Configuring Firewalls to Enable the Easysoft Server Processes
- 1.0 Easysoft Services and Programs affected by Firewalls in Windows
- 2.0 Windows XP
- 3.0 ZoneAlarm®
- Appendix A - Resouces
Easysoft distribute the following services and programs which either listen on the specified ports or connect to the specified remote ports.
|ODBC-ODBC Bridge Server||8888 (for OOB clients)||Listening services|
|ODBC-ODBC Bridge HTTP Admin||
Note that in pre 2.1 versions of OOB, the HTTP Admin Server was a separate process started by the ODBC-ODBC Bridge Server rather than a separate service.
|JDBC-ODBC Bridge Server||8031 (HTTP Admin Server) 8831 (for JOB clients)||Listening services|
|ODBC-ODBC Bridge Client||8888||Outgoing connection to OOB Server|
|JDBC-ODBC Bridge Client||8031||Outgoing connection to JOB Server.|
|License Administrator||8884||Outgoing connection to license.easysoft.com|
- The above table shows the default ports for Easysoft services. These may be changed during and after installation.
- The OOB installation program creates Windows Firewall exceptions that allow remote machines to access the Easysoft listening services. No further Windows Firewall configuration should be necessary.
- On Windows Vista, the Windows Firewall can block outgoing connections as well as incoming connections. By default, the Windows Firewall allows outgoing connections. If this setting is changed and you are using an Easysoft client, an outbound rule needs to be added in Windows Firewall with Advanced Security that allows the client to connect to the remote port shown in the table.
- The program names for the OOB and JOB servers are esoobserver.exe and esjobserver.exe. esoobserver.exe is usually found in %programfiles%\Easysoft\Easysoft ODBC-ODBC Bridge\Server (often C:\Program Files\Easysoft\Easysoft ODBC-ODBC Bridge\Server). esjobserver.exe is usually found in %programfiles%\Easysoft\Easysoft JDBC-ODBC Bridge\Server (often C:\Program Files\Easysoft\Easysoft JDBC-ODBC Bridge\Server). Pre 2.1 versions of esoobserver.exe and pre 1.5 versions of esjobserver.exe are usually found in %systemroot%\system32 (often c:\windows\system32).
This document describes how to enable the above services and programs in Windows Firewall (which comes with Windows XP (Service Pack 2), Windows 2003 (Service Pack 1) and Windows Vista and is by default enabled) and ZoneAlarm®. The same principles apply to other firewalls.
Windows XP contains a Firewall. From Windows XP Service Pack 2 the firewall is enabled by default unless you are using another recognised firewall like ZoneAlarm® (see ZoneAlarm®).
If you are using group policies in your network then a number of the fields in the Windows Firewall may be grayed out and in any case you should consult your system manager. Editing Windows firewall properties with group policies in effect is beyond the scope of this document.
There are two ways to allow remote machines to access listening services on your machine with Windows Firewall. The first is defined in the exceptions and the second in the network connections. In both cases you need to logon to the machine hosting the service in an administrative role e.g. the local or domain administrator.
You need to manually configure Windows Firewall to allow connections to a new service.
The quick way to do this is using "netsh firewall":
netsh firewall set portopening protocol=tcp port=8888 name="Easysoft ODBC-ODBC Bridge Server" mode=enable scope=subnet
Set port and name as per the table here. "mode" can also be "disable" to disable this port specifically and "scope" can also be "all" (for from any computer) or "custom" (more specific but needs additional arguments).
You can also do this from the "Windows Security Center" by clicking on "Manage security Settings for", "Windows Firewall" which presents the following dialogue:
Then select the "Exceptions" tab:
If you want to allow connections to a second port (e.g. the OOB HTTP Administrator you need to repeat this process for the other port. The example below is for the OOB HTTP Administration server. However, if you don't want to use the OOB/JOB HTTP Administrator at all you can disable it in the HTTP Administrator and restart the OOB/JOB Service.
In addition you can change the scope of the definition:
By default, the scope is set to "Any computer" but you can change it to just your current network or specify an exact list of machines.
