MicroStrategy ONE
Using Firewalls
A firewall enforces an access control policy between two systems. A firewall can be thought of as something that exists to block certain network traffic while permitting other network traffic. Though the actual means by which this is accomplished varies widely, firewalls can be implemented using both hardware and software, or a combination of both.
Firewalls are most frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. If you use MicroStrategy Web or Mobile products over the Internet to access projects on an Intelligence Server that is most likely on an intranet, there is the possibility that a malicious user can exploit the security hole created by the connection between the two systems.
Therefore, in many environments and for a variety of reasons you may want to put a firewall between your Web servers and the Intelligence Server or cluster. This does not pose any problems for the MicroStrategy system, but there are some things you need to know to ensure that the system functions as expected. Another common place for a firewall is between the Web clients and the Web or Mobile server.
Regardless of how you choose to implement your firewalls, you must make sure that the clients can communicate with MicroStrategy Web and Mobile Servers, that MicroStrategy Web and Mobile can communicate with Intelligence Server, and vice versa. To do this, certain communication ports must be open on the server machines and the firewalls must allow Web server and Intelligence Server communications to go through on those ports. Most firewalls have some way to specify this. Consult the documentation that came with your firewall solution for details.
To Enable Communication through a Firewall
- Client Web browsers communicate with MicroStrategy Web on port 80 (HTTP). So, if you have a firewall between your clients and MicroStrategy Web servers, you must make sure port 80 is allowed to send and receive requests through the firewall.
Depending on how you deployed Web Universal, it may communicate on a different port number.
- MicroStrategy Web products can communicate with Intelligence Server using any port that is greater than 1024. By default, the ports are 34952 and 34962. If you have a firewall between your Web servers and Intelligence Server, you must make sure port 34952 and 34962 are allowed to send and receive TCP/IP requests through the firewall.
You can change this port number. See the steps in the next procedure To Change the Port through which MicroStrategy Web and Intelligence Server Communicate to learn how.
- You must configure your firewall to allow MicroStrategy Web products to communicate with Intelligence Server using port 3333. This is in addition to the port configured in the previous step of this procedure.
- The MicroStrategy Listener Service communicates with MicroStrategy Web products and Intelligence Server on port 30172. So, if you are using the Listener Service, you must make sure port 30172 is allowed to send and receive TCP/IP and UDP requests through the firewall. You cannot change this port number.
-
The MicroStrategy Intelligence Server REST Listener listens on port 34962 for REST requests. So, if you have a firewall, you must make sure 34962 is allowed to receive TCP requests through the firewall. If you change this port (34962) to a different one through Configuration Wizard, you need to modify Inbound Rules for the Firewall accordingly.
-
MicroStrategy Messaging Services uses ports 2181, 9092, 2888, and 3888 to communicate with other MicroStrategy Services, such as the Intelligence Server, New Export Engine, MicroStrategy Identity Server and Platform Analytics. If you have a firewall between MicroStrategy Services you must make sure these four ports are allowed to send and receive TCP requests through the firewall.
-
MicroStrategy Topology uses ports 8300 and 8301 to communicate between agents. If you have a firewall between MicroStrategy Services you must make sure these two ports are allowed to send and receive TCP/UDP requests through the firewall.
The MicroStrategy Services are as follows:
- MicroStrategy Intelligence Server
- MicroStrategy Web Universal
- MicroStrategy Library
- MicroStrategy Mobile
- MicroStrategy Messaging Services
- MicroStrategy Platform Analytics
- MicroStrategy Certificate Store
- Usher Security Services
To Change the Port through which MicroStrategy Web and Intelligence Server Communicate
By default, MicroStrategy Web and Intelligence Server communicate with each other using port 34952 (Web Universal may use a different port depending on how you deployed it). If you want to change this, you must change it for both the Web servers and the Intelligence Servers. The port numbers on both sides must match.
If you are using clusters, you must make sure that all machines in the Web server cluster can communicate with all machines in the Intelligence Server cluster.
To Change the Port Number for Intelligence Server
- In Developer, log in to the project source that connects to the server whose port you want to change.
- In the Service Manager, click Options.
- On the Intelligence Server Options tab, type the port number you want to use in the Port Number box. Save your changes.
- A message appears telling you to restart Intelligence Server. Click OK.
- Restart Intelligence Server.
- In Developer, right-click the project source that connects to the Intelligence Server whose port number you changed and choose Modify Project Source.
- On the Connection tab, enter the new port number and click OK.
You must update this port number for all project sources in your system that connect to this Intelligence Server.
To Change the Port Number for MicroStrategy Web
- Open the Administrator page in MicroStrategy Web.
- If your MicroStrategy Web product is connected to the Intelligence Server whose port number you changed, click Disconnect to disconnect it. You cannot change the port while connected to an Intelligence Server.
It probably is not connected because the MicroStrategy Web product does not yet know the new port number you assigned to Intelligence Server.
- In the entry that corresponds to the appropriate Intelligence Server, click Modify (in the Properties column, all the way to the right).
- In the Port box, type the port number you want to use. This port number must match the port number you set for Intelligence Server. An entry of 0 means use port 34952 (the default).
- Click Save.
If the port numbers for your MicroStrategy Web product and Intelligence Server do not match, you get an error when the MicroStrategy Web product tries to connect to Intelligence Server.