Summary
Solution
What network access through our firewall does Innovative need?
Innovative requests access be granted through your firewall for connections originating from the list of IP addresses below and connecting to the Secure Shell (SSH) service on your Sierra Server(s). The IP addresses listed represent Innovative core support servers, which require that Innovative staff successfully authenticate to them before establishing connections to your site.
Required for Innovative Technical Support
192.33.187/24
In addition, Innovative requests that access be granted through your firewall for both inbound and outbound Secure Shell (SSH) and FTP services for the IP address listed below.
8.4.224.250
Encore
See Encore —Configuring Your Firewall.
Decision Center
To enable Decision Center, the following ports must be open between the Sierra application server and the hosted Decision Center server: port 80 (bidirectional), port 63000 (bidirectional), and port 63100 (bidirectional).
SMS Alerts
Allow Innovative [52.36.229.248 /smsdom.iii.com ] access to your library's server on ports 63000 and 63100 (SSL).
34.223.15.165 and 216.17.118.196 - new addresses required by August 26, 2022
After August 31st the IP of 52.36.229.248 can be removed.
Innovative Phone Alerts
Allow the following IP address ranges access to your Sierra App server on port 1031 (TCP inbound):
66.63.167.16/28
108.61.27.145/28
199.192.248.0/22
Innovative Mobile
Allow IP address 40.84.5.134 access to your Sierra App server on ports 443 and 5550 (if Selfcheck functions will be used)
Does the information in this FAQ apply to DMZs and private networks?
Yes. Whether your organization uses a private network, a DMZ, a standard firewall, or a combination of these, the information below on opening ports applies to all access control devices, if you want to provide access as outlined below.
How do I secure my system access?
You can limit access to your system in the Sierra Admin Corner. See Limiting Network Access in Sierra WebHelp.
My organization is an INN-Reach site and I want to change our IP address and/or install a firewall in front of the Innovative server. What do I have to do?
For information on changing your IP address and any requirements based on your firewall installation, see the IP Address Changes FAQ.
Failure to coordinate IP changes with Innovative Interfaces and your library's INN-Reach Central Server may result in unexpected issues, such as an inability for your library's server to successfully communicate with the INN-Reach Central Server.
What sort of timeout should I set on my firewall?
A library running Sierra should NOT have a timeout set on a firewall. If a site running Sierra has a timeout set on a firewall, users may be logged out during sessions when the desktop application is idle for a few minutes.
Does Innovative use User Datagram Protocol (UDP) services?
All network services provided by the Innovative server use TCP-based protocols. However, Innovative servers do initiate UDP-based DNS requests. For example, Network Time Protocol runs as an outbound UDP connection on port 123.
Where can I control access to my 2082 staging port?
The 2082 port currently shares its access settings with the default WebPAC (port 80).
How do I know which ports to open for traffic from searchers using our Z39.50 Client?
The administrators of the remote Z39.50 Server you want to search should be able to tell you. Port 210 is the standard, but some developers and vendors of Z39.50 Server software do use different ports.
Do I need to open ports for the Z39.50 Server for inbound traffic? Outbound? Or both?
Both.
Which ports should my library open for Innovative staff, the public, library staff, and other related groups such as partner libraries?
Refer to the following charts for all ports that you must open in your firewall for the appropriate parties.
If your organization allows Secure Shell (SSH) access, Innovative requires TCP/22 - Secure Shell (SSH) access through your organization's firewall to Sierra system and SFTP access between your server and upgrade.iii.com. Innovative can support the Sierra system and applications through SSH. For more information on Innovative's support access via SSH Tunneling, see the SSH (Secure Shell) FAQ.
