Firewalls


Question from: Bob Waldstein <[email protected]> Thu, 4 Feb 1999 11:14:08 -0500
Question:
How may Z39.50 clients more easily deal with firewalls?

Background:
Networks often have "screening firewalls" for security. These can present problems for Z39.50 clients. In a screening firewall the system allows traffic only on specific port numbers. Various common internet services communicate on specific ports; for example, the web uses port 80, FTP uses ports 20 and 21, Telnet uses port 23, etc.

The officially registered internet IP port for Z39.50 is 210. Although the majority of servers use this port, there are dozens of other port numbers used worldwide by Z39.50 (e.g. 2100, 2200, 2210, 2213, 3520, to name a few; in one case, a server has assigned ports 2101 and up for different databases).

It is quite typical that port 80 is "enabled" to allow web communication, as well as other commonly recognized ports. This often confuses Z39.50 client users because even though they have "internet access", Z39.50 clients don't work, because Z39.50 ports are disabled. The only remedy is to convince the firewall administrator to enable ports corresponding to the desired Z39.50 servers.


Response:
Target system developers and implementors are urged to configure targets to use the officially registered Z39.50 port number, 210. This will not completely solve the problem; however, it will be easier to convince firewall administrators to enable a single port, 210, and in particular a port that is officially registered, than to enable arbitrarily configured Z39.50 ports.

Status: Approved (1/00)
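
The symptom described in the Background (web access works, the Z39.50 client does not) can be checked from the client side before approaching the firewall administrator. The following is an added example, not part of the original agreement; the function names are hypothetical and `z3950.example.org` is a constructed placeholder host.

```python
import socket

Z3950_PORT = 210  # officially registered Z39.50 port, per the text above


def probe(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt from the client side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed
    except ConnectionRefusedError:
        return "refused"       # reset came back: closed port or a rejecting firewall
    except socket.timeout:
        return "filtered"      # no answer: typical of a firewall silently dropping
    except OSError:
        return "error"         # DNS failure, unreachable network, etc.


def verdict(z_state, control_state, z_port=Z3950_PORT):
    """Turn two probe results into a message for the firewall administrator.

    control_state is the result for a port the firewall is expected to allow
    (port 80 in the Background's example) on the same host.
    """
    if z_state == "open":
        return f"port {z_port} reachable: no firewall change needed"
    if z_state == "filtered" and control_state in ("open", "refused"):
        # Packets reach the host on the control port but vanish on the Z39.50 port.
        return f"port {z_port} likely blocked: ask for outbound TCP {z_port} to be enabled"
    if z_state == "refused":
        return (f"connection reset on port {z_port}: the target may listen on "
                "another port, or a firewall rejects it")
    return "inconclusive: host did not answer usefully on either port"


def diagnose(host, z_port=Z3950_PORT, control_port=80, timeout=3.0):
    """Probe the Z39.50 port and a control port, then summarise the result."""
    return verdict(probe(host, z_port, timeout),
                   probe(host, control_port, timeout), z_port)


if __name__ == "__main__":
    # Constructed placeholder host; substitute the target you were given.
    print(diagnose("z3950.example.org"))
```

For a target configured on a non-registered port, pass that port as `z_port` so the request to the administrator names the exact port.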
Library of Congress