
Afaria Access Control / ISAPI Filter network communication

Former Member

Hello together,

I need to know some more detailed network information for the mentioned function, since we have two providers and 3 different data centers - and firewalls in between.

The story:

We have a MS TMG Server as gateway (I don't know the version exactly) and MS Exchange 2010 - in two data centers.

In one of these we are also hosting two Afaria relay servers (which mustn't be used necessarily).

In another data center we are hosting Afaria servers and databases.

The Afaria test systems are running SP4 HF11, Relay Server V16, the production systems SP4 HF7 Relay Server V12.

Since the Afaria Servers are in another data center, the firewalls in between have to be configured very precisely and I can't find this information in the SAP and Sybase knowledge bases or in the documentation.

So I need to know the exact ways of the communication: Source, Destination, Outbound or Inbound, Protocol and Port.

Also, if HTTPS is the content and the port is 3009, we might have to set up HTTPS exceptions for the firewalls, since a TMG server will block HTTPS communication that uses ports other than 443 if not properly configured.

Btw.: The communication with the domain controller via LDAPS does work already, I'm only troubled with the ISAPI-Filter / Access Control networking information.

What I do know:

In the installation documentation I read so far that these components are involved:

ISAPI-Filter, that includes the filter that captures EAS traffic on the gateway and a reverse pipeserver.

Data Handler Services, that includes httpsclient and pipeserver, which will be installed on this gateway too.

Afaria filter listener on the Afaria application server.

What I think I do know:

ISAPI-Filter and Datahandler communicate with each other through the reverse pipeserver and the pipeserver component

The Datahandler talks to the Afaria filter listener (Afaria application server) via the httpsclient component.

It is planned to set up the above components on the same server, but the firewall might have to be configured anyway.

Afaria filter listener actually is the Access Control Server option on the Afaria application server.

What I don't know:

The Access Control Server is actually listening on Port 3010. Is the connection from the data handler's httpsclient outbound or inbound?

Is this the only connection that will be used for transferring the device list to the pipeserver or does the Afaria server initiate a connection as well?

The Access Control Server option in the Afaria AdminUI is set to http, so there's also the question of whether the data handler's httpsclient will communicate with the Afaria filter listener in http or if it HAS to be https.

Do the data handler's httpsclient and (reverse) pipeserver component communicate via network?

I've seen pictures for a setup with Domino where port 3012 is mentioned between these two components, now I'm kind of confused (since I don't expect the communication between these components to be very different depending on the mail server used).

The Afaria Server and database are communicating with each other, so there should be no problem. However, I've read in a Sybase KB entry that the Exchange Server does query the Afaria SQL database directly on port 1433; since it was for Afaria Version 5.5 I hope I can totally forget that. http://frontline.sybase.com/support/resolutionDetails.aspx?KBID=3908

Is there the necessity of using the relay servers in this process if they are actually in use for the mobile clients?

I have the slight feeling I forgot something anyway, so there might be a lot of more stuff I don't know and I'll be always happy to get to know more stuff.

Thanks for reading and best regards,

Benjamin

Accepted Solutions (0)

Answers (1)

keith_nunn

Hi, Benjamin.

Traffic to the XSISAPIServer.exe process on port 3009 or 3010 is all inbound to the Afaria Server.  The Afaria Server doesn't reach out to the data handler, only replies to inbound requests.

The data handler can use HTTP or HTTPS.  No requirement for either specifically at an app level.  You can choose whichever you need for your environment.

When hosting the filter and data handler on separate machines, there is a filter proxy service that gets installed on the machine hosting the filter (TMG/IIS).  This proxy service listens on 3012.  The data handler and the filter itself both send outbound requests to that process over 3012.  For the filter, that would just be localhost traffic.

Only the Afaria Server connects to the database.  Neither the filter nor the data handler talk directly to the database.

The Relay Server need comes from the connection from the data handler outbound to the Afaria Server.  If you don't have the ability to do an outbound over 3009/3010 from the data handler machine to the Afaria Server then you can use the Relay Server to proxy that request.  Then the outbound would go to the Relay Server and the Outbound Enabler would reside on the Afaria Server to handle that traffic.  It's not necessary but just an option depending on network configuration.

After all of that, it would be negligent of me to fail to mention that our recommendation is to bypass the use of the ISAPI filter entirely and use the MS Exchange PowerShell cmdlets ("Access Control Remote" in SP5 terminology) whenever possible.  The filter version is fully supported but the cmdlet version offers more features (especially in SP5) and doesn't require a filter to be installed to function.

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada
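
The flows described in the answer above, written out as an audit of a default-deny firewall rule set. This is an added example, not part of the original thread or of any SAP tooling; the host labels (`datahandler`, `afaria-server`, `filter-host`, `database`) and the sample rules are constructed, and the optional Relay Server path is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One allow rule on a default-deny firewall; src initiates the TCP connection."""
    src: str
    dst: str
    lo: int   # first allowed destination port
    hi: int   # last allowed destination port

def required_flows(listener_port, separate_hosts):
    """Flows taken from the answer above. Host labels are placeholders."""
    if listener_port not in (3009, 3010):
        raise ValueError("the answer names only 3009 and 3010 for XSISAPIServer.exe")
    # The data handler always initiates; the Afaria Server only replies.
    flows = {("datahandler", "afaria-server", listener_port)}
    if separate_hosts:
        # Filter proxy service on the TMG/IIS machine listens on 3012.
        # The filter's own traffic to it is localhost and never crosses a firewall.
        flows.add(("datahandler", "filter-host", 3012))
    return flows

def audit(rules, flows):
    """Return (required flows that are blocked, rules wider than required)."""
    blocked = sorted(
        f for f in flows
        if not any(r.src == f[0] and r.dst == f[1] and r.lo <= f[2] <= r.hi
                   for r in rules))
    too_wide = []
    for r in rules:
        needed = {p for (s, d, p) in flows if s == r.src and d == r.dst}
        # Any permitted port that no required flow uses makes the rule too wide.
        if set(range(r.lo, r.hi + 1)) - needed:
            too_wide.append(r)
    return blocked, too_wide

# Constructed rule set for illustration only.
SAMPLE_RULES = [
    Rule("datahandler", "afaria-server", 3000, 3100),  # covers 3010, but a wide range
    Rule("afaria-server", "datahandler", 3010, 3010),  # reverse direction, never initiated
    Rule("datahandler", "database", 1433, 1433),       # data handler never talks to the DB
]

if __name__ == "__main__":
    blocked, too_wide = audit(SAMPLE_RULES, required_flows(3010, separate_hosts=True))
    print("blocked required flows:", blocked)
    print("rules to tighten or remove:", too_wide)
```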