Unless otherwise noted, both in-bound and out-bound access are required on the indicated port numb
Application Server (App Server)
| Product (Protocol) | Port Number(s) | Public | Staff/ Partners (Internal) | Innovative (External) | Sierra Database Server | Other (External) |
| SSHD | 22 | X (for staff who access the 'Admin Corner') | X | X | ||
| Mail (SMTP, outbound) | 25 | X | X | |||
| HTTP (Including Patron Web Services) | 80 | X | X | Recommended | X | |
| HTTP Alternate databases | 81, 82, 83... | X | X | |||
| HTTP KidsOnline | 90 | X | X | |||
| AirPAC for Smartphones | 91 | X | X | |||
| Outbound UDP Connection (Network Time Protocol) | 123 | X | ||||
| Z39.50 ServerPrimary database | 210 | X | X | |||
| WebPAC Z39.50 Client | 211 (Your library may require additional ports if your system runs multiple character sets on multiple ports.) | X | X | |||
| Z39.50 Client(Z39.50) | Any (The remote organization specifies the port; for example ports 210, 2200 and 7090 are commonly used.) | X | ||||
| INN-View Authority Access | 212 (Outbound to Innovative Address [innview.iii.com]) | X | ||||
| LDAP Patron Authentication (LDAP) | 389 (Outbound connections to your organization's LDAP server) | X | ||||
| HTTPS/SSL(Including Patron Web Services) | 443 | X | X | Recommended | X | |
| HTTPS/SSL(Additional WebPAC servers) | 444, 445, 446... | X | X | Recommended | ||
| OCLC ILL | 499 ('Other' external access is for outbound connections to OCLC.) | X | X | |||
| LDAP Patron Authentication (LDAP/SSL) | 636 (Outbound connections to your organization's LDAP server) | X | ||||
| WebPAC FTP Access (FTP) and Quick Click Ordering | 1021 | X | ||||
| MySQL (for statistics reporting, Innovative Phone Alerts) | 1031 | X | Recommended | |||
| WebPAC Staging Site | 2082 | X | ||||
| WebPAC Staging Reference Databases | 2083 | X | ||||
| WebPAC Staging Site - KidsOnline (HTTP) | 2090 | X | ||||
| Telephone Renewal | 4460 (Inbound from Telephone Renewal PC) | X | ||||
| Pickup Anywhere | 4465 & 4470 | X | ||||
| AirPAC and/or Wireless Workstation | 4480 | X | X | |||
| Patron API | 4500 | X | ||||
| WebBridge (HTTP) OpenURL Linking | 4550 | X | X | |||
| Reference Databases | 4601 | X | ||||
| INN-View Authorities | 4991 | X | ||||
| INN-Reach Load Queue Daemon | 5020 | X | ||||
| OCLC and SkyRiver bibliographic utilities | 5500 | X | X | |||
| Self Checkout (SIP2 and III Mobile) | 5550 | X | X | |||
| INN-Reach Circulation Daemon | 6601 | X | X | |||
| Research Pro Locally-hosted servers [See also Research Pro] | 8000 | X | X | |||
| System PrinterNote: Port 9100 is on the printer. The server communicates with the printer on port 9100. | 9100 | X | ||||
| Research Pro Locally-hosted servers [See also Research Pro] | 9797 | X | X | |||
| SSL Self Checkout | 45550 |
|
| X |
|
|
| Sierra Data Server[See also Research Pro] | 54605 (Inbound and outbound connections to the IP range 205.227.90 and 192.33.187/24) | X | ||||
| Patron API Server via SSL | 54620 | X | ||||
| Research Pro Locally-hosted servers [See also Research Pro] | 61080 - 61087 | X | X | |||
| Sierra Mobile(Mobile Worklists) | 61125 | Required Cloud Platform 54.183.40.224 54.67.111.221 | ||||
| Reporter & Decision Center, Staff Web Applications, Sierra Dashboard App, Sierra Desktop App | 63000 | X | Required | X | Requiredfrom hosted Reporter & Decision Center IP; Requiredfor book jacket vendors | |
| Reporter & Decision Center, | 63100 | X | Required | X | Requiredfrom hosted Reporter & Decision Center IP; Requiredfor book jacket vendors | |
| RSS Feeds | 63200 | X | X | |||
| Sierra Dashboard App, Sierra Desktop App | 64000 | X | Recommended | Requiredfor book jacket vendors | ||
| Sierra Data Server | 64001 | X | Recommended | |||
| SSL Sierra Desktop App Available beginning with Sierra 4.1 | 64100 |
| X | Recommended |
|
|
Database Server (DB Server)
| Product (Protocol) | Port Number(s) | Staff/ Partners (Internal) | Innovative (External) | Sierra Application Server | Other (External) |
| SSHD | 22 | X (for staff who access the 'Admin Corner') | X | X | |
| Outbound UDP Connection (Network Time Protocol) | 123 | X | |||
| PostgreSQL [All products including Research Pro] | 1032 | X (staff who need direct SQL access) | Recommended | X | |
| Advanced Keyword Searching Engine | 62800 | Recommended | X | ||
| Advanced Keyword Searching Engine | 62900 | Recommended | X | ||
| HTTP | 63000 | Recommended | X | ||
| HTTPS | 63100 | Recommended | X | ||
| Mail (SMTP, outbound) | 25 | X | X |