Main Firewall

You will need a router (with DMZ and VLAN and SPI capability) and two subnets are required within the office to implement PCI compliance. These can be reasonably priced such as the easily configurable SG-2440 pfSense router (approx $500 in 2015 prices) which has a lot of features. Please check if you are a not for profit organization as they have full cisco routers that you may be eligible to purchase at a discount.

We only recommend a router/firewall that has the ability to isolate the apache computer (i.e. designate an ip address for the DMZ).

Your firewall need to restrict connections between untrusted networks and any system components in the card holder environment PCI requirement 1.2.
  • Routers be a dedicated device, preferably a hardware router. If it is a software router such as one built on linux, then it must only be used only for this purpose and contain no other services.
  • It should be configured to shut down all incoming and outgoing ports except those required for business as per the following:

When you need to set up firewalls on computers, the built in firewall on windows is very flexible. On macOS, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the macOS PF Firewall.

Firewall/Router Rules

The main router/firewall is protection from the outside world. If the router has DMZ capability, please set up the DMZ IP address to have the same subnet range as the office LAN. This will make it easier to scale up web listeners that talk to the Web Server.

This diagram identifies which traffic is required for Theatre Manager to work in the card holder environment per PCI requirement 1.2.1

Any traffic not required should be denied - and the router should be set to 'deny all' unless explicit permission is given.

All traffic is TLS 1.2 or better, including to and from:
  • database and internal workstations
  • patrons using internet browsers and NGINX
  • NGINX and web listeners
  • Web Listeners and database
  • credit card providers

In the example below, we'll refer to IP addresses

  • in the office VLAN as 192.168.1.x
  • in VLAN2 (containing wireless devices and/or machines not subject to PCI) as 192.168.2.x
  • and use as the inside address of the DMZ where the Web Server resides, protected on both sides by firewall rules. The outside IP address (internet) also authenticated and verified using an TLS Certificate.

  • The lighter red arrows on the diagram represent places where you could place restrictive rules from specific machines to specific machines. Those rules are outlined in the table below the diagram.
  • The number in the first column of the table refers to the same number on the diagram to give an idea what kind of rules are required for each component. If you combine some services on to the same machine, you will need to aggregate the rules.
  • All ports in the table are TCP
  • Rules are for INITIATED connections (outbound connections). Meaning a machine starts the connection.
  • If an inbound message occurs on an approved port, then ANY port can be used for outgoing response. (i.e. do not block responses to approved inbound messages.

    For example: Item #1, the postgres server, only needs port 5432 incoming to that device. You would turn on the personal firewall on the machine so that it only opens that port.

If you prefer to view the firewall rules from the perspective of specific ports, please refer to ports used by Theatre Manager

Item Machine and Purpose Subject to PCI Virus S/W Inbound Port Rules Outbound Port Rules
1 PostgreSQL server


depends no*
  • 5432 from any 192.168.1.x (note: traffic to DB will be using TLS 1.2)
  • all to 192.168.1.x
  • 37 to NTP server
2 Remote Box Office via VPN
(or terminal server)
yes yes*
  • as needed from internet
  • all to internet
  • 5432 to (Postgres Server)
3 Web Services (TM Listener) yes no*
  • 443 from (NGINX server)
  • 8111 from other TM listeners if they exist
  • any from (Postgres server)
  • any to (NGINX web server)
  • 5432 to (Postgres)
  • 53 for DNS, MX lookup
  • 37 to NTP server
  • 443 to
    • and
  • 80 to
  • 25 (or 465 or 587) to SMTP server (as required)
  • 110 to pop server for Facility Mgt
  • 443 outgoing to credit card provider
  • 443 outgoing to if using a P400 EMV device from Moneris
4 Box Office Workstations yes yes*
  • all from 192.168.1.x
  • 80, 443, 8111 to (web server)
  • 5432 to (postgres)
  • 53 for DNS, MX lookup
  • 37 to NTP server
  • 443 to
    • and
  • 80 to
  • 80 to
  • 80 to
  • 443 outgoing to credit card provider
  • 443 outgoing to if using a P400 EMV device from Moneris
5 Ticket Printer no n/a
  • 10001 from 192.168.1.x (or whatever port the printer is set on
  • all to 192.168.1.x
6 Web Server (NGINX) yes yes*
  • 80, 443 from internet
  • port 443 to (Web Services TM Listener)
7 Outside of Firewall no n/a
  • 80,443 from internet
  • xxxx from internet or Term Services
  • forward 80,443 to (NGINX Web Server - which automatically escalates to 443 using TLS 1.2 or later)
  • forward xxxx to (Term Server)
8 Internal Wireless Router no n/a
  • all from
  • specific to as required
9 Venue Lan computers not handling credit cards
no yes
  • all from
  • as needed to
10 wireless ticket scanners no n/a  
  • Ticket scanning occurs through the internet via and port 443. Open ports to allow scanning traffic to the outside of the router

Ports used by Theatre Manager

The table below describes which ports various components in Theatre Manager uses. With few exceptions, it is possible to change the ports that are being used if you wish. The only ports that should not (or cannot) be changed are:
  • ports 80 & 443 externally for web sales.
  • Outgoing port 443 for credit card authorizations
  • port 37 for a time server
  • port 53 for MX record lookup via a DNS server

If you prefer to view the firewall rules from the perspective of specific machines, please refer to ports used by each machine

Port Meaning Use Security Note
25 (or 465 or 587) SMTP Outgoing TM Server uses this for email for web sales, eblasts and meeting scheduling. note: Workstations do not send emails and do not require access to SMTP server.

