Access through Local Firewalls FAQ

Note: To schedule an IP address change, use the IP Address Changes scheduling form.

Note: If your library uses Sierra, please see Sierra Access through Local Firewalls.

What network access through our firewall does Innovative need?

Innovative requests that access be granted through your firewall for connections originating from the IP addresses listed below and connecting to the Secure Shell (SSH) service on your Millennium server(s). The addresses listed are Innovative core support servers, which require Innovative staff to authenticate to them successfully before a connection to your site can be established. Scope the SSH rule to these source addresses only; port 22 does not need to be reachable from the rest of the Internet.

Support from Emeryville, CA, USA

205.227.88.253

In addition, Innovative requests that access be granted through your firewall for both inbound and outbound Secure Shell (SSH) and FTP services for the IP address listed below.

8.4.224.250

CASE Service

For libraries using the CASE service, Innovative requests access on port 2000 for connections originating from this IP address:

66.171.203.184

Granting access to this server allows CASE to deliver the coverage data service file directly to your Millennium server.

Content Pro

To allow access to Content Pro, the following ports must be open on the Content Pro server. If your library uses Encore, Content Pro runs on the Encore server, so open these ports on the Encore server; if your library does not have Encore, open them on the Content Pro server.

  • Allow III (205.227.88.253, 8.4.224.250) access to <Content Pro Server IP> on port 22 (ssh)
  • Allow WWW access to <Content Pro Server IP> on port 80 (http) , 443 (https)
  • Allow III (205.227.88.253) access to <Content Pro Server IP> on port 4601
  • Allow outbound access from <Content Pro Server IP> to WWW on port 25 (smtp)

Encore

See Encore: Configuring Your Firewall.

Online Training and Workshops (Millennium)

For libraries receiving online training or attending workshops in Innovative's Virtual Lab, the Virtual Lab requests access on the Millennium ports for connections originating from this IP address:

64.71.3.137

Granting access to this server allows the Virtual Lab to connect directly to your server, which is required for participation in all online courses.

Reporter

To enable Reporter, the following ports must be open between the Millennium Data server (which may be either the Encore or the Millennium server) and the hosted Reporter server: port 80 (bidirectional) and ports 60000-60005 (outbound only).

Research Pro

See the Research Pro Firewall Requirements Summary.

SMS Alerts

Allow Innovative (74.217.196.23, smsdom.iii.com) access to your library's server on ports 80 and 443 (SSL).
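The access requested in this section is a set of source-restricted inbound rules: a handful of Innovative addresses reaching specific ports, plus the public WebPAC ports from the chart further down. The following is an added example, not Innovative's own tooling or anything from this page. It models those requests as data, answers "would this connection be accepted?", lists which ports an external scan should find, and renders a default-deny nftables input chain. Assumptions that are not in the FAQ: the server address 192.0.2.10 (a documentation address standing in for your own), that the firewall is Linux nftables running on the Millennium host, and that the Virtual Lab's "Millennium ports" means the Millennium client port 2000. Only the inbound direction is modelled; the outbound SSH/FTP to 8.4.224.250, SMTP and NTP are not.

```python
"""Source-restricted inbound rules for the access this FAQ asks for.

Added example, not Innovative's own tooling. Assumptions that are not in
the FAQ: the library's Millennium server address (192.0.2.10, a
documentation address), that the firewall is Linux nftables on that host,
and that the Virtual Lab's "Millennium ports" means the client port 2000.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MILLENNIUM_SERVER = "192.0.2.10"  # assumed placeholder for your own server


@dataclass(frozen=True)
class Rule:
    source: str    # CIDR, or "any" for the whole Internet
    dport: int     # TCP destination port on the Millennium server
    comment: str


# Inbound access from the FAQ. Every source address and port is from the page;
# the two "any" entries stand in for the public WebPAC HTTP/HTTPS services.
RULES = [
    Rule("205.227.88.253/32", 22, "Innovative support (Emeryville) SSH"),
    Rule("8.4.224.250/32", 22, "Innovative SSH (inbound half of in/out request)"),
    Rule("8.4.224.250/32", 21, "Innovative FTP (inbound half of in/out request)"),
    Rule("66.171.203.184/32", 2000, "CASE coverage data delivery"),
    Rule("64.71.3.137/32", 2000, "Virtual Lab training (assumed Millennium port)"),
    Rule("74.217.196.23/32", 80, "SMS Alerts, smsdom.iii.com"),
    Rule("74.217.196.23/32", 443, "SMS Alerts, smsdom.iii.com"),
    Rule("any", 80, "WebPAC public HTTP"),
    Rule("any", 443, "WebPAC public HTTPS"),
]


def is_allowed(rules, src, dport):
    """True if a new TCP connection from src to dport would be accepted."""
    addr = ip_address(src)
    for r in rules:
        if r.dport != dport:
            continue
        if r.source == "any" or addr in ip_network(r.source):
            return True
    return False


def internet_exposed_ports(rules):
    """Ports open to any source: what an external scan of the server should show."""
    return sorted({r.dport for r in rules if r.source == "any"})


def render_nftables(rules, server_ip):
    """Emit a default-deny nftables input chain with one accept rule per entry."""
    lines = [
        "table inet millennium {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for r in rules:
        saddr = ""
        if r.source != "any":
            net = ip_network(r.source)
            host = str(net.network_address) if net.prefixlen == 32 else str(net)
            saddr = f"ip saddr {host} "
        lines.append(
            f'    {saddr}ip daddr {server_ip} tcp dport {r.dport} accept comment "{r.comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(RULES, MILLENNIUM_SERVER))
```

Run it to print the ruleset for review before loading it with nft. If your firewall is a separate device in front of the server, the same accept rules belong in a forward chain rather than the input chain, and a stateful device still needs the established/related rule so that the replies on these connections are not dropped.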

Does the information in this FAQ apply to DMZs and private networks?

Yes. Whether your organization uses a private network, a DMZ, a standard firewall, or a combination of these, the information below on opening ports applies to all access control devices, if you want to provide access as outlined below.

How do I secure my system access?

You can limit access to your system by using the N > Limit NETWORK access option in the character-based system. You will see choices such as TELNET, RLOGIN, MILLENNIUM, MILDATA, SSH (if set up), and others. Choose MILLENNIUM to manage access by staff and outside users.

My organization is an INN-Reach site and I want to change our IP address and/or install a firewall in front of the Innovative server. What do I have to do?

For information on changing your IP address and any requirements based on your firewall installation, see the IP Address Changes FAQ.

Warning: Failure to coordinate IP changes with Innovative Interfaces and your library's INN-Reach Central Server may result in unexpected issues, such as an inability for your library's server to communicate with the INN-Reach Central Server.

What sort of timeout should I set on my firewall if my library has Millennium client/server applications?

A library running Millennium should NOT have an idle timeout set on the firewall for Millennium connections. If an idle timeout is in effect, users may be logged out mid-session when a workstation sits idle for a few minutes, because the firewall silently drops the established TCP connection between the client and the server. If a global idle timeout cannot be removed, exempt (or raise the timeout for) the Millennium client and data server ports, 2000 and 4600, rather than relaxing it for all traffic.

Does Innovative use User Datagram Protocol (UDP) services?

All network services provided by the Innovative server use TCP-based protocols. However, Innovative servers do initiate outbound UDP traffic: DNS queries to your resolvers (UDP port 53) and Network Time Protocol, which runs as an outbound UDP connection on port 123.

Where can I control access to my 2082 staging port?

The 2082 port currently shares its access settings with the default WebPAC (port 80).

How do I know which ports to open for traffic from searchers using our Z39.50 Client?

The administrators of the remote Z39.50 Server you want to search should be able to tell you. Port 210 is the standard, but some developers and vendors of Z39.50 Server software do use different ports.

Do I need to open ports for the Z39.50 Server for inbound traffic? Outbound? Or both?

Both. Remote Z39.50 clients open inbound TCP connections to your server's Z39.50 port (210 by default), and the server's replies travel outbound on the same connection, so the firewall must pass traffic in both directions on that port.

Which ports should my library open for Innovative staff, the public, library staff, and other related groups such as partner libraries?

Refer to the following chart for all ports that you must open in your firewall for the appropriate parties.

Note: Unless otherwise noted, both in-bound and out-bound access are required on the indicated port number.

Note: If your organization allows Secure Shell (SSH) access, Innovative requires TCP/22 - Secure Shell (SSH) access through your organization's firewall to the Millennium system(s) and SFTP access between your server and upgrade.iii.com. Innovative can support the Millennium system and applications through SSH. For more information on Innovative's support access via SSH tunneling, see the SSH (Secure Shell) FAQ.

Product (Protocol) | Port Number(s) | Access (marks for, in chart order: Public [Internet / External], Staff/Partners [Internal], Innovative [External], Other [External])
File Transfer Protocol (FTP). Note: port 21 is closed to inbound FTP access; this does not affect outgoing traffic on port 21 such as FTP ordering. | 20 and 21 | X
Secure Shell (SSH) and Secure FTP (SFTP) for full software upgrades, maintenance updates, and other system maintenance, such as application of patches | 22 | X X
Content Pro [See Content Pro] | 22 | X X
Telnet (Telnet) | 23 | X X
Mail (SMTP), Content Pro (outbound to WWW); Research Pro and Encore (outbound emails to *.iii.com for automated status alerts) | 25 | X X X (outbound to *.iii.com)
WebPAC, Patron Web Services, Content Pro, Encore with EDS, Research Pro, and Reporter (HTTP) | 80 | X X X (SMS Alerts server 74.217.196.23, smsdom.iii.com) X (Encore with EDS, outbound HTTP to eds-api.ebscohost.com)
WebPAC (HTTP) Alternate databases | 81, 82, 83... | X X
KidsOnline (HTTP) | 90 | X X
AirPAC for Smartphones | 91 | X X
Outbound UDP Connection (Network Time Protocol) | 123 | X
Z39.50 Server (z3950) Primary database | 210 | X X
WebPAC Z39.50 Client (Z3950) | 211 (Your library may require additional ports if your system runs multiple character sets on multiple ports.) | X X
Z39.50 Client (Z3950) | Any (The remote organization specifies the port; for example ports 210, 2200 and 7090 are commonly used.) | X
INN-View Authority Access | 212 (Outbound to Innovative address innview.iii.com) | X
LDAP Patron Authentication (LDAP) | 389 (Outbound connections to your organization's LDAP server) | X
ArticleReach e-Delivery Integration service (Ariel) | 422 | X X
WebPAC SSL (HTTPS/SSL), Patron Web Services, Content Pro (HTTPS), Encore with EDS, Research Pro, and Millennium Data Server | 443 | X X X (SMS Alerts server 74.217.196.23, smsdom.iii.com) X (Encore with EDS, outbound HTTPS to eds-api.ebscohost.com)
WebPAC SSL (HTTPS/SSL) Additional WebPAC servers | 444, 445, 446... | X X
OCLC ILL | 499 ("Other" external access is for outbound connections to OCLC.) | X X
LDAP Patron Authentication (LDAP/SSL) | 636 (Outbound connections to your organization's LDAP server) | X
Millennium Web Applications (HTTP). Note: for related information see the Firewall Information section in the Apache Web Server document. | 800 | X
Millennium Web Applications (HTTPS/SSL) [Web Works Quick Edit] | 843 | X
WebPAC FTP Access (FTP) and Quick Click Ordering | 1021 | X
Database Server [Serves Electronic Resource Management, Millennium Cataloging, Millennium Circulation Notices, Teleforms, Millennium Statistics, Preferred Searches, View Cancelled Holds, View Outstanding Holds, WebBridge, Pickup Anywhere (Central Server Only), and Research Pro] | 1030-1031 | X
Innovative Application Ports [All products including Research Pro] | 1032-1035 | X
Millennium Client (Startup and Communication) | 2000 (For customers with the CASE product, inbound access is required for case.iii.com.) | X
WebPAC Staging Site | 2082 | X
WebPAC Staging Reference Databases | 2083 | X
WebPAC Staging Site - KidsOnline (HTTP) | 2090 | X
Collection Web Reports | 4440 | X
Circulation Statistics Web Report | 4441 | X
Patron Search Statistics Web Report | 4442 | X
Fund Management Web Report | 4443 | X
INN-Reach Patron Reports (INN-Reach Central Sites only) | 4444 (See also 4454) | X
Vendor Performance Statistics Web Report | 4445 | X
Article Access Management Web Report | 4446 | X
Web Access Management Web Report | 4447 | X
Web Report Manager | 4448 | X
Patron Functions Web Reports | 4449 | X
INN-Reach Patron Reports (INN-Reach Central Sites only) | 4454 (Alternative port used by libraries that do not wish to allow access to port 4444. See also 4444) | X
Telephone Renewal | 4460 | X
Pickup Anywhere | 4465 and 4470 | X
AirPAC and/or Wireless Workstation | 4480 | X X
Patron API | 4500 | X
WebBridge (HTTP) OpenURL Linking | 4550 | X X
Millennium Data Server | 4600 | X
Millennium Cataloging Reference Databases, Content Pro | 4601 (+ one for each additional reference database) | X
Millennium Data Server [See also Research Pro] | 4605 (Inbound and outbound connections to the IP range 205.227.90) | X
Millennium ILL Data Server | 4666 | X
INN-View Authorities | 4991 | X
(Outbound connections to your organization's Encore server) | 5000 | X
INN-Reach Load Queue Daemon | 5020 | X
OCLC and SkyRiver bibliographic utilities | 5500 | X X
Self Checkout | 5550 | X
INN-Reach Circulation Daemon | 6601 | X X
INN-Reach ArticleReach | 6621 | X X
ArticleReach e-Delivery Integration service (Odyssey) | 7968 | X X
Research Pro Locally-hosted servers [See also Research Pro] | 8000 | X X
Web Access Management Server (WAM) | 8080 | X X
System Printer [See System Printer] (Note: port 9100 is on the printer; the server communicates with the printer on port 9100.) | 9100 | X
Research Pro Locally-hosted servers [See also Research Pro] | 9797 | X X
Encore Circulation Daemon [See Encore] | 52085 | X
Millennium Data Server [See also Research Pro] | 54605 (Inbound and outbound connections to the IP range 205.227.90) | X
Patron API Server via SSL | 54620 | X
Reporter | 60000-60005 | X
Research Pro Locally-hosted servers [See also Research Pro] | 61080-61087 | X X
RSS Feeds | 63200 | X X
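A chart like the one above is only useful if it is checked against what the server actually exposes. The following is an added example, not Innovative's own tooling or anything from this page: it parses `ss -Hltn` style output (the sample below is constructed for the example), then reports listeners the chart does not document, documented listeners bound to all interfaces that still need a firewall rule because they are not public, and sockets that are already loopback-only. The DOCUMENTED set is a subset of the chart chosen for the demonstration, and PUBLIC is the assumption that only WebPAC HTTP/HTTPS face the Internet; adjust both to your own chart columns.

```python
"""Reconcile a Millennium server's listening sockets with the port chart.

Added example, not Innovative's own tooling. SAMPLE_SS is constructed for
the example; on a real server feed in the output of `ss -Hltn` instead.
DOCUMENTED is a demo subset of the chart; PUBLIC assumes only WebPAC
HTTP/HTTPS are meant to be reachable from the Internet.
"""

# Constructed sample of `ss -Hltn` output (no header; listening TCP sockets).
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
LISTEN 0      128          0.0.0.0:2000       0.0.0.0:*
LISTEN 0      128          0.0.0.0:4600       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128          0.0.0.0:8888       0.0.0.0:*
"""

# Ports the chart documents for a Millennium server (subset used in this demo).
DOCUMENTED = {22, 80, 443, 2000, 4600, 4605, 5000, 6601}
# Ports assumed to carry the chart's Public mark: WebPAC HTTP and HTTPS only.
PUBLIC = {80, 443}

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def parse_listeners(ss_output):
    """Return {port: local_address} for each LISTEN line of `ss -Hltn` output."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition on the last ':' handles both 0.0.0.0:22 and [::]:443
        addr, _, port = fields[3].rpartition(":")
        listeners[int(port)] = addr
    return listeners


def audit(ss_output, documented=DOCUMENTED, public=PUBLIC):
    """Classify listeners: not in the chart, wildcard-bound but not public, loopback-only."""
    listeners = parse_listeners(ss_output)
    undocumented = sorted(p for p in listeners if p not in documented)
    needs_firewall = sorted(
        p for p, a in listeners.items()
        if a in WILDCARD_ADDRS and p in documented and p not in public
    )
    loopback_only = sorted(
        p for p, a in listeners.items() if a.startswith("127.") or a == "[::1]"
    )
    return {
        "undocumented": undocumented,
        "needs_firewall": needs_firewall,
        "loopback_only": loopback_only,
    }


if __name__ == "__main__":
    for kind, ports in audit(SAMPLE_SS).items():
        print(f"{kind}: {ports}")
```

On the constructed sample this flags 5432 and 8888 as undocumented (8888 is also bound to every interface), and 22, 2000 and 4600 as documented services that must be limited to Innovative or staff addresses by the firewall rather than left open with the public web ports.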

Are there any known issues related to running the Millennium clients through a Cisco firewall?

Yes. Cisco PIX firewalls and ASA devices have the ability to alter certain connections as they traverse the firewall. Cisco PIX refers to this as a "fixup," which can be enabled or disabled for several network services including the Skinny Client Control Protocol (SCCP/skinny). Unfortunately both SCCP and Millennium use port 2000/TCP. When a Cisco firewall sees traffic on port 2000/TCP it assumes it is a SCCP connection and attempts to alter the traffic. This creates problems with Millennium connections.

Innovative recommends that you or your firewall administrator configure your Cisco products to disable SCCP fixup (called "inspection" on the ASA) with the following commands:

Cisco Product   Command
PIX Firewall    no fixup protocol skinny 2000
ASA Devices     policy-map global_policy
                  class inspection_default
                    no inspect skinny

On an ASA, confirm the change with show running-config policy-map: inspect skinny should no longer appear under class inspection_default.

Cisco PIX firewalls may also need FTP fixup enabled on port 1021 so that the PIX tracks the FTP data channel for Quick Click Ordering, which uses FTP on that port:

Cisco Product   Command
PIX Firewall    fixup protocol ftp 1021

For more information, consult your Cisco documentation.

Are there any known issues related to running the Juniper firewall product?

If your organization has purchased the Juniper firewall product, you must turn the ALG feature off. Juniper firewalls apply Application Layer Gateways (ALGs) to some protocols, and the SCCP ALG can mistake Innovative traffic on port 2000 for SCCP traffic and alter it.

Are there any known issues related to running the Millennium clients through a Sonic firewall?

Yes. SonicWall applies content filtering on ports 2000 and 4600, and also on port 6601 (INN-Reach) and ports 4465 and 4470 (INN-Reach Pickup Anywhere). If SonicWall decides that incoming data is not RFC-compliant, it drops the packets. Because portions of the Millennium traffic on those ports are compressed, for both performance and security reasons, SonicWall can treat the transmissions as malformed TCP traffic and prevent the data from getting through. The workaround is to turn off content filtering for ports 2000 and 4600 (and for 6601, 4465 and 4470 if your library uses INN-Reach). Contact SonicWall support for assistance with turning off content filtering.

Last updated: Thursday, September 17, 2015
