EMC Secure Remote Services 3.04 Port Requirements
This document contains supplemental information about the EMC Secure Remote Services v3.04 (ESRS v3.04). ESRS v3.04 is the virtual edition of ESRS. This document includes the following topics:
Communication between ESRS and EMC
Communication between ESRS and Policy Manager
Communication between ESRS and devices
Port requirements for ESRS and Policy Manager (PM) servers
Port requirements for devices
Note: Some ports used by ESRS and devices may be registered for use by other parties, or may not be registered by EMC. EMC is addressing these registration issues. In the meantime, be aware that all ports listed for use by the ESRS servers and devices will be in use by the EMC applications listed.
EMC Secure Remote Services Release 3.04
Port Requirements
Rev 02
March 23, 2015
Communication between ESRS and EMC
To enable communication between your EMC Secure Remote Services (ESRS) and EMC, you must configure your external network and/or firewalls to allow traffic over the specific ports as shown in Table 1 on page 4. These tables identify the installation site network firewall configuration open-port requirements for ESRS. The protocol/ports number and direction are identified relative to the ESRS servers and storage devices. Figure 1 on page 3 shows the communication paths.
Communication between ESRS and Policy Manager
To enable communication between ESRS and Policy Manager, you must configure your internal firewalls to allow traffic over the specific ports as shown in Table 1 on page 4. These tables identify the installation site network firewall configuration open-port requirements for ESRS. The protocol/ports number and direction are identified relative to the ESRS servers and storage devices. Figure 1 on page 3 shows the communication paths.
Communication between ESRS and devices
There are two connection requirements between the ESRS server and your managed devices:
The first is the communication between ESRS and your managed devices for remote access connections. ESRS secures remote access connections to your EMC devices by using a session-based IP port-mapped solution.
The second communication requirement is between ESRS and your managed devices for Connect Home messages. ESRS brokers Connect Home file transfers from your managed devices that support connect-home through ESRS, ensuring secure transport, authorization, and auditing for those transfers.
To enable communication between ESRS and your devices, you must configure your internal firewalls to allow traffic over the specific ports as shown in Table 1 on page 4 and Table 2 on page 6. These tables identify the installation site network firewall configuration open-port requirements for ESRS IP. The protocol/ports number and direction are identified relative to the ESRS servers and storage devices. Figure 1 on page 3 shows the communication paths.
Note: See Primus emc169001, What IP addresses are used by the EMC Secure Remote Services IP Solution. You can access this Primus at support.emc.com or in Appendix D of the ESRS Release 3.04 Operations Guide.
Figure 1 Port diagram for generic EMC managed product
Port requirements for ESRS and Policy Manager (PM) servers
Table 1 on page 4 lists the port requirements as follows:
Table 1 Port requirements for ESRS and Policy Manager servers

| EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name | Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency) |
|---|---|---|---|---|---|---|---|
| ESRS | HTTPS 443 | See KB article 13285, What IP addresses are used by the EMC Secure Remote Support IP Solution?. You can access this article on support.emc.com. | Outbound | to EMC | Client service | Service notification, setup, all traffic except remote support | N/A |
| | HTTPS 443 and 8443 | See KB article 13285, What IP addresses are used by the EMC Secure Remote Support IP Solution?. You can access this article on support.emc.com. | Outbound | to EMC Global Access Servers (GAS) | Client service | Remote support | N/A |
| | Port 990 for ConnectHome failover (if configured) | Supports ConnectHome failover if the ESRS Channel is unavailable | Outbound | FTPS to EMC FEP | | | |
| | SMTP 25 for ConnectHome failover (if configured) | May use the customer's e-mail server to relay the ConnectHome or may send directly to EMC | Outbound | to EMC through customer's mail server | | | |
| | HTTPS 443 | Use of HTTPS for service notifications inbound is dependent on the version of ConnectEMC used by the managed device. Refer to product documentation. If configured, MUST use the customer SMTP server. | Inbound | from Managed device (EMC product) | Apache httpd listener | Service notification from device | N/A |
| | Port 9443 | Customer access to ESRS GUI | | | | | |
| | HTTPS 9443 | Use HTTPS 9443 for making RESTful service calls to add/remove/update managed devices, to send connecthomes and to send device heartbeat check to ESRS | | | | | |
| | Passive FTP ports: 21, 5400-5413 | During the ESRS-IP installer execution, the value for Passive Port Range in FTP is set to 21 and 5400 through 5413. This range indicates the data channel ports available for response to PASV commands. See RFC 959 for passive FTP definition. These ports are used for passive mode FTP of connect-home messages as well as for the GWExt loading and output. GWExt uses HTTPS by default but can be configured to use FTP. | | | ESRS: Apache httpd ftp | | |
| | SMTP 25 | | | | ESRS: postfix | | |
| | | | Outbound | to Managed device | Client service | Remote support for device | N/A |
| | HTTP (configurable) Default = 8090 | | Outbound | to Policy Manager | Client service | Policy query | N/A |
| | HTTPS 8443 | | | | | | |
| | HTTP 8118 | To support ESRS proxy. | Inbound | To Gateway | Proxy client | Services eLicensing requests and inbound traffic to Gateway for MFT. Leveraged by standalone embedded ESRS Device Clients. | N/A |
| Policy Manager | HTTP (configurable) Default = 8090 | | Inbound | from ESRS IP Clients (and customer browser) | Policy Manager service | Policy query (and policy management by customer) | N/A |
| | HTTPS 8443 | | | | | | |
| | SMTP 25 | | Outbound | to Customer email server | | Action request | |

IMPORTANT: Port 8443 is not required for functionality, however without this port being opened, there will be a significant decrease in remote support performance, which will directly impact time to resolve issues on the end devices. The following hosts/IP addresses and ports need to be added as FTPS destinations: curpusfep3.emc.com = 128.221.234.66 990, corpusfep4.emc.com = 168.159.209.45 990
IMPORTANT: When opening ports for devices in Table 2, also open the same ports on the ESRS server, identified as Inbound from ESRS Virtual Edition (VE) server
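The ESRS server rows of Table 1 can be checked against a firewall allow-list, reporting listed ports that are closed and open ports the table does not list. This is an added example, not EMC code: the zone labels (`emc`, `emc-gas`, `emc-fep`, `device`), the rule format and the sample rules are hypothetical, and treating the three device-to-ESRS channels as optional alternatives is an assumption, since the channel a product uses is given per product in Table 2.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    direction: str     # "out" or "in", relative to the ESRS server
    peer: str          # hypothetical zone label for the other end
    ports: frozenset   # TCP ports as listed in Table 1
    required: bool     # False: optional or "if configured" per the table notes
    purpose: str

class Rule(NamedTuple):   # hypothetical firewall allow rule
    direction: str
    peer: str
    lo: int
    hi: int

PASSIVE_FTP = frozenset({21, *range(5400, 5414)})   # 21 and 5400 through 5413

TABLE1_ESRS = [
    Flow("out", "emc", frozenset({443}), True, "service notification and setup"),
    Flow("out", "emc-gas", frozenset({443}), True, "remote support"),
    Flow("out", "emc-gas", frozenset({8443}), False, "remote support performance"),
    Flow("out", "emc-fep", frozenset({990}), False, "ConnectHome failover (FTPS)"),
    Flow("in", "device", frozenset({443}), False, "service notification (HTTPS)"),
    Flow("in", "device", PASSIVE_FTP, False, "connect-home (passive FTP)"),
    Flow("in", "device", frozenset({25}), False, "connect-home (SMTP)"),
]

def opened(rules, direction, peer):
    """Expand the allow rules for one direction/peer pair into a set of ports."""
    ports = set()
    for r in rules:
        if (r.direction, r.peer) == (direction, peer):
            ports.update(range(r.lo, r.hi + 1))
    return ports

def audit(rules):
    """Compare allow rules with Table 1: closed listed ports and unlisted open ports."""
    report = {"blocked_required": [], "blocked_optional": [], "excess": []}
    for flow in TABLE1_ESRS:
        closed = sorted(flow.ports - opened(rules, flow.direction, flow.peer))
        if closed:
            key = "blocked_required" if flow.required else "blocked_optional"
            report[key].append((flow.peer, closed, flow.purpose))
    for direction, peer in sorted({(f.direction, f.peer) for f in TABLE1_ESRS}):
        listed = set().union(*(f.ports for f in TABLE1_ESRS
                               if (f.direction, f.peer) == (direction, peer)))
        extra = sorted(opened(rules, direction, peer) - listed)
        if extra:
            report["excess"].append((direction, peer, extra))
    return report

# Constructed sample rule set: 8443, 990 and 25 left closed, FTP range too wide.
SAMPLE_RULES = [
    Rule("out", "emc", 443, 443),
    Rule("out", "emc-gas", 443, 443),
    Rule("in", "device", 443, 443),
    Rule("in", "device", 21, 21),
    Rule("in", "device", 5400, 5420),
]

if __name__ == "__main__":
    for section, items in audit(SAMPLE_RULES).items():
        print(section, items)
```

A closed 8443 appears under `blocked_optional` rather than `blocked_required`, matching the note that the port is not needed for functionality but its absence degrades remote support performance.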
Port requirements for devices
Table 2 on page 6 lists the port requirements for EMC devices.
Table 2 Port requirements for devices

| EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name | Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency) |
|---|---|---|---|---|---|---|---|
| Atmos | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | NA |
| | Passive FTP | | | | | | |
| | SMTP | | | to ESRS or to Customer SMTP server | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Administration (occasional) |
| | 443 | | | | SecureWebUI | | Troubleshooting (frequent) |
| Avamar | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | NA |
| | Passive FTP | | | | | | |
| | SMTP | | | to ESRS or to Customer SMTP server | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Administration (occasional) |
| | 8543 | | | | AVInstaller | | Troubleshooting (frequent) |
| | 80, 443, 8778, 8779, 8780, 8781, 8580, 8543, 9443, 7778, 7779, 7780, and 7781 | | | | Enterprise Manager | | |
| Celerra | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | Note: NAS code 5.5.30.x and earlier supports only FTP; NAS code 5.5.31.x supports both FTP and SMTP for connect-home by using ESRS. |
| | Passive FTP | | | | | | |
| | SMTP | | | | | | |
| | All of: 80, 443, and 8000 | | Inbound | from ESRS | Celerra Manager (Web UI) | Remote support | Administration (occasional) |
| | 22 | | | | CLI (via SSH) | | Troubleshooting (frequent) |
| | 23 | This telnet port should be enabled only if SSH (port 22) cannot be used. | | | Telnet | | Troubleshooting (rare). Use only if CLI cannot be used |
| EMC Centera | SMTP | | Outbound | to Customer SMTP server | ConnectEMC | Service notification | N/A |
| | Both 3218 and 3682 | | | from ESRS | EMC Centera Viewer | Remote support | Diagnostics (frequent) |
| | 22 | | | | CLI (via SSH) | | Troubleshooting (frequent) |

| EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name | Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency) |
|---|---|---|---|---|---|---|---|
| CLARiiON and CLARiiON portion of EDL | HTTPS (a) | Service notification for CLARiiON and EDL is supported only on centrally managed devices via a management server. Distributed CLARiiON devices (including EDL) use ESRS or Customer email server (SMTP) for service notifications. | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | ConnectEMC, Navisphere SP Agent | | |
| | 13456 | | Inbound | from ESRS | KTCONS | Remote support | Troubleshooting (occasional) |
| | 22 (to run pling) | | | | | | |
| | Both 80 and 443, or optionally (depending on configuration), both 2162 and 2163 | For more information, refer to CLARiiON documentation. | | | Navisphere Manager; also allows Navisphere SecureCLI | | Administration (frequent), Troubleshooting (frequent) |
| | 9519 | | | | RemotelyAnywhere | | |
| | 5414 | | | | EMCRemote | | |
| | All of: 6389, 6390, 6391, and 6392 | | | | Navisphere CLI | | |
| | 60020 | | | | Remote Diagnostic Agent | | Diagnostics (occasional) |
| Navisphere Management Station | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | ConnectEMC, Navisphere SP Agent | | |
| Connectrix switch family | HTTPS (a) | When using Connectrix Manager | Outbound | to ESRS | ConnectEMC or DialEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 5414 | | Inbound | from ESRS | EMCRemote | Remote support | Troubleshooting (frequent) |
| Customer Management Station | 5414 | | Inbound | From ESRS | EMCRemote | Remote support | Troubleshooting (frequent) |
| | 9519 | | | | RemotelyAnywhere | | |
| | 3389 | | | | Remote Desktop | | |
| | 80, 443, 8443 | | | | WebHTTPHTTP | | |
| | 22 | | | | CLI (via SSH) | | |
| Data Domain | HTTPS | | Inbound | from ESRS | Enterprise Manager | Remote support | Administration (occasional), Troubleshooting (frequent) |
| | HTTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Administration (occasional), Troubleshooting (frequent) |
| DL3D Engine | SMTP | | Outbound | to Customer SMTP server | CentOS | Service notification | N/A |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 443 | | Inbound | | Secure Web UI | | |

| EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name | Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency) |
|---|---|---|---|---|---|---|---|
| DLm | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 80, 443, 8000 | | | | Celerra Manager | | |
| | 80, 443 | | | | DLmConsole | | |
| | 3389 | | | | Remote Desktop | | |
| DPA | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 9002, 9003, 9004 | | | | DPA GUI | | |
| | 3389 | | | | Remote Desktop | | |
| Elastic Cloud Storage (ECS) | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 80, 443, 4443 | | | | ECS UI | | |
| EDL Engine (except DL3D) | HTTPS (a) | Service notification for EDL is supported only on centrally managed devices via a management server. Distributed CLARiiON devices (including EDL) use ESRS or Customer email server (SMTP) for service notifications. | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 11576 | | | | EDL Mgt Console | | |
| Greenplum Data Computing Appliance (DCA) | HTTPS (a) | | Outbound | to Customer SMTP server | ConnectEMC | Service notification | NA |
| | Passive FTP | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Administration (occasional), Troubleshooting (frequent) |
| Invista Element Manager | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| Invista CPCs | 5414 | | Inbound | from ESRS | EMCRemote | Remote support | Troubleshooting (frequent) |
| | All of: 80, 443, 2162, and 2163 | | | | Invista Element Manager and InvistaSecCLI | | |
| | 5201 | | | | ClassicCLI | | |

| EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name | Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency) |
|---|---|---|---|---|---|---|---|
| Isilon | HTTPS (a) | ESRS team highly recommends using CEC-HTTPS transport protocol as FTP and SMTP are plain text protocols. | Outbound | to ESRS | ConnectEMC | Service notification | NA |
| | Passive FTP | | | | | | |
| | SMTP | | | | | | |
| | Managed File Transfer (MFT) 8118 | Within Isilon OneFS 7.1, the isi_gather_info script will send the Isilon log file back to EMC via MFT using port 8118 on the ESRS. All other Connect Homes will use ConnectEMC to send files to ESRS using HTTPS, Passive FTP, or SMTP. | | | ISI-Gather Log Process | Configuration information | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Administration (occasional) |
| | 8080 | | | | WEBUI | | Troubleshooting (frequent) |
| RecoverPoint | SMTP | | Outbound | to ESRS | | Service notification | N/A |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 80, 443, and 7225 | | | | RecoverPoint Management GUI | | |
| Switch Brocade-B | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 23. Note: If managed by Connectrix Manager, use port 5414 | This telnet port should be enabled only if SSH (port 22) cannot be used. | | | Telnet | | Troubleshooting (rare). Use only if CLI cannot be used |
| Switch Cisco | SMTP | | Outbound | to Customer SMTP server | | | N/A |
| | 22 | SSH must be enabled and configured. | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 23 | This telnet port should be enabled only if SSH (port 22) cannot be used. | | | Telnet | | Troubleshooting (rare). Use only if CLI cannot be used |
| Symmetrix | HTTPS (a) | | Outbound | to ESRS | ConnectEMC or DialEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | | | | | |
| | 9519 | | Inbound | from ESRS | RemotelyAnywhere | Remote support | Troubleshooting (frequent) |
| | 5414 | | | | EMCRemote | | |
| | All of: 1300, 1400, 4444, 5555, 7000, 23003, 23004, and 23005 | | | | SGBD/Swuch/Chat Server/Remote Browser/InlineCS | | Advanced troubleshooting (by EMC Symmetrix Engineering) (rare) |
| ViPR | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 443, 4443, 80 | | | | ViPR Management GUI (ViPR UI) | | |

| EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name | Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency) |
|---|---|---|---|---|---|---|---|
| ViPR SRM | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| VMAX3 | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | NA |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 5414 | | | | EMCRemote | | |
| | 4444, 5555, 7000 | | | | InlineCS | | |
| | 7000 | | | | RemoteBrowser | | |
| | 9519 | | | | RemotelyAnywhere | | |
| | 5555, 23004, 23003, 1300 | | | | SGDB | | |
| | 5555, 23004 | | | | SWUCH | | |
| VMAX Cloud Edition (CE) | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | NA |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 443, 8443, 22, 80, 903, 8080, 10080, 10443, 902 | | | | VClient | | Administration (frequent) |
| | 443 | | | | WebHostLogAccess (Primary) | | |
| | 443 | | | | WebHostAccess | | |
| | 9443, 443, 80 | | | | WebVClient | | |
| | 5480 | | | | vAppAccess (Primary) | | |
| VNX | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 13456 | | Inbound | from ESRS | KTCONS | Remote support | Troubleshooting (occasional) |
| | 13456, 13457 | | | | RemoteKTrace | | Administration (frequent), Troubleshooting (frequent) |
| | 9519 | | | | Remotely-Anywhere | | |
| | 22 | | | | CLI (via SSH) | | |
| | 80, 443, 2162, 2163, 8000 | | | | Unisphere/USM/Navisphere SecureCLI | | |
| | 6391, 6392, 60020 | | | | Remote Diagnostic Agent | | Diagnostics (occasional) |

| EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name | Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency) |
|---|---|---|---|---|---|---|---|
| VNXe | HTTPS (a) | | Outbound | to Customer SMTP server | ConnectEMC | Service notification | N/A |
| | Passive FTP | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Administration (occasional) |
| | 80 and 443 | | | | Unisphere | | Troubleshooting (frequent) |
| VPLEX | SMTP | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | | | | | CLI (via SSH) | | |
| | 443 | | Inbound | from ESRS | Invista Element Manager | Remote support | Troubleshooting (frequent) |
| | 22 | | | | CLI (via SSH) | | Advanced troubleshooting (by EMC Symmetrix Engineering) (rare) |
| VSPEX BLUE | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP | | | | | | |
| | SMTP | | | | | | |
| | 22 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 5900, 5901 | | | | VNC | | |
| XtremIO | HTTPS (a) | | Outbound | to ESRS | ConnectEMC | Service notification | N/A |
| | Passive FTP (a) | | | | | | |
| | SMTP | | | | | | |
| | 22, 80, 443 | | Inbound | from ESRS | CLI (via SSH) | Remote support | Troubleshooting (frequent) |
| | 80, 443, 42502 | | | | XTREMIO GUI | | |

a. Use of HTTPS for service notifications is dependent on the version of ConnectEMC used by the managed device. Refer to product documentation. The default port for HTTPS is 443. The value for Passive Port Range in FTP is set to 21 and 5400 through 5413. This range indicates the data channel ports available for response to PASV commands. These ports are used for passive mode FTP of connect-home messages as well as for the GWExt loading and output.
Copyright 2015 EMC Corporation. All rights reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
For the most up-to-date regulatory document for your product line, go to Technical Documentation and Advisories section on the EMC Online Support Site (support.emc.com).
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.