What network access through our firewall does Innovative need?
Innovative requests access be granted through your firewall for connections originating from the list of IP addresses below and connecting to the Secure Shell (SSH) service on your Millennium Server(s). The IP addresses listed represent Innovative core support servers, which require that Innovative staff successfully authenticate to them before establishing connections to your site.
Support from Emeryville, CA, USA
205.227.88.253
In addition, Innovative requests that access be granted through your firewall for both inbound and outbound Secure Shell (SSH) and FTP services for the IP address listed below.
8.4.224.250
CASE Service
For libraries using the CASE service, Innovative requests access on port 2000 for connections originating from this IP address:
66.171.203.184
Granting access to this server allows CASE to deliver the coverage data service file directly to your Millennium server.
Content Pro
To allow access to Content Pro, the following ports must be open on the Content Pro server. If your library uses Encore, Content Pro will be running on the Encore server; these ports must be open on the Encore server. If your library does not have the Encore product, allow access to the Content Pro server.
- Allow III (205.227.88.253, 8.4.224.250) access to <Content Pro Server IP> on port 22 (ssh)
- Allow WWW access to <Content Pro Server IP> on ports 80 (http) and 443 (https)
- Allow III (205.227.88.253) access to <Content Pro Server IP> on port 4601
- Allow outbound access from <Content Pro Server IP> to WWW on port 25 (smtp)
Encore
See Encore: Configuring Your Firewall.
Online Training and Workshops (Millennium)
For libraries receiving online training or attending workshops in Innovative's Virtual Lab, the Virtual Lab requests access on the Millennium ports for connections originating from this IP address:
50.207.105.200
Granting access to this server allows the Virtual Lab to connect directly to your server for all online courses.
Decision Center
To enable Decision Center, the following ports must be open between the Millennium Data server (may be either Encore or Millennium) and the hosted Decision Center server: port 80 (bidirectional) and port(s) 60000-60005 (outbound only).
Research Pro
See the Research Pro Firewall Requirements Summary.
SMS Alerts
Allow Innovative [74.217.196.23 / smsdom.iii.com] access to your library's server on ports 80 and 443 (SSL).
Does the information in this FAQ apply to DMZs and private networks?
Yes. Whether your organization uses a private network, a DMZ, a standard firewall, or a combination of these, the information below on opening ports applies to all access control devices, if you want to provide access as outlined below.
How do I secure my system access?
You can limit access to your system by using the N > Limit NETWORK access option in the character-based system. You will see choices such as TELNET, RLOGIN, MILLENNIUM, MILDATA, SSH (if set up), and others. Choose MILLENNIUM to manage access by staff and outside users.
My organization is an INN-Reach site and I want to change our IP address and/or install a firewall in front of the Innovative server. What do I have to do?
For information on changing your IP address and any requirements based on your firewall installation, see the IP Address Changes FAQ.
Failure to coordinate IP changes with Innovative Interfaces and your library's INN-Reach Central Server may result in unexpected issues, such as an inability for your library's server to successfully communicate with the INN-Reach Central Server.
What sort of timeout should I set on my firewall if my library has Millennium client/server applications?
A library running Millennium should NOT have a timeout set on a firewall. If a site running Millennium has a timeout set on a firewall, users may be logged out during sessions when the terminal is idle for a few minutes.
Does Innovative use User Datagram Protocol (UDP) services?
All network services provided by the Innovative server use TCP-based protocols. However, Innovative servers do initiate some outbound UDP traffic, such as DNS requests; Network Time Protocol, for example, runs as an outbound UDP connection on port 123.
Where can I control access to my 2082 staging port?
The 2082 port currently shares its access settings with the default WebPAC (port 80).
How do I know which ports to open for traffic from searchers using our Z39.50 Client?
The administrators of the remote Z39.50 Server you want to search should be able to tell you. Port 210 is the standard, but some developers and vendors of Z39.50 Server software do use different ports.
Do I need to open ports for the Z39.50 Server for inbound traffic? Outbound? Or both?
Both.
Which ports should my library open for Innovative staff, the public, library staff, and other related groups such as partner libraries?
Refer to the following chart for all ports that you must open in your firewall for the appropriate parties.
Unless otherwise noted, both inbound and outbound access are required on the indicated port number.
If your organization allows Secure Shell (SSH) access, Innovative requires TCP/22 - Secure Shell (SSH) access through your organization's firewall to the Millennium system(s) and SFTP access between your server and upgrade.iii.com. Innovative can support the Millennium system and applications through SSH. For more information on Innovative's support access via SSH Tunneling, see the SSH (Secure Shell) FAQ.
Product (Protocol) | Port Number(s) | Public (Internet / External) | Staff / Partners (Internal) | Innovative (External) | Other (External) |
---|---|---|---|---|---|
File Transfer Protocol (FTP). Port 21 is closed to inbound FTP access. Note: this does not affect outgoing traffic on port 21 such as FTP ordering. | 20 and 21 | | X | | |
Secure Shell (SSH) and Secure FTP (SFTP) for full software upgrades, maintenance updates, and other system maintenance, such as application of patches | 22 | | X | X | |
Content Pro [See Content Pro] | 22 | | X | X | |
Telnet (Telnet) | 23 | X | X | | |
Mail (SMTP); Content Pro (outbound to WWW); Research Pro and Encore (outbound emails to *.iii.com for automated status alerts) | 25 | X | X | X (outbound to *.iii.com) | |
WebPAC, Patron Web Services, Content Pro, Encore with EDS, Research Pro, and Decision Center (HTTP) | 80 | X | X | X (SMS Alerts server 74.217.196.23 smsdom.iii.com) | X (Encore with EDS, outbound HTTP to eds-api.ebscohost.com) |
WebPAC (HTTP) Alternate databases | 81, 82, 83... | X | X | | |
KidsOnline (HTTP) | 90 | X | X | | |
AirPAC for Smartphones | 91 | X | X | | |
Outbound UDP Connection (Network Time Protocol) | 123 | | | | X |
Z39.50 Server (z3950) Primary database | 210 | X | X | | |
WebPAC Z39.50 Client (Z3950) | 211 (Your library may require additional ports if your system runs multiple character sets on multiple ports.) | X | X | | |
Z39.50 Client (Z3950) | Any (The remote organization specifies the port; for example ports 210, 2200 and 7090 are commonly used.) | | X | | |
INN-View Authority Access | 212 (Outbound to Innovative address [innview.iii.com]) | | | X | |
LDAP Patron Authentication (LDAP) | 389 | | | | X |
ArticleReach e-Delivery Integration service (Ariel) | 422 | | X | X | |
WebPAC SSL (HTTPS/SSL), Patron Web Services, Content Pro (HTTPS), Encore with EDS, Research Pro, and Millennium Data Server | 443 | X | X | X (SMS Alerts server 74.217.196.23 smsdom.iii.com) | X (Encore with EDS, outbound HTTP to eds-api.ebscohost.com) |
WebPAC SSL (HTTPS/SSL) Additional WebPAC servers | 444, 445, 446... | X | X | | |
OCLC ILL | 499 ("Other" external access is for outbound connections to OCLC.) | | X | | X |
LDAP Patron Authentication (LDAP/SSL) | 636 | | | | X |
Millennium Web Applications (HTTP). For related information see the Firewall Information section in the Apache Web Server document. | 800 | | X | | |
Millennium Web Applications (HTTPS/SSL) [Web Works Quick Edit] | 843 | | X | | |
WebPAC FTP Access (FTP) and Quick Click Ordering | 1021 | | X | | |
Database Server [Serves Electronic Resource Management, Millennium Cataloging, Millennium Circulation Notices, Teleforms, Millennium Statistics, Preferred Searches, View Cancelled Holds, View Outstanding Holds, WebBridge, Pickup Anywhere (Central Server Only), and Research Pro] | 1030-1031 | | X | | |
Innovative Application Ports [All products including Research Pro] | 1032-1035 | | X | | |
Millennium Client (Startup and Communication) | 2000 (For customers with the CASE product, access is required inbound for case.iii.com) | | X | | |
WebPAC Staging Site | 2082 | | X | | |
WebPAC Staging Reference Databases | 2083 | | X | | |
WebPAC Staging Site - KidsOnline (HTTP) | 2090 | | X | | |
Collection Web Reports | 4440 | | X | | |
Circulation Statistics Web Report | 4441 | | X | | |
Patron Search Statistics Web Report | 4442 | | X | | |
Fund Management Web Report | 4443 | | X | | |
INN-Reach Patron Reports (INN-Reach Central Sites only) | 4444 (See also 4454) | | X | | |
Vendor Performance Statistics Web Report | 4445 | | X | | |
Article Access Management Web Report | 4446 | | X | | |
Web Access Management Web Report | 4447 | | X | | |
Web Report Manager | 4448 | | X | | |
Patron Functions Web Reports | 4449 | | X | | |
INN-Reach Patron Reports (INN-Reach Central Sites only) | 4454 (Alternative port used by libraries that don't wish to allow access to port 4444. See also 4444) | | X | | |
Telephone Renewal | 4460 | | X | | |
Pickup Anywhere | 4465 & 4470 | | X | | |
AirPAC and/or Wireless Workstation | 4480 | X | X | | |
Patron API | 4500 | | X | | |
WebBridge (HTTP) OpenURL Linking | 4550 | X | X | | |
Millennium Data Server | 4600 | | X | | |
Millennium Cataloging Reference Databases, Content Pro | 4601 (+ one for each additional reference database) | | X | | |
Millennium Data Server [See also Research Pro] | 4605 (Inbound and outbound connections to the IP range 205.227.90) | | | | X |
Millennium ILL Data Server | 4666 | | X | | |
INN-View Authorities | 4991 | | X | | |
(Outbound connections to your organization's Encore server) | 5000 | | | | X |
INN-Reach Load Queue Daemon | 5020 | | X | | |
OCLC and SkyRiver bibliographic utilities | 5500 | | X | | X |
Self Checkout | 5550 | | X | | |
INN-Reach Circulation Daemon | 6601 | X | X | | |
INN-Reach Article Reach | 6621 | X | X | | |
ArticleReach e-Delivery Integration service (Odyssey) | 7968 | | X | X | |
Research Pro Locally-hosted servers [See also Research Pro] | 8000 | X | X | | |
Web Access Management Server (WAM) | 8080 | X | X | | |
System Printer [See System Printer]. Note: Port 9100 is on the printer. The server communicates with the printer on port 9100. | 9100 | | X | | |
Research Pro Locally-hosted servers [See also Research Pro] | 9797 | X | X | | |
Encore Circulation Daemon [See Encore] | 52085 | | | | X |
Millennium Data Server [See also Research Pro] | 54605 (Inbound and outbound connections to the IP range 205.227.90) | | | | X |
Patron API Server via SSL | 54620 | | X | | |
Decision Center [See above] | 60000-60005 | | X | | |
Research Pro Locally-hosted servers [See also Research Pro] | 61080 - 61087 | X | X | | |
RSS Feeds | 63200 | X | X | | |
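The chart marks which party may reach each port, but the firewall rule that implements it should be scoped to the named source addresses rather than opened to the whole internet. As an added example (not Innovative's own tooling), this Python builds nftables accept lines for a subset of the chart, limiting the "Innovative (External)" ports to the two support addresses the page lists and the "Staff / Partners" ports to an assumed staff network; the chart subset, the staff network 10.0.0.0/8 and the interface name wan are assumptions.

```python
from dataclasses import dataclass

# Innovative support source addresses as listed on this page
INNOVATIVE_SOURCES = ("205.227.88.253", "8.4.224.250")


@dataclass
class Row:
    """One chart row; each flag mirrors an X in the matching column."""
    product: str
    ports: str                # nftables port spec: "22" or "4440-4449"
    proto: str = "tcp"
    public: bool = False      # Public (Internet / External)
    staff: bool = False       # Staff / Partners (Internal)
    innovative: bool = False  # Innovative (External)
    outbound_only: bool = False


# Constructed subset of the chart above (rows and X marks taken from the page)
CHART = [
    Row("SSH/SFTP", "22", staff=True, innovative=True),
    Row("WebPAC (HTTP)", "80", public=True, staff=True, innovative=True),
    Row("Millennium Client", "2000", staff=True),
    Row("Web Reports", "4440-4449", staff=True),
    Row("Network Time Protocol", "123", proto="udp", outbound_only=True),
]


def build_rules(chart, staff_net="10.0.0.0/8", wan_if="wan"):
    """Return nftables rule lines for an input chain whose policy is drop,
    so each party only gets an accept scoped to its own source range.
    staff_net and wan_if are assumed placeholders for the library's values."""
    rules = []
    srcs = "{ " + ", ".join(INNOVATIVE_SOURCES) + " }"
    for row in chart:
        if row.outbound_only:  # server-initiated traffic leaving via the WAN side
            rules.append(f'oifname "{wan_if}" {row.proto} dport {row.ports} accept  # {row.product}')
            continue
        if row.public:  # any source; narrower per-party rules would be redundant
            rules.append(f"{row.proto} dport {row.ports} accept  # {row.product}: public")
            continue
        if row.staff:
            rules.append(f"ip saddr {staff_net} {row.proto} dport {row.ports} accept  # {row.product}: staff")
        if row.innovative:
            rules.append(f"ip saddr {srcs} {row.proto} dport {row.ports} accept  # {row.product}: Innovative")
    return rules
```

The output lines drop into an nftables chain with `policy drop`; any port that appears without an `ip saddr` prefix is internet-facing and worth a second look.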
Are there any known issues related to running the Millennium clients through a Cisco firewall?
Yes. Cisco PIX firewalls and ASA devices have the ability to alter certain connections as they traverse the firewall. Cisco PIX refers to this as a "fixup," which can be enabled or disabled for several network services including the Skinny Client Control Protocol (SCCP/skinny). Unfortunately both SCCP and Millennium use port 2000/TCP. When a Cisco firewall sees traffic on port 2000/TCP it assumes it is a SCCP connection and attempts to alter the traffic. This creates problems with Millennium connections.
Innovative recommends that you or your firewall administrator configure your Cisco products to disable SCCP fixup using the following commands:
Cisco Product | Command |
---|---|
PIX Firewall | `no fixup protocol skinny 2000` |
ASA Devices | `policy-map global_policy`, then `class inspection_default`, then `no inspect skinny` |
Cisco PIX firewalls may need an additional command for continued Quick Click Ordering support on port 1021.
Cisco Product | Command |
---|---|
PIX Firewall | fixup protocol ftp 1021 |
For more information, consult your Cisco documentation.
Are there any known issues related to running the Juniper firewall product?
If your organization has purchased the Juniper firewall product, you must turn the ALG feature off. Juniper firewalls create Application Layer Gateways (ALG) for some applications, and the ALG can mistake Innovative traffic for SCCP traffic.
Are there any known issues related to running the Millennium clients through a Sonic firewall?
Yes, Sonicwall uses content filtering on ports 2000 and 4600, also port 6601 (INN-Reach product) and ports 4465 and 4470 (INN-Reach Pickup Anywhere). If Sonicwall determines that incoming data is non-RFC compliant, it drops packets. Since portions of the Millennium traffic that go through those ports are compressed for both performance and security reasons, Sonicwall can treat these transmissions as malformed TCP traffic and consequently prevent data from getting through. The workaround with a Sonic firewall is to turn off content filtering for ports 2000 and 4600. Contact the manufacturers of Sonicwall for assistance with turning off content filtering.
Comments
On May 22nd we discovered that Heather Hillaker no longer had access to WAM Reports. We found out it was because ports were closed on the firewall. On May 23rd, we let IT know and Tyler Sears opened up ports 4440-4449 and it started working again.
III Ticket in reference to this is: #643547