Alternate SMTP ports can be used as TM supports (startTLS and other security)

You may wish to place a small SMTP server (like Exchange) within your network so that TM talks to it and allow it to relay to the internet. This also controls outgoing access.

37 NTP Time Server Outgoing OSX and Windows machines use this to syncronize clocks. All machines should be able to synchronize with an NTP server so that transactions and audit logs are accurately recorded when the happen per PCI 10.4 compliance
53 DNS and MX lookup. Outgoing This is used to verify email and web domains during the data entry process to improve data quality
80 HTTP Incoming and Outgoing Incoming is only required to the Web server.

Outgoing for workstations to communicate to:

  • teamviewer
Teamviewer can go out on ports 80 and/or 5938
443 HTTPS Incoming and Outgoing Incoming is required for web sales.

Outgoing is required for TM Server and TM Workstations for

  • Credit Card Authorization
  • for autoupdates
  • TM Server for REST API access if enabled
110 (or 993) POP3 Outgoing Facility Management module only: TM has a scheduling function that lets users set up calendar event and send the invitations to users, patrons and volunteers.

The port is used by TM workstation and Server, and only email with valid outlook or iCal attachements are read. All others are discarded. No user checks this email address.

Theatre Manager supports alternate POP3 ports if you prefer.

5000 Web Services Internal The Web Server load balancer communicates to Theatre Manager Web Services on port 5000
8111 Web Template Server Internal This internal port on the web server is a Virtual host used by web services to obtain the custom web page templates from the htdocs folder for merging. It is also used by workstations to obtain web page templates used to send double out-in confirmations as per CASL (Canada's Anti Spam Law).
8201 Cache Server Internal This internal port is used for caching data shared between web service processes.
5432 Postgres Internal This is the standard port for the Postgres database server and is only used within the LAN. Postgres's pg_hba.conf configuration file specifies the IP address ranges (or specfic IP's) that can communicate with the database server. If a machine is not permitted to talk, postgres will does not respond.

Traffic from workstations to Postgres is via TLS 1.2

10001 Ticket Printer Internal Workstations send a string of characters to print a ticket. The printer responds with status requests as need be.

No outside machine needs access to a ticket printer.

xxxx Terminal Server & Remote Access Incoming A secure connection from the remote box office to the firewall is recommended for security purposes. RDC and Terminal Services establish secure connections. VPN is additional security.

PostgreSQL Server

Postgres listens on 5432 by default (see firewall rules for postgres).

Only this port needs to be open on this server. All other inbound ports can be closed in the operating system. The port can be changed by editing the Postgresql.conf file, or during the install.

Misc Recommendations

  • File and email services for the network must be placed on a separate machine from the database server.
  • Turn off windows auto updater. Instead, perform regular maintenance at a time of your choosing (every second Monday for example, more often if the news reports critical viruses) to download and install updates. For 24/7 web sales service, it is important that the Postgresql server run constantly and only be updated at a time of your choosing.
  • On OSX, turn off Software Update and run regular maintenance every second week, similar to Windows Environment. There is far less risk on unix based systems for virus attack vectors.

Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and file servers. PCI requirement 5.1

Since postgres is implemented on a stand alone machine (per PCI requirement 2.2.1), we recommend that you DO NOT install virus software on the PostgreSQL Server. If you must, then do it under very controlled circumstances..

Never allow the virus scanner to scan the actual postgres database directories for traffic because virus scanners severely affect performance when many files are changed rapidly (as in a stand alone database server).

If you absolutely must scan all files, scan the database folder at very off peak hours.

TM Listener - Web Services

The ports that need to be opened for web services depends on which you are using for load balancing

In all cases, you specify the ports to talk to listeners within the TM Director interface.


Simple Setup for Load Balancing

In the simple setup situation, you just need to open port 5000 to each TM listener. When any message is received by the second gen listener externally on port 5000, it load balances internally on ports local to the machine (5001-5010, 5111, 5201-5210).

Each second generation listener machine needs to be able to talk to the designated TM Web Listener machine to retrieve web pages.


Custom Setup for Load Balancing

In the custom setup, the web processes can listen on

  • Second Generation Listener:
    • port 5000 (like the simple setup for load balancing) -or-
    • ports 5001-500x where you specify the load balancing on the TM Web server for high performance throughput -or-

Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and servers PCI requirement 5.1

You can install anti virus software on the TM Server - but may need to exclude the TheatreManagerServer program directory and all traffic to port 5432 on the postgres server. Since the web services run as a service, there is limited need to log into the machine. It should not be used for any other purpose and listens only to the API's from the TM server, so you may only need periodic file scanning at night if you do not join a domain and/or limit people who can access it.