How to determine the smallest port range for an OpenEdge dat

Posted by Robert Janssen on 28-Mar-2014 07:43

By default, the minimum and maximum dynamic ports for an OpenEdge (Enterprise) database are 3000 and 5000.

This default port range is large, and IT specialists 'complain' that they have to open so many ports on the firewall.

For IPsec it is not possible to give up port ranges (when using authentication), and therefore an IPsec rule per port is needed.
When there are many rules this could cause performance problems.

How can one determine the best smallest port range? Is it possible to monitor an environment for 2 weeks for how many ports at any given time are used? If so, how? Are there other tips & tricks?

I have the same question for the port range of DataServer, AppServer and WebSpeed.

Posted by Paul Koufalis on 28-Mar-2014 08:17

Here is the answer from my Cisco guy (20 years on very large scale networks):

Security folk complain because they need to justify their existence. For network guys we say "range tcp/3000-5000" and we are done.

I don't understand the IPsec part. If you are talking about an IPsec VPN tunnel, then again, we just open the range of ports. Do you have more context?

The minimum number of required ports is based on your -Mn and -Mpb parameters plus the number of brokers you start.  For example:

_mprosrv toto -S 5000 -Mn 10 -Mpb 5 -Mi 1 -Ma 5 -n 100 -ServerType 4GL

_mprosrv toto -S 6000 -m3 -Mpb 2 -Mi 1 -Mn 10 -ServerType 4GL

This will start two brokers on ports 5000 and 6000. The first broker will spawn a maximum of 5 _mprosrv servers and the second broker will spawn a maximum of two _sqlsrv2 servers. This Progress DB will consume up to 9 ports.

The DB may open other ports (DBAgent, AdminServer) but those are only for intra-server connections.

The reason we request a wider range of open ports is simply because another UNIX process may come by and consume one or more ports in the designated port range. If you want to get fancy, on Linux I believe setting net.ipv4.ip_local_port_range outside your minport/maxport will prevent Linux from randomly assigning ports in your range, though it won't prevent a process from specifically requesting a port in the range.

All Replies


Posted by Libor Laubacher on 28-Mar-2014 10:25

> How can one determine the best smallest port range?

As Paul pointed out, that depends on how many remote connections (ABL / SQL) you have and how many remote servers you need to handle those connections. In his case you would need a -minport/-maxport range of 7, plus 2 ports for the primary and secondary broker, e.g. 9 ports in total.

If the database is going to be remotely monitored by OE Management as scripted database, you need an extra port for _dbagent.

You can use TCPView from www.sysinternals.com to see what ports are opened and by what process and direction. On Unix, netstat, lsof, tcpdump.

For the AppServer (more or less the same for other Unified Brokers), it depends on the config. The following articles should be a good start:

knowledgebase.progress.com/.../P111654

knowledgebase.progress.com/.../P58464

knowledgebase.progress.com/.../P5540
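The question asks whether the environment can be watched for two weeks to learn how many ports in the range are actually used at any given time, and Libor's reply names netstat/lsof (TCPView on Windows) as the tools to look at open ports. The script below is an added example from the editor, not code from this thread or from Progress: it parses the text that `netstat -an` prints on Linux, keeps only the local TCP ports that fall inside a chosen -minport/-maxport range, and tracks the peak over repeated samples, which is the number a firewall administrator needs. It also reports in-range ports that are held by something other than a listening OpenEdge server, which is the collision case Paul describes. The `SAMPLE_1`/`SAMPLE_2` strings are constructed netstat output, not captured from a real server, and the range 3000-3009 is an assumption.

```python
"""Sample which TCP ports inside an OpenEdge -minport/-maxport range are in use.

Added example (editor's code, not from the thread or from Progress). It parses
Linux `netstat -an` output, keeps the local ports inside [lo, hi], and tracks
the peak across samples. TIME_WAIT entries are skipped: they are leftovers of
closed connections, not ports a server or client can still be reached on.
"""
import re
import subprocess

# Constructed netstat -an output (not captured from a real host). A broker
# listens on 5000; remote servers hold ports in the assumed range 3000-3009.
SAMPLE_1 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:3000           10.0.0.21:49152         ESTABLISHED
tcp        0      0 0.0.0.0:3001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3002            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:3007           10.0.0.30:443           TIME_WAIT
tcp        0      0 10.0.0.5:40123          10.0.0.30:443           ESTABLISHED
"""

# Second constructed sample: more servers running, plus one outbound connection
# (local port 3005 to a foreign port 22) that landed inside the range.
SAMPLE_2 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3002            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3003            0.0.0.0:*               LISTEN
tcp6       0      0 :::3004                 :::*                    LISTEN
tcp        0      0 10.0.0.5:3005           10.0.0.40:22            ESTABLISHED
"""

# Proto, Recv-Q, Send-Q, local address, foreign address, state (TCP lines only).
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*(\S*)\s*$")


def ports_in_range(netstat_text: str, lo: int, hi: int) -> dict:
    """Return {local_port: state} for TCP ports inside [lo, hi], ignoring TIME_WAIT."""
    used = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, state = m.group(2), m.group(4)
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:3000 and :::3004
        if lo <= port <= hi and state != "TIME_WAIT":
            # A port with both a LISTEN and an ESTABLISHED line is a server
            # that currently has a client; record it as LISTEN either way.
            if used.get(port) != "LISTEN":
                used[port] = state
    return used


class PortUsageTracker:
    """Keeps the peak number of in-range ports seen across samples."""

    def __init__(self, lo: int, hi: int):
        self.lo, self.hi = lo, hi
        self.samples = 0
        self.peak = 0
        self.peak_ports = {}
        self.strays = set()  # in-range ports held by something that is not a listening server

    def record(self, netstat_text: str) -> int:
        used = ports_in_range(netstat_text, self.lo, self.hi)
        self.samples += 1
        self.strays.update(p for p, s in used.items() if s != "LISTEN")
        if len(used) > self.peak:
            self.peak, self.peak_ports = len(used), used
        return len(used)


def sample_live():
    """Run `netstat -an` once on the local host; None if netstat is not installed."""
    try:
        return subprocess.run(["netstat", "-an"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    tracker = PortUsageTracker(3000, 3009)
    for text in (SAMPLE_1, SAMPLE_2):
        print("in use now:", tracker.record(text))
    print("peak:", tracker.peak, "stray ports:", sorted(tracker.strays))
    # For a real run: call sample_live() on a timer (e.g. once a minute for two
    # weeks), feed each result to tracker.record(), and log tracker.peak.
```

The peak, not the average, is what sizes the range; the stray set is the check Paul alludes to: if it is ever non-empty, some other process took a port out of the range and the broker had one fewer server port available at that moment, which is the reason the thread gives for not trimming the range to exactly -Mpb.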

Posted by Rob Fitzpatrick on 28-Mar-2014 11:09

> In his case you would need a -minport/-maxport range of 7, plus 2 ports for the primary and secondary broker, e.g. 9 ports in total.

In this case because there are two brokers spawning remote servers, there would be two sets of -minport and -maxport parameters, set separately for each broker.

> You can use TCPView from www.sysinternals.com to see what ports are opened and by what process and direction.

If TCPView isn't available you can also look at TCP endpoints with Resource Monitor (perfmon /res), which is in the box.
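Paul's answer gives the counting rule (each broker holds its -S port and spawns up to -Mpb servers, each on its own port) and Rob adds that -minport/-maxport is set per broker. The script below is an added example from the editor, not code from this thread or from Progress: it parses the two _mprosrv lines quoted in the thread, checks that the brokers' -Mpb values fit under -Mn, lays out one non-overlapping -minport/-maxport range per broker, and renders the result as the port list a firewall administrator would open. The base port 7000 for the suggested ranges and the "one contiguous range per broker" layout are assumptions; a numeric -S value is assumed as well.

```python
"""Work out the port budget for a set of OpenEdge database brokers.

Added example (editor's code, not from the thread or from Progress). Rule, as
stated in the thread: ports needed = number of brokers + sum of each broker's
-Mpb, with every broker getting its own -minport/-maxport range.
"""
import shlex
from dataclasses import dataclass

# Broker start-up lines quoted in the thread ("toto" is the database name there).
BROKER_CMDLINES = [
    "_mprosrv toto -S 5000 -Mn 10 -Mpb 5 -Mi 1 -Ma 5 -n 100 -ServerType 4GL",
    "_mprosrv toto -S 6000 -m3 -Mpb 2 -Mi 1 -Mn 10 -ServerType 4GL",
]


@dataclass
class Broker:
    database: str
    port: int          # -S, the port the broker listens on
    max_servers: int   # -Mpb, the most remote servers this broker will spawn
    max_total: int     # -Mn, the database-wide ceiling on servers (0 if absent)
    server_type: str   # -ServerType (4GL or SQL)


def parse_broker(cmdline: str) -> Broker:
    """Pull the port-relevant startup parameters out of an _mprosrv command line."""
    args = shlex.split(cmdline)
    database = args[1]
    opts = {}
    i = 2
    while i < len(args):
        # A flag followed by a non-flag token takes it as a value (-S 5000);
        # a bare flag such as -m3 (secondary login broker) takes none.
        if i + 1 < len(args) and not args[i + 1].startswith("-"):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            opts[args[i]] = None
            i += 1
    return Broker(
        database=database,
        port=int(opts["-S"]),  # assumption: -S is a port number, not a service name
        max_servers=int(opts.get("-Mpb") or 0),
        max_total=int(opts.get("-Mn") or 0),
        server_type=opts.get("-ServerType") or "4GL",
    )


@dataclass
class PortPlan:
    broker_ports: list   # the -S ports, in broker order
    ranges: list         # (minport, maxport) per broker, in broker order
    total_ports: int     # brokers + sum(-Mpb)


def plan_ports(cmdlines, base_port: int) -> PortPlan:
    """Assign each broker a non-overlapping -minport/-maxport range sized to its -Mpb."""
    brokers = [parse_broker(c) for c in cmdlines]
    spawned = sum(b.max_servers for b in brokers)
    # -Mn caps servers database-wide; -Mpb values that add up to more than it
    # would budget ports for servers that can never be started.
    for b in brokers:
        if b.max_total and spawned > b.max_total:
            raise ValueError(f"sum of -Mpb ({spawned}) exceeds -Mn ({b.max_total})")
    ranges, nxt = [], base_port
    for b in brokers:
        ranges.append((nxt, nxt + b.max_servers - 1))
        nxt += b.max_servers
    return PortPlan([b.port for b in brokers], ranges, len(brokers) + spawned)


def firewall_rules(plan: PortPlan) -> list:
    """Render the plan as the single ports and ranges a firewall administrator opens."""
    rules = [f"tcp/{p}" for p in plan.broker_ports]
    rules += [f"tcp/{lo}-{hi}" for lo, hi in plan.ranges]
    return rules


if __name__ == "__main__":
    plan = plan_ports(BROKER_CMDLINES, 7000)
    print("ports needed:", plan.total_ports)  # 9, matching the thread's count
    for (lo, hi), port in zip(plan.ranges, plan.broker_ports):
        print(f"broker -S {port}: -minport {lo} -maxport {hi}")
    print("open on the firewall:", ", ".join(firewall_rules(plan)))
```

The ranges this produces are the bare minimum (exactly -Mpb ports per broker); Paul's caveat about other processes grabbing ports in the range is the reason to add headroom on top of what `plan_ports` returns, and `sysctl net.ipv4.ip_local_port_range` can be checked to make sure the kernel's ephemeral range does not overlap the result.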
