...
- All network connections make use of HTTP
- Connections from a user browser to the JOC Cockpit
- Connections from the PowerShell CLI to the JOC Cockpit REST Web Service
- Connections from the JOC Cockpit REST Web Service to the JobScheduler Master
- Connections from the JobScheduler Master to Agents
- Port Usage
- The JOC Cockpit can be accessed at port 4446
- The JOC Cockpit REST Web Service can be accessed at port 4446
- The JobScheduler Master uses the following ports:
- Access to the JobScheduler Master Web Service at port 40444
- Access to the JobScheduler Master via TCP at port 4444
- Access to the JobScheduler Master via UDP at port 4444
- The TCP port 4444 and HTTP port 40444 enable access to the "classic" JOC GUI that ships without authentication and authorization.
- The JobScheduler Agent listens to port 4445
- Network Interface Usage
- By default JobScheduler components will listen to the above mentioned ports on all available network interfaces.
- Firewall Settings
- Open ports in your firewall exclusively for the hosts, protocols and ports as specified above. Consider allowing connections only for the directions indicated in the diagram above.
...
- Configure network connections to use HTTPS
- The use of HTTPS includes users providing valid certificates for the hosts that JobScheduler components are operated for. The use of self-signed certificates is a no-go.
- As HTTPS is restricted to secure the connection, in addition authentication is added to the configuration, e.g. when using HTTPS then a JobScheduler Master is configured to authenticate with an Agent in order to guarantee that the Master is what it claims to be and is entitled to access an Agent.
- For detailed instructions on the configuration see:
- JOC Cockpit - HTTPS Authentication explains HTTPS configuration for the JOC Cockpit and connection to the JobScheduler Master.
- JobScheduler Universal Agent - HTTPS Agent and Master Authentication
- Close Drop the JobScheduler Master UDP / TCP port:
- This port is not required for standard operation with releases starting from 1.11.
- This port is required for previous releases that include the "classic" JOC GUI running in the JobScheduler Master.
- Access to this port can be restricted with the
<allowed_host>setting in./config/scheduler.xml
- Access to this port can be restricted with the
- This port is required for all releases if a JobScheduler Supervisor is used.
- Restrict use of network interfaces
- Consider restricting JobScheduler components to only listen to specific network interfaces.
- The JobScheduler Master can be configured by use of the
http_portandhttps_portattributes in the./config/scheduler.xmlconfiguration file. - Configure the JobScheduler Universal Agent to use the
SCHEDULER_HTTP_PORTandSCHEDULER_HTTPS_PORTenvironment variables in the JobScheduler Agent instance script.
...