Alternatively, you can allow connections to any port the service is listening on. The way to do this is using "netsh firewall":
netsh firewall set allowedprogram program=c:\windows\system32\esoobserver.exe name="Easysoft ODBC-ODBC Bridge Server" mode=enable scope=subnet
or through the graphical user interface by selecting "Add Program":
and browsing to the program you want to allow access to.
Once you've defined exceptions you can disable all exceptions in one go from the general tab (as below). You might want to do this if you connect your computer to a different network for instance (e.g. if it mobile). An alternative method is to define the access under network connections see "Defining ports under a network connection"
Define the ports and access under a network connection
Go to the Advanced tab of the Windows Firewall.
Select the network connection and click on Settings:
Click on "Add" to add a new service:
The example above is for the main OOB Server service but the same principle exists for the other services.
Even though "Don't allow exceptions" checkbox on the "General" tab is documented as only disabling entries in the "Exceptions" tab it appears to affect entries in the "Advanced" tab also.
Be careful when defining exceptions in the Windows Firewall as the configuration is per profile. i.e. if you logon to the machine in your Windows domain, change the firewall and then logout and back in to the same machine but logging on locally the Windows Firewall profile is different.
Windows Firewall does not throw a dialogue when a connection is blocked by the firewall. Neither does it log to the event log. If you want to see blocked connections you need to go to the "Windows Security Center" in Control Panel, select "Advanced" and select "Security Logging", "Settings". From here you can define what is logged and to which file. e.g.:
Once firewall logging is enable you can examine the specified file to see what the firewall is blocking. It will show lines like this:
2004-09-07 21:31:32 DROP TCP 192.168.5.4 192.168.5.1 1027 8888 60 S 863130960 0 32120 - - - RECEIVE
for connection packets blocked to the OOB Server port 8888 and lines like this:
2004-09-07 21:42:41 DROP TCP 192.168.5.4 192.168.5.1 1030 8890 60 S 2151300017 0 32120 - - - RECEIVE
for packets blocked to the OOB HTTP administration server.
where "DROP" indicates the firewall threw the packets away.
The OOB and JOB Servers are usually run as a service under the service manager in Windows. However, they can be run from the command prompt as well; although not recommended. If you attempt to do this without defining access under Windows Firewall then you may see a popup dialogue like this:
What happens next depends on which option you select:
Blocks the process and adds an entry into your Firewall configuration under exceptions but with this entry unchecked. This prevents the dialogue from popping up again.
Unblocks the process and adds an entry into your Firewall configuration under exceptions but the this entry checked. This means the process is permanently unblocked and you will not be asked again.
The entry added has a scope of "Any Computer" so anyone who can connect to this computer has access to this service.
Ask me Later
The process remains blocked but not entries are added to your firewall configuration.
ZoneAlarm pops up a warning dialogue when a program you have not registered with ZoneAlarm attempts to access the Internet or attempts to act as a server. During the OOB installation, a ZoneAlarm dialogue may appear at these points:
If you elect to install the OOB Server Service, the installation will create and attempt to start the OOB Server service and HTTP Admin Server service. By default, these services listen on ports 8888 (for OOB client connections) and 8890 (for HTTP requests) respectively. (In pre 2.1 versions of OOB, the HTTP Admin Server was a separate process that listened on port 8890 rather than a separate service.) Each attempt by the OOB Server to listen on these ports will cause ZoneAlarm to throw a dialogue like the ones shown below:
You need to click on "Allow" and probably "Remember this setting" (to avoid future alerts) to allow the OOB Server to work correctly. If you "Deny" either then the OOB Server will be blocked from receiving connections from OOB Clients and browsers using the OOB HTTP Administration server.
If you elect to install the OOB Server, the installation will start the Easysoft License Administrator. If you attempt to obtain a license automatically ZoneAlarm will pop up a dialogue like this:
When you access an OOB Client data source, a Zone Alarm security alert will be displayed. For example, if you click Test when configuring an OOB Client data source, ZoneAlarm will throw up a dialogue similar to this:
You need to click on "Allow" and perhaps check "Remember this setting" if you do not want to be prompted about this again.
If you click on "Deny" you will see the following in the OOB Client's test dialogue:
If you do not click on either "Allow" or "Deny" and leave the dialogue then after 30 seconds the OOB client will abort the attempt and the "Ok" button will be enabled in the OOB test connection dialogue without any error being displayed.