Manage Listen Ports
A listen port is a TCP port that "listens" for incoming messages that are then passed to the gateway message processor. The Manage Listen Ports task lets you define passive listeners, including HTTP(S) and FTP(S). (JMS message polling is handled by the JMS queuing capabilities of the Gateway, while email listeners are configured using the Manage Email Listeners task.)
At least one administrative listen port is configured when the Gateway is first set up (see Gateway System Settings (Appliance)). After this, you use the Manage Listen Ports task to add, modify, or delete ports.
Changes to the listen ports propagate through a Gateway cluster within 30 seconds—new ports are effective within 30 seconds, while deleted ports should be unavailable after 30 seconds or when the last "keep-alive" connection closes, whichever is later. A Gateway restart is not required after listen port changes.
You can only modify listen ports that the Policy Manager is not currently connected to.
Policy Manager Port Requirements
A listen port for the Policy Manager was defined when the Gateway was configured. If you need to create a new listen port, it must conform to the following characteristics:
- must be above port 1024
- must be SSL
- must not require a client certificate
- must have one of the following options enabled: [Policy Manager access] for the standard client, or [Browser-based administration] for the browser client; these are set in the [Basic Settings] tab of the listen port properties
Configuring listen ports is intended for advanced technical users. The default values delivered with the Gateway should be adequate in most cases.
To manage listen ports:
- In the Policy Manager, select [Tasks] > Transports > Manage Listen Ports from the Main Menu (on the browser client, from the Manage menu). The Manage Listen Ports dialog appears.
  Note: (1) Listen ports shown in red text indicate a possible conflict with another port. (2) Though the Manage Listen Ports dialog allows you to delete the predefined listen ports, you must ensure that the features they provide are enabled in some other listener to ensure correct Gateway functionality.
- The following table describes each column (these are set in the listen port's properties):
  Enabled: Indicates whether the port is enabled for listening. If disabled, the Gateway treats the port as if it had been removed from the system. The listen port is enabled or disabled in the [Basic Settings] tab of the Listen Port Properties.
  Name: The "friendly" name given to the port. This name is used only for logging and display purposes. The name is defined in the [Basic Settings] tab of the Listen Port Properties.
  Protocol: Indicates the transport protocol used by the listener. The following protocols are available:
    - HTTP: This is the standard HTTP interface to the Gateway. All available IP addresses are used, over port 8080.
    - HTTPS: This is the SSL interface to the Gateway, used during mutual authentication. All available IP addresses are used, over port 8443.
    - HTTPS (no client authentication): This endpoint is the same as the HTTPS endpoint but without client certificate challenges. All available IP addresses are used, over port 9443.
    - FTP: This endpoint provides unsecured transport, similar to HTTP.
    - FTPS: This endpoint provides secured transport, similar to HTTPS.
    - SSH2: This endpoint provides secured transport via the SSH2 protocol.
    Note: For HTTPS and FTPS, we recommend that you disable TLS 1.0 and TLS 1.1. The protocols are defined in the [Basic Settings] tab of the Listen Port Properties.
  Interface: Lists the interfaces used by the listen port. This is configured in the [Basic Settings] tab of the Listen Port Properties.
  Port: The port number being monitored. Ports 1 to 1024 are reserved by the Gateway. The port number is specified in the [Basic Settings] tab of the Listen Port Properties.
    If the Policy Manager is connected to a software form factor of the Gateway, you must ensure that the firewall protecting the Gateway host machine permits traffic through the ports specified here. For a list of the ports required, consult the file <Gateway_home>/var/firewall_rules on the Gateway machine. This file is a standard Linux firewall configuration file that can be used to automatically adjust the firewall if you are using the Linux RHEL version of the Gateway.
    If the Policy Manager will be connecting to the Gateway using a port other than the default 8443, the port number must be appended to the Gateway name. For more information, see Start the Policy Manager.
- Select a task to perform:
  Add a new listen port:
    - Click [Create].
    - Complete the Listen Port Properties.
  Clone an existing listen port:
    - Select the port to clone.
    - Click [Clone].
    - Edit the Listen Port Properties as required.
  Remove a listen port:
    - Select the port to remove.
    - Click [Remove].
  View or edit the properties of a listen port:
    - Select the port to view.
    - Click [Properties]. See Listen Port Properties for details.
  Manage interfaces: Click [Interfaces]. See Manage Interfaces for details.
  Manage firewall rules: Click [Manage Firewall Rules]. See Manage Interfaces for details.
  Configure how services are resolved: Click [Service Resolution]. See Manage Service Resolution for details.
  Note: You cannot remove or modify the port currently used to administer the Gateway. To move the admin listener to another port:
    1) Create a new admin listener on the new port.
    2) Reconnect the Policy Manager to the Gateway on the new port.
    3) Remove the old admin listener.
- Click [Close] when done.
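The rules on this page (the Policy Manager port requirements, the red "possible conflict" indicator in the dialog, and the recommendation to disable TLS 1.0 and 1.1 on HTTPS/FTPS listeners) can be applied to an exported listener inventory before the change is made through the dialog. The following script is an added example, not code from the Gateway product or its documentation: the ListenPort record, its field names, and the sample port set are hypothetical constructions for illustration, not the Gateway's own configuration format.

```python
"""Offline sanity checks for a set of Gateway listen-port definitions.

Added example, not part of the CA API Gateway or its documentation. Each
listener is modelled as a hypothetical ListenPort record (field names are an
assumption, not the product's format) and checked against the rules on this
page:
  * an admin (Policy Manager) port must be above 1024, be an SSL listener,
    must not require a client certificate, and must enable Policy Manager
    access or Browser-based administration;
  * two enabled listeners on the same port number whose interfaces overlap
    conflict (the dialog shows such ports in red);
  * HTTPS/FTPS listeners should not offer TLS 1.0 or TLS 1.1.
"""
from dataclasses import dataclass

TLS_PROTOCOLS = ("HTTPS", "FTPS")
WEAK_TLS = frozenset({"TLSv1", "TLSv1.1"})
ADMIN_FEATURES = frozenset({"policy-manager", "browser-admin"})


@dataclass(frozen=True)
class ListenPort:
    name: str
    protocol: str                          # HTTP, HTTPS, FTP, FTPS, SSH2
    port: int
    enabled: bool = True
    interfaces: frozenset = frozenset()    # empty means "all available IP addresses"
    client_cert: str = "none"              # none | optional | required
    tls_versions: frozenset = frozenset()  # protocol versions the listener offers
    features: frozenset = frozenset()      # e.g. "policy-manager", "browser-admin"


def admin_port_problems(lp):
    """Reasons this listener cannot serve the Policy Manager (empty list = acceptable)."""
    problems = []
    if lp.port <= 1024:
        problems.append("port must be above 1024")
    if lp.protocol != "HTTPS":
        problems.append("must be an SSL (HTTPS) listener")
    if lp.client_cert == "required":
        problems.append("must not require a client certificate")
    if not (lp.features & ADMIN_FEATURES):
        problems.append("must enable Policy Manager access or Browser-based administration")
    return problems


def interfaces_overlap(a, b):
    """An empty interface set binds all addresses, so it overlaps with everything."""
    return not a or not b or bool(a & b)


def find_conflicts(ports):
    """Pairs of enabled listeners bound to the same port number on overlapping interfaces."""
    enabled = [p for p in ports if p.enabled]   # a disabled port is treated as removed
    conflicts = []
    for i, a in enumerate(enabled):
        for b in enabled[i + 1:]:
            if a.port == b.port and interfaces_overlap(a.interfaces, b.interfaces):
                conflicts.append((a.name, b.name))
    return conflicts


def weak_tls_listeners(ports):
    """Names of HTTPS/FTPS listeners that still offer TLS 1.0 or TLS 1.1."""
    return [p.name for p in ports
            if p.protocol in TLS_PROTOCOLS and p.tls_versions & WEAK_TLS]


# Constructed sample inventory, modelled on the predefined listeners described on
# this page plus two hypothetical additions; not taken from a real Gateway.
SAMPLE_PORTS = [
    ListenPort("Default HTTP", "HTTP", 8080),
    ListenPort("Default HTTPS", "HTTPS", 8443, client_cert="optional",
               tls_versions=frozenset({"TLSv1.2", "TLSv1.3"}),
               features=frozenset({"policy-manager", "browser-admin"})),
    ListenPort("Default HTTPS (no client auth)", "HTTPS", 9443,
               tls_versions=frozenset({"TLSv1.2"})),
    ListenPort("Extra HTTPS", "HTTPS", 9443, client_cert="required",
               tls_versions=frozenset({"TLSv1", "TLSv1.2"})),   # clashes with the 9443 default
    ListenPort("Mgmt-only HTTPS", "HTTPS", 9443, enabled=False,
               interfaces=frozenset({"10.0.0.5"}),
               tls_versions=frozenset({"TLSv1.2"})),            # disabled: ignored for conflicts
]


def report(ports):
    """Summarise every finding for an inventory in one dict."""
    return {
        "admin_candidates": [p.name for p in ports if not admin_port_problems(p)],
        "conflicts": find_conflicts(ports),
        "weak_tls": weak_tls_listeners(ports),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PORTS).items():
        print(f"{key}: {value}")
```

Run against the constructed inventory, only the default 8443 listener qualifies as an admin port, the two enabled all-interface listeners on 9443 are reported as a conflict, and the "Extra HTTPS" listener is flagged for still offering TLS 1.0. Binding the second 9443 listener to a distinct specific interface removes the conflict, which is the same distinction the dialog's red highlighting is making.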