Sierra Access through Local Firewalls

Updated 08/19/2022 03:04:30 PM by cspears@iii.com

Solution

What network access through our firewall does Innovative need?

Innovative requests access be granted through your firewall for connections originating from the list of IP addresses below and connecting to the Secure Shell (SSH) service on your Sierra Server(s). The IP addresses listed represent Innovative core support servers, which require that Innovative staff successfully authenticate to them before establishing connections to your site.

Required for Innovative Technical Support

205.227.88.253 - current until Oct 1 2022

192.33.187/24 - required after Oct 1 2022

In addition, Innovative requests that access be granted through your firewall for both inbound and outbound Secure Shell (SSH) and FTP services for the IP address listed below.

8.4.224.250

Encore

See Encore —Configuring Your Firewall.

Decision Center

To enable Decision Center, the following ports must be open between the Sierra application server and the hosted Decision Center server: port 80 (bidirectional), port 63000 (bidirectional), and port 63100 (bidirectional).

SMS Alerts

Allow Innovative [52.36.229.248 /smsdom.iii.com ] access to your library's server on ports 63000 and 63100 (SSL).

34.223.15.165 and 216.17.118.196 - new addresses required by August 26, 2022

After August 31st the IP of 52.36.229.248 can be removed.

Innovative Phone Alerts

Allow the following IP address ranges access to your Sierra App server on port 1031 (TCP inbound):

66.63.167.16/28

108.61.27.145/28

199.192.248.0/22

Innovative Mobile

Allow IP address 40.84.5.134 access to your Sierra App server on ports 443 and 5550 (if Selfcheck functions will be used)

Does the information in this FAQ apply to DMZs and private networks?

Yes. Whether your organization uses a private network, a DMZ, a standard firewall, or a combination of these, the information below on opening ports applies to all access control devices, if you want to provide access as outlined below.

How do I secure my system access?

You can limit access to your system in the Sierra Admin Corner. See Limiting Network Access in Sierra WebHelp.

My organization is an INN-Reach site and I want to change our IP address and/or install a firewall in front of the Innovative server. What do I have to do?

For information on changing your IP address and any requirements based on your firewall installation, see the IP Address Changes FAQ.

Failure to coordinate IP changes with Innovative Interfaces and your library's INN-Reach Central Server may result in unexpected issues, such as an inability for your library's server to successfully communicate with the INN-Reach Central Server.

What sort of timeout should I set on my firewall?

A library running Sierra should NOT have a timeout set on a firewall. If a site running Sierra has a timeout set on a firewall, users may be logged out during sessions when the desktop application is idle for a few minutes.

Does Innovative use User Datagram Protocol (UDP) services?

All network services provided by the Innovative server use TCP-based protocols. However, Innovative servers do initiate UDP-based DNS requests. For example, Network Time Protocol runs as an outbound UDP connection on port 123.

Where can I control access to my 2082 staging port?

The 2082 port currently shares its access settings with the default WebPAC (port 80).

How do I know which ports to open for traffic from searchers using our Z39.50 Client?

The administrators of the remote Z39.50 Server you want to search should be able to tell you. Port 210 is the standard, but some developers and vendors of Z39.50 Server software do use different ports.

Do I need to open ports for the Z39.50 Server for inbound traffic? Outbound? Or both?

Both.

Which ports should my library open for Innovative staff, the public, library staff, and other related groups such as partner libraries?

Refer to the following charts for all ports that you must open in your firewall for the appropriate parties.

If your organization allows Secure Shell (SSH) access, Innovative requires TCP/22 - Secure Shell (SSH) access through your organization's firewall to Sierra system and SFTP access between your server and upgrade.iii.com. Innovative can support the Sierra system and applications through SSH. For more information on Innovative's support access via SSH Tunneling, see the SSH (Secure Shell) FAQ.

Unless otherwise noted, both in-bound and out-bound access are required on the indicated port numb

Application Server (App Server)

