FileMaker 5 through a firewall???

[netadmin]

Has anyone ever successfully ported filemaker through a firewall? I have spent many hours attempting to acomplish this for my database people to no avail. I have the specific settings from filemaker.com with the correct port # and filtering schemes for UDP and TCP filtering. I am now starting to think that my firewall is correct and that the server is not. Configuration is as follows: port 5003 for all filemaker traffic.

Block port 5003 for UDP in both directions but allow TCP.

Export services for port 5003 to the filemaker host.

We are using NAT so a static IP is not possible.

Thoughts anyone????

[Tom Collins]

With NAT, you should just have to forward TCP traffic from port 5003 on the external interface to port 5003 of your server.

Don't forward UDP, but you shouldn't have to block it either.

[WBlanchard]

Found this in the FMP TIL:

Article #106727

Host And Files Not Showing In Host Window

ISSUE

On a Wide Area Network (WAN), such as the WWW internet, using TCP/IP and the Specify Host does not show the host computer or any open files.

RESOLUTION

Assign the host computer a valid TCP/IP address for internet connection. This address cannot utilize a Network Address Translation (NAT) or proxy type address.

Alternative: Selectively block UDP packet routing for port 5003 but allow TCP. On the router set up a stack filter on port 5003 so UDP is not passed in either direction. Export services for port 5003 to the FileMaker Pro host computer.

Note middle paragraph.

[This message has been edited by WBlanchard (edited July 24, 2000).]

[cinolas]

I am having the very same problem but with a twist...

We are on a SDSL network (similar to ADSL) and therefore, according to the Article #106727, I would have to apply the alternative solution:

"Alternative: Selectively block udp packet routing for port 5003 but allow TCP. On the router set up a stack filter on port 5003 so udp is not passed in either direction. Export services for port 5003 to the FileMaker Pro host computer."

So I have changed the forwarding rule on our router to "Selectively block udp packet routing for port 5003 but allow TCP". So effectively, the firewall is "On" on our BEFSR41 Linksys router and I have a forwarding rule to forward the port 5003, on TCP only, to our FMP Server box.

I don't understand why I would have to "On the router set up a stack filter on port 5003 so udp is not passed in either direction." but I did set a packet filter to do just that....I think...not to sure how to set it up properly.

And I have no idea what they mean by "Export services for port 5003 to the FileMaker Pro host computer." ....

But in the end I know for sure that port 5003 of our external IP is being forwarded to our FMP Server while UDP is not being forwarded.

The result is a bit confusing:

It seems that I can get the list of open files only once every five minutes... Meaning I can see the list to start with, so I open a file. I try to open another file from the same location and the host list is blank. I have to wait 5 minutes and try again, then the list is shown once, then I have to wait again...

At first I though the whole problem was with querying the server for a list of open files and not actually connecting to the files, so I made a local database opener file that runs a startup script that opens all the files I need opened. But it turns out that I can only open 1 file (even through a script) every 5 minutes, the second Open script steps returns a "File cannot be found". This is weird as the communication is fine once a file is open...

Can someone please help me figure out how to "On the router set up a stack filter on port 5003 so udp is not passed in either direction." and "Export services for port 5003 to the FileMaker Pro host computer" ?

I am using PCs. FMP Server 5.0 is on a Win2kServer box behind a BEFSR41 Linksys router (firmware 1.44.3, firewall "On"), connected to the internet through a SDSL connection. I am trying to connect through the WAN using a PC running XPPro (firewall disabled) and FMPUnlimited 5.0v3, this PC is on the same SDSL connection (same subnet, different external IP) connected directly to the SDSL modem (no router). For sake of simplicity, you can consider that I am trying to connect from outside the LAN.

Thanks a lot !

[ernst]

>>And I have no idea what they mean by "Export services for port 5003

>>to the FileMaker Pro host computer." ....

This means that you have to setup your router to forward all incoming traffic for port 5003 to the -fixed- internal IP adress of your Filemaker server.

And from your story I understand that you've done that already.

>>"On the router set up a stack filter on port 5003 so udp is not passed in either direction."

Is the same as the "Selectively block udp packet routing for port 5003 but allow TCP" setting that you made in your router. So that should be fine as well.

Personally I would start by trying to reach the server from a computer that is *really* outside your LAN. Some routers are known to behave strange when you try to reach another computer on the same LAN, via an external IP adress.

Regards,

Ernst.

[ernst]

Hello all,

I received a private email asking me to hi-lite 'to the list' that blocking outgoing UDP traffic on port 5003 is really necessary in order for Filemaker Server to function behind a firewall. The sender of the email had tried both with and without UDP blocking and experienced that some clients would NOT see the list of databases when outgoing UDP was NOT blocked.

What I wrote back...

Filemaker uses UDP traffic on port 5003 to 'announce' itself on the local network.

This is the mechanism that allows you to see all available servers on a network when clicking the hosts button in Filemakers Open dialog.

When connecting to a Filemaker server over a lower speed connection it could happen that this UDP traffic -when allowed to pass the firewall- uses all available bandwidth.

That could be the reason some of your clients did not see the list of files when you did not block UDP.

Hope this is usefull for somebody, somewhere...

Regards,

Ernst