Progress' position on the use of port scanners

Title: Progress' position on the use of port scanners
URL Name: P88724
Article Number: 000139492
Environment:
Product: Progress
Version: 9.x
Product: OpenEdge
Version: All supported versions
OS: All supported platforms
Other: Port Scan, Nmap, Qualys, Nessus, Netcat
Question/Problem Description
What is Progress' position on the use of port scanners?
Are port scanners acceptable for monitoring ports being used by Progress Server executables?
Is it okay to use port scanner packages with Progress?
Resolution
Progress Software does not recommend the use of port scanning software.

Port scanning software can send packets to a remote host as a TCP ping. These types of packets could cause Progress database servers to terminate. The Progress database server verifies each message it receives on the socket it is listening on. If that message does not contain the identifiers that confirm the expected origin of the message (a remote client), the server considers the socket unreliable and will close down the connection. Handling a port scanner gracefully is not viewed as a "security concern on our product", but rather a concern on our product's ability to work with other security products.

Port Scanning Product Enhancements:

We understand that port scanners are used to satisfy the vulnerability checks required by various compliance ordinances, where regulatory requirements, corporate policy and security best practices require vulnerability scanning to run periodically against all systems without exclusions. Leaving our (OpenEdge) ports unscanned, as a workaround for OpenEdge's limited ability to work with security products, is therefore becoming less of an option for preventing business interruption.

1. Upgrade to OpenEdge 11.5.1 or later

Enhancements specific to port-scanning software have been added to some Server products:

Enhancement PSC00319199; OpenEdge 11.5.1 / 11.6.0: the SQLSRV communication layers harden the Server against failing when unexpected messages are received.
Enhancement PSC00311786; OpenEdge 11.5.0: messages other than those received from an AppServer type connection are ignored.
Enhancement PSC00159897; 9.1E02, 10.0B02, 10.1A: for the database Broker.

These Product Enhancements are part of a larger rollout, delivered on a case-by-case basis as raised by customer demand. Until they have been implemented, Progress Software does not recommend the use of port scanning software.

2. Add OpenEdge Listening Ports to Port Scanner exclusions

Configure the required port ranges used by OpenEdge that are affected by site-specific port scanning requirements to be excluded in the port vulnerability scans. 

For example, refine the -minport -maxport range in use for the remote ABL servers and add it to the port scan exclusions, so that those processes, together with the clients connected to them, do not terminate unexpectedly. The same considerations that apply to firewall ports apply to the ports that need to be excluded from port scanning; for further information see Article:

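As an added example (not code from this article or from Progress), the following Python script turns a list of database broker startup lines into a consolidated exclusion list for a vulnerability scanner. It reads only the -S, -minport and -maxport parameters; the database paths, service names and port numbers in the sample lines are constructed for illustration and are not a real site's configuration. Brokers that give -S as a service name, or that omit -minport/-maxport, are reported as warnings rather than silently skipped, since those ports still need to be looked up before the exclusion list is considered complete.

```python
"""Build a port-scan exclusion list from OpenEdge broker startup parameters."""
import re
from typing import Dict, List, Tuple

# Constructed sample data, not taken from any real site. -S, -N, -minport and
# -maxport are OpenEdge broker startup parameters; the database paths, service
# name and port numbers below are invented for this example.
SAMPLE_BROKER_STARTUPS = [
    "proserve /db/sports -S 20931 -N tcp -minport 3000 -maxport 3100",
    "proserve /db/orders -S 20932 -N tcp -minport 3101 -maxport 3150",
    "proserve /db/hr -S 20933 -N tcp",                                     # no explicit range
    "proserve /db/legacy -S sportsdb -N tcp -minport 4000 -maxport 4010",  # -S by service name
]

_PARAM_RE = re.compile(r"-(S|minport|maxport)\s+(\S+)")


def parse_startup(cmdline: str) -> Dict[str, str]:
    """Return the -S, -minport and -maxport values present on a startup line."""
    return {name: value for name, value in _PARAM_RE.findall(cmdline)}


def _port(value: str) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def broker_ranges(cmdline: str) -> Tuple[List[Tuple[int, int]], List[str]]:
    """Ports a broker is known to listen on, plus warnings needing manual follow-up."""
    params = parse_startup(cmdline)
    ranges: List[Tuple[int, int]] = []
    warnings: List[str] = []
    svc = params.get("S")
    if svc is None:
        warnings.append(f"no -S parameter: {cmdline}")
    elif svc.isdigit():
        port = _port(svc)
        ranges.append((port, port))
    else:
        warnings.append(f"-S {svc} is a service name; resolve it via the services file")
    if "minport" in params or "maxport" in params:
        if not ("minport" in params and "maxport" in params):
            raise ValueError(f"-minport and -maxport must be given together: {cmdline}")
        lo, hi = _port(params["minport"]), _port(params["maxport"])
        if lo > hi:
            raise ValueError(f"-minport {lo} exceeds -maxport {hi}: {cmdline}")
        ranges.append((lo, hi))
    else:
        warnings.append(f"no explicit -minport/-maxport, platform default applies: {cmdline}")
    return ranges, warnings


def merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Collapse overlapping or adjacent ranges so the exclusion list stays short."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def exclusion_list(cmdlines: List[str]) -> Tuple[str, List[str]]:
    """Return a comma-separated port list (e.g. 3000-3150,20931) and collected warnings."""
    all_ranges: List[Tuple[int, int]] = []
    all_warnings: List[str] = []
    for line in cmdlines:
        ranges, warnings = broker_ranges(line)
        all_ranges.extend(ranges)
        all_warnings.extend(warnings)
    text = ",".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in merge_ranges(all_ranges))
    return text, all_warnings


if __name__ == "__main__":
    ports, notes = exclusion_list(SAMPLE_BROKER_STARTUPS)
    print("exclude from scanning:", ports)
    for note in notes:
        print("WARNING:", note)
```

The comma-separated, hyphenated form produced here is the one Nmap accepts for its --exclude-ports option; Nessus and Qualys take the same information through their own policy or asset settings. The warnings matter more than the list: a broker whose -S is a service name, or whose remote-server range comes from the platform default, still has listening ports that must be excluded, and the script deliberately refuses to guess them.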
3. Contact your Progress Account Manager

Discuss site-specific compliance ordinances where port scan requirements form part of the Vulnerability Management strategy, and specifically the concerns raised when OpenEdge Server Product ports are excluded from port scanning. Up-vote and comment on the existing Enhancement request submitted as an Idea on the Progress Community to raise the priority of this Enhancement. To promote the Idea, click on this link and log in with your credentials:

https://community.progress.com/community_groups/products_enhancements/i/openedge/allow_port_scanning.aspx
Last Modified Date: 3/11/2025 2:11 AM