Exchange Agent Firewall requirements

Article ID: 50423

Products

DIRECTORY CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

The Exchange agent communicates over CAM/CAFT (CA Messaging / CA File Transfer service).

When configuring the Exchange remote agent, the port(s) CAM uses may need to be opened if there is a firewall between the Provisioning Server and the Exchange server.

Solution:

By default, CAM uses UDP to transfer messages. It can be forced to use TCP instead, which is needed when messages must pass through a firewall: a TCP connection is initiated from one side only and its replies travel back over the same connection, so the firewall has to allow just that one direction.

Configure the path to each remote machine to use TCP (port 4105) with the command:

camconfig paths "<destination> protocol=tcp"

However, CAM falls back to UDP if it tries to communicate with a CAM server that is still configured to use UDP. This can be avoided either by enabling fixed paths or by configuring the destination node for TCP before any communication begins.

Configure the server to use fixed paths using the command:

camconfig config "fixed_paths=yes"

This setting prevents the CAM server from converting back to UDP mode.

Because the protocol is now pinned, both ends must agree: if the end node is not configured for the same protocol as the source node, communication fails with a 'protocol mismatch' error. Apply the change on both machines, and do so before traffic between them starts.

To configure CAM to use fixed path TCP between machine1 and machine2:

On machine1 type:

camconfig paths "machine2 protocol=tcp"
camconfig config "fixed_paths=yes"

On machine2 type:

camconfig paths "machine1 protocol=tcp"
camconfig config "fixed_paths=yes"

The CAM TCP port (4105) must be open on the firewall in the direction in which connections are initiated. For example, if a machine inside the firewall only ever connects outbound, the CAM TCP port must be open for inside-to-outside connections; the outside-to-inside direction can stay closed. Confirm the rule with a plain TCP connect to port 4105 from the initiating side before relying on CAM to report the problem.
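The two-machine procedure above, scripted as an added example that is not part of this article or of CA's own tooling. It assumes a bash shell on each CAM host with camconfig on the PATH. The camconfig command lines are exactly the ones given above; the port probe (bash's /dev/tcp, bounded by coreutils timeout where present), the DRY_RUN switch and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not CA's own code): force CAM to fixed-path TCP towards one
# peer, after probing whether TCP/4105 is reachable in the connecting direction.
# Assumptions: bash, camconfig on PATH, CAM_PORT=4105 as stated in the article.
set -u

CAM_PORT=4105

# The exact command lines the article gives, in the order it requires:
# point the path at the peer over TCP first, then pin the protocol with
# fixed_paths so CAM cannot fall back to UDP.
cam_tcp_commands() {
  local peer="$1"
  printf 'camconfig paths "%s protocol=tcp"\n' "$peer"
  printf 'camconfig config "fixed_paths=yes"\n'
}

# Probe a TCP connect to host:port (default 4105). Returns 0 on success and
# non-zero if the firewall drops the SYN or nothing listens. Uses bash's
# /dev/tcp so no nc/nmap is needed; coreutils timeout, when present, bounds
# the wait for filtered (silently dropped) ports.
check_cam_port() {
  local host="$1" port="${2:-$CAM_PORT}" secs="${3:-3}"
  if command -v timeout >/dev/null 2>&1; then
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null
  fi
}

# Apply the change on this host for one peer. Run it on BOTH machines, each
# naming the other, before any CAM traffic flows between them (otherwise the
# article's 'protocol mismatch' condition). DRY_RUN=1 prints instead of runs.
# Returns non-zero if the probe failed or camconfig failed.
cam_force_tcp() {
  local peer="$1" rc=0
  if ! check_cam_port "$peer" "$CAM_PORT"; then
    echo "warning: cannot reach $peer:$CAM_PORT; open TCP/$CAM_PORT in the direction this host connects" >&2
    rc=1
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    cam_tcp_commands "$peer"
  else
    camconfig paths "$peer protocol=tcp" || return 1
    camconfig config "fixed_paths=yes" || return 1
  fi
  return "$rc"
}

# Usage: on machine1 run `./cam_tcp.sh machine2`; on machine2 run `./cam_tcp.sh machine1`.
if [ "$#" -ge 1 ]; then
  cam_force_tcp "$1"
fi
```

Run it first with `DRY_RUN=1` on each side to see the commands and the reachability warning without touching the CAM configuration; a warning on the side that initiates connections means the firewall rule for TCP/4105 is missing in that direction, which is the condition the paragraph above describes.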

Environment

Release:
Component: IDMGR