Opening ports in a firewall for Sun Ray client access

    The Sun Ray architecture has a lot to offer from a security perspective, and that is often what drives a customer's interest in Sun Rays. As a result, when a customer looks to deploy Sun Rays in their existing infrastructure, they sometimes encounter firewalls that need to be traversed. I'm not making recommendations here about where the Sun Ray clients should sit in relation to the Sun Ray server in these situations. There are also other ways, such as using a VPN router, to traverse a firewall between a Sun Ray client and server. I am providing an answer to a question that arises: which ports need to be opened in a firewall for a DTU to work with a Sun Ray server on the other side of the firewall?
    The following is a list of the minimum ports required for a Sun Ray client to function, although not all functionality will be available; for example, USB devices won't work. Always do plenty of testing in your environment to verify how best to balance your functionality requirements with your security requirements. For more on the full range of ports that the Sun Ray Server Software uses, check out the /etc/services file on a machine with Sun Ray Server Software installed.

    tcp / udp ports 7009
    tcp (inbound) / udp (outbound) ports > 32768 (i.e. 32768-65535)

    The udp port range can be restricted if you define utservices-low and utservices-high in /etc/services as the lower and upper limits of the port number. Example:

        utservices-low  40000/udp   # SUNWut start of UDP range
        utservices-high 42000/udp   # SUNWut end of UDP range

    utservices-low and -high apply only to server-side port numbers on an SRSS 3.1 server. DTU firmware still takes dynamic port numbers from a much wider range, i.e. the tcp inbound ports are still in the 32768-65535 range.

    These ports are strictly the Sun Ray port requirements and do not include DHCP, DNS, etc., which you may need depending on how you deploy the DTUs in relation to these services. For example, if your DHCP server is on the other side of the firewall from your Sun Ray DTU, you need to open the ports to allow DHCP.
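
An added example, not part of the original post: a shell function that reads the utservices-low and utservices-high entries from a services file and prints the server-side UDP range a firewall rule has to cover, falling back to 32768-65535 when they are not defined. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Sun Ray Server Software code): derive the server-side
# UDP port range to allow from utservices-low / utservices-high.

# Range stated in the post, used when an entry is not defined.
DEFAULT_LOW=32768
DEFAULT_HIGH=65535

# ut_port FILE NAME -> prints the UDP port defined for NAME, or nothing.
ut_port() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                        # drop comments, incl. commented-out entries
        $1 == name && $2 ~ /^[0-9]+\/udp$/ {      # only accept NAME <port>/udp
            split($2, a, "/"); print a[1]; exit
        }' "$1"
}

# ut_udp_range FILE -> prints "LOW-HIGH"; returns non-zero if the range is invalid.
ut_udp_range() {
    low=$(ut_port "$1" utservices-low)
    high=$(ut_port "$1" utservices-high)
    low=${low:-$DEFAULT_LOW}
    high=${high:-$DEFAULT_HIGH}
    if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -gt "$high" ]; then
        echo "invalid utservices range: $low-$high" >&2
        return 1
    fi
    echo "$low-$high"
}

# Constructed sample input; on a real server pass /etc/services instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real /etc/services
ssh             22/tcp
#utservices-low 35000/udp   # commented out, must be ignored
utservices-low  40000/udp   # SUNWut start of UDP range
utservices-high 42000/udp   # SUNWut end of UDP range
EOF

ut_udp_range "$SAMPLE"
```

Comparing this output with the UDP range in the firewall rule shows whether the rule is wider than the server needs or too narrow for the configured range.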
Comments:

Thanks for the information, it is always nice to have this data to keep the firewalls as tight as possible.

dl

Posted by Dan Lacher on November 02, 2006 at 04:55 AM PST #

Thanks for the information - it's been a great help, however I have another problem. I have 5 Sun Ray servers in a failover group. What do I require to do on the firewall to allow the whole failover group through? Do I have to NAT each server externally?

Posted by Rodger on August 11, 2008 at 12:39 PM PDT #

About

Think Thin is a collection of bloggers that work with Oracle's Virtual Desktop portfolio of products.
