Pervasive Firewall Ports

Added 3/10/2006 - Article ID#: KWin0018

Overview

The RDP Internet Reservation Module (IRM) is designed to communicate with the RDP data server to fetch rates and availability, and to store each reservation directly on the data server. As a result, the IRM and the data server should both be behind the firewall. See Hardware Requirements.

Some customers wish to put the IRM in a DMZ, which places the IRM "outside" the firewall and the RDP data server "inside" the firewall. RDP does not support this, because many ports must be opened to allow all the communication between the IRM and the data server. For customers who nonetheless want to use a DMZ, an unsupported configuration is described below.

Non-Supported Solution for IRM in a DMZ

RDP uses the Pervasive.SQL database, which uses two TCP ports when communicating from the client (in a DMZ layout, the IRM server) to the data server:
  1. 1583
  2. 3351

These ports must be opened on the firewall for traffic from the IRM server to the data server, as must all other ports that Microsoft requires for the Windows 2003 IRM server to communicate with the Windows 2003 data server. Please contact Microsoft for details on which ports are required.
[Diagram: Data Server, IRM Server, and Workstations]

Warning: Microsoft Small Business Server cannot be used for the Internet Reservation Module (IRM), because Small Business Server installs Microsoft Exchange, which does not work with the IRM.
Anti-Virus Software: Anti-virus software should be installed on the RDP data server, the IRM server, and all workstations. It is critical to configure the auto-protect mode of all anti-virus software to scan local drives only. If anti-virus software is set to scan network drives, all network-based software such as RDP will run slowly.

See Do Not Scan Network Drives with Anti-virus Software.
Router: A router connects your firewall to the Internet. For security reasons, it is critical to always connect the router to a firewall and never directly to a network card in any server or workstation.
Firewall: A firewall provides security when an internal network is connected to the Internet. The firewall must be a physically separate device (a "stand-alone" firewall); RDP software does not work with firewall software installed on the RDP data server or the IRM bridge server. The firewall must be capable of "address redirection" (port forwarding, also called destination NAT). For example, the external IP address 65.38.150.5 is redirected to the internal address of the IRM server (10.0.0.4 in this example).

See Linking Options From Your Marketing Website to the IRM and IRM.net.
Firewall Ports to Open (including the DMZ setup for the IRM and the ports for NetMeeting): A physical firewall is required to protect the IRM from viruses and other attacks. The external IP address must be redirected to the internal address of the IRM bridge for ports 80, 443, and 3389. Additionally, the firewall must allow outgoing e-mail on port 25 from the SMTP server installed on the IRM bridge. Do not, under any conditions, assign the external IP address directly to the IRM: this creates a security loophole and also prevents proper communication from the IRM to the data server.

Port and reason:

  25    Outgoing SMTP. E-mails are sent to guests from the IRM bridge server on port 25. See Installation of Outgoing SMTP E-mail Server.
  80    HTTP. Internet traffic is required for all IRM systems.
  443   HTTPS. Secure Internet traffic is required if the IRM has a security certificate.
  3389  Terminal Services (Remote Desktop), required so that RDP support staff can access the server.

DMZ only:

  1583, 3351  Some customers want to set up the IRM in a demilitarized zone (DMZ). RDP uses the Pervasive.SQL database, which uses two TCP ports, 1583 and 3351, when communicating from the client (here the IRM server) to the data server. These ports must be opened on the firewall for traffic from the IRM server to the data server, as must all other ports that Microsoft requires for the Windows 2003 IRM server to communicate with the Windows 2003 data server. Please contact Microsoft for details on which ports are required.

NetMeeting:

  522, 389, 1503, 1720, 1731  Any workstation that connects to RDP with NetMeeting must open these ports. For instructions on configuring your firewall to allow workstations to connect to RDP using NetMeeting, see Microsoft article ID 158623, "How to Establish NetMeeting Connections Through a Firewall".
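The port table above is easy to get subtly wrong on a real firewall (HTTPS forwarded to the wrong host, the Pervasive ports left open from the whole DMZ, one port forgotten). The script below is an added example, not RDP's own tooling or a product feature: it models the article's required flows and audits a candidate rule set against them. The Rule format and both sample rule sets are constructed for the example; the addresses reuse the article's own (external 65.38.150.5, IRM bridge 10.0.0.4, data server 10.0.0.3), and the support address 198.51.100.7 is a placeholder. The check that port 3389 is not reachable from any source goes one step beyond the article, which requires the port but says nothing about restricting sources.

```python
"""Audit a candidate firewall rule set against the port policy in this article.

Added example, not RDP's tooling. The Rule format and sample rule sets are
constructed; the addresses are the article's examples. Translate rules from
your firewall's export format before auditing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permit rule.

    direction: "forward" = external IP redirected to an internal host,
               "out"     = internal host to the Internet,
               "dmz"     = DMZ host (the IRM) into the internal network.
    src/dst:   IP address string, or "any".
    port:      TCP port.
    """
    direction: str
    src: str
    dst: str
    port: int


EXTERNAL_IP = "65.38.150.5"   # article's example external address
IRM_IP = "10.0.0.4"           # IRM bridge server (article example)
DATA_SERVER_IP = "10.0.0.3"   # data server (article example)
PERVASIVE_PORTS = (1583, 3351)

# Flows the article requires. The source is deliberately not part of the match
# (see _key), so a rule that narrows the source still satisfies the requirement.
REQUIRED = (
    Rule("forward", "any", IRM_IP, 80),          # HTTP for all IRM systems
    Rule("forward", "any", IRM_IP, 443),         # HTTPS when a certificate is installed
    Rule("forward", "any", IRM_IP, 3389),        # Terminal Services for vendor support
    Rule("out", IRM_IP, "any", 25),              # outgoing SMTP from the IRM bridge
    Rule("dmz", IRM_IP, DATA_SERVER_IP, 1583),   # Pervasive.SQL, DMZ layout only
    Rule("dmz", IRM_IP, DATA_SERVER_IP, 3351),
)


def _key(rule):
    return (rule.direction, rule.dst, rule.port)


def audit(rules, dmz=False):
    """Return (missing, findings).

    missing:  required flows with no matching rule (the Pervasive ports are
              required only when dmz=True, i.e. the IRM sits in a DMZ).
    findings: rules that contradict the article, as human-readable strings.
    """
    required = [r for r in REQUIRED if dmz or r.direction != "dmz"]
    present = {_key(r) for r in rules}
    missing = sorted((r for r in required if _key(r) not in present),
                     key=lambda r: (r.direction, r.port))

    findings = []
    for r in rules:
        if r.direction == "forward" and r.dst == DATA_SERVER_IP:
            findings.append(f"port {r.port}: external traffic forwarded straight "
                            f"to the data server {DATA_SERVER_IP}")
        elif r.direction == "forward" and r.dst != IRM_IP:
            findings.append(f"port {r.port}: forwarded to {r.dst}, not the IRM "
                            f"bridge {IRM_IP}")
        if r.port in PERVASIVE_PORTS and r.src != IRM_IP:
            # The article opens these for client-to-server traffic; the only
            # Pervasive client outside the firewall is the IRM bridge.
            findings.append(f"port {r.port}: Pervasive.SQL reachable from "
                            f"{r.src}; only the IRM bridge {IRM_IP} needs it")
        if r.direction == "dmz" and not dmz:
            findings.append(f"port {r.port}: DMZ-only rule present, but the IRM "
                            f"is not deployed in a DMZ")
        if r.direction == "forward" and r.port == 3389 and r.src == "any":
            # Beyond the article: it requires 3389 for support access but says
            # nothing about sources. Limiting them is an extra hardening step.
            findings.append("port 3389: Terminal Services reachable from any "
                            "source; consider restricting it to support's addresses")
    return missing, findings


# Constructed sample: two mistakes and one omission.
SAMPLE_RULES = [
    Rule("forward", "any", IRM_IP, 80),
    Rule("forward", "any", DATA_SERVER_IP, 443),      # wrong host: HTTPS to the data server
    Rule("forward", "198.51.100.7", IRM_IP, 3389),   # support's address (placeholder)
    Rule("out", IRM_IP, "any", 25),
    Rule("dmz", "any", DATA_SERVER_IP, 1583),        # too broad: any DMZ host
    # 3351 is missing
]

# Constructed sample that matches the article's DMZ layout.
OK_DMZ_RULES = [
    Rule("forward", "any", IRM_IP, 80),
    Rule("forward", "any", IRM_IP, 443),
    Rule("forward", "198.51.100.7", IRM_IP, 3389),
    Rule("out", IRM_IP, "any", 25),
    Rule("dmz", IRM_IP, DATA_SERVER_IP, 1583),
    Rule("dmz", IRM_IP, DATA_SERVER_IP, 3351),
]

if __name__ == "__main__":
    missing, findings = audit(SAMPLE_RULES, dmz=True)
    for r in missing:
        print(f"MISSING  {r.direction:8} {r.src:>14} -> {r.dst:<12} tcp/{r.port}")
    for f in findings:
        print(f"FINDING  {f}")
```

Run with `dmz=False` for the supported layout (IRM behind the firewall) and the Pervasive rules are no longer required; any that are present are reported instead, since in that layout the firewall should not be carrying database traffic at all.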
Switch or Hub: All workstations are connected to a hub or switch, which must be a minimum of 100 megabits per second. The RDP data server and the IRM bridge server must be connected to the same hub or switch. Ideally, all workstations that access RDP should be connected to the same hub or switch as the data server. Multiple hubs or switches may be installed for larger installations. Regardless of how many hubs or switches are used, all workstations that access the RDP data server must be on the same subnet.
Same Subnet and Domain: The RDP data server, the IRM bridge server, and all workstations that access RDP must be on the same subnet and in the same domain. For example, if the IP address assigned to the data server is 10.0.0.3, then the IRM bridge server and all workstations should have an internal IP address of 10.0.0.x, where x ranges from 1 to 254. The subnet mask on all computers would be 255.255.255.0.
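The subnet rule above and the earlier instruction never to give the IRM the external address are both mechanical to verify from an inventory of host addresses. The script below is an added example, not RDP's tooling: it derives the LAN from the data server's address and mask (the article's 10.0.0.3 and 255.255.255.0) and reports every host that is off that subnet, uses the network or broadcast address, carries a public address, or has been given the external address (the article's 65.38.150.5) directly. The host names and addresses in SAMPLE_HOSTS are constructed.

```python
"""Check the LAN layout the article requires: one subnet for the data server,
the IRM bridge and every workstation, and no host carrying the external address.

Added example, not RDP's tooling. SAMPLE_HOSTS is constructed; the data server
address, mask and external address are the article's own examples.
"""
import ipaddress


def check_lan_layout(data_server_ip, netmask, hosts, external_ip=None):
    """Return a list of problems (empty when the layout matches the article).

    hosts: mapping of host name -> IPv4 address for the IRM bridge and the
    workstations. The subnet is derived from the data server's address and
    mask, since the article anchors everything to the data server.
    """
    lan = ipaddress.ip_network(f"{data_server_ip}/{netmask}", strict=False)
    problems = []
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if external_ip is not None and ip == ipaddress.ip_address(external_ip):
            # Never assign the external address directly to the IRM; the
            # firewall redirects it to the IRM's internal address instead.
            problems.append(f"{name}: carries the external address {addr}; give it "
                            f"an internal address in {lan} and redirect on the firewall")
        elif not ip.is_private:
            problems.append(f"{name}: {addr} is a public address, not an internal one")
        elif ip not in lan:
            problems.append(f"{name}: {addr} is outside the data server's subnet {lan}")
        elif ip in (lan.network_address, lan.broadcast_address):
            # The article's usable range is x = 1..254, not .0 or .255.
            problems.append(f"{name}: {addr} is the network or broadcast address of {lan}")
    return problems


# Constructed sample: two correct hosts, one on a second subnet, and one that
# was given the external address directly.
SAMPLE_HOSTS = {
    "irm-bridge": "10.0.0.4",
    "frontdesk-1": "10.0.0.21",
    "frontdesk-2": "10.0.1.7",
    "irm-misconfigured": "65.38.150.5",
}

if __name__ == "__main__":
    for problem in check_lan_layout("10.0.0.3", "255.255.255.0", SAMPLE_HOSTS,
                                    external_ip="65.38.150.5"):
        print(problem)
```

A host that passes this check can still break the "one and only one network card" rule below; that has to be verified on the machine itself, not from an address inventory.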
One and Only One Network Card: The RDP data server, the IRM bridge server, and all workstations that access RDP should have one, and only one, network card. When more than one network card is installed, various communication problems result.
Workstations: RDP supports Windows XP Professional or Windows Vista workstations.
Data Server (Domain Controller or Peer-to-Peer): RDP is installed in a Windows 2003 Active Directory environment or in a peer-to-peer (workgroup) environment. For most installations, the RDP Windows 2003 or 2008 data server also serves as the domain controller. However, if there is already a Windows 2003 or 2008 domain controller, the RDP data server can be a member server of the existing domain.

If there are other applications that require a Windows 2003 or 2008 server, RDP suggests placing them on another Windows 2003 or 2008 server, not on the RDP data server or the IRM bridge server. This maximizes performance and reduces conflicts.

The RDP data server, the IRM bridge server, and all workstations that access RDP must be members of the same domain. In peer-to-peer environments, they must all be part of the same workgroup.

See Details on Installation of RDP 2003 Data Server.
IRM Server: The Internet Reservation Module (IRM) is an optional product from RDP and requires a separate Windows 2003 or 2008 server. This server is installed as a member server of the domain that contains the RDP data server. In peer-to-peer environments, the IRM server must be in the same workgroup as the data server. All rates, availability, and reservations are stored on the data server. Do NOT install Active Directory, or other applications, on the IRM server. Windows Small Business Server and Windows XP Professional may not be used for the IRM server; it must run Windows 2003 or 2008 Server.

See IRM Server Installation.
IRM Security: Security with the IRM has proven excellent and is divided into the following areas:

  1. A good firewall stops most intrusions.
  2. Microsoft security on the IRM server and data server is very strong.
  3. Anti-virus software should be installed on the IRM server and must be set to NOT scan network drives.
  4. All credit card data is encrypted with SSL while in transit between the guest's browser and the IRM.
  5. All sensitive data, such as credit card information, is stored on the data server and not on the IRM. If a hacker manages to get through the firewall and Microsoft security to the IRM server, they still have to get from the IRM server to the data server to retrieve data.

The IRM has been installed at over 300 sites over the last 10 years, and there has not yet been an instance of someone "hacking" into the data server from the IRM. However, there is always a first time, and there is some security risk. The only way to prevent all theoretical security problems is to completely remove the IRM from the Internet; unfortunately, this would also prevent all reservations!
Outgoing SMTP E-mail Server Required: RDP sends e-mails to guests, owners, groups, travel agents, and others from the IRM and from our RDPWin product.

See Installation of Outgoing SMTP E-mail Server and RDP E-mail Marketing for more detail.

 

 