JBoss Port Configuration Overview
JBoss comes with many socket based services that open listening ports. In this section we list the services that open ports that might need to be configured to work when accessing JBoss behind a firewall. The following table, shows the ports, socket type, associated service and link to the service configuration for the services in the default configuration file set.
| Port | Type | Service Descriptor | Service Name | Attribute Name |
| 1098 | TCP | conf/jboss-service.xml | jboss:service=Naming | RmiPort |
| 1099 | TCP | conf/jboss-service.xml | jboss:service=Naming | Port |
| 4444 | TCP | conf/jboss-service.xml | jboss:service=invoker,type=jrmp | RMIObjectPort |
| 4445 | TCP | conf/jboss-service.xml | jboss:service=invoker,type=pooled | ServerBindPort? |
| 8083 | TCP | conf/jboss-service.xml | jboss:service=WebService | Port |
| 8009 | TCP | deploy/jbossweb-tomcat55.sar/server.xml | Connector port | port on AJP Connector |
| 8080 | TCP | deploy/jbossweb-tomcat55.sar/server.xml | Connector port | port on HTTP Connector |
| 8093 | TCP | deploy/jms/uil2-service.xml | jboss.mq:service=InvocationLayer?,type=UIL2 | ServerBindPort? |
| 0(a) | TCP | deploy/jms/rmi-il-service.xml | jboss.mq:service=InvocationLayer?,type=RMI | NONE |
| 0(b) | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent?,service=snmp,type=adaptor | NONE |
(a) This service binds to an anonymous TCP port and does not support configuration of the port or bind interface. Remove the rmi-il-service.xml to disable it NOTE: this RMI invoker service is deprecated since the beginning of 2005 (b) This service binds to an anonymous UDP port and does not support configuration of the port or bind interface. Remove the snmp-adaptor.sar to disable it
Additional ports found in the all configuration:
| Port | Type | Service Descriptor | Service Name | Attribute Name |
| 1100 | TCP | deploy/cluster-service.xml | jboss:service=HAJNDI | Port |
| 1101 | TCP | deploy/cluster-service.xml | jboss:service=HAJNDI | RmiPort |
| 1102 | UDP | deploy/cluster-service.xml | jboss:service=HAJNDI | AutoDiscoveryGroup |
| 1161 | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent?,service=snmp,type=adaptor | Port |
| 1162 | UDP | deploy/snmp-adaptor.sar/META-INF/jboss-service.xml | jboss.jmx:name=SnmpAgent?,service=trapd,type=logger | Port |
| 3873 | TCP | deploy/ejb3.deployer/META-INF/jboss-service.xml | jboss.remoting:type=Connector,name=DefaultEjb3Connector?,handler=ejb3 | InvokerLocator? |
| 3528 | TCP | conf/jacorb.properties | OAPort | |
| 4447 | TCP | deploy/cluster-service.xml | jboss:service=invoker,type=jrmpha | RMIObjectPort |
One possible configuration for RMI through a firewall
NOTE: this was only tested in version 3.2.5 with java 1.4, but information in the forums indicate that this method has worked for several years. Search for NAT to find related information.
Open three ports through your firewall, one for the naming service, a second for the naming service RmiPort, and a third for the jrmp RMIObjectPort. These ports must be “fixed” on the system behind the firewall so that communications always happen on ports opened through the firewall. This is done in the jboss-service.xml file.
<mbean code="org.jboss.naming.NamingService"
name="jboss:service=Naming">
<!-- The listening port for the bootstrap JNP service. Set this to -1
to run the NamingService without the JNP invoker listening port.
-->
<attribute name="Port">1099</attribute>
<attribute name="RmiPort">1098</attribute>
</mbean>
and
<!-- RMI/JRMP invoker -->
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
name="jboss:service=invoker,type=jrmp">
<attribute name="RMIObjectPort">4444</attribute>
<!--
<attribute name="ServerAddress">${jboss.bind.address}</attribute>
<attribute name="RMIClientSocketFactory">custom</attribute>
<attribute name="RMIServerSocketFactory">custom</attribute>
<attribute name="SecurityDomain">ssl-domain-name</attribute>
-->
<depends>jboss:service=TransactionManager</depends>
</mbean>
Then, on the system behind the firewall, the following parameters need to be added to the java command line in the run.sh script to pass back the “correct” RMI information to the system outside of the firewall. “Correct” in this case means the hostname that the outside system refers to when addressing the system behind the firewall.
- Djava.rmi.server.hostname=<external_host_name>
- Djava.rmi.server.useLocalHostname=false
This solves the problem of the machine behind the firewall passing back it's local IP address that the machine outside the firewall cannot get to. NOTE: this assumes a pretty simple setup where everything outside the firewall references the machine behind the firewall with the same host name.
In more complex configurations, it may be necessicary for the system running behind the firewall to be able to resolve <external_host_name>.
In the client code, the provider URL should be set to “jnp://<external_host_name>:1099” when the initial context is created for the RMI access.
