The components of a CollabNet TeamForge installation listen on a number of operating system ports. A small subset must be exposed externally to enable users to access TeamForge services. Any port that is not absolutely needed must be closed.
CAUTION: Expose only the JBoss and Tomcat ports that are required for integration with another application, and open them only to that specific host IP address, even within your internal network.
You can select your open ports in one of these ways:
- Use the firewall configuration GUI tool that comes with your operating system. On RHEL/CentOS 6 it is launched with system-config-firewall (system-config-selinux manages SELinux policy, not the firewall; on firewalld-based systems such as RHEL/CentOS 7 use firewall-config or firewall-cmd instead).
- Open the /etc/sysconfig/iptables file, specify your open ports by hand, and reload the rules with service iptables restart.
Ports open to the Internet
Open the following operating system level ports. All other ports must be firewalled off to maintain security.
Important: Do not open port 7080 or port 8080 to the Internet. These ports are only for communications between the TeamForge application and the source code integration service, when those two site components are running on separate boxes.
- 22 (SSH)
- Port 22 is the default port for the secure shell (SSH). It is required for basic SSH administration and for CVS, because all CVS transactions occur over SSH. If all TeamForge repositories are in Subversion (the default for TeamForge), this port should be closed to the public and reachable only by system administrators.
If you have to expose SSH to the Internet, the best way to protect it is to require SSH keys: disable password authentication and do not permit root logins over SSH. If you must use local password authentication for SSH, enforce regular password changes and password complexity.
Note:
- If you have to expose SSH internally, limit access to the port to a bastion host if you can; otherwise limit it to specific trusted hosts or subnets.
- Do not expose cvspserver (the CVS pserver protocol, TCP port 2401) either internally or to the Internet if there is any way you can avoid it; pserver authenticates with passwords that are only trivially scrambled on the wire.
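The SSH hardening described above, as an added example that is not part of the TeamForge documentation: a POSIX shell audit of an sshd_config for key-only login with root login disabled. The sample configuration files it writes are constructed for the demonstration, and the values assumed for directives that are absent are OpenSSH's own defaults (noted in the comments); the function and file names are this example's, not TeamForge's.

```shell
#!/bin/sh
# Added example, not from the TeamForge documentation: audit an sshd_config
# for the settings recommended above (key-only login, no root login).
# Assumption: OpenSSH defaults apply to any directive that is absent.
# PasswordAuthentication and ChallengeResponseAuthentication default to
# "yes", and so does PermitRootLogin on older releases such as the OpenSSH
# 5.x shipped with RHEL 6, so a missing directive is reported as weak.

# Effective value of a global directive. sshd uses the first occurrence of a
# keyword, keywords are case-insensitive, and everything after the first
# "Match" line is conditional, so the scan stops there.
sshd_directive() {
    # $1 = path to sshd_config, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }
        /^[[:space:]]*$/        { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# Compare a directive against the value the hardening guidance calls for.
# Prints a finding and returns 1 when the effective value does not match.
check_directive() {
    # $1 = file, $2 = directive, $3 = required value, $4 = default when unset
    actual=$(sshd_directive "$1" "$2")
    effective=$(printf '%s' "${actual:-$4}" | tr 'A-Z' 'a-z')
    if [ "$effective" = "$3" ]; then
        return 0
    fi
    echo "WEAK: $2 is '${actual:-unset, defaults to $4}'; set '$2 $3'"
    return 1
}

# Returns 0 only when every recommended setting is in effect.
audit_sshd_config() {
    rc=0
    check_directive "$1" PermitRootLogin no yes || rc=1
    check_directive "$1" PasswordAuthentication no yes || rc=1
    # With UsePAM, keyboard-interactive auth can still prompt for a password
    # unless challenge-response authentication is disabled as well.
    check_directive "$1" ChallengeResponseAuthentication no yes || rc=1
    check_directive "$1" PubkeyAuthentication yes yes || rc=1
    return $rc
}

# Constructed sample configs for a stand-alone run (not real server files).
write_sample_configs() {
    # $1 = directory to write weak.conf and hardened.conf into
    cat > "$1/weak.conf" <<'EOF'
# typical stock file: root and password logins left enabled
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# conditional block: must not be read as the global setting
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in weak hardened; do
    echo "== $f.conf"
    audit_sshd_config "$tmp/$f.conf" && echo "OK: key-only login, root login disabled"
done
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config after editing and before restarting sshd; a non-zero exit means at least one directive still permits the weaker login path. The ChallengeResponseAuthentication check is included because on PAM-enabled builds keyboard-interactive authentication can still ask for a password even when PasswordAuthentication is off.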
- 25 (SMTP)
- Port 25 is the default port for SMTP (email). CollabNet TeamForge discussion forums include mailing list functionality that allows users to send email to the TeamForge server. The James mail server included with TeamForge listens on port 25 to accept this mail for processing.
- 80 (HTTP)
- Port 80 is the default port for Web data transfer. We strongly recommend that you set
up SSL and use port 80 only to redirect to port 443.
- 443 (HTTPS)
- Port 443 is the default port for encrypted Web data transfer (HTTPS). The Apache web server should be configured to encrypt all traffic so that it cannot be read or tampered with by a third party. Apache can also be configured to redirect every request that arrives on port 80 (HTTP) to HTTPS. TeamForge can set this up for you if you tell it to; see Set up SSL for your TeamForge site for details.
Ports for internal use only
Ports 7080 and 8080 have special internal uses for your site, but should not be exposed
externally.
- 7080
- On the source code integration server, if it is a separate physical server from the TeamForge application server, expose a port by which the application server can communicate with the SCM integration server. The default is port 7080. Open it only to the application server's IP address.
- 8080
- If you are running the source code (CVS or Subversion) integration server on a separate physical server from the TeamForge application server, set port 8080 on the TeamForge application box to accept connections from the server where your source code integration service is running, and from no other host.
- 8500
- The default port for binary apps (such as Nexus OSS) integrated with TeamForge.
Open the REPORTS_DATABASE_PORT only if you are granting direct access to the datamart from specific IPs using the REPORTS_DB_ACCESS_HOSTS site-options.conf token, and open it only to those IPs.
Ports to be open in the firewall environment for TeamForge 8.1

| Name | Source Box | Target Box | Port | Notes |
| --- | --- | --- | --- | --- |
| Apache | ALL | TeamForge App | 80 or 443 | 443 for SSL |
| TeamForge Database | TeamForge App | TeamForge Database | 5432 | |
| SVN Integration | TeamForge App | SVN | 80 or 443 | 443 for SSL |
| GIT Integration | TeamForge App | GIT | 80 or 443 | 443 for SSL |
| GIT ssh | ALL | GIT | 29418 | |
| Indexer | TeamForge App | Indexer | 2099 | |
| Binaries | TeamForge App | Binaries | 8500 | |
| Reports DB | TeamForge App | Reports DB | 5632 | |
| Reports ETL | TeamForge App | Reports ETL | 7010 | |
| Codesearch | ALL | Codesearch | 9180 | |
| EventQ | TeamForge App | EventQ App | 8844 | |
| EventQ Adapters | ALL | EventQ MQ | 5672 | |
| EventQ Messages | EventQ App | EventQ MQ | 22, 2572, 15672 | 15672 is for admin |
| EventQ DB | EventQ App | EventQ DB | 22, 27017 | |
Note: No manual port configuration is required for the following services if they are all
installed on the TeamForge App server:
- TeamForge Database
- SVN Integration
- Indexer
- Binaries
- Reports DB
- Reports ETL
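The port policy laid out on this page (Internet-facing 22/25/80/443, 7080 and 8080 restricted to the peer host, SSH limited to a bastion, cvspserver never exposed, REPORTS_DATABASE_PORT opened only to listed hosts), as an added example that is not part of the TeamForge documentation: a POSIX shell generator for the /etc/sysconfig/iptables rulesets of the application server and of a separate SCM integration server. All addresses are illustrative parameters, the function names are this example's own, and nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example, not from the TeamForge documentation: generate iptables-restore
# rulesets that implement the port policy above for a site whose SCM integration
# server is a separate box. All addresses are illustrative parameters. Nothing is
# applied; review the output, save it as /etc/sysconfig/iptables on the matching
# host and load it with "service iptables restart".

# Single hosts are normalized to /32 so 10.0.1.20 and 10.0.1.20/32 read the same.
as_cidr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# One ACCEPT rule: $1 = TCP port, $2 = source CIDR, or "any" for the Internet.
allow_tcp() {
    if [ "$2" = any ]; then
        printf '%s\n' "-A INPUT -p tcp --dport $1 -j ACCEPT"
    else
        printf '%s\n' "-A INPUT -s $2 -p tcp --dport $1 -j ACCEPT"
    fi
}

# Default-deny inbound. The state rule admits replies to connections this host
# opens itself (database, indexer, EventQ, the other app/SCM box).
ruleset_head() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
}

# cvspserver (2401) is never allowed; rate-limited logging makes attempts visible in syslog.
ruleset_tail() {
    printf '%s\n' \
        '-A INPUT -p tcp --dport 2401 -m limit --limit 5/min -j LOG --log-prefix "cvspserver attempt: "' \
        '-A INPUT -p tcp --dport 2401 -j DROP' \
        'COMMIT'
}

# Rules for the TeamForge application server.
# $1 = SCM integration server, $2 = bastion host or subnet for SSH,
# further arguments = hosts named in REPORTS_DB_ACCESS_HOSTS (optional).
teamforge_app_rules() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: teamforge_app_rules SCM_IP BASTION_CIDR [REPORTS_HOST ...]" >&2
        return 2
    fi
    scm=$(as_cidr "$1"); bastion=$(as_cidr "$2"); shift 2
    ruleset_head
    allow_tcp 80 any             # HTTP, redirect-only once SSL is set up
    allow_tcp 443 any            # HTTPS
    allow_tcp 25 any             # James SMTP listener for discussion-forum mail
    allow_tcp 22 "$bastion"      # SSH from the bastion only
    allow_tcp 8080 "$scm"        # SCM integration traffic, SCM box only
    for host in "$@"; do         # REPORTS_DATABASE_PORT, 5632 in the table above
        allow_tcp 5632 "$(as_cidr "$host")"
    done
    ruleset_tail
}

# Rules for a separate SCM integration server: $1 = application server, $2 = bastion.
teamforge_scm_rules() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: teamforge_scm_rules APP_IP BASTION_CIDR" >&2
        return 2
    fi
    app=$(as_cidr "$1"); bastion=$(as_cidr "$2")
    ruleset_head
    allow_tcp 80 "$app"          # SVN/Git integration from the app server (443 for SSL)
    allow_tcp 443 "$app"
    allow_tcp 7080 "$app"        # app server -> SCM integration service
    allow_tcp 22 "$bastion"
    ruleset_tail
}

# Demo with constructed addresses: app 10.0.1.10, SCM 10.0.1.20, bastion 10.0.0.5,
# one datamart client 10.0.2.7.
echo '### app server: /etc/sysconfig/iptables'
teamforge_app_rules 10.0.1.20 10.0.0.5 10.0.2.7
echo '### SCM integration server: /etc/sysconfig/iptables'
teamforge_scm_rules 10.0.1.10 10.0.0.5
```

Because the INPUT policy is DROP, every port in the table that is not listed here (5432, 2099, 8500, 7010, 8844 and so on) is closed to the outside by default and only reachable over loopback when the service shares the application box; when a service runs on its own host, add the corresponding allow_tcp line on that host with the TeamForge App address as the source, exactly as the table's Source Box column prescribes.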