Configure a firewall
If there is a firewall between the iSeries™ and the iSCSI network, then the firewall
must be configured to allow incoming iSCSI and virtual Ethernet traffic to
pass. The values that affect firewall configuration are listed below:
For storage paths and virtual Ethernet connections protected
by the firewall:
- Remote IP address: Use the procedure described in Display remote system configuration properties to display the properties of the remote
system configuration for the server. Go to the Network Interfaces tab and note the SCSI Internet Address and LAN Internet Address values.
- Local IP address and TCP port: Use the
procedure described in Display network server host adapter properties to display the
properties of the network server host adapter (NWSH). Go to the Local Interfaces tab to see information that is used by the NWSH. Record
the following values:
  - Local SCSI interface: Internet address
  - Local SCSI interface: TCP port
  - Local LAN interface: Internet address
  - Local LAN interface: Base virtual Ethernet port
  - Local LAN interface: Upper virtual Ethernet port
Note: Virtual Ethernet traffic is encapsulated in UDP packets. Each virtual
Ethernet adapter is automatically assigned a UDP port from a range that
begins at the specified base virtual Ethernet port number and ends at the
base virtual Ethernet port number plus the number of configured virtual
Ethernet adapters. Each virtual Ethernet adapter also has a UDP port
assigned at the Windows server.
UDP ports for virtual Ethernet are normally automatically allocated by Windows.
If you want to override automatic allocation, you can manually allocate
a UDP port by performing the following steps at the Windows console.
  - Navigate to the Network Connections Window.
  - Double-click the IBM® iSeries Virtual Ethernet x adapter that
    you want to configure.
  - Click Properties.
  - Click Configure.
  - Click Advanced.
  - Click Initiator LAN UDP Port.
  - Enter the UDP port that you want the virtual Ethernet adapter to use.
- TCP ports associated with all Local IP addresses:
Using iSeries Navigator:
  - Expand Integrated Server Administration.
  - Select Servers.
  - Right-click the server from the list available and select Properties.
  - Go to the System tab and click the Advanced button.
  - Note the following values:
    - Shutdown TCP port
    - Virtual Ethernet control port
If IPSec is used, there are additional considerations for firewalls between
an iSCSI HBA and the iSCSI network:
- Allow IPSec: This option is not available on all
firewalls.
- Only IP addresses should be considered when configuring firewalls. TCP
and UDP ports are encrypted by IPSec, and therefore the firewall cannot act
on this information.
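
The values recorded above can be turned into a vendor-neutral allow list before they are entered into the firewall. The following is an added example, not IBM code: the dictionary key names and all addresses and port numbers are constructed, and it assumes that the shutdown and control TCP ports are reached from the remote address paired with each local address.

```python
from ipaddress import ip_address

# Constructed sample values; record the real ones from the panels named above.
# The key names are hypothetical.
SAMPLE = {
    "remote_scsi_ip": "192.0.2.10", "remote_lan_ip": "192.0.2.11",
    "local_scsi_ip": "198.51.100.20", "local_scsi_tcp_port": 3260,
    "local_lan_ip": "198.51.100.21",
    "base_veth_port": 8800, "upper_veth_port": 8803,
    "shutdown_tcp_port": 8700, "veth_control_port": 8701,
}

def _port(value):
    """Validate a TCP/UDP port number."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port

def firewall_rules(v, ipsec=False):
    """Return allow rules as (protocol, source, destination, (low, high) ports)."""
    # ip_address() rejects malformed addresses before any rule is built.
    pairs = [(str(ip_address(v["remote_scsi_ip"])), str(ip_address(v["local_scsi_ip"]))),
             (str(ip_address(v["remote_lan_ip"])), str(ip_address(v["local_lan_ip"])))]
    if ipsec:
        # IPSec encrypts the TCP and UDP ports, so only addresses can be matched.
        return [("ip", src, dst, None) for src, dst in pairs]
    base, upper = _port(v["base_veth_port"]), _port(v["upper_veth_port"])
    if upper < base:
        raise ValueError("upper virtual Ethernet port is below the base port")
    scsi = _port(v["local_scsi_tcp_port"])
    rules = [("tcp", *pairs[0], (scsi, scsi)),   # storage path (iSCSI)
             ("udp", *pairs[1], (base, upper))]  # virtual Ethernet carried in UDP
    # The shutdown and control TCP ports apply to all local IP addresses.
    # Assumption: the source is the remote address paired with each local one.
    for src, dst in pairs:
        for key in ("shutdown_tcp_port", "veth_control_port"):
            port = _port(v[key])
            rules.append(("tcp", src, dst, (port, port)))
    return rules

if __name__ == "__main__":
    for rule in firewall_rules(SAMPLE):
        print(rule)
```

The rules match on destination port only; a firewall that also filters on source port needs the UDP port assigned to each virtual Ethernet adapter at the Windows server.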