Opening Network Ports for Clients

The Yellowbrick client applications (ybtools) run on customer computers and need to communicate with the Yellowbrick appliance in order to send or receive data, using the customer's existing network infrastructure. The appliance is usually installed in a server room or a data center, while the clients run on desktop machines throughout the company or on other servers that may or may not be in the same physical location as the appliance.

The network infrastructure is usually protected by firewalls (and/or Layer 3 switches) that filter traffic, mainly for security or performance reasons. These firewalls are typically configured to allow access only to critical services, such as web servers, mail servers, and existing databases. Therefore you will need to open up access to Yellowbrick traffic through specific ports. If you don't make these firewall changes, you are likely to see the following errors or other "could not connect" errors:
  • Connection Refused: the firewall rejected the traffic and sent a response to the client indicating that it was rejected.
  • Connection Timeout: the firewall dropped the traffic without sending a response to the client.
For example, if database port 5432 is not open, ybsql returns the following error:
$ ybsql -h premdb yellowbrick
ybsql: could not connect to server: No such file or directory
	Is the server running locally and accepting
	connections on Unix domain socket "/tmp/.s.PGSQL.5432"?

Port Numbers

Yellowbrick client tools communicate with the appliance by specifying both a hostname (or IP address) and a port. The reserved ports are as follows:
  • 5432: normal database port (used by all clients)
  • 11111: control port, unsecured HTTP (used by ybload, ybunload, ybbackup, ybrestore)
  • 11112: control port, secured HTTPS (used by ybload, ybunload, ybbackup, ybrestore when SSL-only mode is in effect or the --secured option is specified via one of the Yellowbrick client tools)

    When SSL-only mode is used for client connections, both 11111 and 11112 need to be open. Connections may be automatically redirected from 11111 to 11112.

  • 31000-32000: ports for sending and receiving data (used by ybload, ybunload, ybbackup, ybrestore, and so on)

Configure the network firewall to allow traffic from the client computer to the appliance on these ports (for example, by opening up the ports using source and destination filters in routing tables). The corporate IT staff should be familiar with this process and should only need to be informed about the port requirements listed on this page. In most cases, a VPN should not be necessary to send Yellowbrick client traffic through corporate firewalls.