. It is not intended to be complete nor does it mean that we will offer support for this advice.

Although there is no standard way to describe how to configure all firewalls, with a little information on how IRIS works, most people will be able to configure their firewall without much trouble. IRIS makes a TCP connection to the server specified in the login dialog box on port 7878. This is the default port number; other ports can be specified by appending a colon and port number - e.g., iris.propertykey.com:8888 will specify port 8888 on iris.propertykey.com instead of the default 7878. Unless you have a specific reason to use an alternate port, you should never need to specify the port number. All of the communication in IRIS occurs over this single network connection. The connection is initiated by the IRIS client and must stay open during the entire time that the user is logged in.

A generic TCP gateway or relay will usually be sufficient for this purpose, and one is almost always included in firewall products. If you use a gateway or pass-through style firewalling system, it should be sufficient to simply "open" the port to the IRIS server. If you use a relay or proxy style firewalling system, you may need to change the server name in the login dialog box in IRIS. This again depends on what type of firewall system you use -- a "transparent" proxy, for example, shouldn't need any change; others probably will. If you do need to change the server name, you'll want to change it to the name of the firewall machine. Normally, you'd want to set up the relay on the firewall to listen on port 7878. If you choose another port for the relay, you'll need to change the port number in the server name edit box using the method described above.

Specific Firewall Setup Information

Enabling IRIS to run through Microsoft Proxy Server 2.0

Here's a quick description of how we were able to get IRIS working through MS Proxy Server 2.0. Our experience with this product is limited to a couple of hours that it took to figure out the software enough to set it up properly, test that the setup worked and write this description. We may not be able to answer questions beyond what is described in this document. The fact that we chose MS Proxy Server should not be construed as a recommendation of the product or certification of compatibility.
  1. Open up the Internet Service Manager.
  2. Make sure the Winsock Proxy Service is installed and running.
  3. If you aren't using the Winsock Proxy Service for anything else, make sure that the Winsock Proxy Client is installed properly on the client computer.
  4. Double-click (or right click and select "Service Properties") on "Winsock Proxy" in the Internet Service Manager.
  5. Test that the standard Winsock Proxy Protocols function properly (for example, test to see that "FTP" works). If the standard protocols don't work, check the permissions tab to see that they are set properly. If none of these protocols work, it is likely that IRIS will not work either, and there is a configuration issue that needs to be resolved before continuing. Check the online help or contact MS tech support.
  6. Once you are sure that the Winsock Proxy is working, add the IRIS protocol. To do this, select the Protocols tab from the Winsock Proxy Service Properties dialog box. Click on "Add". Enter "IRIS" in the protocol name, 7878 in the Port number, "TCP" for type, and "Outbound" for direction. Then click on OK.
  7. Now, test IRIS on the client computer; simply enter the standard information given to you by your local IRIS representative. If this doesn't work and the server address was given to you by name (i.e., iris.propertykey.com instead of 206.196.37.219), this may mean that the DNS protocol is not enabled by the Winsock Proxy. If this is the case, either enable the DNS protocol or ask your local IRIS representative for the numerical equivalent. If this does not solve the problem, it may be possible that there are multiple levels of firewall, and that another level of firewall is blocking the IRIS protocol.

Packet Filtering Firewall

The easiest way to alter a packet filtering firewall would be to add the appropriate rule(s) to the firewall to allow the client computers inside the firewall to establish a TCP connection and transfer packets back and forth over this connection. For example, the following rules will work with ipfw, the packet filtering firewall included with FreeBSD:

ipfw add pass tcp from iris.propertykey.com 7878 to any established
ipfw add pass tcp from any to iris.propertykey.com 7878 established
ipfw add pass tcp from any to iris.propertykey.com 7878 setup

In this example, we are allowing any computer inside the firewall to establish a connection to the IRIS server on the correct port (7878). Once this connection is established, packets going to the IRIS server on that port, and packets coming back from the IRIS server's port 7878, are allowed as long as the connection has been established. This is a minimal setup; it is very rarely advisable to use the "any" wildcard, which matches every host, and in practice you should restrict it to the addresses of your own client computers. IRIS should work as expected through this setup.

TIS's FWTK Proxy-Based Firewall

To enable IRIS to work through a proxy-based firewall, you will need to add a TCP gateway through the firewall. This functionality is called different things by different vendors; usually it's described in the documentation as a generic TCP proxy or gateway. The way this works is that the firewall host acts as a transparent relay point for the connection to the IRIS server by forwarding the information in both directions. This type of gateway is often used to allow connections to external NNTP news servers, database systems, etc.

An example of configuring a TIS firewall on the host "firewall.yourdomain.com":

Add the following to /etc/services:

iris-gw 7878/tcp

Add the following to /etc/inetd.conf:

iris-gw stream tcp nowait root /usr/local/etc/plug-gw plug-gw iris-gw

In the netperm-table:

iris-gw: port 7878 your.domain.* -plug-to iris.propertykey.com -port 7878

You will need to change the server name in the IRIS login dialog box to "firewall.yourdomain.com". If you don't want to run the proxy on port 7878, you can specify an alternate port for the IRIS client software. Simply add a colon and a port number to the end of the server name in the IRIS login dialog box (e.g., "firewall.yourdomain.com:9000" will connect to the firewall host on port 9000 instead of the default 7878).
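As an added example (not IRIS, FWTK or PropertyKey code), the following Python relay behaves like the plug-gw gateway configured above and reads the server field the same way the IRIS login dialog does ("host" or "host:port", default 7878): it listens on the firewall side, admits only clients from an allowed network (the job of the netperm-table host pattern), refuses everything else, and copies bytes in both directions until either side closes. It runs entirely on loopback against a constructed echo server standing in for the IRIS server; the function names, the allowed-network check and the 5-second upstream timeout are assumptions of this example.

```python
import contextlib
import socket
import threading
from ipaddress import ip_address, ip_network

def parse_server(spec, default_port=7878):  # "host" or "host:port", as typed into the login dialog
    host, sep, port = spec.rpartition(":")
    return (host, int(port)) if sep else (spec, default_port)

def _pump(src, dst):
    with contextlib.suppress(OSError):  # copy one way until EOF or error ...
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # ... then half-close dst so the EOF propagates

def _serve(handle):
    # Loopback-only listener on an ephemeral port (demo); handle(conn, addr) runs per connection.
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, (addr, _) = srv.accept()
            threading.Thread(target=handle, args=(conn, addr), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_relay(upstream, allowed_net):
    # plug-gw style relay: plug clients from allowed_net through to upstream ("host[:port]").
    target, net = parse_server(upstream), ip_network(allowed_net)
    def plug(client, addr):
        try:
            if ip_address(addr) not in net:  # source check, like the netperm-table host pattern
                raise PermissionError(addr)
            up = socket.create_connection(target, timeout=5)
        except OSError:  # disallowed source or upstream unreachable: refuse, don't hang the client
            client.close()
            return
        threading.Thread(target=_pump, args=(up, client), daemon=True).start()
        _pump(client, up)
    return _serve(plug)

def start_echo_server():  # constructed stand-in for the IRIS server: echoes bytes back
    return _serve(lambda conn, addr: _pump(conn, conn))

def relay_roundtrip(relay_port, payload):
    """Client side: send payload through the relay; return the echo, b"" if refused or dropped."""
    with contextlib.suppress(ConnectionError), socket.create_connection(("127.0.0.1", relay_port), 5) as s:
        s.sendall(payload)
        return s.makefile("rb").read(len(payload))
    return b""
```

A client whose address falls outside the allowed network sees its connection closed immediately, which is the behaviour you want from the gateway rather than a silent hang.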

All Content © 2003 PropertyKey.com, Inc. All Rights Reserved. |  Questions or comments about this site? E-mail webadmin@propertykey.com