Configuring Firewalls to Enable the Easysoft Server Processes


1.0 Easysoft Services and Programs affected by Firewalls in Windows

Easysoft distribute the following services and programs which either listen on the specified ports or connect to the specified remote ports.

Service/Program              Port                                              Connection type
ODBC-ODBC Bridge Server      8888 (for OOB clients)                            Listening services
ODBC-ODBC Bridge HTTP Admin  8890                                              Listening services
JDBC-ODBC Bridge Server      8031 (HTTP Admin Server), 8831 (for JOB clients)  Listening services
ODBC-ODBC Bridge Client      8888                                              Outgoing connection to OOB Server
JDBC-ODBC Bridge Client      8031                                              Outgoing connection to JOB Server
License Administrator        8884                                              Outgoing connection to license.easysoft.com

Note that in pre 2.1 versions of OOB, the HTTP Admin Server was a separate process started by the ODBC-ODBC Bridge Server rather than a separate service.

Notes:

This document describes how to enable the above services and programs in Windows Firewall (which comes with Windows XP (Service Pack 2), Windows 2003 (Service Pack 1) and Windows Vista and is by default enabled) and ZoneAlarm®. The same principles apply to other firewalls.

2.0 Windows XP

Windows XP contains a Firewall. From Windows XP Service Pack 2 the firewall is enabled by default unless you are using another recognised firewall like ZoneAlarm® (see ZoneAlarm®).

If you are using group policies in your network then a number of the fields in the Windows Firewall may be grayed out and in any case you should consult your system manager. Editing Windows firewall properties with group policies in effect is beyond the scope of this document.

2.1 Configuring firewall access in Windows Firewall

There are two ways to allow remote machines to access listening services on your machine with Windows Firewall. The first is defined in the exceptions and the second in the network connections. In both cases you need to log on to the machine hosting the service in an administrative role, e.g. as the local or domain administrator.

2.1.1 Defining an exception

You need to manually configure Windows Firewall to allow connections to a new service.

The quick way to do this is using "netsh firewall":

netsh firewall set portopening ^
    protocol=tcp ^
    port=8888 ^
    name="Easysoft ODBC-ODBC Bridge Server" ^
    mode=enable ^
    scope=subnet

Set port and name as per the table above. "mode" can also be "disable" to disable this port specifically, and "scope" can also be "all" (connections from any computer) or "custom" (more specific, but needs additional arguments).

You can also do this from the "Windows Security Center" by clicking on "Manage security Settings for", "Windows Firewall" which presents the following dialogue:

Windows Firewall dialogue box General tab

Then select the "Exceptions" tab:

Windows Firewall dialogue box Exceptions tab

Then click on "Add port" and specify the name of the service and the port (see the table above). The example below is for the OOB Server port which OOB clients connect to.

Add a Port dialogue box with esoobserver as the service name and 8888 as the port

If you want to allow connections to a second port (e.g. the OOB HTTP Administrator), you need to repeat this process for the other port. The example below is for the OOB HTTP Administration server. However, if you don't want to use the OOB/JOB HTTP Administrator at all, you can disable it in the HTTP Administrator and restart the OOB/JOB Service.

Edit a Port dialogue box with esoobserver_http as the service name and 8890 as the port

In addition you can change the scope of the definition:

Change Scope dialogue box

By default, the scope is set to "Any computer" but you can change it to just your current network or specify an exact list of machines.

Alternatively, you can allow connections to any port the service is listening on. The way to do this is using "netsh firewall":

netsh firewall set allowedprogram ^
    program=c:\windows\system32\esoobserver.exe ^
    name="Easysoft ODBC-ODBC Bridge Server" ^
    mode=enable ^
    scope=subnet

or through the graphical user interface by selecting "Add Program":

Add a Program dialogue box

and browsing to the program you want to allow access to.

Add a Program dialogue box with esoobserver selected in the list

The example above is for the OOB Server but you can use the same method for the JOB Server.

Note:

Once you've defined exceptions you can disable all exceptions in one go from the General tab (as below). You might want to do this if you connect your computer to a different network, for instance (e.g. if it is mobile). An alternative method is to define the access under network connections; see "Defining ports under a network connection".

Windows Firewall dialogue box with Don't allow exceptions checked

2.1.2 Defining ports under a network connection

Define the ports and access under a network connection

Go to the Advanced tab of the Windows Firewall.

Windows Firewall dialogue box Advanced tab

Select the network connection and click on Settings:

Advanced Settings dialogue box

Click on "Add" to add a new service:

Service Settings dialogue box with localhost as the host name and 8888 as the service port

The example above is for the main OOB Server service but the same principle exists for the other services.

Note:

Even though the "Don't allow exceptions" checkbox on the "General" tab is documented as only disabling entries in the "Exceptions" tab, it appears to affect entries in the "Advanced" tab also.

2.1.3 Firewall Profiles

Be careful when defining exceptions in Windows Firewall, as the configuration is per profile. For example, if you log on to the machine in your Windows domain, change the firewall configuration, then log out and log back on to the same machine locally, the Windows Firewall profile is different.

2.2 Logging dropped connections

Windows Firewall does not throw a dialogue when a connection is blocked by the firewall. Neither does it log to the event log. If you want to see blocked connections you need to go to the "Windows Security Center" in Control Panel, select "Advanced" and select "Security Logging", "Settings". From here you can define what is logged and to which file. e.g.:

Windows Firewall dialogue box Advanced tab Log Settings dialogue box

Once firewall logging is enabled you can examine the specified file to see what the firewall is blocking. It will show lines like this:

2004-09-07 21:31:32 DROP TCP 192.168.5.4 192.168.5.1 1027 8888 60 S 863130960 0 32120 - - - RECEIVE

for connection packets blocked to the OOB Server port 8888 and lines like this:

2004-09-07 21:42:41 DROP TCP 192.168.5.4 192.168.5.1 1030 8890 60 S 2151300017 0 32120 - - - RECEIVE

for packets blocked to the OOB HTTP administration server. In both cases, "DROP" indicates that the firewall threw the packets away.
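The script below is an added example, not part of the Easysoft documentation or software: it parses log lines like those above and counts dropped connection attempts to the Easysoft listening ports per source address, marking whether each source lies inside a trusted subnet, which helps when choosing the scope of an exception. The field order, the 192.168.5.0/24 trusted subnet and every sample line other than the two quoted above are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumed field order: the "#Fields:" header Windows Firewall writes to its log.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Listening ports from the table in section 1.0 (keys kept as log-field strings).
EASYSOFT_PORTS = {"8888": "OOB Server", "8890": "OOB HTTP Admin",
                  "8031": "JOB HTTP Admin Server", "8831": "JOB Server"}

def parse_line(line):
    """Return one log entry as a dict, or None for comments and malformed lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def blocked_easysoft(lines, trusted_net):
    """Count dropped inbound SYNs per (service, source IP, source in trusted_net)."""
    net = ipaddress.ip_network(trusted_net)
    hits = Counter()
    for line in lines:
        e = parse_line(line)
        if not e or (e["action"], e["protocol"], e["path"]) != ("DROP", "TCP", "RECEIVE"):
            continue
        service = EASYSOFT_PORTS.get(e["dst_port"])
        if service is None or "S" not in e["tcpflags"]:
            continue  # not an Easysoft port, or not a connection attempt
        try:
            src = ipaddress.ip_address(e["src_ip"])
        except ValueError:
            continue  # unparseable source address: skip rather than miscount
        hits[(service, str(src), src in net)] += 1
    return hits

# Constructed sample: the first and third lines are quoted on this page, the rest are made up.
SAMPLE = """\
2004-09-07 21:31:32 DROP TCP 192.168.5.4 192.168.5.1 1027 8888 60 S 863130960 0 32120 - - - RECEIVE
2004-09-07 21:31:35 DROP TCP 192.168.5.4 192.168.5.1 1027 8888 60 S 863130960 0 32120 - - - RECEIVE
2004-09-07 21:42:41 DROP TCP 192.168.5.4 192.168.5.1 1030 8890 60 S 2151300017 0 32120 - - - RECEIVE
2004-09-07 21:50:02 DROP TCP 10.0.0.7 192.168.5.1 1999 8888 60 S 100 0 32120 - - - RECEIVE
2004-09-07 21:51:10 DROP TCP 192.168.5.9 192.168.5.1 1044 445 60 S 200 0 32120 - - - RECEIVE
2004-09-07 21:52:00 OPEN TCP 192.168.5.1 192.168.5.4 1050 8888 - - - - - - - - -
"""
TRUSTED_NET = "192.168.5.0/24"  # assumed trusted subnet matching the sample addresses

if __name__ == "__main__":
    for key, n in sorted(blocked_easysoft(SAMPLE.splitlines(), TRUSTED_NET).items()):
        print(f"{n} dropped SYN(s) to {key[0]} from {key[1]}, inside trusted net: {key[2]}")
```

Drops from inside the trusted subnet suggest a client that needs an exception; drops from outside it are a reason to keep the exception's scope narrower than "Any computer".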

2.3 Blocked connection popup dialogue

The OOB and JOB Servers are usually run as a service under the service manager in Windows. However, they can also be run from the command prompt, although this is not recommended. If you attempt to do this without defining access under Windows Firewall then you may see a popup dialogue like this:

Blocked connection popup dialogue box

What happens next depends on which option you select:

3.0 ZoneAlarm®

If you are using ZoneAlarm to protect your computer you will need to tell ZoneAlarm about the OOB/JOB Client and/or Server. The example below is for OOB but it is very similar for JOB.

3.1 Installation

ZoneAlarm pops up a warning dialogue when a program you have not registered with ZoneAlarm attempts to access the Internet or attempts to act as a server. During the OOB installation, a ZoneAlarm dialogue may appear at these points:

When you access an OOB Client data source, a ZoneAlarm security alert will be displayed. For example, if you click Test when configuring an OOB Client data source, ZoneAlarm will throw up a dialogue similar to this:

ZoneAlarm Changed Program alert

You need to click on "Allow" and perhaps check "Remember this setting" if you do not want to be prompted about this again.

If you click on "Deny" you will see the following in the OOB Client's test dialogue:

Easysoft ODBC-ODBC Bridge Test DSN dialogue box

If you do not click on either "Allow" or "Deny" and leave the dialogue then after 30 seconds the OOB client will abort the attempt and the "Ok" button will be enabled in the OOB test connection dialogue without any error being displayed.

Appendix A - Resources