This Knowledgebase article provides information about configuring a firewall to allow Neverfail Heartbeat Management Client and Exchange to operate properly.
When the network architecture incorporates firewalls, it is important to configure any firewalls to permit traffic via the configured TCP ports on the Neverfail Channel. The Neverfail Channel is used during installation for cloning operations and is used to carry data replication traffic during normal operation of Neverfail Heartbeat. A firewall that blocks traffic on the Neverfail Channel will prevent Neverfail Heartbeat from installing successfully.
The Neverfail Heartbeat Management Client uses ephemeral TCP ports. Neverfail recommends that, if the Neverfail Heartbeat Management Client is run from another computer (for example, one that is not one of the protected servers), it be on the same LAN subnet, which permits traffic through the TCP ephemeral ports.
Note: For more information about Neverfail Heartbeat and the use of ephemeral ports, see Knowledgebase article #1347 - Neverfail Client Connection Ports.
If the Neverfail Heartbeat Management Client cannot operate in the same subnet as the server cluster, Neverfail recommends that firewalls be configured to permit traffic based upon the Neverfail Heartbeat process rather than configuring for specific client connection ports.
The Neverfail Heartbeat Management Client will not function properly if a firewall is employed and specific ports are not configured to allow both inbound and outbound packets originating from Neverfail Heartbeat and one or more Exchange servers. Please see Knowledgebase article #206 - 'A List of Default Neverfail Heartbeat Ports' for further information on port and firewall requirements.
Neverfail uses the following standard ports:
Channel: 57348 (the firewall need only be configured for a WAN)
SCOPE: 41000, 61000 (from V5.2.0 onwards)
Note: Both the default Neverfail client and channel ports can be changed via the Configure Server wizard if they are in use by another application.
How to configure the ports depends on the type of firewall in use.
Firewalls not employing NAT (Network Address Translation):
If the firewall is non-NAT (the Neverfail Server has an internet-routable IP), then firewall configuration is simply a matter of enabling outgoing and incoming traffic for TCP port 52267.
Firewalls using NAT:
If the firewall is NAT based (the Neverfail Server has a Class A, B or C address in the private ranges: 192.168.1.x-192.168.255.x (C) / 172.16.x.x-172.31.x.x (B) / 10.x.x.x - 10.x.x.x (A)), you will need to configure the port forwarding section of your router to forward TCP port 52267 to the machine on your LAN that is running Neverfail.
Note: When using NAT, it is not possible to port forward the same external port to two Neverfail servers (a given external port can be forwarded to only one internal host at a time, and most NAT-enabled devices require a single internal IP address to forward the port to for the same reason). Ordinarily, access to the passive server will be via the active server, but if you have two Neverfail server pairs, then, for the second pair, your port-forwarding rule will have to specify a different external port.
Internet IP: 22.214.171.124
Class C Subnet: 192.168.1.0
NF pair 1 Public IP: 192.168.1.200
NF pair 2 Public IP: 192.168.1.201
NAT-enabled device address --> LAN address
- 126.96.36.199:52267 --> 192.168.1.200:52267
- 188.8.131.52:52268 --> 192.168.1.201:52267
From an external location, access to the active server on the first pair is then via 184.108.40.206:52267, while access to the active server on the second pair is via 220.127.116.11:52268. Of course, to keep the same external and internal ports, you can change the port used by the second server to 52268 using the Configure Server wizard.
If you apply firewall rules to your NAT network, then you will need to open the ports in each direction for TCP traffic. Note that the firewall usually sits between your internal network and your NAT, so the ports that are specified in the Configure Server wizard are the ones that you need to open.
In our example, just port 52267. You can normally specify the internal machine(s) that are allowed to send/receive traffic on these ports so as not to allow all internal machines to make outgoing connections on port 52267.
Most firewalls also let you specify a range of external (internet) IPs that can push data into your network on these ports. Using these facilities will help to maintain the integrity of your network.
Your firewall GUI will allow you to make all these changes; please consult its documentation.
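The two-pair NAT scenario above, worked through as an added example that is not part of this article or of Neverfail's own tooling: a small checker that rejects a plan forwarding one external port to two LAN hosts, and a generator that emits illustrative Linux iptables rules restricting inbound traffic to a named source range and outbound use of the port to the forwarded hosts. The plan entries, the source range 203.0.113.0/24 and the function names are constructed for this example.

```python
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# One entry per Neverfail pair: (external port, LAN IP of the active server, internal port).
# Constructed from the article's example: pair 2 keeps 52267 internally and is reached
# on 52268 externally, so both pairs can share a single public address.
Forward = Tuple[int, str, int]
PLAN: List[Forward] = [
    (52267, "192.168.1.200", 52267),  # NF pair 1
    (52268, "192.168.1.201", 52267),  # NF pair 2
]

# Constructed: the only internet ranges allowed to push data into the forwarded ports
# (203.0.113.0/24 is a documentation range used as a placeholder).
ALLOWED_SOURCES = ["203.0.113.0/24"]


def validate(plan: List[Forward]) -> List[str]:
    """Return problems found; a NAT device forwards one external port to one host only."""
    problems, seen = [], {}
    for ext, ip, port in plan:
        if ext in seen:
            problems.append(f"external port {ext} already forwarded to {seen[ext]}; "
                            f"cannot also forward it to {ip}:{port}")
        seen.setdefault(ext, f"{ip}:{port}")
        if not ip_address(ip).is_private:
            problems.append(f"{ip} is not a private LAN address")
    return problems


def nat_rules(plan: List[Forward], sources: List[str]) -> List[str]:
    """Emit iptables commands for a Linux NAT device: DNAT each external port to its LAN
    host, accept inbound only from the listed sources, let only the forwarded hosts use
    the Neverfail port outbound, and drop the port for every other internal machine."""
    for src in sources:
        ip_network(src)  # raises ValueError on a malformed range before any rule is built
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for ext, ip, port in plan:
        for src in sources:
            rules.append(f"iptables -t nat -A PREROUTING -p tcp -s {src} --dport {ext} "
                         f"-j DNAT --to-destination {ip}:{port}")
            rules.append(f"iptables -A FORWARD -p tcp -s {src} -d {ip} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -p tcp -s {ip} --dport {port} -j ACCEPT")
    for port in sorted({p for _, _, p in plan}):
        rules.append(f"iptables -A FORWARD -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    assert not validate(PLAN), validate(PLAN)
    print("\n".join(nat_rules(PLAN, ALLOWED_SOURCES)))
```

The emitted commands are for review on a Linux NAT device; on a router or Windows firewall the same three decisions (one external port per host, permitted source ranges, permitted internal hosts) are entered through its own GUI.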