IBM Support

IBM iSeries Access for Windows and PC Firewall Products

Troubleshooting


Problem

This document provides IBM® Access for Windows program and port information so that your firewall can be configured for Access for Windows outgoing and incoming connection requests.

Resolving The Problem

Firewall products are typically used to control incoming and outgoing connection attempts, blocking some or all of them. Because IBM Access for Windows relies on the ability to make outgoing and receive incoming connections, use of a firewall product to protect a PC can cause Access for Windows functions to fail. This document provides Access for Windows program and port information so that your firewall can be configured for Access for Windows outgoing and incoming connection requests.

Starting with Service Pack 2 of Microsoft Windows XP, Windows Firewall is enabled by default. Windows Firewall does not block outgoing connection attempts. However, by default it does block unsolicited incoming connection attempts to programs or ports, unless the proper exceptions are configured within Windows Firewall.

Scope and Purpose

Note: This document is not intended to be a tutorial on firewalls. Basic knowledge of firewalls is assumed.

This document does not discuss ports or applications on the server to which the client attempts to connect. For information about those, see Informational APAR II12227.

While some of the information in this document might be applicable when using an external firewall (for example, a properly configured router), the information herein should be read in the context of a PC software firewall product such as Windows Firewall or ZoneAlarm.

Introduction

IBM Access for Windows is mainly a client application designed to communicate with the IBM® i OS™ products across a network. In a few cases, Access for Windows functions also act as server programs, servicing incoming requests that could originate from a different system on the network. Firewall products are typically used to control incoming and outgoing connection attempts, blocking some or all as necessary. This protects the PC from such things as unauthorized use, unauthorized data access, data loss, and unwanted resource utilization. Because Access for Windows relies on the ability to make outgoing and receive incoming connections, use of a firewall product to protect a PC can cause Access for Windows functions to fail.

Blocking outgoing connection attempts is one function a firewall might perform. The firewall you use might allow you to configure which programs are allowed to make outgoing connections. If so, it is important to know the names and locations of program (.exe) files associated with an installed product (for example, Access for Windows) so that you can recognize them and configure the firewall according to your needs. In this way, you can avoid undesirable restriction of legitimate programs while still preventing the operation of rogue programs.

Blocking incoming connection attempts is another function a firewall might perform. A firewall that does this probably allows you to configure which programs can accept incoming connection requests and which ports can accept such requests. If so, it is important that you know the program name and port information for products you know are legitimately installed on your PC so normal operation of such products can continue without compromising the security of the PC.

Windows Firewall Specifics

Starting with Service Pack 2 of Microsoft Windows XP, Windows Firewall is enabled by default. Windows Firewall does not block outgoing connection attempts. However, by default it does block unsolicited incoming connection attempts to programs or ports that are not enabled to receive such connections via the Windows Firewall exceptions list. (See Microsoft documentation for their definition of "unsolicited" and for related details.) Some Access for Windows programs will not function properly because of this restrictive default state unless the proper exceptions are configured within Windows Firewall.

With Windows XP Service Pack 2, Microsoft also enhanced the netsh command-line tool, adding options to configure Windows Firewall. Using this command-line tool, administrators can create exceptions that will allow Access for Windows functions that require unsolicited incoming connections to work properly. Example uses of the netsh utility to create exceptions for specific Access for Windows functions are shown later in this document.

Note that Microsoft also documents other ways to prevent the loss of legitimate function after Windows XP SP2 has been installed. See Microsoft documentation for details. At the time of this writing, Microsoft provided a detailed document describing several ways an administrator might prevent unwanted failures due to Windows Firewall restrictions. It is called Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2. Search the Microsoft Web site using this title to access this document.

Access for Windows Programs

IBM Access for Windows program files that might require outgoing connections, incoming connections, or both, are listed below. If a firewall product alerts you that one of these programs is attempting to access the network, it is likely safe to allow it access. If the path for the program is not that shown below, beware, for it might be malware or a virus-infected version of the real program file. Note that use of a firewall program, even when configured optimally, does not remove the need for an anti-virus program on the PC. Potentially, any program file listed below, even in its correct location, could be infected with a virus.

Notes:

1. Within this document, wherever you see the following tags, replace them with whatever is appropriate for your PC:

   <INSTALL> represents the path where Access for Windows is installed
   <WINDOWS> represents the path where Microsoft Windows is installed

2. Some of the descriptions noted below might have changed from one release of Access for Windows to another; however, such changes are not common. When in doubt, verify the exact path and filename.

Outgoing Connections

A fairly comprehensive list of .exe files that might be installed as part of Access for Windows, including path information, and the file descriptions, is shown below. Some require outgoing connections to do their jobs; some might or might not, depending on the scenario; and some do not.

Note that some files have descriptions different than the filename while others do not. Some firewall products can identify a program by its filename, others by the filename without the extension, and still others by the description of the file.

Filename : caupdt.exe
Location : <INSTALL>
Description : 'Directory Update'

Filename : cwb3uic.exe
Location : <INSTALL>
Description : 'CWB3UIC MFC Application'

Filename : cwbadgen.exe
Location : <INSTALL>
Description : 'iSeries Access Policy Template Generator'

Filename : cwbafdm.exe
Location : <WINDOWS>\cwbafp
Description : (none)

Filename : cwbback.exe
Location : <WINDOWS>
Description : 'Configuration Backup utility'

Filename : cwbcfg.exe
Location : <INSTALL>
Description : 'Global Configuration'

Filename : cwbckver.exe
Location : <INSTALL>
Description : 'Service Level Detection'

Filename : cwbcopwr.exe
Location : <INSTALL>
Description : 'iSeries Access Communication Power Tool'

Filename : cwbcossl.exe
Location : <INSTALL>
Description : 'CWBCOSSL - iSeries Access Secure Sockets Layer Utility'
Note : This file does not exist in V5R1 unless a service pack is installed.

Filename : cwbcotrc.exe
Location : <INSTALL>
Description : 'iSeries Access Communication Trace switch'

Filename : cwbdsk.exe
Location : <INSTALL>
Description : 'CWBDSK.EXE'

Filename : cwbemcup.exe
Location : <INSTALL>\Emulator
Description : (none)

Filename : cwbenv.exe
Location : <INSTALL>
Description : 'Client Access Connections Export/Import Utility'

Filename : cwbinarp.exe
Location : <INSTALL>
Description : 'Client Access Express Add/Remove Programs Wizard'

Filename : cwbinhlp.exe
Location : <INSTALL>
Description : 'Client Access Help Registry Update Function'

Filename : cwbinplg.exe
Location : <INSTALL>
Description : 'Client Access Express Single Plug-in Install'
Note : This file exists only in V5R2 and earlier.

Filename : cwbinsii.exe
Location : <INSTALL>
Description : 'CWBINSII.EXE'

Filename : cwbinww.exe
Location : <INSTALL>
Description : 'Client Access Welcome Wizard Function'

Filename : cwblmsrv.exe
Location : <INSTALL>
Description : (none)

Filename : cwblog.exe
Location : <INSTALL>
Description : 'cwblog.exe'

Filename : cwblogon.exe
Location : <INSTALL>
Description : 'cwblogon.exe'

Filename : cwbmptrc.exe
Location : <INSTALL>
Description : (none)
Note : This file exists only in V5R3 and later.

Filename : cwbmwsvr.exe
Location : <WINDOWS>
Description : 'cwbmwsvr.exe'
Note : This file exists only in V5R1 and earlier.

Filename : cwbnltbl.exe
Location : <INSTALL>
Description : 'Code page conversion table download utility'

Filename : cwbodbcreg.exe
Location : <INSTALL>
Description : (none)
Note : This file exists only in V5R3 and later.

Filename : cwbopaoc.exe
Location : <INSTALL>\Aoc
Description : (none)

Filename : cwbopcon.exe
Location : <INSTALL>\Aoc
Description : (none)

Filename : cwbping.exe
Location : on 32-bit Windows, <WINDOWS>
on 64-bit Windows, both <INSTALL> and <WINDOWS>\system32
Description : 'Ping of iSeries Access Servers'

Filename : cwbrest.exe
Location : <WINDOWS>
Description : 'Configuration Restore utility'

Filename : cwbrunit.exe
Location : <INSTALL>
Description : 'Client Access RunOnce Program Launcher'

Filename : cwbrxd.exe
Location : <WINDOWS>
Description : 'TCP/IP Incoming Remote Command server'

Filename : cwbrxdsd.exe
Location : <WINDOWS>
Description : 'ShutDown of TCP/IP Incoming Rmt Cmd server'
Note : This file exists only in V5R2 and earlier.

Filename : cwbsreg.exe
Location : <INSTALL>
Description : 'Client Access Registration Server'

Filename : cwbsvd.exe
Location : <INSTALL>
Description : 'cwbsvd.exe'

Filename : cwbsvget.exe
Location : <INSTALL>
Description : 'cwbsvget.exe'
Note : This file exists only in V5R3 and later.

Filename : cwbsvstr.exe
Location : <INSTALL>
Description : 'cwbsvstr.exe'

Filename : cwbtf.exe
Location : <INSTALL>
Description : 'Client Access Data Transfer Program'

Filename : cwbuisxe.exe
Location : <INSTALL>
Description : 'CWBUISXE.EXE'

Filename : cwbujbld.exe
Location : <INSTALL>\Toolkit\Bin
Description : 'GBUILD MFC Application'

Filename : cwbujcnv.exe
Location : <INSTALL>\Toolkit\Bin
Description : 'GBUILD MFC Application'

Filename : cwbundbs.exe
Location : <INSTALL>\Shared
Description : 'cwbundbs.exe'

Filename : cwbundc2.exe
Location : <INSTALL>
Description : 'DCE Configuration'
Note : This file exists only in V5R2 and earlier.

Filename : cwbundce.exe
Location : <INSTALL>
Description : 'DCE Configuration'
Note : This file exists only in V5R2 and earlier.

Filename : cwbunfed.exe
Location : <INSTALL>
Description : 'cwbunfed.exe'

Filename : cwbunins.exe
Location : <INSTALL>
Description : 'Uninstall Utility'

Filename : cwbunnav.exe
Location : <INSTALL>
Description : 'cwbunnav.exe'

Filename : cwbunplp.exe
Location : on 32-bit Windows, <WINDOWS>\system32
on 64-bit Windows, <WINDOWS>\SysWOW64
Description : (none)
Note : This file exists only in V5R2 and later.

Filename : cwbunrse.exe
Location : <WINDOWS>
Description : 'cwbunrse.exe'

Filename : cwbviewd.exe
Location : <INSTALL>
Description : 'cwbviewd.exe'

Filename : cwbviewr.exe
Location : <WINDOWS>
Description : 'AFP Spooled File Viewer command line utility'

Filename : cwbvlog.exe
Location : <INSTALL>
Description : 'Client Access Virtual Device Logger'

Filename : cwbwlwiz.exe
Location : <INSTALL>
Description : 'CWBWLWIZ.EXE'

Filename : cwbzip.exe
Location : <INSTALL>
Description : (none)
Note : This file exists only in V5R3 and later.

Filename : cwbzztrc.exe
Location : <INSTALL>
Description : 'OLE DB Provider trace toggle tool'

Filename : doshll.exe
Location : <INSTALL>\Emulator
Description : 'doshll'
Note : This file exists only in V5R2 and earlier.

Filename : ez2.exe
Location : <INSTALL>\EZSetup
Description : (none)

Filename : ezcheck.exe
Location : <INSTALL>
Description : (none)
Note : This file exists only in V5R2 and later.

Filename : ezsetup.exe
Location : <INSTALL>\EZSetup
Description : 'EZSETUP.EXE'
Note : This file exists only in V5R1 and earlier.

Filename : ezstart.exe
Location : <INSTALL>\EZSetup
Description : (none)

Filename : ftdwinvw.exe
Location : <INSTALL>
Description : 'IBM AFP Workbench Viewer'

Filename : ftdwprt.exe
Location : <INSTALL>
Description : (none)

Filename : fzzmcmw.exe
Location : <INSTALL>\Shared
Description : 'fzzmcmw.exe'

Filename : gaijicnv.exe
Location : <INSTALL>\Emulator
Description : 'GAIJICNV.EXE'

Filename : gsw32.exe
Location : on 32-bit Windows, <WINDOWS>\system32
on 64-bit Windows, <WINDOWS>\SysWOW64
Description : 'Graphics Server'

Filename : helper.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java™ WebStart Helper Module'
Note : This file exists only in V5R3 and later.

Filename : IBMJavaPlugin141.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java Plugin Control Panel'
Note : This file exists only in V5R3 and later.

Filename : ikeyman.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java GUI key management utility'
Note : This file exists only in V5R3 and later.

Filename : JaasLogon.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java security utility'
Note : This file exists only in V5R3 and later.

Filename : java.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java launcher'

Filename : javaw.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java launcher'

Filename : javaws.exe
Location : <INSTALL>\JRE\Bin
Description : (none)
Note : This file exists only in V5R3 and later.

Filename : jdaemont.exe
Location : <INSTALL>\JRE\Bin
Description : (none)
Note : This file exists only in V5R2 and earlier.

Filename : jextract.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java dump extractor utility'
Note : This file exists only in V5R3 and later.

Filename : jinstall.exe
Location : <INSTALL>\JRE\Bin
Description : 'JInstall'

Filename : keytool.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java key management utility'

Filename : kinit.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java Kerberos init utility'
Note : This file exists only in V5R3 and later.

Filename : klist.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java Kerberos list utility'
Note : This file exists only in V5R3 and later.

Filename : ktab.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java Kerberos tab utility'
Note : This file exists only in V5R3 and later.

Filename : lstjbl.exe
Location : <INSTALL>
Description : 'lstjbl.exe'

Filename : lstjob.exe
Location : <INSTALL>
Description : 'lstjob.exe'

Filename : lstmsg.exe
Location : <INSTALL>
Description : 'lstmsg.exe'

Filename : lstprt.exe
Location : <INSTALL>
Description : 'lstprt.exe'

Filename : lstsplf.exe
Location : <INSTALL>
Description : 'lstsplf.exe'

Filename : manualwrapper.exe
Location : <INSTALL>\JRE\Bin
Description : 'manualwrapper'
Note : This file exists only in V5R3 and later.

Filename : miwiz.exe
Location : <INSTALL>
Description : 'MIWIZ.EXE'
Note : This file exists only in V5R2 and earlier.

Filename : oldjava.exe
Location : <INSTALL>\JRE\Bin
Description : (none)
Note : This file exists only in V5R2 and earlier.

Filename : oldjavaw.exe
Location : <INSTALL>\JRE\Bin
Description : (none)
Note : This file exists only in V5R2 and earlier.

Filename : pcsbat.exe
Location : <INSTALL>\Emulator
Description : 'PCSBAT.EXE'

Filename : pcscm.exe
Location : <INSTALL>\Emulator
Description : 'PCSCM.EXE'

Filename : pcscmenu.exe
Location : <INSTALL>\Emulator
Description : 'PCSCMENU.EXE'

Filename : pcsdehli.exe
Location : <INSTALL>\Emulator
Description : 'PCSDEHLI'

Filename : pcsfe.exe
Location : <INSTALL>\Emulator
Description : 'pcsfe MFC Application'
Note : This file exists only in V5R2 or later.

Filename : pcsmc2vb.exe
Location : <INSTALL>\Emulator
Description : 'Macro to Script'

Filename : pcsmon.exe
Location : <INSTALL>\Emulator
Description : (none)

Filename : pcspcoc.exe
Location : <INSTALL>\Emulator
Description : 'PCSPCOC.EXE'

Filename : pcspfc.exe
Location : <INSTALL>\Emulator
Description : 'PCSPFC.EXE'

Filename : pcssnd.exe
Location : <INSTALL>\Emulator
Description : 'pcssnd'
Note : This file exists only in V5R3 and later.

Filename : pcsthunk.exe
Location : <INSTALL>\Emulator
Description : 'PCSTHUNK.EXE'

Filename : pcsws.exe
Location : <INSTALL>\Emulator
Description : 'PCSWS.EXE'

Filename : policytool.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java utility'

Filename : receive.exe
Location : <INSTALL>\Emulator
Description : 'receive'
Note : This file exists only in V5R1 and earlier.

Filename : rfrompcb.exe
Location : <INSTALL>
Description : 'Client Access Data Transfer from PC to AS/400 (batch)'

Filename : rmid.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java RMI utility'

Filename : rmiregistry.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java RMI utility'

Filename : rmtcmd.exe
Location : <WINDOWS>
Description : 'Remote Command Program'

Filename : rtopcb.exe
Location : <INSTALL>
Description : 'Client Access Data Transfer from AS/400 to PC (batch)'

Filename : rxferpcb.exe
Location : <INSTALL>
Description : 'Client Access Data Transfer (rxferpcb)'
Note : This file did not exist in V5R1 prior to service pack SI10376.
This file did not exist in V5R2 prior to service pack SI09809.

Filename : send.exe
Location : <INSTALL>\Emulator
Description : 'send'
Note : This file exists only in V5R1 and earlier.

Filename : srvview.exe
Location : <INSTALL>
Description : 'Service Viewer'

Filename : strapp.exe
Location : <INSTALL>
Description : 'STRAPP.EXE'

Filename : sysctbl.exe
Location : <INSTALL>\Emulator
Description : 'SYSCTBL.EXE'

Filename : tnameserv.exe
Location : <INSTALL>\JRE\Bin
Description : 'Java utility'

Filename : trcgui.exe
Location : <INSTALL>\Emulator
Description : 'Independent Trace Facility'

Filename : unregbean.exe
Location : <INSTALL>\JRE\Bin
Description : (none)
Note : This file exists only in V5R2 and earlier.

Filename : wrkmsg.exe
Location : <INSTALL>
Description : 'WRKMSG.EXE'

Filename : wrkprt.exe
Location : <INSTALL>
Description : 'WRKPRT.EXE'

Filename : wrksplf.exe
Location : <INSTALL>
Description : 'WRKSPLF.EXE'

Filename : wrkusrj.exe
Location : <INSTALL>
Description : (none)

Filename : wunregbean.exe
Location : <INSTALL>\JRE\Bin
Description : 'WUnregBean'
Note : This file exists only in V5R2 and earlier.

Incoming Connections

The IBM Access for Windows program files that might require accepting an unsolicited INCOMING connection request are listed below, along with their description and file system location. Each listing also includes information about which port is required for accepting incoming connections, and which protocol is used when communicating on that port. This information can be useful when configuring a firewall to allow these programs to function properly. For example, configuring the firewall to allow unsolicited incoming TCP connection attempts on port 512 will allow the Incoming Remote Command function to work.

Incoming Remote Command

Filename : cwbrxd.exe
Location : <WINDOWS>
Description : 'TCP/IP Incoming Remote Command server'
Function : 'Access for Windows Remote Command' service (Incoming Remote Command)
Failure symptoms :
When the Access Remote Command service is started, you might be notified by the firewall that the service is trying to receive connections. There will be no Access for Windows-specific indication of a problem on the PC. The service will start successfully. No errors will appear in any of the Access for Windows logs. On the system from which a remote command request is sent, the request will fail in the same way it would if the PC were not started or were disconnected from the network. For example, when using RUNRMTCMD on an IBM i OS System to send a command to a PC running IRC, the following message will result:

CPE3447 - A remote host did not respond within the timeout period.

and if rexec is used to send a command request from a Windows PC, the following messages will result:

rexec:connect:Connection timed out
rexec: can't establish connection

If the firewall provides logging of blocked connection attempts and the logging is enabled, the log should contain a record of blocked connection attempts to the PC on port 512 from the system on which the request was made.

Recovery

The firewall product must be configured to allow incoming connections to port 512 or incoming connections to cwbrxd.exe, whether specifying port 512 or not.

Exception : 1
Port : 512
Protocol : TCP
Comment(s) : Well known port used for the TCP "exec" service. Any remote machine running the "rexec" client or compatible program might attempt to connect to this port, if open.

Operations Console

Filename : cwbopcon.exe
Location : <INSTALL>
Function : Operations Console
Description : 'cwbopcon'
Symptoms :
When Operations Console is started and no exceptions for it have been configured in the firewall product, you might be notified by the firewall that the program is trying to receive connections. Further symptoms might include the following:
- When connecting an LCS (local connection), the status might not progress beyond "connecting console".
- When connecting an RCS (remote connection) to an LCS that has not had all needed firewall exceptions configured, it fails to connect; or it connects, but fails to authenticate. The failure reason noted at the RCS might be that the local system is not configured to receive calls.
Recovery

In the case of RCS dial-up to LCS, exception (4) below must be configured on the LCS, and no exceptions are needed on the RCS. In the case of a direct or LAN connection, exceptions (2) and (3) must be configured on the LCS. Or, you can configure (4) if you think it more secure to open ports only for a specific application rather than specific ports for any application.

Exception : 2
Port : 67
Protocol : UDP
Comment(s) : This is the well known port used for the "bootp" service (bootps) and receives connections from remote System i servers.

Exception : 3
Port : 2112
Protocol : TCP
Comment(s) : This port is used for communications within the PC and, therefore, must accept only connection requests from address 127.0.0.1 (loopback).

Exception : 4
Port : "any"
Protocol : N/A
Comment(s) : Used only in the case of an LCS accepting connections from an RCS. A listening port on the LCS can be any in the range 1025 to 5000. For this reason, do not set up PORT exceptions for this case; set up an APPLICATION exception for cwbopcon.exe. This also covers the above exceptions; therefore, they are not required.
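
The blocked-connection log check mentioned under Failure symptoms, applied to the ports in the exception tables above, as an added example (not IBM code). It assumes the firewall is Windows Firewall with dropped-packet logging written in its W3C-style pfirewall.log format; the log lines and 192.0.2.x addresses are constructed.

```python
import ipaddress

# Exceptions from this page's tables: (protocol, port) -> (exception number, function).
PAGE_EXCEPTIONS = {
    ("TCP", 512): (1, "Incoming Remote Command (cwbrxd.exe)"),
    ("UDP", 67): (2, "Operations Console bootps"),
    ("TCP", 2112): (3, "Operations Console, loopback only"),
}

# Constructed sample log; the last line is deliberately truncated.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2019-12-18 09:14:02 DROP TCP 192.0.2.10 192.0.2.50 3412 512 48 S 1884164612 0 65535 - - -
2019-12-18 09:14:05 DROP TCP 192.0.2.10 192.0.2.50 3412 512 48 S 1884164612 0 65535 - - -
2019-12-18 09:15:40 DROP UDP 192.0.2.20 192.0.2.50 68 67 328 - - - - - - -
2019-12-18 09:16:11 DROP TCP 192.0.2.99 192.0.2.50 4001 2112 48 S 771204411 0 65535 - - -
2019-12-18 09:17:30 OPEN TCP 192.0.2.50 192.0.2.10 1044 80 - - - - - - - -
2019-12-18 09:18:02 DROP TCP 192.0.2.77 192.0.2.50 2210 445 48 S 99120045 0 65535 - - -
2019-12-18 09:19:00 DROP TCP 192.0.2.10
"""


def parse_log(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def triage(text):
    """Group DROP records that hit a port listed in the page's exception tables.

    Returns {(exception number, source IP): {"function", "verdict", "count"}}.
    """
    findings = {}
    for rec in parse_log(text):
        if rec["action"] != "DROP" or not rec["dst-port"].isdigit():
            continue
        key = (rec["protocol"], int(rec["dst-port"]))
        if key not in PAGE_EXCEPTIONS:
            continue  # a drop unrelated to Access for Windows
        try:
            source = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue  # malformed address field
        number, function = PAGE_EXCEPTIONS[key]
        # Exception 3 must accept loopback only, so a drop from a remote
        # source is the firewall working as intended, not a failure to fix.
        if number == 3 and not source.is_loopback:
            verdict = "keep blocked"
        else:
            verdict = "needs exception"
        entry = findings.setdefault(
            (number, rec["src-ip"]),
            {"function": function, "verdict": verdict, "count": 0},
        )
        entry["count"] += 1
    return findings


if __name__ == "__main__":
    for (number, src), info in sorted(triage(SAMPLE_LOG).items()):
        print(f"exception {number} from {src}: {info['function']}, "
              f"{info['count']} drop(s), {info['verdict']}")
```
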


Management Central

In addition to the applications described above as needing to accept incoming connection attempts, specific functions of Management Central require this ability. A separate document regarding use of Management Central in conjunction with firewalls is available in the IBM i Information Center. Refer to:

http://publib.boulder.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=/experience/mcfirewallabstract.htm


Creating Windows Firewall Exceptions Using the NETSH Utility

You might want to manually configure Windows Firewall to allow incoming connection attempts to succeed. One way exceptions can be configured is by using the version of the netsh utility provided by Microsoft as part of Windows XP SP2. The invocations of netsh required to create the same-numbered exceptions described above are shown below. These calls create and enable exceptions that grant access to any system that can get to your PC across the network. You might want to narrow the scope of access. To do so, modify the commands below accordingly. See documentation for the netsh command as provided by Microsoft.


Historical Number

349950912

Document Information

Modified date:
18 December 2019

UID

nas8N1015936