Windows Server 2003 Service Pack 1

  

Microsoft® Windows® Server™ 2003 Service Pack 1 (SP1) introduced some security changes that affect how the server interacts with network connections. For example, SP1 provides the Windows Firewall.

Note: The Windows Server 2003 SP1 security changes are also included in later Windows Server 2003 service packs (for example, SP2) and in Windows Server 2003 R2. The SP1 considerations listed below also apply to Windows servers with that software installed.

The IBM i integration support for Windows uses a private point-to-point (PTP) virtual Ethernet LAN between IBM i and Windows to perform integration functions such as user enrollment, file-level backup, serviceability, and remote command. The security changes introduced by SP1 affect these integration functions.

When using SP1 on an integrated Windows server, ensure the following requirements are met in order for the IBM i integration functions to work correctly:

  1. Install required V5R3 PTFs for iSeries™ Integration for Windows Server (5722-WSV).
  2. Configure Windows Firewall to allow the IBM i integration support to communicate over the private PTP virtual Ethernet LAN.
  
Install required V5R3 PTFs
 

Note: If you are not using IBM i V5R3, then you can skip this section.

Install the required iSeries Integration for Windows Server (5722-WSV) PTFs listed below before installing SP1 on any new integrated Windows servers or upgrading to SP1 on any existing integrated Windows servers.

  • Install iSeries Integration for Windows Server service pack PTF  SI18265 or a later superseding PTF on IBM i.
  • If you have existing integrated Windows servers, then after installing this service pack PTF on IBM i you need to install this service pack on each integrated Windows server before upgrading to SP1 on those servers.

Symptoms that will occur if SP1 is installed on an integrated Windows server before installing the above PTFs on the server:
  • The Service level information for the iSeries Integration for Windows Server code on the integrated Windows server is not updated properly. For example, when installing a new service pack PTF for the iSeries Integration for Windows Server code on IBM i, the new service pack PTF number will not be shown as available to install from the IBM® iSeries Integration for Windows Server Service snap-in on the Windows console.
  • When additional virtual Ethernets are configured for the Windows server in IBM i, they are not configured automatically on Windows.
  • New installs of Windows Server™ 2003 with SP1 slipstreamed onto the installation media will have incomplete registry information, which will cause some corruption of the IBM iSeries Integration for Windows Server Service snap-in.

Recovery is required if SP1 is installed on an integrated Windows server before installing the above PTFs on the server:
  1. Verify the required PTF is loaded and applied on IBM i.
  2. Ensure the NetServer guest user profile is configured and enabled, or ensure the user performing the following steps is enrolled to the server from the same IBM i logical partition that the server is managed from.
  3. On the Windows console, log in as administrator or log in using an enrolled user profile that has local administrative rights (a member of the Administrators group) on the Windows server.
  4. On the Windows console, select Start, then Run.
  5. On the Run dialog, type lvllogin.exe and press OK.
  6. When prompted, synchronize the server. If a service prompt does not appear within 30 seconds after running lvllogin.exe, go ahead and update the server manually via the IBM iSeries Integration for Windows Server Service snap-in.
 
  
Configure Windows Firewall
 

Windows Server 2003 Service Pack 1 includes a software firewall called Windows Firewall. This feature is not installed by default, but the customer can turn it on after applying Service Pack 1 to the server. If enabled, its default configuration blocks all incoming connections on all network interfaces on the server. Leaving the firewall in this configuration prevents essential IBM i integration services (such as user enrollment, file-level backup, serviceability, and remote command) from connecting to IBM i.

If the Windows Firewall is used, it must be disabled for the entire Virtual Ethernet PTP interface.

Note: Because only two systems are connected to the Virtual Ethernet PTP LAN (the IBM i logical partition and the Windows server), it is inherently secure by design. The Virtual Ethernet PTP LAN should not be bridged or routed to other LANs, so no traffic other than that of the IBM i integration functions flows on this LAN.

Here is a link to the Microsoft web site that describes how to disable the firewall for a specific interface/connection: Turn Windows Firewall On or Off for a Specific Connection

Here is a link to the Microsoft web site that describes the Windows Firewall in general: Windows Firewall Operations Guide
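
The per-connection setting described above can also be applied from a command prompt with the `netsh firewall` context that ships with Windows Firewall in SP1. The following script is an added example, not part of the original IBM page. It takes the connection name as its argument; that name is an assumption you supply, namely whatever Network Connections shows for the PTP virtual Ethernet adapter on your server.

```bat
@echo off
rem Added example: turn Windows Firewall off on ONE connection only (the
rem private PTP virtual Ethernet), leaving all other connections as they are.
rem Usage:  ptpfw.cmd "connection name as shown in Network Connections"
setlocal

rem The connection name is supplied by the operator; nothing is hard-coded.
set "PTP_CONN=%~1"
if "%PTP_CONN%"=="" (
    echo Usage: %~nx0 "PTP virtual Ethernet connection name"
    exit /b 2
)

rem Refuse to continue if no connection with that name exists, so a typo
rem cannot silently leave the integration functions blocked.
netsh interface show interface | find /i "%PTP_CONN%" >nul
if errorlevel 1 (
    echo Connection "%PTP_CONN%" not found - nothing changed.
    exit /b 1
)

rem Disable the firewall on that connection. No profile-wide option is used,
rem so the operational mode of every other connection is left untouched.
netsh firewall set opmode mode=DISABLE interface="%PTP_CONN%"

rem Print the resulting configuration for review: the PTP connection should
rem be the only one listed with the firewall disabled.
netsh firewall show opmode

endlocal
```

Review the `show opmode` output after running it: if any connection other than the PTP virtual Ethernet is reported as disabled, that setting predates this script and should be checked separately.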

 
 
 