Internet Firewall Support in SNA Server

The information in this article applies to:

• Microsoft SNA Server for Windows NT, version 2.11

SUMMARY

This article discusses the new SNA Server ability to support Internet Firewalls and then gives instruction on the following:

• How to allow SNA Server clients and SNA Servers to interoperate with screening routers, where the client does know the address of the SNA Server(s).
• How to allow SNA Server clients and SNA Servers to interoperate with full-blown Internet firewalls, where the end user is not allowed to know the IP address of the SNA Server(s).

OVERVIEW

SNA server can be configured to use specific software port numbers. Specific port numbers are commonly defined in software components to allow administrators of Internet firewalls to filter packets based on port number, thereby denying/accepting their propagation to the private network. By assigning specific destination port numbers to SNA Server components, SNA Server can interoperate with screening routers and full-blown firewalls to meet the requirement that users of the public network should not know the IP address of the SNA Server.

I. SNA Server Clients and SNA Servers Interoperation with

Screening Routers (Client knows the address of the SNA Server(s))

The following are the instructions on how to allow SNA Server clients and SNA Servers to interoperate with screening routers, where the client does know the address of the SNA Server(s).

Destination port numbers are configurable in SNA Server on the following platforms:

• Windows NT
• Windows 95
• Windows 3.x

• TCP/IP
• IPX/SPX
• Vines IP

• DatagramPort.

  This port is used for datagram (mostly broadcast or multicast) traffic. Use the Server Broadcasts dialog in SNA Server Admin to control which transport is used for Server to Server communication.

• SnaBasePort.

  This is the port where the server SnaBase listens for new client sponsor connections. Sponsor connections are used by the SNA Server client to learn about the SNA Server subdomain in which it participates.

• SnaServerPort.

  This is the port where the SNASERVR.EXE waits for new application session requests.

   Port            TCP/IP   IPX/SPX     Vines
   --------------------------------------------
   DatagramPort    1478     0x84C8      381
   SnaBasePort     1478     0x84C8      381
   SnaServerPort   1477     0x84C9      dynamic

NOTE: The DatagramPort must be the same in every server in a subdomain.

On Windows NT, the ports are configured in the registry under the subtree HKEY_LOCAL_MACHINE under the subkey:

   System\CurrentControlSet\Services\SnaBase\Parameters\<transport>\

Add the following value name under the <transport> subkey:

   Value Name: <port>
   Data Type:  REG_DWORD

On Windows 95, the ports are configured in the registry under the subtree HKEY_LOCAL_MACHINE under the subkey:

   Software\Microsoft\SnaBase\Parameters\<transport>\

Add the following value name under the <transport> subkey:

   Value Name: <port>
   Data Type:  REG_DWORD

On Windows 3.x, the ports are configured in the WIN.INI file under the [WNAP] section:

   [WNAP]
   <port>=<value>

Remote TCP/IP Clients

For TCP/IP it is not enough just to add one SnaBasePort number to the WIN.INI file or registry in Windows NT or Windows 95. Because every SNA Server in the subdomain is potentially using a different destination port number, every sponsor server requires its own entry. To make this possible, the port names can be prefixed with a server name. For example, if the SnaBase service on the server Server_A is using destination port 1234 and the server Server_B is using destination port number 5678, you need to add the following entries into the WIN.INI file or registry:

Windows NT or Windows 95 registry:

   Server_ASnaBasePort:REG_DWORD:1234
   Server_BSnaBasePort:REG_DWORD:5678

   Server_ASnaBasePort=1234
   Server_BSnaBasePort=5678

OtherServers

When you use the OtherServers parameter, use the following convention in the WIN.INI file under the [WNAP] section:

   [WNAP]
   <server_nameX>SnaServerPort=3333
   <server_nameY>SnaServerPort=4444

   Otherservers=<server_nameX> <servernameY>

Internet firewalls (Client Cannot Know the IP address of the SNA Server(s))

The following are the instructions on how to allow SNA Server clients and SNA Servers to interoperate with full-blown Internet firewalls, where the client is not allowed to know the IP address of the SNA Server(s).

First, follow directions in section I. above. Then, add the following entry to the respective platform:

Windows NT:

1. In the registry, go to the subtree HKEY_LOCAL_MACHINE under the following subkey:

         System\CurrentControlSet\Services\SnaBase\Parameters\SnaTcp\
   

2. Add the following information:

   Value Name: FireWall Data Type: REG_MULTI_SZ

      Data:       <list of firewall IP addresses>
   
   

1. In the registry, go to the subtree HKEY_LOCAL_MACHINE under the following subkey:

         Software\Microsoft\SnaBase\Parameters\SnaTcp\
   

2. Add the following information:

   Value Name: FireWall Data Type: REG_SZ

      Data:       <list of firewall IP addresses>
   
      Note: The list can be separated by spaces, commas, or semicolons.
   
   

1. Add the following information in the WIN.INI file under the [WNAP] section:

         [WNAP]
         FireWall =<list of firewall IP addresses>
   

Microsoft has updated the following files:

   LIBS\WIN32\SNAIP.DLL
   LIBS\WIN32\SNANW.DLL
   LIBS\WIN32\SNABV.DLL
   LIBS\WIN95\SNACIP.DLL
   LIBS\WIN95\SNACNW.DLL
   LIBS\WIN95\SNACBV.DLL
   EXE\WIN16\IPCLI.DLL
   EXE\WIN16\NWCLI.DLL
   EXE\WIN16\BVCLI.DLL
   EXE\TWIN16\IPCLI.DLL
   EXE\TWIN16\NWCLI.DLL
   EXE\TWIN16\BVCLI.DLL

STATUS

This feature is included in the latest U.S. Service Pack for SNA Server for Windows NT, version 2.11. For information on obtaining the Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

   S E R V P A C K