Last Updated 01/23/08

T E C H N O T E
Pharos Systems
illuminate
TCP/IP Ports and Firewalls in Pharos
The Pharos suite of products uses TCP/IP for all client/server communications. This document
lists the ports that the various Pharos components use by default, and discusses issues that
arise when Pharos components attempt to communicate through firewalls using these ports.
Default Ports
The following table summarizes the ports that the main Pharos components listen on. This
information can be viewed (and altered if necessary) in Pharos Administrator on the Network tab of
the System > System Settings context.
Listening port   Component
515              Pharos LPD Server, Popup Service
2351             SignUp Service
2352             License Service
2353             Print Service
2355             Database Service
28201            Notify Service
28202            SignUp Client (Windows & Mac OS X)
28203            Popup Service
28205            Database Service Change Control port
28206            Print Service Change Control port
28207            SignUp Service Change Control port
In addition:
• LPR communication (port 515) is always required for Pharos Popups.
• Web-based components, such as Pharos Remote and the Pharos EDI Server, listen on the
ports used for HTTP communication (usually 80, or 443 if SSL is used). These ports are not
automatically opened by the Pharos installers, and so must be opened manually.
• Pharos Reports communicates with SQL Server using the TCP/IP ports that SQL Server has
been set up to use. By default these are 1433 (TCP) and 1434 (UDP).
• Pharos Blueprint (2.1 and earlier) uses port 2349 for communications between the Tracker
(client) and Collector (server).
• Pharos Blueprint Enterprise (3.0 and later) communicates using SOAP requests via HTTP.
Communication ports are specified during install; the defaults (808, 8080 and 8081) should
be suitable.
• PS20 Terminals use port 31000 by default.
• Virtual Cash Controller (VCC) terminals use ports 1234 and 1235.
• When configuring a Pharos Gateway for the first time, a listening port must be chosen. The
suggested default is 2111 for Billing Gateways and 2222 for Logon Gateways.
Client/Server Communications
The following table lists which Pharos components communicate with each other using the ports
listed above:
Component (Client)                Communicates with (Server)
SignUp Server                     Database Server, License Server (+ Gateways), Pharos Notify on client PC, SignUp Client
Print Server                      Database Server, License Server (+ Gateways), Pharos Notify on client PC
Popup Server                      Database Server, License Server, Print Server
LPD Server                        Database Server (on the same PC as Print Server)
EDI Server                        Database Server, License Server, Print and SignUp Servers
Pharos Remote (7.2 and earlier)   Print Server, SignUp Server
Pharos Station                    Database Server, License Server, Print and SignUp Servers
SignUp Client                     SignUp Server
Nerve Center                      Web server
Web Server                        Database Server, Print Server, SignUp Server
Reports                           License Server, MSSQL Server, Database Server
Administrator                     Database Server, MSSQL Server, Print Server*, License Server
Popup Client                      Popup Server
Notify                            Database Server
* Administrator must be able to contact Print Servers in order to create install packages. If this
communication is blocked (e.g. by a firewall), the Package Builder will display error messages.
The Windows Firewall
The Windows Firewall (or Internet Connection Firewall) included in Windows XP and later blocks
ports used by the Pharos components. When Pharos 6.1 or later is installed on a PC running the
Windows Firewall, it automatically opens the ports for Pharos client and server components, as
required.
Note: Ports used by web-based components are not automatically opened by the Pharos installers.
If any web-based components are used, the appropriate ports (typically port 80 or 443, depending
on whether SSL has been configured) must be opened manually.
Firewalls and SignUp Vx
Problems can arise when communication between SignUp Clients and the SignUp Server is taking
place through a firewall. These problems are discussed below with possible solutions.
Client/Server Communication in SignUp
All communications between SignUp Clients and the SignUp Server begin as follows:
1. Client sends ICMP ping to server
2. Server responds
3. Client opens random port for TCP/IP communication
4. Client connects to port 2351 on the server
5. Server connects to client’s port, and communications begin
Problems with ICMP
The SignUp Client begins all communications to the SignUp Server with an ICMP ping to verify that
the Server is still contactable (TCP/IP is impractical for this purpose, due to the relatively long
timeout period that would have to be waited out if the server were not there). Once the ICMP ping
verifies that the server is available, the client then makes a standard TCP/IP connection to the server
using port 2351.
This can cause problems if there is a firewall between the SignUp Client and the SignUp Server, as
many firewalls do not allow ICMP by default. Any firewalls in between the client and server must
therefore be configured to allow ICMP pings to pass through.
Network Address Translation Services
The SignUp Client records the IP address of the last server it received communications from, and
uses that address in subsequent communications. If there is a firewall providing Network Address
Translation services (NAT) in between the SignUp Client and the SignUp Server, the client will
receive the firewall’s IP address, and send any communications to the firewall, not the server.
The client still uses the SignUp Server’s listening port (2351), so to avoid this problem, the firewall
must be configured to forward any communications it receives on port 2351 to the SignUp Server.
NAT and ICMP
The SignUp Client’s ICMP ping is directed to the SignUp Server’s IP address. If the server is behind
a NAT firewall, however, its address will be obscured, and the ping will be directed to the firewall’s
address (which will return the ping). This will not necessarily interfere with communications between
the client and the server, but it means that if the server is not actually contactable, the Client will be
unaware of this, due to the ICMP ping being successfully returned by the firewall. The Client will
attempt to begin communications, which will fail after a relatively long timeout period.
The only way to avoid this problem is to configure the firewall so that the SignUp Server’s IP address
is visible to an ICMP ping, if this is possible.
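The three failure cases above (ICMP blocked, port 2351 not forwarded, a NAT firewall answering the ping on the server's behalf) can be told apart from a SignUp Client machine by comparing a ping with a short-timeout TCP connect to port 2351. The following Python code is an added example, not part of the original TechNote or of any Pharos tool; the function names and result labels are hypothetical, and it assumes the operating system's ping utility is available.

```python
import platform
import socket
import subprocess

SIGNUP_PORT = 2351  # SignUp Service default listening port, from the table in this note


def icmp_probe(host, timeout_s=1):
    """Send one echo request with the system ping utility; True if a reply arrived."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        # Linux ping: -W is the reply timeout in seconds (other platforms may differ)
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_probe(host, port=SIGNUP_PORT, timeout_s=2.0):
    """Attempt a TCP connect with an explicit short timeout; True if it completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failure
        return False


def diagnose(ping_ok, tcp_ok):
    """Map the two probe results onto the cases described in this note."""
    if ping_ok and tcp_ok:
        return "ok: server answers ping and accepts connections on the SignUp port"
    if tcp_ok:
        return "icmp-blocked: port reachable but ping dropped; allow ICMP echo on the firewall"
    if ping_ok:
        return ("ping-only: something answered the ping (possibly a NAT firewall) but the "
                "SignUp port is unreachable; check port forwarding and the service")
    return "unreachable: no ping reply and no TCP connection"


def check_signup_path(host, port=SIGNUP_PORT):
    """Run both probes against one host and return the diagnosis string."""
    return diagnose(icmp_probe(host), tcp_probe(host, port))


if __name__ == "__main__":
    import sys
    print(check_signup_path(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A "ping-only" result is the case the NAT and ICMP section warns about: the client believes the server is present and then waits out the long connection timeout.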
© 2008 Pharos Systems International. All rights reserved. Pharos and Uniprint are registered trademarks and SignUp, Off-The-Glass and Blueprint are trademarks of Pharos Systems International. All other brands and their products are
trademarks of their respective holders and should be noted as such.