Setting Up a Firewall in Magic xpa (Magic xpa 3.x)

« Go Back


Created ByKnowledge Migration User
Approval Process StatusPublished

Setting Up a Firewall in Magic xpa (Magic xpa 3.x)

In a common architecture of a Magic xpa/Web application, the Magic internet requester will be loaded by the Web server and the Magic broker/enterprise servers will be located on a different machine (or machines). If there is a firewall between the Web server machine and the LAN, the following ports will be used by the Magic xpa modules:


The port defined for the broker in the Mgrb.ini (N).

Port N+1 (5116 using default broker settings) is also used by the broker but it is internally used and there is no need to open it in the firewall. This port is not used for communication between the Magic xpa modules.

Enterprise Servers

Each enterprise server (Magic Runtime engine) uses one port and this port will be used for direct communication between the requester and the server. The port number is a number from the range of TCP/IP ports defined in the Communication repository in Magic xpa.

Under Settings>Communications>Parameters: Define here the range of ports that the Magic xpa engines may use. It is best to allow a range of ports that is equal to the number of enterprise servers used by the application. For example, for 5 enterprise servers, set the range to: 1500-1505.

This range of ports should then be opened in the firewall for both directions between the Web server machine and the enterprise server's machine (the machine that runs the Runtime engines).


UDP Ports 137 and 138 (NBT Ports) should be opened between the Web server's machine and the enterprise server's machine to allow the resolving of Network addresses. This is required to enable the requester to connect directly to an enterprise server after receiving its address from the broker.

Note: In a typical scenario, if all ports are not opened as described in this topic, the broker will receive the request from the requester, will assign a Magic xpa engine for this request, flag it as "Executing Request" and send the engine's address back to the requester. Then, when the requester attempts to communicate with the engine, it will fail due to the firewall. After a short while, all enterprise servers will become "Executing Request".