TB0032 - BuildProfessional and Firewalls

Number: TB0032

Availability: 8.02.01


Introduction

Firewalls restrict computers from receiving or sending traffic over a network.

While each firewall protects systems differently, you will need to understand how BuildProfessional sends data over a network to properly configure the firewall. This document provides a simplified description of firewall and networking technologies. It also describes how BuildProfessional programs are affected by those technologies.

Affected Programs
 

  • BuildProfessional Session Manager (sessmgr.exe). The Session Manager listens on port 5111. This is the default port used by BuildProfessional and is configured in nimconf.ini / .conf.
     
  • BuildProfessional Windows Client (winuix.exe and linkmon.exe). The Windows Client makes outgoing calls to the Session Manager and listens on a randomly available port number. Each client will listen on one port (or two if client side printing is used). While this can be hardwired to a single port number, that would only allow one client per PC.

    When the Windows Client connects to the Session Manager, the server then makes a new connection back to the client. This connection originates on the server and can cause firewall problems.

    The Windows Client also includes a Link Monitor which sends periodic "alive" signals to the Session Manager. The Link Monitor only makes outgoing connections to the Session Manager.
     

  • BuildProfessional Web-API Manager (webapimanager.exe). The Web-API Manager listens on port 3380. This is the default port used by BuildProfessional Web-API and is configured in webapimanager.ini.
     
  • BuildProfessional Web-API Client (webapiclient.exe, webapiclient.dll, wintdyx.exe). The Web-API Client only makes outgoing connections to the Web-API Manager. This is normally not an issue for firewalls.


Remote Desktop / Citrix

If you are accessing BuildProfessional software from a Windows Remote Desktop or Citrix client you do not need to configure your firewall specifically for BuildProfessional. Please see the documentation on those products for firewall information.


NAT

Network Address Translation allows PCs and servers on a network to share a single IP address when communicating through a router (such as to connect to the Internet).

BuildProfessional Windows Client cannot connect to a Session Manager via NAT. The Client must have its own IP address that is accessible from the Session Manager. Use a VPN.

BuildProfessional Web-API Client can connect to a Web-API Manager over NAT.


VPN

A Virtual Private Network provides a connection between a computer and a remote network over the Internet. The computer therefore becomes part of the remote network and should not be restricted in any way.

All BuildProfessional programs should work over the VPN.


Port Numbers

Network traffic is sent from a network port on one computer to a program "listening" on a remote computer. Firewalls normally stop traffic coming in on all except a nominated list of ports.

See details above on different programs and port numbers.
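
The following is an added example, not part of the original bulletin or of BuildProfessional itself: one way to express the listeners described above as Windows Defender Firewall rules. The install directory, the Session Manager address, the use of Windows Defender Firewall on both hosts, and winuix.exe being the process that accepts the callback are assumptions.

```powershell
# Added example: host firewall rules for the BuildProfessional listeners.
# ASSUMPTIONS (not from the bulletin): install directory, Session Manager IP,
# and that winuix.exe is the process accepting the Session Manager callback.
$BpDir       = 'C:\Path\To\BuildProfessional'   # placeholder install directory
$SessMgrHost = '192.0.2.10'                     # placeholder address (documentation range)
$Role        = 'Server'                         # set to 'Server' or 'Client'

if ($Role -eq 'Server') {
    # Session Manager listens on TCP 5111 (default, configured in nimconf.ini).
    New-NetFirewallRule -DisplayName 'BuildProfessional Session Manager' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5111 `
        -Program (Join-Path $BpDir 'sessmgr.exe') -Profile Domain,Private

    # Web-API Manager listens on TCP 3380 (default, configured in webapimanager.ini).
    New-NetFirewallRule -DisplayName 'BuildProfessional Web-API Manager' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3380 `
        -Program (Join-Path $BpDir 'webapimanager.exe') -Profile Domain,Private
}
else {
    # Windows Client: the Session Manager connects back on a randomly chosen
    # port, so the rule cannot name a port. Scope it to the client program
    # and to the Session Manager's address instead of opening a port range.
    New-NetFirewallRule -DisplayName 'BuildProfessional Windows Client callback' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -Program (Join-Path $BpDir 'winuix.exe') `
        -RemoteAddress $SessMgrHost -Profile Domain,Private
}

# Review what was created: rule name, direction, and the port filter applied.
Get-NetFirewallRule -DisplayName 'BuildProfessional*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
        }
    }
```

Any firewall between the two hosts must also permit the server-originated connection to the client, which is why the bulletin recommends a VPN where the client is not directly reachable.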


Port Forwarding

Port forwarding allows incoming traffic on a specific port to be redirected to another port on the same or different host. This allows a host connected to the Internet (a computer or firewall device) to receive traffic on behalf of a server inside a network.

Traffic to BuildProfessional Web-API Manager can be port forwarded. For example, a firewall router (host1) may receive traffic on port 3300. The firewall can then redirect this traffic to a different server (host2) on port 3380. In this example the Web-API Client would be configured to connect to host1 on port 3300. The firewall will forward all packets to host2/3380.

Traffic to BuildProfessional Session Manager can be port forwarded.

Traffic into the Windows Client cannot be forwarded as it listens on randomly available ports.