Product (Protocol)	Port Number(s)	Public (Internet / External)	Staff/ Partners (Internal)	Innovative (External)	Sierra Database Server	Other (External)
SSHD	22		X (for staff who access the 'Admin Corner')	X	X
Mail (SMTP, outbound), Content Pro (outbound to www)	25	X	X
HTTP (Including Patron Web Services)	80	X	X	Recommended	X
HTTP Alternate databases	81, 82, 83...	X	X
HTTP KidsOnline	90	X	X
AirPAC for Smartphones	91	X	X
Outbound UDP Connection (Network Time Protocol)	123					X
Z39.50 ServerPrimary database	210	X	X
WebPAC Z39.50 Client	211 (Your library may require additional ports if your system runs multiple character sets on multiple ports.)	X	X
Z39.50 Client(Z39.50)	Any (The remote organization specifies the port; for example ports 210, 2200 and 7090 are commonly used.)		X
INN-View Authority Access	212 (Outbound to Innovative Address [innview.iii.com])			X
LDAP Patron Authentication (LDAP)	389 (Outbound connections to your organization's LDAP server)					X
ArticleReach e-Delivery Integration service (Ariel)	422		X	X
HTTPS/SSL(Including Patron Web Services)	443	X	X	Recommended	X
HTTPS/SSL(Additional WebPAC servers)	444, 445, 446...	X	X	Recommended
OCLC ILL	499 ('Other' external access is for outbound connections to OCLC.)		X			X
LDAP Patron Authentication (LDAP/SSL)	636 (Outbound connections to your organization's LDAP server)					X
WebPAC FTP Access (FTP) and Quick Click Ordering	1021		X
MySQL (for statistics reporting, Innovative Phone Alerts)	1031		X	Recommended
WebPAC Staging Site	2082		X
WebPAC Staging Reference Databases	2083		X
WebPAC Staging Site - KidsOnline (HTTP)	2090		X
Collection Web Reports	4440		X
Circulation Statistics Web Report	4441		X
Patron Search Statistics Web Report	4442		X
Fund Management Web Report	4443		X
INN-Reach Patron Reports (INN-Reach Central Sites only)	4444 (See also 4454)		X
Vendor Performance Statistics Web Report	4445		X
Article Access Management Web Report	4446		X
Web Access Management Web Report	4447		X
Web Report Manager	4448		X
Patron Functions Web Reports	4449		X
INN-Reach Patron Reports (INN-Reach Central Sites only)	4454 (Alternative port used by libraries that don't wish to allow access to port 4444. See also 4444)		X
Telephone Renewal	4460 (Inbound from Telephone Renewal PC)		X
Pickup Anywhere	4465 & 4470		X
AirPAC and/or Wireless Workstation	4480	X	X
Patron API	4500		X
WebBridge (HTTP) OpenURL Linking	4550	X	X
Reference Databases	4601		X
INN-View Authorities	4991		X
INN-Reach Load Queue Daemon	5020		X
OCLC and SkyRiver bibliographic utilities	5500		X			X
Self Checkout (SIP2 and III Mobile)	5550		X	X
INN-Reach Circulation Daemon	6601	X	X
INN-Reach Article Reach	6621	X	X
ArticleReach e-Delivery Integration service (Odyssey)	7968		X	X
Research Pro Locally-hosted servers [See also Research Pro]	8000	X	X
System PrinterNote: Port 9100 is on the printer. The server communicates with the printer on port 9100.	9100		X
Research Pro Locally-hosted servers [See also Research Pro]	9797	X	X
SSL Self Checkout	45550			X
Sierra Data Server[See also Research Pro]	54605 (Inbound and outbound connections to the IP range 205.227.90 and 192.33.187/24)					X
Patron API Server via SSL	54620		X
Research Pro Locally-hosted servers [See also Research Pro]	61080 - 61087	X	X
Sierra Mobile(Mobile Worklists)	61125			Required Cloud Platform 54.183.40.224 54.67.111.221
Reporter & Decision Center, Staff Web Applications, Sierra Dashboard App, Sierra Desktop App	63000		X	Required Reporter & Decision Center server. Contact III if you are unsure what IP to use. Required SMS Alerts server 74.217.196.23 smsdom.iii.com Recommendedfor all libraries not using SMS Alerts	X	Requiredfrom hosted Reporter & Decision Center IP; Requiredfor book jacket vendors
Reporter & Decision Center, Staff Web Applications (SSL), Sierra Dashboard App, Sierra Desktop App	63100		X	Required SMS Alerts server 74.217.196.23 smsdom.iii.com Recommendedfor all libraries not using SMS Alerts	X	Requiredfrom hosted Reporter & Decision Center IP; Requiredfor book jacket vendors
RSS Feeds	63200	X	X
Sierra Dashboard App, Sierra Desktop App	64000		X	Recommended		Requiredfor book jacket vendors
Sierra Data Server	64001		X	Recommended
SSL Sierra Desktop App Available beginning with Sierra 4.1	64100		X	Recommended

Database Server (DB Server)

Product (Protocol)	Port Number(s)	Staff/ Partners (Internal)	Innovative (External)	Sierra Application Server	Other (External)
SSHD	22	X (for staff who access the 'Admin Corner')	X	X
Outbound UDP Connection (Network Time Protocol)	123				X
PostgreSQL [All products including Research Pro]	1032	X (staff who need direct SQL access)	Recommended	X
Advanced Keyword Searching Engine	62800		Recommended	X
Advanced Keyword Searching Engine	62900		Recommended	X
HTTP	63000		Recommended	X
HTTPS	63100		Recommended	X
Mail (SMTP, outbound)	25	X	X

Keywords

Sierra Firewall Access local Ports SDA

Sierra Access through Local Firewalls

Solution

Application Server (App Server)

Database Server (DB Server)

Keywords

Did this help?