Network ports. Dell PowerProtect Data Protection Software


A

Network ports

This appendix contains information about the network ports for the following components:

Topics:

Protection Software

Protection Storage

Data Protection Central

Search

Reporting & Analytics

Secure Remote Services

Remote server management (iDRAC)

Cloud DR

Protection Software

The following table lists the Protection Software port requirements.

Table 23. Port requirements

Port/Protocol

29000/TCP

Source

Utility node

Destination

Storage node

29000/TCP

30001/TCP

30001/TCP

30002/TCP

30002/TCP

30003/TCP

30003/TCP

Storage node

Utility node

Storage node

Storage node

Utility node

Storage node

Utility node

Protection Software server Protection Software client

Protection Software client Protection Software server

Utility node Storage node

Utility node

Description

Protection Software subsystem using

SSL

Protection Software subsystem using

SSL

MCS using SSL

MCS using SSL

Protection Software client using SSL

Protection Software client using SSL

MCS using SSL

MCS using SSL

For detailed information about ports, see the Port Requirements Appendix in the Dell EMC Avamar 19.4 Product Security Guide.

Utility node required inbound ports

The table in this section describes the inbound ports that must be open on a Protection Software utility node.

The following table describes the inbound ports that must be open on a Protection Software utility node. For every port listed in this table, the Protection Software utility node is the destination and the source is listed in the Source computer column.

NOTE: Protection Software 7.5.1 removes support for HTTP access to TCP ports 80 and 7580. Use the HTTPS ports 443 and 7543 to access these services instead.

82 Network ports

Table 24. Required inbound ports on the utility node

Port Protocol Service name

N/A ICMP

22

69

123

163

443

700

703

1234

ICMP

Types 3, 8, and 11

TCP

TCP

TCP/UDP

UDP

TCP

TCP/UDP

TCP

TCP

SSH

TFTP

NTP

SNMP

HTTPS protocol over

TLS/SSL

Login Manager

AKM service

Protection Software installation utility

HTTPS

Source computer

● Protection Software clients

● Other Protection

Software servers

● Protection Storage system

Additional information

Protection Software clients periodically ping the Protection

Software server to determine the best interface for communicating with the MCS. The

Protection Software server sends an ICMP response. Protection

Software servers also ping associated systems, such as replication destinations and Protection Storage.

Secure shell access.

● Administrator computers

● Other Protection

Software server nodes

Internal switch

NTP time servers

Protection Storage system

● Web browser clients

● Reverse proxy web server

● AvInstaller

● Protection Software

Downloader Service host

● Protection Software

Key Manager

Provides web browsers with HTTPS access to Protection Software services. A reverse proxy web server can be used to limit access to this port.

● Web browser clients

● Reverse proxy web server

Provides clock synchronization from network time protocol servers.

Getter/setter port for SNMP objects from a Protection

Storage system.

Required when storing

Protection Software client backups on a Protection Storage system.

Protection Software server nodes

Web browser clients

Used for key management.

Only open this port for installation of the Protection

Software. Only permit access from


Table 24. Required inbound ports on the utility node (continued)

Port

2888

5555

5568

5671

6667

7000

Protocol

TCP

TCP

TCP

TCP

TCP

TCP

Service name Source computer Additional information trusted administrator computers that are used during software installation.

NOTE: Close this port when installation of the Protection

Software is complete.

Protection

Software services do not listen on port 1234.

AVDTO

PostgreSQL administrator server

PostgreSQL

Protection Software

Extended Retention

Media Access Node

The firewall rules open this port when you install support for

Protection Software

Extended Retention.

● Clients running

Protection Software

Client Manager and Reporting and

Analytics

● PostgreSQL administrator client computers

This port is open by default. The section Securing the

Postgres firewall port in the Avamar Product

Security Guide provides more instructions to enable selective access.

Limit access to trusted administrator computers.

Protection Software

Extended Retention

Media Access Node

The firewall rules open this port when you install support for

Protection Software

Extended Retention.

Message Bus

Archive Service Event Protection Software

Extended Retention

Media Access Node

Apache Tomcat

● localhost

● Other Protection

Software utility nodes

● Protection Software

Extended Retention computers

● Backup and

Recovery Manager computers

Message Bus is a message broker that is used to enhance asynchronous interprocess communication.

Protection Software

Extended Retention

Media Access Node

The firewall rules open this port when you install support for

Protection Software

Extended Retention.

The firewall rules open this port when you install support for


Table 24. Required inbound ports on the utility node (continued)

Port Protocol Service name

7443

7543

7544

7778–7781

8105

8109

8181

8444

8505

TCP

HTTPS/SSL

TCP

TCP

TCP

TCP

TCP

TCP

TCP

Apache Tomcat

Update Manager

Update Manager

RMI

Apache Tomcat

Apache Tomcat

Apache Tomcat

Apache Tomcat

Apache Tomcat

Source computer

Protection Software

Extended Retention

Media Access Node

Web browser clients

Jetty socket clients

Protection Software

Administrator management console

Protection Software client computers

Protection Software client computers

Protection Software client computers

Web browser clients

Utility node or single-node server

Additional information

Protection Software

Extended Retention.

The firewall rules open this port when you install support for

Protection Software

Extended Retention.

Web browser clients use this port to create

HTTPS connections to

Protection Software

Installation Manager.

Limit access to trusted administrator computers.

Jetty socket clients use this port to send a shutdown signal to its Jetty web server. Limit access to trusted administrator computers.

Used for connections from the Protection

Software console.

Limit access to trusted administrator computers.

Used by Protection

Software Desktop/

Laptop.

Used by Protection

Software Desktop/

Laptop.

Connections from

Protection Software client computers and from AvInstaller hosts are redirected to this port.

Web browser connections from

Protection Software

Desktop/Laptop client computers are redirected to this port.

Protection Software

Desktop/Laptop uses this port to send a shutdown command to its Apache Tomcat server. Limit access to the utility node or single-node server.


Table 24. Required inbound ports on the utility node (continued)

Port

8580

9443

19000

19500

20000

20500

25000

25500

26000

26500

27000

27500

28001

Protocol

TCP

TCP

TCP/UDP

TCP/UDP

TCP/UDP

TCP/UDP

TCP/UDP

TCP/UDP

TCP/UDP

TCP/UDP

TCP

TCP

TCP

Service name

AvInstaller

Source computer

Web browser clients

Additional information

Used for connections from Protection

Software Downloader

Service computer, and for access to

AvInstaller from other web browser clients.

RMI - Protection

Software Management

Console web services

Protection Software subsystem (also known as GSAN)

Protection Software subsystem

Protection Software subsystem

Protection Software subsystem

Web browser clients

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem

Protection Software subsystem

Protection Software subsystem

Protection Software subsystem

Protection Software server

Protection Software server nodes

Protection Software subsystem communication.

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

● Protection Software client computers

● Protection Software server nodes

● Protection Software nodes acting as a replicator source

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication. This port is blocked by default for new

Protection Software installations. Open this port to allow unencrypted backups.

Protection Software server

● Protection Software server nodes

● Protection Software nodes acting as a replicator source

Protection Software subsystem communication.

● Protection Software server CLI

● MCS

● Avagent

● Protection Software client computers

● VMware proxy

● Replication source

● CLI commands from client computers.

● Avagent to MCS communication.


Table 24. Required inbound ports on the utility node (continued)

Port Protocol Service name

28002–28011

28009

28810-28819

29000

TCP

TCP

TCP

TCP avagent ddrmaint

Protection Software server SSL

Source computer

● Replication target

Additional information

● Bi-directional communication between avagent and MCS on the replication source Protection

Software server and the replication destination

Protection Software server to permit authentication key exchange.

Protection Software

Extended Retention

Media Access Node

VMware proxy localhost

● Protection Software client computers

● Protection Software server nodes

The firewall rules open this port when you install support for

Protection Software

Extended Retention.

Unsecure communication with

VMware proxy.

Internal use only for token-based authentication when connecting to

Protection Storage; only localhost can use it.

Protection Software subsystem communication.

30001 TCP

30002

30003

30102–30109

61617

TCP

TCP

TCP

TCP

MCS ● Protection Software client computers

● VMware proxy

● Protection Software server nodes

● 2-way secure socket communication.

● Avagent to MCS communication.

● MCS communication over

SSL.

avagent

MCS avagent

Apache ActiveMQ SSL

Protection Software client computers

● Protection Software client computers

● Protection Software server nodes

MCS communication over SSL.

VMware proxy

Protection Software

Extended Retention

Media Access Node

Client communication over SSL.

Secure communication with VMware proxy.

The firewall rules open this port when you install support for

Protection Software

Extended Retention.


Utility node optional inbound ports

This section describes the recommended, but optional, inbound ports for a Protection Software utility node.

The following table describes the recommended, but optional, inbound ports for a Protection Software utility node. For every port listed in this table, the Protection Software utility node is the destination and the source is listed in the Source computer column.

Table 25. Optional inbound ports on the utility node

| Port | Protocol | Service name | Source computer | Additional information |
|---|---|---|---|---|
| 514 | UDP | syslog | Utility node or single-node server | Protection Software server connects to this port to communicate events to syslog. |
| 8509 | TCP | Apache Tomcat | Utility node or single-node server | The Apache JServ Protocol (AJP) uses port 8509 to balance the work load for multiple instances of Tomcat. |

Utility node required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from a Protection Software utility node.

The following table describes the outbound ports that must be accessible to network packets that are sent from a Protection Software utility node. For each row, the utility node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 26. Required outbound ports for the utility node

Port

N/A

Protocol

ICMP

Types 3, 8, and 11

Destination computer

● Protection Software clients

● Other Protection Software servers

● Protection Storage system

Additional information

Protection Software clients periodically ping the

Protection Software server to determine the best interface for communicating with the MCS. The Protection

Software server sends an

ICMP response. Protection

Software servers also ping associated systems, such as replication destinations and

Protection Storage.

7 TCP Protection Storage system

23

25

53

TCP

TCP

TCP/UDP

Internal

Protection Software

Customer Support

DNS

Required to register a

Protection Storage system for storing Protection Software client backups.

Required for communication with internal switches and for firmware upgrades.

Required to allow

ConnectEMC to make an

SMTP connection with

Customer Support.

Required for name resolution and DNS zone transfers.


Table 26. Required outbound ports for the utility node (continued)

Port

88

111

123

161

389

Protocol

TCP/UDP

TCP/UDP

UDP

TCP/UDP

Destination computer

Key Distribution Center (KDC) Required for access to

Kerberos authentication system.

RPC port mapper service on the Protection Storage system

Only required when backups are stored on a Protection

Storage system. Access to

RPC and NFS port mapper functionality on a Protection

Storage system.

NTP time servers

SNMP service on the

Protection Storage system

LDAP

Additional information

VMware proxy nodes require the TCP connection to DNS.

Provides synchronization of system time from network time protocol servers.

Only required when backups are stored on a Protection

Storage system.

Provides access to directory services.

443 ● Hypervisor Platform API

● TCP

464

902

2049

2052

5671

5696

7443

TCP

TCP

TCP/UDP

TCP/UDP

TCP

TCP

TCP

● Hypervisor Manager

● Protection Software Key

Manager

Key Distribution Center (KDC) Required for access to the Kerberos Change/Set password.

Hypervisor server proxy service

NFS daemon on the

Protection Storage system

NFS mountd process on the

Protection Storage system

● localhost

● Other Protection Software utility nodes

● Protection Software

Extended Retention computers

● Backup and Recovery

Manager computers

Only required when backups are stored on a Protection

Storage system. Outbound communication must be open for both TCP and UDP protocols.

Message Bus messaging.

Message Bus is a message broker used to enhance asynchronous interprocess communication.

KMIP-compliant key management server

Only required when backups are stored on a Protection

Storage system.

Media Access node that hosts Protection Software

Extended Retention

Recommended port for AKM external key management operation.

Only required when using the Protection Software

Extended Retention feature.


Table 26. Required outbound ports for the utility node (continued)

Port

7444

7543

7544

7543

8080

8580

9443

Protocol

TCP

HTTPS/SSL

TCP

HTTPS

TCP

TCP

TCP

Destination computer

Hypervisor Manager

Update Manager

Update Manager

Additional information

For utility node configurations that also run the VMware

Backup Appliance this port is opened by an if/then clause in the firewall rules. Otherwise, this port is not required. Used to test Hypervisor Manager credentials.

Web browser clients use this port to create HTTPS connections to Protection Software

Installation Manager. Limit access to trusted administrator computers.

Jetty socket clients use this port to send a shutdown signal to its Jetty web server.

Limit access to trusted administrator computers.

Update Manager

NetWorker server

Computer running Protection

Software Downloader Service

Used for connections from the Protection

Software Downloader Service computer, and for access

Update Manager from other web browser clients.

For utility node configurations that also run the VMware

Backup Appliance this port is opened by an if/then clause in the firewall rules. Otherwise, this port is not required. Used to register with a NetWorker server.

Used to make requests for package downloads from the Protection

Software Downloader Service computer.

Managed Protection Software servers

Protection Software

Management Console web services use this outbound port for RMI communication via a dynamically assigned port on managed Protection

Software servers.

19000

19500

20000

20500

TCP/UDP

TCP/UDP

TCP/UDP

TCP/UDP

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.


Table 26. Required outbound ports for the utility node (continued)

Port

25000

25500

26000

26500

27000

28001

28009

28011

Protocol

TCP/UDP

TCP/UDP

TCP/UDP

TCP/UDP

TCP

TCP

TCP

TCP

Destination computer

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

Protection Software server nodes

Additional information

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.

Protection Software subsystem communication.

Replication source system and replication target system

Replication requires bidirectional access between the replication source

Protection Software server and the replication destination

Protection Software server to permit authentication key exchange.

VMware proxy

Protection Software

Extended Retention Media

Access Node

MCS access to proxy logs.

The firewall rules open this port when you install support for Protection Software

Extended Retention.

29000

30001

30002

30003

30002 - 30009

30102

61617

61619

TCP

TCP

TCP

TCP

TCP

TCP

TCP

TCP

Protection Software server nodes

Protection Software server nodes

Protection Software client computers

Protection Software server nodes

VMware proxy

Protection Software subsystem communication over SSL.

MCS communication over

SSL.

Communication with avagent.

MCS communication over

SSL.

Avagent paging port. Secured communication with VMware proxy.

VMware proxy

Media Access node that hosts Protection Software

Extended Retention

Avagent paging port. Secure communication with VMware proxy.

Only required when using the Protection Software

Extended Retention feature.

Computer running Backup and

Recovery Manager.

Required to permit communication with Backup and Recovery Manager.


Storage node required inbound ports

This section describes the inbound ports that must be open on each Protection Software storage node.

The following table describes the inbound ports that must be open on each Protection Software storage node. For every port listed in this table, the Protection Software storage node is the destination and the source is listed in the Source computer column.

Table 27. Required inbound ports on each storage node

| Port | Protocol | Service name | Source | Additional information |
|---|---|---|---|---|
| 22 | TCP | SSH | Administrator computers; Other Protection Software server nodes | Secure shell access. |
| 123 | TCP/UDP | NTP | NTP time servers; Protection Software utility node | Permits clock synchronization from network time protocol servers (exochronous) and from the utility node (isochronous). |
| 19000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 19500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 20000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 20500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 25000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 25500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 26000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 26500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 27000 | TCP | Protection Software server | Protection Software client computers; Protection Software nodes acting as a replicator source | Protection Software subsystem communication. This port is blocked by default for new installations. Open this port to allow unencrypted backups. |
| 29000 | TCP | Protection Software server SSL | Protection Software client computers; Protection Software server nodes | Protection Software subsystem communication. |
| 30001 | TCP | MCS SSL | Protection Software server nodes | MCS communication. |
| 30003 | TCP | MCS SSL | Protection Software server nodes | MCS communication. |

Storage node optional inbound ports

This section describes the recommended, but optional, inbound ports for a Protection Software storage node.

The following table describes the recommended, but optional, inbound ports for a Protection Software storage node. For every port listed in this table, the Protection Software storage node is the destination and the source is listed in the Source computer column.

Table 28. Optional inbound ports on the storage node

| Port | Protocol | Service name | Source computer | Additional information |
|---|---|---|---|---|
| 623 | UDP | IPMI | Remote management clients | Management clients connect to this port to issue IPMI commands to the node operating system and BMC. This port is independent of the remote RMC console ports described in the Remote management interface ports section of the Dell EMC Protection Software Product Security Guide. |

Storage node required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from each Protection Software storage node.

The following table describes the outbound ports that must be accessible to network packets that are sent from each Protection Software storage node. For each row, the storage node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 29. Required outbound ports for each storage node

| Port | Protocol | Destination | Additional information |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Required for name resolution and DNS zone transfers. TCP connection to DNS is required by VMware proxy nodes. |
| 123 | TCP/UDP | NTP time servers and the Protection Software utility node | Permits clock synchronization from network time protocol servers (exochronous) and from the utility node (isochronous). |
| 703 | TCP | Utility node | Permits access to the AKM service on the utility node. |
| 19000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 19500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 20000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 20500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 25000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 25500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 26000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 26500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 27000 | TCP | Protection Software server nodes | Protection Software subsystem communication. |
| 29000 | TCP | Protection Software server nodes | Protection Software subsystem communication over SSL. |
| 30001 | TCP | Protection Software server nodes | MCS communication over SSL. |
| 30003 | TCP | Protection Software server nodes | MCS communication over SSL. |

Protection Software client required inbound ports

This section describes the inbound ports that must be open on a Protection Software client.

The following table describes the inbound ports that must be open on a Protection Software client. For every port listed in this table, a Protection Software client is the destination and the source is listed in the Source computer column.

Table 30. Required inbound ports on a Protection Software client

| Port | Protocol | Service name | Source | Additional information |
|---|---|---|---|---|
| 28002 | TCP | avagent | Protection Software server | Provides management functionality from Protection Software Administrator. |
| 30001 | TCP | MCS | Protection Software utility node | 2-way secure socket |
| 30002 | TCP | avagent | Protection Software utility node | |


Protection Software client required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from a Protection Software client.

The following table describes the outbound ports that must be accessible to network packets that are sent from a Protection Software client. For each row, the Protection Software client is the source computer that must have outgoing access to the listed port on the listed destination computer.

NOTE: Protection Software 7.5.1 removes support for HTTP access to TCP port 80. Use the HTTPS port 443 to access these services instead.

Table 31. Required outbound ports for a Protection Software client

| Port | Protocol | Destination | Additional information |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Required for name resolution and DNS zone transfers. |
| 111 | TCP/UDP | Protection Storage system | Required for backing up clients to Protection Storage. |
| 123 | UDP | NTP time servers | Provides clock synchronization from network time protocol servers. |
| 443 | TCP | Protection Software server HTTPS service | Required to use the web browser UI of Protection Software Desktop/Laptop and the web browser UI of Protection Software Web Restore. |
| 2049 | TCP/UDP | Protection Storage system | Required for backing up clients to Protection Storage. |
| 2052 | TCP/UDP | Protection Storage system | Required for backing up clients to Protection Storage. |
| 3008 | TCP | Archive tier service on Protection Storage system | Only required when backups are stored on a Protection Storage system and archive tier is used. |
| 8105 | TCP | Protection Software server | Used by Protection Software Desktop/Laptop. |
| 8109 | TCP | Protection Software server | Used by Protection Software Desktop/Laptop. |
| 8181 | TCP | Protection Software server HTTP redirect port | Required to use the web browser UI of Protection Software Desktop/Laptop and the web browser UI of Protection Software Web Restore. |
| 8444 | TCP | Protection Software server HTTPS redirect port | Required to use the web browser UI of Protection Software Desktop/Laptop and the web browser UI of Protection Software Web Restore. |
| 27000 | TCP | Protection Software server | Protection Software subsystem communication. |
| 28001 | TCP | Protection Software server | CLI commands from client computers. |
| 29000 | TCP | Protection Software server | Protection Software subsystem communication. |
| 30001 | TCP | Protection Software utility node | MCS |
| 30003 | TCP | Protection Software utility node | MCS |

Protection Software Downloader Service host required inbound port

This section describes the inbound port that must be open on a Protection Software Downloader Service host.

The following table describes the inbound port that must be open on a Protection Software Downloader Service host. For the port listed in this table, a Protection Software Downloader Service host is the destination and the source is listed in the Source computer column.

Table 32. Required inbound port on a Protection Software Downloader Service host

| Port | Protocol | Service name | Source | Additional information |
|---|---|---|---|---|
| 8580 | TCP | Protection Software Downloader Service | Protection Software server | Protection Software server connects to this port to access the Protection Software Downloader Service. |

Protection Software Downloader Service host required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from a Protection Software Downloader Service host.

The following table describes the outbound ports that must be accessible to network packets that are sent from a Protection Software Downloader Service host. For each row, a Protection Software Downloader Service host is the source computer that must have outgoing access to the listed port on the listed destination computer.

NOTE: Protection Software 7.5.1 removes support for HTTP access to TCP port 80. Use the HTTPS port 443 to access these services instead.

Table 33. Required outbound ports for a Protection Software Downloader Service host

| Port | Protocol | Destination | Additional information |
|---|---|---|---|
| 21 | TCP | Protection Software FTP server | Provides the Protection Software Downloader Service with FTP access to updates, security rollup packages, hotfixes, and patches. |
| 53 | TCP/UDP | DNS | Required for name resolution and DNS zone transfers. |
| 123 | UDP | NTP time servers | Provides clock synchronization from network time protocol servers. |
| 443 | TCP | Protection Software server HTTPS service | Provides HTTPS access to the AvInstaller service. |


Required ports when using a Protection Storage system

The following table describes the general port requirements when a Protection Software system is deployed with a Protection Storage system as a storage target:

Table 34. Required ports when using a Protection Storage system

Port

7

22

111

161

163

2049

2052

Protocol

TCP

TCP

TCP/UDP

UDP

UDP

TCP/UDP

TCP/UDP

Source Destination Service

Utility node Protection Storage system ECHO

Utility node Protection Storage system SSH

Utility node Protection Storage system RPC port mapper service Access to RPC and NFS

Protection

Software client port mapper functionality on a Protection Storage system.

Utility node Protection Storage system SNMP

Secure shell communication with the Protection Storage system.

This is the getter/setter port for SNMP objects from a utility node.

none Protection

Storage system

Utility node SNMP

Utility node Protection Storage system NFS daemon none

Protection

Software client

Utility node

Protection Storage system NFS daemon

Protection Storage system NFS mountd process

Additional information

Required to register a

Protection Storage system for storing Protection

Software client backups.

Only required when backups are stored on a Protection Storage system.

Outbound communication must be open for both protocols: TCP and UDP.

3008 TCP

Protection

Software client

Protection Storage system NFS mountd process

Protection Storage system Archive tier service

Only required when backups are stored on a Protection Storage system.

Only required when archive tier is used.

3009 TCP

Protection

Software client

Protection

Software client

Protection Storage system Archive tier service Only required when archive tier is used in the

REST API.

NDMP accelerator node required inbound ports

This section describes the inbound ports that must be accessible to network packets that are sent to each Protection Software accelerator node.

The following table describes the inbound ports that must be accessible to network packets that are sent to each Protection Software accelerator node. For each row, the accelerator node is the destination and the source is listed in the Source computer column:


Table 35. Required inbound ports for each accelerator node

| Port | Protocol | Source | Additional information |
| --- | --- | --- | --- |
| 7543 | HTTP/SSL | Web browser clients | Web browser clients use this port to create HTTPS connections to Protection Software Installation Manager. Limit access to trusted administrator computers. |
| 28002-28202 | TCP | Protection Software client/agent | |
| 30002-30202 | TCP | Protection Software client/agent | |

NDMP accelerator node required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from each Protection Software accelerator node.

The following table describes the outbound ports that must be accessible to network packets that are sent from each Protection Software accelerator node. For each row, the accelerator node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 36. Required outbound ports for each accelerator node

Port Protocol Destination

7

25

TCP

TCP

Protection Storage system

Customer Support

111

443

2049

2052

3008

3009

8080

8580

9443

10000

28001

TCP/UDP

TCP

TCP/UDP

TCP/UDP

TCP

TCP

TCP

TCP

TCP

TCP

TCP

Additional information

Required for SMTP connections between

ConnectEMC and Customer

Support.

Protection Storage system

Customer Support LDLS communication with

Customer Support.

Protection Storage system

Protection Storage system

Protection Storage system

Protection Storage system

Isilon

Computer running Protection

Software Downloader Service

Required for Isilon platform

API access.

Used to make requests for package downloads from the Protection

Software Downloader Service computer.

RMI - Protection Software

Management Console web services

NAS filer Required for NDMP control messages.

Protection Software

Administrator management console


Table 36. Required outbound ports for each accelerator node (continued)

Port

30001

30003

Protocol

TCP

TCP

Destination

Protection Software

Administrator management console

Protection Software server nodes

Additional information

MCS communication over

SSL.

Remote management interface inbound ports

This section describes the inbound ports that should be open on the remote management interface of all Gen4T and Gen4S-based Protection Software nodes.

The following table describes the inbound ports that should be open on the remote management interface of all Gen4T-based Protection Software nodes. The actual ports that should be open depend on your network environment. For every port listed in this table, the remote management interface on the node is the destination and the source is listed in the Source computer column.

Table 37. Inbound ports for the remote management interface on all Gen4T-based nodes

| Port | Protocol | Service name | Source computer | Additional information |
| --- | --- | --- | --- | --- |
| 80 | TCP | HTTP | Administrator computers | HTTP access |
| 443 | TCP | HTTP protocol over TLS/SSL | Administrator computers | HTTPS access |
| 2068 | TCP | Virtual console and media redirection | Administrator computers | Virtual console keyboard/mouse, virtual media server, virtual media secure service, and virtual console video |

The following table describes the inbound ports that should be open on the remote management interface of all Gen4S-based Protection Software nodes. The actual ports that should be open depend on your network environment. For every port listed in this table, the remote management interface on the node is the destination and the source is listed in the Source computer column.

Table 38. Inbound ports for the remote management interface on all Gen4S-based nodes

| Port | Protocol | Service name | Source computer | Additional information |
| --- | --- | --- | --- | --- |
| 80 | TCP | HTTP | Administrator computers | HTTP access |
| 443 | TCP | HTTPS | Administrator computers | HTTPS access |
| 5120 | TCP | CDROM media redirection | Administrator computers | |
| 5123 | TCP | Floppy/USB media redirection | Administrator computers | |
| 7578 | TCP | Keyboard, video, mouse | Administrator computers | |

Gen4-based Protection Software nodes have reached end-of-life. Past releases of this guide provide further information about Gen4-based Protection Software nodes.

NOTE:


Ensure that the local network environment allows for the creation of these connections.

If using a private intranet, configure the setup of firewall and Network Address Translation (NAT) accordingly.

Ensure that you open the ports bi-directionally at the firewall level.

Remote management interface outbound ports

This section describes the outbound ports that should be accessible to network packets that are sent from the remote management interface on all Protection Software nodes.

The following table describes the outbound ports that should be accessible to network packets that are sent from the remote management interface on all Protection Software nodes. The actual ports that should be open depend on your network environment. By default, none of these outbound ports are configured to be in use. You must modify the configuration to use those protocols. For each row, the node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 39. Outbound ports for the remote management interface on all Protection Software nodes

| Port | Protocol | Destination computer | Additional information |
| --- | --- | --- | --- |
| 25 | TCP | Administrator computers | Required to make an SMTP connection with Administrator computers. |
| 53 | TCP/UDP | DNS server | Required for DNS queries. |
| 68 | UDP | Administrator computers | Required for DHCP-assigned IP address. |
| 69 | UDP | Administrator computers | Required for trivial file transfers (TFTP). |
| 162 | UDP | Administrator computers | Required to send SNMP traps. |
| 636 | TCP/UDP | LDAPS server | Required to make Secure LDAP queries. |
| 3269 | TCP/UDP | LDAPS server | Required for LDAPS global catalog (CG). |

NOTE:

Ensure that the local network environment allows for the creation of these connections.

If using a private intranet, configure the setup of firewall and Network Address Translation (NAT) accordingly.

Ensure that you open the ports bi-directionally at the firewall level.

Protection Software VMware Combined Proxy inbound ports

This section describes the inbound port requirements for the Protection Software VMware Combined Proxy.

The following table describes the inbound port requirements for the Protection Software VMware Combined Proxy:

Table 40. Required inbound ports for the Protection Software VMware Combined Proxy

Port Protocol Source Additional information

22

902

TCP / SSH TCP / SSH

TCP / Hypervisor server proxy service

Protection Software

Administrator

Protection Software server

Diagnostic support is optional, but recommended.

5489 TCP / CIM service Protection Software deployment

Used to register the proxy.


Table 40. Required inbound ports for the Protection Software VMware Combined Proxy (continued)

Port

28009

Protocol

TCP / Access proxy logs

Source

Protection Software MCS

Additional information

30102 - 30109

30002 - 30009

TCP / avagent paging port

TCP / avagent paging port

Protection Software MCS

Protection Software server Secured communication with the Protection Software server (utility node).

Protection Software VMware Combined Proxy outbound ports

This section describes the outbound port requirements for the Protection Software VMware Combined Proxy.

The following table describes the outbound port requirements for the Protection Software VMware Combined Proxy:

Table 41. Required outbound ports for the Protection Software VMware Combined Proxy

Port

53

111

Protocol

UDP + TCP / DNS

TCP / UDP

Destination

DNS server

Additional information

UDP + TCP

Protection Storage system Access to RPC and NFS port mapper functionality on a

Protection Storage system

443

443

902

2049

2052

8543

27000

28001

28002 - 28010

29000

30001

30002 - 30010

30102 - 30109

TCP / Hypervisor Platform

API

TCP / Hypervisor Platform

API

TCP / VDDK

TCP/UDP

TCP/UDP

TCP

Hypervisor hosts

Hypervisor Manager

Hypervisor hosts

Protection Storage system

Protection Storage system Outbound communication must be open for both protocols: TCP and UDP

Protection Software server Used for VMware snapshot operations

TCP / GSAN communication Protection Software server Non-secured communication

TCP / Protection Software

MCS / avagent

Protection Software server

TCP / Protection Software

MCS / avagent

Protection Software server

TCP / GSAN communication Protection Software server Secured communication

Protection Software MCS Protection Software 7.2

TCP / avagent to MCS communication

TCP / Protection Software

MCS / avagent

TCP / Avagent paging port

Protection Software server

Protection Software server Secured communication with

Protection Software server utility node

Protection Software Hypervisor Platform Combined Proxy ports

This section describes the ports that are required for the Protection Software Hypervisor Platform Combined Proxy.

The following table describes the ports that are required for the Protection Software Hypervisor Platform Combined Proxy:


Table 42. Required ports for the Protection Software Hypervisor Platform Combined Proxy

| Port | Protocol | Source | Destination |
| --- | --- | --- | --- |
| 443 | TCP / Hypervisor Platform API | Protection Software Deployment Manager | Hypervisor hosts |
| 443 | TCP / Hypervisor Platform API | Protection Software MCS | Hypervisor Manager (Service) |
| 7444 | TCP / Test Hypervisor Manager credentials | Protection Software MCS | Hypervisor Manager (Service) |

Inbound ports for the Azure network security group

This section describes the rules that should be added to an Azure network security group.

The following tables describe the rules that should be added to an Azure network security group:

NOTE: If you want to restrict the source traffic, set the source with IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

NOTE: Protection Software no longer supports HTTP access to TCP port 80. Use HTTPS port 443 to access these services instead.

For all table entries:

● The Source and Destination fields are Any .

● The Source port range field is *

● The Action is Allow .

● Assign a unique priority value to each rule, starting at 100.

● Type a unique description for each rule. The value must be unique for both inbound and outbound rules.

Table 43. Inbound ports for the Azure network security group

| Type | Protocol | Destination port range |
| --- | --- | --- |
| SSH | TCP | 22 |
| Custom TCP Rule | TCP | 161 |
| Custom UDP Rule | UDP | 161 |
| Custom TCP Rule | TCP | 163 |
| Custom UDP Rule | UDP | 163 |
| HTTPS | TCP | 443 |
| Custom TCP Rule | TCP | 700 |
| Custom TCP Rule | TCP | 7543 |
| Custom TCP Rule | TCP | 7778 - 7781 |
| Custom TCP Rule | TCP | 8543 |
| Custom TCP Rule | TCP | 9090 |
| Custom TCP Rule | TCP | 9443 |
| Custom TCP Rule | TCP | 27000 |
| Custom TCP Rule | TCP | 28001 - 28002 |
| Custom TCP Rule | TCP | 28810 - 28819 |
| Custom TCP Rule | TCP | 29000 |
| Custom TCP Rule | TCP | 30001 - 30010 |


Outbound ports for the Azure network security group

This section describes the outbound ports for the Azure network security group.

NOTE: If you want to restrict the source of traffic, set the source with IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

By default, Azure has a rule AllowInternetOutBound with priority 65001 to allow all outbound internet traffic. Override this rule by adding a rule with a priority (that is, an integer number) that is greater than all customized rules' priority, and less than 65000: source: *, destination: *, protocol: *, action: Deny. Azure documentation contains information about creating a firewall rule.

For all table entries:

● The Source and Destination fields are Any .

● The Source port range field is *

● The Action is Allow .

● Assign a unique priority value to each rule, starting at 100.

● Type a unique description for each rule. The value must be unique for both inbound and outbound rules.

Table 44. Outbound ports for the Azure network security group

| Type | Protocol | Destination port range |
| --- | --- | --- |
| Custom TCP Rule | TCP | 7 |
| SSH | TCP | 22 |
| SMTP | TCP | 25 |
| DNS (UDP) | UDP | 53 |
| Custom TCP Rule | TCP | 111 |
| Custom UDP Rule | UDP | 111 |
| Custom TCP Rule | TCP | 161 |
| Custom UDP Rule | UDP | 161 |
| Custom TCP Rule | TCP | 163 |
| Custom UDP Rule | UDP | 163 |
| HTTPS | TCP | 443 |
| Custom TCP Rule | TCP | 700 |
| Custom TCP Rule | TCP | 2049 |
| Custom UDP Rule | UDP | 2049 |
| Custom TCP Rule | TCP | 2052 |
| Custom UDP Rule | UDP | 2052 |
| Custom TCP Rule | TCP | 3008 |
| Custom TCP Rule | TCP | 3009 |
| Custom TCP Rule | TCP | 8443 |
| Custom TCP Rule | TCP | 8888 |
| Custom TCP Rule | TCP | 9090 |
| Custom TCP Rule | TCP | 9443 |
| Custom TCP Rule | TCP | 27000 |
| Custom TCP Rule | TCP | 28001-28010 |
| Custom TCP Rule | TCP | 29000 |
| Custom TCP Rule | TCP | 30001-30010 |
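The outbound rule set and the override of AllowInternetOutBound described in this section, worked as an added example that is not part of the Dell guide: the script builds the Table 44 rules in the ARM securityRules shape, assigns unique priorities starting at 100, appends the catch-all Deny rule, and checks the constraints the section lists. The rule names, the step of 10 between priorities, and the `source` parameter are assumptions made for the illustration.

```python
import json

# Destination port ranges from Table 44, grouped by layer 4 protocol.
TCP_PORTS = ["7", "22", "25", "111", "161", "163", "443", "700", "2049",
             "2052", "3008", "3009", "8443", "8888", "9090", "9443",
             "27000", "28001-28010", "29000", "30001-30010"]
UDP_PORTS = ["53", "111", "161", "163", "2049", "2052"]

# Azure accepts priorities 100-4096 for user-defined rules and evaluates lower
# numbers first; the built-in AllowInternetOutBound rule sits at 65001, so any
# rule in this range is evaluated before it.
MIN_PRIORITY, MAX_PRIORITY = 100, 4096


def make_rule(name, protocol, port, access, priority, source="*"):
    """Return one outbound rule in the ARM securityRules shape."""
    return {
        "name": name,  # naming scheme is an assumption of this example
        "properties": {
            # The guide requires a unique description per rule.
            "description": f"{access} outbound {protocol} to port {port}",
            "protocol": protocol,
            "sourcePortRange": "*",
            "destinationPortRange": port,
            "sourceAddressPrefix": source,
            "destinationAddressPrefix": "*",
            "access": access,
            "priority": priority,
            "direction": "Outbound",
        },
    }


def validate(rules):
    """Check the constraints stated in this section; raise ValueError on failure."""
    props = [r["properties"] for r in rules]
    for field, values in (("name", [r["name"] for r in rules]),
                          ("priority", [p["priority"] for p in props]),
                          ("description", [p["description"] for p in props])):
        if len(set(values)) != len(values):
            raise ValueError(f"duplicate {field} in rule set")
    for p in props:
        if not MIN_PRIORITY <= p["priority"] <= MAX_PRIORITY:
            raise ValueError(f"priority {p['priority']} is out of range")
    denies = [p for p in props if p["access"] == "Deny"]
    allows = [p for p in props if p["access"] == "Allow"]
    if len(denies) != 1 or denies[0]["destinationPortRange"] != "*":
        raise ValueError("expected exactly one catch-all Deny rule")
    if allows and denies[0]["priority"] <= max(p["priority"] for p in allows):
        raise ValueError("Deny rule must come after every Allow rule")


def build_outbound_rules(source="*", start=100, step=10):
    """Build the Allow rules for Table 44 followed by the catch-all Deny."""
    rules, priority = [], start
    for protocol, ports in (("Tcp", TCP_PORTS), ("Udp", UDP_PORTS)):
        for port in ports:
            name = f"ps-out-{protocol.lower()}-{port}"
            rules.append(make_rule(name, protocol, port, "Allow", priority, source))
            priority += step
    # source: *, destination: *, protocol: *, action: Deny, with a priority
    # number greater than every customized rule.
    rules.append(make_rule("ps-out-deny-all", "*", "*", "Deny", priority))
    validate(rules)
    return rules


if __name__ == "__main__":
    print(json.dumps(build_outbound_rules(), indent=2))
```

Passing a CIDR block as `source` applies the restriction from the NOTE above to every Allow rule while the Deny rule keeps source `*`.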

Protection Storage

This section lists information about Protection Storage network ports.

Communication security settings

Communication security settings enable the establishment of secure communication channels between the product components, and between product components and external systems or components.

The following tables list the input and output ports for TCP and UDP:

Table 45. Protection Storage system inbound communication ports

| Service | Protocol | Port | Port configurable | Default | Description |
| --- | --- | --- | --- | --- | --- |
| FTP | TCP | 21 | No | Disabled | Port is used only if FTP is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| SSH and SCP | TCP | 22 | Yes | Enabled | Port is used only if SSH is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. SCP is enabled as default. |
| Telnet | TCP | 23 | No | Disabled | Port is used only if Telnet is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| HTTP | TCP | 80 | Yes | Enabled (a) | Port is used only if HTTP is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| DD Boost/NFS (portmapper) | TCP | 111 | No | Enabled | Used to assign a random port for the mountd service that DD Boost and NFS use. The mountd service port can be statically assigned and can be run with the nfs option set mountd-port command. |
| NTP | UDP | 123 | No | Disabled | 1. Port is used only if NTP is enabled on the Protection Storage system. Run ntp status to determine if it is enabled. 2. The Protection Storage system uses this port to synchronize to a time server. |
| SNMP | TCP/UDP | 161 | No | Disabled | Port is used only if SNMP is enabled. Run snmp status to determine if it is enabled. |
| HTTPS | TCP | 443 | Yes | Enabled | Port is used only if HTTPS is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| CIFS (Microsoft-DS) | TCP | 445 | No | Enabled | Main port that CIFS uses for data transfer. |
| DD Boost/NFS | TCP | 2049 | Yes | Enabled | Main port that NFS uses. Run the nfs option show command on the Protection Storage system to determine the current NFS server port. |
| NFS v3/NFS v4 | TCP | 2049 | Yes | Enabled | Main port that NFS service uses. Run nfs status to determine if NFS v3 or NFS v4 service is enabled. Run nfs option show nfs3-port or nfs option show nfs4-port on the Protection Storage system to determine the current port that is listening. |
| Replication | TCP | 2051 | Yes | Enabled | Port is used only if replication is configured on the Protection Storage system. Run replication show config to determine if it is configured. This port can be modified using the replication modify command. |
| NFS (mountd) | TCP/UDP | 2052 | Yes | Enabled | Can be hardcoded using the nfs option set mountd-port command. (This command is SE mode, which means that only a Service Engineer can issue this command.) Run nfs option show mountd-port on the Protection Storage system to determine the current port that mountd is listening on. |
| Protection Storage Management Center Port | TCP | 3009 | No | Enabled | This port is used only if the Protection Storage Management Center manages the Protection Storage system. It is not configurable. |

a. HTTP is enabled by default, but automatically redirects to HTTPS.

Table 46. Protection Storage system outbound communication ports

| Service | Protocol | Port | Port configurable | Default | Description |
| --- | --- | --- | --- | --- | --- |
| SMTP | TCP | 25 | No | Disabled | The Protection Storage system uses this port to send email autosupports and alerts. |
| SNMP | UDP | 162 | Yes | Disabled | The Protection Storage system uses this port to send SNMP traps to SNMP host. Use snmp show trap-hosts to see destination hosts and snmp status to display service status. |
| Syslog | UDP | 514 | No | Disabled | If enabled, the Protection Storage system uses this port to send syslog messages. Use log host show to display destination hosts and service status. |
| RMCP | UDP | 623 | Open | Enabled | Remotely access BMC through IPMI. |


To reach a Protection Storage system behind a firewall, you may need to enable these ports defined in the preceding tables.

Use the net filter functionality to disable all ports that are not used.

Firewall Configuration

Table 47. Ports that Protection Storage uses for inbound traffic

| Port | Service | Note |
| --- | --- | --- |
| TCP 21 | FTP | Used only if FTP is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 22 | SSH | Used only if SSH is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 23 | Telnet | Used only if Telnet is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 80 | HTTP | Used only if HTTP is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 111 | DD Boost/NFS (port mapper) | Used to assign a random port for the mountd service that NFS and DD Boost use. The mountd service port can be statically assigned. |
| UDP 111 | DD Boost/NFS (port mapper) | Used to assign a random port for the mountd service that NFS and DD Boost use. The mountd service port can be statically assigned. |
| UDP 123 | NTP | Used only if NTP is enabled (run ntp status on the Protection Storage system to determine). |
| UDP 137 | CIFS (NetBIOS name service) | CIFS uses this port for NetBIOS name resolution. |
| UDP 138 | CIFS (NetBIOS datagram service) | CIFS uses this port for NetBIOS datagram service. |
| TCP 139 | CIFS (NetBIOS session service) | CIFS uses this port for session information. |
| UDP 161 | SNMP (query) | Used only if SNMP is enabled (run snmp status on the Protection Storage system to determine). |
| TCP 389 | LDAP | The LDAP server monitors this port for LDAP client requests; by default it uses TCP. |
| TCP 443 | HTTPS | Used only if HTTPS is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 445 | CIFS (Microsoft-DS) | Main port that CIFS uses for data transfer. |
| TCP 464 | Active Directory | Kerberos change/set password; this is required to join an Active Directory domain. |
| TCP 2049 | DD Boost/NFS | Main port that NFS uses; it can be modified using the nfs set serverport command, which requires SE mode. |
| TCP 2051 | Replication/DD Boost/Optimized Duplication | Used only if replication is configured (run replication show config on the Protection Storage system to determine). This port can be modified using replication modify. |
| TCP 2052 | NFS Mountd/DD Boost/Optimized Duplication | Main port that NFS Mountd uses. |
| TCP 3008 | RSS | Required when the Protection Storage system has an Archive Tier. |
| TCP 3009 | SMS (system management) | Used for managing a system remotely with Protection Storage Data Protection Central (DPC). This port cannot be modified. This port is used only on Protection Storage systems running DD OS 4.7.x or later. This port needs to be open if you plan to configure replication within Protection Storage DPC because the replication partner must be added to Protection Storage DPC. |
| TCP 5001 | iPerf | iPerf uses this by default. Changing the port requires the -p option from se iperf or the port option from the net iperf command. The remote side must listen on the new port. |
| TCP 10000 | NDMP | NDMP uses this port. |

Table 48. Ports that Protection Storage systems use for outbound traffic

Port

TCP 20

Service

FTP

Note

Used only if FTP is enabled (run adminaccess show on the Protection

Storage system to determine).

TCP 25 SMTP

UDP/TCP 53

TCP 80

TCP 443

UDP 123

UDP 162

DNS

HTTP

HTTPS

NTP

SNMP (trap)

Used only if FTP is enabled (run adminaccess show on the Protection

Storage system to determine).

Used to perform DNS lookups when DNS is configured (run net show dns on the Protection Storage system to review

DNS configuration).

Used to upload log files to Dell EMC support using support upload.

Used to upload the Support Bundle

(SUB).

Used to synchronize to a time server.

Used to send SNMP traps to an SNMP host. Use snmp show trap-hosts to see destination hosts and snmp status to display service status.

UDP 514 Syslog

TCP 2051

TCP 3009

Replication/DD Boost/Optimized

Duplication

SMS (system management)

If enabled, used to send syslog messages. Use log host show to display destination hosts and service status.

Used only if replication is configured

(run replication show config on the Protection Storage system to determine).

Used for managing a system remotely using Protection Storage Data

Protection Central (DPC). This port cannot be modified. This port is used only on Protection Storage systems running DD OS 4.7.x or later.

If you plan to configure replication from within the Protection Storage DPC, this port needs to be opened. The replication partner has to be added to the Protection Storage DPC.

TCP 5001

TCP 27000 iPerf iPerf uses this port by default. Changing the port requires entering the -p option from se iperf or the port option from net iperf . The remote side must listen on the new port.

Protection Software client network hosts.

TCP 27000

TCP 28001

TCP 28002

TCP 29000

Protection Software client communications with Protection

Software server

Protection Software server communications with Replicator target server (Protection Software proprietary communication)

Protection Software client communications with administrator server

Protection Software server communications with Protection

Software client

Required if server is used as replication source.

Protection Software clients required.

Optional for browsing clients and canceling backups from Protection

Software Administrator management console.

Protection Software clients required.

TCP 29000

Protection Software client Secure

Sockets Layer (SSL) communications with Protection Software server

Protection Software server SSL communications with Replicator target server

Required if server is replication source.


Data Protection Central

Data Protection Central uses inbound and outbound ports when communicating with remote systems.

Table 49. Outbound ports

| Port number | Layer 4 protocol | Service |
| --- | --- | --- |
| 7 | TCP, UDP | ECHO |
| 22 | TCP | SSO |
| 25 | TCP | SMTP |
| 53 | UDP, TCP | DNS |
| 67, 68 | TCP | DHCP |
| 80 | TCP | HTTP |
| 88 | TCP, UDP | Kerberos |
| 111 | TCP, UDP | ONC RPC |
| 123 | TCP, UDP | NTP |
| 161-163 | TCP, UDP | SNMP |
| 389 | TCP, UDP | LDAP |
| 443 | TCP | HTTPS |
| 448 | TCP | Search Admin REST API |
| 464 | TCP, UDP | Kerberos |
| 514 | TCP, UDP | rsh |
| 587 | TCP | SMTP |
| 636 | TCP, UDP | LDAPS |
| 902 | TCP | Hypervisor |
| 2049 | TCP, UDP | NFS |
| 2052 | TCP, UDP | mountd, clearvisn |
| 3009 | TCP | Protection Storage REST API |
| 5671 | TCP | Message Bus over amqp |
| 8443 | TCP | MCSDK 8443 is an alternative for 443 |
| 9002 | TCP | Reporting & Analytics REST API |
| 9443 | TCP | Protection Software Management Console web service |

Table 50. Inbound ports

| Port number | Layer 4 protocol | Service |
| --- | --- | --- |
| 22 | TCP | SSH |
| 80 | TCP | HTTP |
| 443 | TCP | HTTPS |
| 5671 | TCP | Message Bus over amqp |


Search

This section lists information about Search network ports.

Port usage

Table 51. Default ports

| Component | Service | Protocol | Port | Description |
| --- | --- | --- | --- | --- |
| Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch. |
| Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application. Search web application. Admin REST API. Search REST API. |
| Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch. |
| Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (Index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access. |
| Puppet | Puppet | TCP | 8140, 61613 | Puppet primary server, agent, and console. Puppet ports must be open between Search nodes to enable communication during an automatic upgrade. |
| Protection Software Client | Protection Software Client | TCP | 28000-29000, 30000-31000 | Ports for Protection Software client communicating with Protection Software server. Each client requires two ports from each port range. |
| NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for NetWorker client communicating with NetWorker server. |
| OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP, are only opened internally. |
| SSH | sshd | TCP | 22 | Client connects to server through ssh. |
| NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally. |

Firewall rules

Search requires access to the following external (worldwide) ports:

● 442:445 (Web/Rest API)

● 28000-29000, 30000-31000 (Protection Software Client)

● 7937-8100 (NetWorker client)

● 22 (SSH)

Search requires access to the following internal ports:

● 389 (openLDAP)

● 8140 (Puppet primary server and primary server node only)

● 61613 (Puppet)

● 9300:9400 (Elasticsearch)

● 111, 2049 (NFS)


To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.

Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.

Reporting & Analytics

The following tables list information about Reporting & Analytics network ports. Additional ports can be required for the Reporting and Analytics agents depending on the systems being monitored.

Table 52. Reporting & Analytics application ports settings

| Port | Description | Traffic direction |
| --- | --- | --- |
| 25 | TCP port used for the SMTP service | Outbound connection to SMTP server |
| 80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server |
| 22 | TCP port used for SSH | Bidirectional connection to SSH server |
| 161 | UDP port used for SNMP service | Outbound connection to SNMP devices |
| 389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server |
| 3741 | TCP port used for Reporting and Analytics agents communications. | Outbound connection to Reporting and Analytics agents |
| 4447 | TCP port used for intra-service communication | Inbound connection |
| 4712 | TCP port used for intra-service communication | Localhost connection |
| 4713 | TCP port used for intra-service communication | Localhost connection |
| 5445 | TCP port used for intra-service communication | Localhost connection |
| 5455 | TCP port used for intra-service communication | Localhost connection |
| 8090 | TCP port used for intra-service communication | Localhost connection |
| 9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients. |
| 9003 | TCP port used for Reporting and Analytics Datastore communications. | Outbound connection to Reporting and Analytics Datastore. |
| 9005 | TCP port used for JBoss Management | Localhost connection |
| 9999 | TCP port used for JBoss Management | Localhost connection |

Table 53. Reporting & Analytics datastore port settings

| Port | Description | Traffic direction |
| --- | --- | --- |
| 3741 | TCP port used for Reporting and Analytics agents communications. | Inbound connection from Reporting and Analytics application server. |
| 9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to Reporting and Analytics application server. |
| 9003 | TCP port used for Reporting and Analytics datastore communications. | Inbound connection from Reporting and Analytics application server. |


Table 54. Reporting & Analytics agent port settings

| Port | Description | Traffic direction |
| --- | --- | --- |
| 3741 | TCP port used for Reporting and Analytics agents communications. | Inbound connection from Reporting and Analytics application server. |
| 9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to Reporting and Analytics application server. |

Table 55. Reporting & Analytics cluster port settings

| Port | Description | Traffic direction |
| --- | --- | --- |
| 25 | TCP port used for the SMTP service | Outbound connection to SMTP server. |
| 80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server. |
| 161 | UDP port used for SNMP service | Outbound connection to SNMP devices. |
| 389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server. |
| 3741 | TCP port used for Reporting and Analytics agents communications. | Outbound connection to Reporting and Analytics agents |
| 4447 | TCP port used for intra-service communication | Inbound connection |
| 4712 | TCP port used for intra-service communication | Localhost connection |
| 4713 | TCP port used for intra-service communication | Localhost connection |
| 5445 | TCP port used for intra-service communication | Bidirectional connection for Cluster |
| 5455 | TCP port used for intra-service communication | Bidirectional connection for Cluster |
| 7500 | Multicast over UDP | Bidirectional connection for Cluster |
| 7600 | Multicast over TCP | Inbound connection for Cluster |
| 8090 | TCP port used for intra-service communication | Localhost connection |
| 9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients. |
| 9003 | TCP port used for Reporting and Analytics datastore communications. | Outbound connection to Reporting and Analytics datastore. |
| 9005 | TCP port used for JBoss Management | Localhost connection |
| 9876 | Multicast over TCP | Bidirectional connection for Cluster |
| 9999 | TCP port used for JBoss Management | Localhost connection |
| 23364 | Multicast over TCP | Bidirectional connection for Cluster |
| 45688 | Multicast over TCP | Bidirectional connection for Cluster |
| 45689 | Multicast over TCP | Bidirectional connection for Cluster |
| 45700 | Multicast over UDP | Bidirectional connection for Cluster |
| 54200 | Multicast over UDP | Bidirectional connection for Cluster |
| 54201 | Multicast over UDP | Bidirectional connection for Cluster |
| 55200 | Multicast over UDP | Bidirectional connection for Cluster |
| 55201 | Multicast over UDP | Bidirectional connection for Cluster |
| 57600 | Multicast over TCP | Bidirectional connection for Cluster |

Secure Remote Services

Secure Remote Services (SRS) runs its services on the following ports:

The following ports should be opened on the Secure Remote Services (SRS) gateway server Service. The appliance components (Protection Software, Protection Storage, ACM, and Reporting & Analytics) communicate with SRS using these ports.

Table 56. Port requirements for devices

Dell EMC product

TCP port or

Protocol

Direction open

Source-or-

Destination

Application name

Protection

Software

HTTPS 9443

HTTPS

Passive FTP (21)

SMTP (25)

Outbound to SRS REST

ConnectEMC

Communication (network traffic) type

Service notification

Performed by authorized

Dell EMC

Global Services personnel:

Support objective

(frequency)

NA

22 Inbound to SRS or to

Customer SMTP server from SRS CLI (through

SSH)

AVInstaller

Enterprise

Manager

Remote support

Administration

(occasional)

Troubleshooting

(frequent)

Protection

Storage

Reporting &

Analytics

443

80, 443, 8778,

8779, 8780, 8781,

8580, 8543, 9443,

7778, 7779, 7780, and 7781

7778, 7779, 7780,

7781, and 9443

HTTPS 9443 Outbound

443,25,21

80,443 Inbound

22

HTTPS 9443

HTTPS

Passive FTP (21)

SMTP (25)

22

Outbound

Inbound to SRS from SRS to SRS from SRS

MCGUI

REST

ConnectEMC

Enterprise

Manager

CLI (through

SSH)

REST

ConnectEMC

CLI (through

SSH)

Service notification

Remote support

Service notification

Remote support

NA

Administration

(occasional)

Troubleshooting

(frequent)

NA

Troubleshooting

(frequent)


Table 56. Port requirements for devices (continued)

Dell EMC product

TCP port or

Protocol

Direction open

Source-or-

Destination

Integrated

Data

Protection

Appliance

9002, 9003, 9004

3389

HTTPS 9443

HTTPS

Passive FTP (21)

SMTP (25)

22

Outbound

Inbound

8543

443 to SRS from SRS

Application name

Communication (network traffic) type

Performed by authorized

Dell EMC

Global Services personnel:

Support objective

(frequency)

Reporting and

Analytics GUI

Remote desktop

REST

ConnectEMC

Service notification

NA

CLI (through

SSH)

ACM

Search UI,

Hypervisor

Platform Web

Client, iDRAC UI

Remote support

Troubleshooting

(frequent)

Remote server management (iDRAC)

The following table lists the ports that are required to remotely access iDRAC through a firewall. These are the default ports on which iDRAC listens for connections.

Table 57. Ports iDRAC listens for connections

| Port number | Type | Function | Configurable port | Maximum Encryption Level |
|---|---|---|---|---|
| 22 | TCP | SSH | Yes | 256-bit SSL |
| 23 | TCP | TELNET | Yes | None |
| 80 | TCP | HTTP | Yes | None |
| 161 | UDP | SNMP Agent | Yes | None |
| 443 | TCP | HTTPS | Yes | 256-bit SSL |
| 623 | UDP | RMCP/RMCP+ | No | 128-bit SSL |
| 5000 | TCP | iDRAC to iSM | No | 256-bit SSL (a) |
| 5900 | TCP | Virtual console keyboard and mouse redirection, Virtual Media, Virtual folders, and Remote File Share | Yes | 128-bit SSL |
| 5901 (b) | TCP | VNC | Yes | 128-bit SSL |

a. Maximum encryption level is 256-bit SSL if both iSM 3.4 or higher and iDRAC firmware 3.30.30.30 or higher are installed.

b. Port 5901 opens when VNC feature is enabled.

The following table lists the ports that iDRAC uses as a client:


Table 58. Ports iDRAC uses as client

| Port number | Type | Function | Configurable port | Maximum Encryption Level |
|---|---|---|---|---|
| 25 | TCP | SMTP | Yes | None |
| 53 | UDP | DNS | No | None |
| 68 | UDP | DHCP-assigned IP address | No | None |
| 69 | TFTP | TFTP | No | None |
| 123 | UDP | Network Time Protocol (NTP) | No | None |
| 162 | UDP | SNMP trap | Yes | None |
| 445 | TCP | Common Internet File System (CIFS) | No | None |
| 636 | TCP | LDAP Over SSL (LDAPS) | No | 256-bit SSL |
| 2049 | TCP | Network File System (NFS) | No | None |
| 3269 | TCP | LDAPS for global catalog (GC) | No | 256-bit SSL |
| 5353 | UDP | mDNS | No | None |
| 514 | UDP | Remote syslog | Yes | None |

NOTE: When Group Manager is enabled, iDRAC uses mDNS to communicate through port 5353. However, when it is disabled, port 5353 is blocked by iDRAC's internal firewall and appears as an open|filtered port in port scans.
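Added example (not from the Dell manual): a baseline check that compares scan results for an iDRAC interface against Table 57 and the mDNS note above, flagging cleartext services, undocumented ports, and a VNC or mDNS port that is open when the feature is supposed to be off. The scan lines, the `audit` function and its `group_manager_enabled` and `vnc_enabled` parameters are assumptions made for illustration.

```python
# Baseline copied from Table 57: (port, proto) -> (function, max encryption).
IDRAC_LISTEN = {
    (22, "tcp"): ("SSH", "256-bit SSL"),
    (23, "tcp"): ("TELNET", "None"),
    (80, "tcp"): ("HTTP", "None"),
    (161, "udp"): ("SNMP Agent", "None"),
    (443, "tcp"): ("HTTPS", "256-bit SSL"),
    (623, "udp"): ("RMCP/RMCP+", "128-bit SSL"),
    (5000, "tcp"): ("iDRAC to iSM", "256-bit SSL"),
    (5900, "tcp"): ("Virtual console", "128-bit SSL"),
    (5901, "tcp"): ("VNC", "128-bit SSL"),
}

# Constructed sample in "port/proto state" form, not real scan output.
SAMPLE_SCAN = """\
22/tcp open
23/tcp open
443/tcp open
5353/udp open|filtered
5901/tcp open
8080/tcp open
623/udp closed
"""

def audit(scan_text, group_manager_enabled=False, vnc_enabled=False):
    """Return sorted (port, proto, finding) tuples for anything needing review."""
    findings = []
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue  # skip blank or malformed lines
        port_s, proto = parts[0].split("/", 1)
        if not port_s.isdigit():
            continue
        key, state = (int(port_s), proto.lower()), parts[1].lower()
        if state in ("closed", "filtered"):
            continue
        if key == (5353, "udp"):
            # Per the NOTE: open|filtered is expected when Group Manager is off.
            if state == "open" and not group_manager_enabled:
                findings.append((*key, "mDNS answering but Group Manager disabled"))
            continue
        if key not in IDRAC_LISTEN:
            findings.append((*key, "not in Table 57"))
        elif IDRAC_LISTEN[key][1] == "None":
            findings.append((*key, f"cleartext {IDRAC_LISTEN[key][0]}"))
        elif key == (5901, "tcp") and not vnc_enabled:
            findings.append((*key, "VNC port open but VNC not expected"))
    return sorted(findings)
```

Calling `audit(SAMPLE_SCAN)` reports Telnet on 23, the unexpected VNC port 5901 and the undocumented port 8080, while the `open|filtered` result on 5353 is accepted as the documented behaviour with Group Manager disabled.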

Cloud DR

The following ports should be opened for communication between the specified components:

Table 59. Required Cloud DR ports

| Port | Description |
|---|---|
| 111 | Communication between Protection Storage and Cloud DR |
| 443 | Communication between Cloud DR and AWS/Azure |
| 443 | Communication between Cloud DR and Cloud DR Server |
| 443 | Communication between Cloud DR and Hypervisor Manager (Service) |
| 443 | Communication between a local restore Service and AWS/Azure |
| 2049 | Communication between Protection Storage and Cloud DR |
| 9443 | Communication between Protection Software and Cloud DR |
