FreeKB - IBM WebSphere Firewall
IBM WebSphere - Firewall

In my personal experience, both in my network at home and on the job, I've not had to do much configuration of firewalls to accommodate WebSphere traffic. And there is a reason for this. Let's consider a fairly common architecture. In this design, notice the firewall sits outside of the internal LAN. After a clean installation of WebSphere, port 9080 will be used for HTTP traffic and port 9443 will be used for HTTPS traffic for applications deployed to WebSphere. In this scenario, it certainly would make sense to open ports 9080 and 9443 in the firewall. But this is not commonly done. Read on.


Since port 9080 is not the default port for HTTP and 9443 is not the default port for HTTPS, when using these ports, you will need to include these ports in the URL being requested, like this.


This is not ideal. Instead, the preference is to use port 80 for HTTP and port 443 for HTTPS, so that the URLs can be used without having to include the port, like this:


To accommodate this, your WebSphere application server could certainly be updated to use port 80 for HTTP and port 443 for HTTPS. However, this is not commonly done, and again, there is a reason for this. Let's say you are going to have two or more WebSphere application servers in your internal LAN. If both application servers are using port 80 for HTTP and port 443 for HTTPS, then each application server is going to need a unique hostname, like this. This is problematic, because then you have multiple different URLs that must be used, and this becomes a completely unreasonable design as you introduce, say, 10 or 20 or 100 application servers into your LAN.


For these reasons, a common design is to place an IBM IHS web server between the firewall and your WebSphere application servers. The web server will handle traffic with a single hostname and port 80 for HTTP and port 443 for HTTPS. The WebSphere application servers that sit behind the web server will each have their own unique ports. In this way, the firewall only needs to have ports 80 and 443 open for traffic that will route to the WebSphere application servers. Check out how to configure an IHS web server to front a WebSphere application server.


If you are still not convinced, and you find yourself saying "just show me how to open the ports", take a look at the screenshot below. This is a view of the ports being used by a single WebSphere application server. Thus, if you were to update a firewall to accommodate a WebSphere application server, you would need to open up a number of ports. This is counterproductive to having a scalable and efficient design. And this is just one application server. Imagine 10 or 20 or 100 different application servers, each with their own unique ports.
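The same port list can be read from a server's configuration instead of the console. The following is an added example, not part of the original article: it parses a constructed, trimmed-down `serverindex.xml` and compares the ports a perimeter firewall would have to open for direct access with the two ports needed when IHS fronts the servers. The file layout and default port values are assumptions about a traditional WebSphere install, and `was1.example.com`, `server_ports` and `firewall_openings` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed serverindex.xml for one application server.
# Endpoint names and ports are assumed clean-install defaults; a real file
# lists more endpoints and may use different values.
SAMPLE_SERVERINDEX = """<serverindex:ServerIndex xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    hostName="was1.example.com">
  <serverEntries serverName="server1" serverType="APPLICATION_SERVER">
    <specialEndpoints endPointName="BOOTSTRAP_ADDRESS"><endPoint host="*" port="2809"/></specialEndpoints>
    <specialEndpoints endPointName="SOAP_CONNECTOR_ADDRESS"><endPoint host="*" port="8880"/></specialEndpoints>
    <specialEndpoints endPointName="WC_adminhost"><endPoint host="*" port="9060"/></specialEndpoints>
    <specialEndpoints endPointName="WC_adminhost_secure"><endPoint host="*" port="9043"/></specialEndpoints>
    <specialEndpoints endPointName="WC_defaulthost"><endPoint host="*" port="9080"/></specialEndpoints>
    <specialEndpoints endPointName="WC_defaulthost_secure"><endPoint host="*" port="9443"/></specialEndpoints>
    <specialEndpoints endPointName="SIB_ENDPOINT_ADDRESS"><endPoint host="*" port="7276"/></specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""

# With IHS in front, these are the only ports the perimeter firewall opens.
EDGE_PORTS = {80, 443}


def server_ports(xml_text):
    """Return {server name: {endpoint name: port}} for each serverEntries element."""
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.iter("serverEntries"):
        ports = {}
        for special in entry.iter("specialEndpoints"):
            end_point = special.find("endPoint")
            if end_point is None:
                continue
            port = int(end_point.get("port", "0"))
            if port > 0:  # skip endpoints that have no fixed port
                ports[special.get("endPointName")] = port
        result[entry.get("serverName")] = ports
    return result


def firewall_openings(xml_text, fronted_by_ihs):
    """Ports the perimeter firewall would need open for the servers in xml_text."""
    if fronted_by_ihs:
        return sorted(EDGE_PORTS)
    # Worst case from the article: every listener on every server gets a hole.
    return sorted({p for eps in server_ports(xml_text).values() for p in eps.values()})
```

For the sample, direct access needs seven firewall openings for one server, and each additional server adds its own set; the fronted design stays at two regardless of server count.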


If you still insist that you just must open ports, and WebSphere is running on Linux:

