DOCUMENT:Q276476 11-JUN-2002 [sna] TITLE :TN3270 Cannot Restrict Access Through Ports for Specific Request PRODUCT :Microsoft SNA Server PROD/VER::3.0 (all SP),4.0,4.0 SP1,4.0 SP2,4.0 SP3 OPER/SYS: KEYWORDS:kbDSupport kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft SNA Server, versions 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3 ------------------------------------------------------------------------------- IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base: Q256986 Description of the Microsoft Windows Registry SUMMARY ======= The TN3270 service that is included with SNA Server allows each TN3270 logical unit (LU) and/or Pool to be configured to listen over specific Transfer Control Protocol/Internet Protocol (TCP/IP) ports. This makes it possible to restrict access to TN3270 LUs/Pools through ports, in addition to using TCP/IP address and workstation names. However, the use of specific ports for TN3270 LUs/Pools is only checked/enforced for "generic" session requests. A generic session request is a session request for a TN3270 LU/Pool that does not explicitly specify the name of the requested TN3270 LU/Pool. If the TN3270 client sends a "specific" session request, the client can access the requested TN3270 LU/Pool even if the client is configured to use a different port than the LU/Pool, as long as the TN3270 LU/Pool name is specified correctly. A specific session request is one that explicitly specifies the name of a TN3270 LU/Pool. The TN3270 service is not designed to validate TCP/IP ports for specific TN3270 session requests. For additional information about the latest service pack for SNA Server 4.0, click the article number below to view the article in the Microsoft Knowledge Base: Q215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack MORE INFORMATION ================ WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. When the TN3270 service receives a session request, it first determines whether the request is generic (no device name specified) or specific (device name specified). If the request is generic, the TN3270 service checks the port number and then it checks for TCP/IP address and/or host name restrictions. If the request is specific, it reads and validates the device name. After the device name is validated, the TN3270 service checks for TCP/IP address and/or host name restrictions. The TN3270 service never checks for any port restrictions for these specific requests. After you apply the update, the TN3270 service enforces port-based restrictions for specific session requests by adding the following registry entry: 1. Start Registry Editor (Regedt32.exe). 2. Locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TN3270\Parameters NOTE: The above registry key is one path; it has been wrapped for readability. 3. On the Edit menu, click Add Value, and then add the following registry value: Value Name: RestrictLUAAccessByPort Data Type: REG_SZ Value: YES 4. Quit Registry Editor. If the RestrictLUAAccessByPort value is set to YES, the TN3270 service only allows access to a TN3270 LU/Pool for specific session requests if the TN3270 client specifies the device name (that is, TN3270 LU/Pool name) and is configured to use the same port as the requested TN3270 LU/Pool. If this registry entry is not defined (or is defined with any value other than YES), the default behavior remains the same as it was prior to making the change, such that ports are not validated for specific session requests. Additional query words: Tn3servr sp ====================================================================== Keywords : kbDSupport kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 kbsna400sp3 Technology : kbAudDeveloper kbSNAServSearch kbSNAServ400 kbSNAServ300SP3 kbSNAServ300SP1 kbSNAServ400SP1 kbSNAServ400SP2 kbSNAServ400SP3 kbSNAServ300SP2 kbSNAServ300SP4 Version : :3.0 (all SP),4.0,4.0 SP1,4.0 SP2,4.0 SP3 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.