Considerations about Single Port TCP Communication

The most important (and typically most challenging) leg of the communication route between remote data sources and a central data store is the one between the data reading/forwarding component and the data processor (in system:inmation, the Connector and Core services respectively). This leg frequently crosses network layers and/or domain borders, and the authentication and security requirements that come with such crossings make the communication difficult to set up. To keep the route secure yet easy to configure for network/firewall administrators, system:inmation supports single port TCP communication. In an ordinary TCP connection the server listens on a fixed port, but the client's own (source) port is an ephemeral port picked at random by the operating system, so a firewall has to permit traffic to and from a whole range of high ports. With single port TCP communication, the TCP client binds its source port to the same fixed, configured port that the server listens on before it connects, so every packet of the connection carries the configured port as both its source and its destination port. Narrowing the port range down in this way simplifies firewall rules and makes life easier for network/firewall administrators, because all firewall rules regarding system:inmation traffic are identifiable by the selected port: only one configured communication port needs to be opened, in both directions, on any firewall between the two services. Note that this reduces what the firewall has to permit; it does not by itself authenticate or encrypt the traffic.

In the smallest possible configuration of system:inmation, in which all components, including the data source endpoint, are hosted on one machine, the Connector service (the TCP server) listens on the configured TCP port, while the Core service (the TCP client) connects from ephemeral high ports chosen by the operating system.

When to use

Single port communication makes most sense in a distributed system, where the TCP client and the TCP server do not run on the same host. A single host environment works best without a pre-selected TCP client port: there is no security or firewall-configuration benefit, and it is technically not possible to use the same port for the client and the server on one host, because a TCP port can be bound by only one component at a time.

What to bear in mind

As noted above, standard TCP communication uses a client port that the operating system picks from its dynamic (ephemeral) port range. The operating system keeps track of the ports in use and makes sure that a port is not handed out twice. When an application is restricted to a limited range of client ports (down to a single port), there is a chance that the operating system has already assigned a port in that range to another TCP connection or process. In that case the single port TCP communication fails with an "address already in use" error until the occupied port is released again.
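The mechanism and its failure mode, as an added example that is not part of system:inmation: two plain Python sockets on the loopback interface stand in for the Connector (TCP server) and the Core (TCP client). The client binds its local port before calling connect(), which is what makes the whole connection identifiable by one port at a firewall. The same bind is what fails with "address already in use" when the port is already taken, and it also shows why client and server cannot share one port on a single host. Port numbers are chosen by the operating system at run time rather than fixed at 6510, so the example runs on any host.

```python
import errno
import socket

HOST = "127.0.0.1"  # loopback only; the real Connector and Core run on different hosts

# Python reports the Windows WSAEADDRINUSE code separately from errno.EADDRINUSE
ADDR_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}


def free_port() -> int:
    """Ask the OS for a currently unused port (assumption: nothing grabs it before we do)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def start_server(port: int = 0) -> socket.socket:
    """Stand-in for the Connector: listen on `port` (0 = let the OS choose)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, port))
    srv.listen(5)
    return srv


def connect_from_fixed_port(server_port: int, client_port: int, timeout: float = 2.0) -> socket.socket:
    """Stand-in for the Core in single port mode: connect using a fixed source port.

    Without the bind() call the OS would pick an ephemeral source port.
    No SO_REUSEADDR is set on purpose: the bind must fail loudly if the port is busy.
    Raises OSError (EADDRINUSE) when `client_port` is already bound by any socket.
    """
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(timeout)
    try:
        c.bind((HOST, client_port))     # fixed source port instead of an ephemeral one
        c.connect((HOST, server_port))  # handshake completes against the listen backlog
    except OSError:
        c.close()
        raise
    return c


def port_in_use_error(exc: OSError) -> bool:
    return exc.errno in ADDR_IN_USE


def demo() -> dict:
    """Run the three scenarios from the text and return what was observed."""
    srv = start_server()
    server_port = srv.getsockname()[1]
    client_port = free_port()
    result = {"server_port": server_port, "client_port": client_port}

    # 1. Normal single port operation: the source port is the configured one, so a
    #    firewall rule can key on it instead of on the whole ephemeral range.
    first = connect_from_fixed_port(server_port, client_port)
    result["first_source_port"] = first.getsockname()[1]

    # 2. Another process (or a second connection) wants the same fixed source port.
    try:
        connect_from_fixed_port(server_port, client_port).close()
        result["second_port_in_use"] = False
    except OSError as e:
        result["second_port_in_use"] = port_in_use_error(e)

    # 3. Single host: the client cannot use the port the server already listens on.
    try:
        connect_from_fixed_port(server_port, server_port).close()
        result["same_port_as_server_in_use"] = False
    except OSError as e:
        result["same_port_as_server_in_use"] = port_in_use_error(e)

    first.close()
    srv.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The second and third scenarios are the two situations the text warns about: a port the operating system (or another application) already holds, and client and server sharing one host. In both, the error surfaces at bind(), before any packet reaches the server or a firewall.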

To reduce the likelihood of encountering this error when using inmation, we recommend the following:

  • Use the default port 6510, or another port from the Registered Ports range (1024 – 49151) that no other application on the host uses. Check the dynamic port range in effect on your operating system: on Windows it starts at 49152 by default, whereas the Linux default (32768 – 60999) overlaps the upper part of the registered range, so a port such as 6510, well below both, is the safer choice.

  • Install the Core service on a dedicated host, to minimize the number of TCP ports allocated to third-party applications or other processes

Advanced users can also exclude the ports used by inmation from the range the operating system assigns dynamically to ordinary (random high port) connection requests, so that they are never handed out to another process. How this is done depends on the operating system (Windows supports administered port exclusions, Linux a list of reserved ports in its network configuration).

For details refer to:

Advanced TCP Communication
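A pre-flight check for the two recommendations above, as an added example that is not part of system:inmation: it tells an administrator whether a chosen port lies inside the operating system's dynamic range and whether it has already been excluded from that range. The parsers work on the text an administrator sees from `cat /proc/sys/net/ipv4/ip_local_port_range` and `ip_local_reserved_ports` on Linux, and from `netsh int ipv4 show dynamicport tcp` and `netsh int ipv4 show excludedportrange protocol=tcp` on Windows. The sample outputs embedded below are constructed, not captured from a real host; `live_assessment()` reads the real values of the host it runs on.

```python
import re
import subprocess
import sys

DEFAULT_PORT = 6510
REGISTERED = range(1024, 49152)  # IANA registered ports 1024-49151


def parse_linux_port_range(text: str) -> range:
    """'32768\\t60999' -> range(32768, 61000); both bounds in the kernel file are inclusive."""
    low, high = (int(x) for x in text.split())
    return range(low, high + 1)


def parse_linux_reserved_ports(text: str) -> set:
    """'6510,7000-7002' -> {6510, 7000, 7001, 7002}; an empty file -> empty set."""
    ports = set()
    for item in text.strip().split(","):
        if not item:
            continue
        a, _, b = item.partition("-")
        ports.update(range(int(a), int(b or a) + 1))
    return ports


def parse_netsh_dynamic_range(text: str) -> range:
    """Reads 'Start Port : N' and 'Number of Ports : M' from netsh output."""
    start = int(re.search(r"Start Port\s*:\s*(\d+)", text).group(1))
    count = int(re.search(r"Number of Ports\s*:\s*(\d+)", text).group(1))
    return range(start, start + count)


def parse_netsh_excluded_ranges(text: str) -> set:
    """Collects every port covered by a 'start end [*]' row of the exclusion table."""
    ports = set()
    for m in re.finditer(r"^\s*(\d+)\s+(\d+)\s*\*?\s*$", text, re.MULTILINE):
        ports.update(range(int(m.group(1)), int(m.group(2)) + 1))
    return ports


def assess_port(port: int, dynamic: range, reserved=frozenset()) -> dict:
    """What an admin needs to know before fixing the client port to `port`."""
    in_dynamic = port in dynamic
    return {
        "port": port,
        "registered_range": port in REGISTERED,
        "in_dynamic_range": in_dynamic,
        "reserved": port in reserved,
        # safe: the OS will never hand this port to another process on its own
        "safe": port in REGISTERED and (not in_dynamic or port in reserved),
    }


def live_assessment(port: int = DEFAULT_PORT) -> dict:
    """Read the real settings of the host this runs on (Linux or Windows only)."""
    if sys.platform.startswith("linux"):
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            dynamic = parse_linux_port_range(f.read())
        with open("/proc/sys/net/ipv4/ip_local_reserved_ports") as f:
            reserved = parse_linux_reserved_ports(f.read())
    elif sys.platform == "win32":
        out = subprocess.run(["netsh", "int", "ipv4", "show", "dynamicport", "tcp"],
                             capture_output=True, text=True, check=True).stdout
        dynamic = parse_netsh_dynamic_range(out)
        out = subprocess.run(["netsh", "int", "ipv4", "show", "excludedportrange", "protocol=tcp"],
                             capture_output=True, text=True, check=True).stdout
        reserved = parse_netsh_excluded_ranges(out)
    else:
        raise NotImplementedError("no port-range probe for " + sys.platform)
    return assess_port(port, dynamic, reserved)


# Constructed sample outputs (not captured from a real host), in the default layouts.
LINUX_RANGE_SAMPLE = "32768\t60999\n"
LINUX_RESERVED_SAMPLE = "40000,7000-7002\n"
NETSH_DYNAMIC_SAMPLE = """
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""
NETSH_EXCLUDED_SAMPLE = """
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
      6510        6510     *

* - Administered port exclusions.
"""

if __name__ == "__main__":
    linux = parse_linux_port_range(LINUX_RANGE_SAMPLE)
    windows = parse_netsh_dynamic_range(NETSH_DYNAMIC_SAMPLE)
    for port in (DEFAULT_PORT, 40000):
        print("linux  ", assess_port(port, linux, parse_linux_reserved_ports(LINUX_RESERVED_SAMPLE)))
        print("windows", assess_port(port, windows, parse_netsh_excluded_ranges(NETSH_EXCLUDED_SAMPLE)))
```

With the Linux sample, 6510 is safe while 40000 is only safe because it appears in the reserved list; with the Windows sample, 6510 is safe (and additionally excluded), whereas anything at or above 49152 fails both the registered-range and the dynamic-range criterion. A port that is reported as unsafe is the one to move, or to exclude with the operating system's mechanism, before configuring it as the single port.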

There are further considerations when planning a network infrastructure on a larger, more distributed scale, but these details cannot be covered in this manual. Topics such as host name resolution when dynamic IP addresses are used (DNS), or network address translation (NAT) performed by firewalls or routers, can be very important for setting up proper TCP communication for system:inmation. NAT in particular may rewrite the source port of outgoing connections, in which case the single port configured on the client is no longer the port the far side sees.

If you are planning an enterprise-scale architecture with system:inmation and need consultancy on how system:inmation can fit into your network architecture, please contact our Solution Architects.