Upload
arul-kurian-raj
View
554
Download
1
Embed Size (px)
DESCRIPTION
ESRS Port Requirement for EMC Products
Citation preview
This document contains supplemental information about the EMCSecure Remote Support (ESRS). It includes the following topics:
◆ Communication between the Gateway Client and EMC ............... 2◆ Communication between the Gateway Client and Policy Manager 2◆ Communication between the Gateway Client and devices ........... 2◆ Port requirements for Gateway Client and Policy Manager servers 4◆ Port requirements for devices............................................................. 6
Note: Some ports used by the Gateway Client and devices may be registered foruse by other parties, or may not be registered by EMC. EMC is addressing theseregistration issues. In the meantime, be aware that all ports listed for use byGateway Client servers and devices will be in use by the EMC applicationslisted.
EMC® Secure Remote SupportRelease 2.26
Port Requirements
Rev 01
November 18,2013
1
2
Communication between the Gateway Client and EMC
Communication between the Gateway Client and EMCTo enable communication between your Gateway Client and EMC,you must configure your external and/or firewalls to allow trafficover the specific ports as shown in Table 1 on page 4. These tablesidentify the installation site network firewall configuration open-portrequirements for ESRS. The protocol/ports number and direction areidentified relative to EMC Gateway Client servers and storagedevices. Figure 1 on page 3 shows the communication paths.
Communication between the Gateway Client and PolicyManager
To enable communication between your Gateway Client and EMC,you must configure your internal firewalls to allow traffic over thespecific ports as shown in Table 1 on page 4. These tables identify theinstallation site network firewall configuration open-portrequirements for ESRS. The protocol/ports number and direction areidentified relative to EMC Gateway Client servers and storagedevices. Figure 1 on page 3 shows the communication paths.
Communication between the Gateway Client and devicesThere are two connection requirements between the Gateway Clientserver and your managed devices:
The first is the communication between the Gateway Client and yourmanaged devices for remote access connections. The Gateway Clientsecures remote access connections to your EMC® devices by using asession-based IP port-mapped solution.
The second communication requirement is between the GatewayClient and your managed devices for connect home messages. TheGateway Client brokers connect home file transfers from yourmanaged devices that support callhome thru the ESRS GatewayClient, ensuring secure encryption, authorization, and auditing forthose transfers.
To enable communication between your Gateway Client and yourdevices, you must configure your internal firewalls to allow trafficover the specific ports as shown in Table 1 on page 4 and Table 2 onpage 6. These tables identify the installation site network firewall
EMC Secure Remote Support Release 2.26 Port Requirements
Communication between the Gateway Client and devices
configuration open-port requirements for ESRS IP. Theprotocol/ports number and direction are identified relative to EMCGateway Client servers and storage devices. Figure 1 on page 3shows the communication paths.
Note: See Primus emc238467, “What IP addresses are used by the EMCSecure Remote Support IP Solution.” You can access this Primus atknowledgeBase.emc.com.
Figure 1 Port diagram for generic EMC managed product
PS0 PS1 PS2 PS3 PS4 SMB0 SMB1
SB
0
SB
1
SB
2
SB
3
SB
4
SB
5
SB
6
SB
7
SB
8
SB
9
SB
10
SB
11
SB
12
SB
13
SB
14
SB
15
443 / 8443
Internet
ESRS
infrastructure
Customer site EMC
GatewayClient
servers(HA pair)
EMCproduct
EMC product + Direction : Inbound(Ex Connectrix: 5414)
[21, 5400-5413] [25] [443]
ConfigurableDefault HTTP = 8090Default HTTPS = 8443
PolicyManager
to E-mailserver
25
3EMC Secure Remote Support Release 2.26 Port Requirements
4
Port requirements for Gateway Client and Policy Manager servers
Port requirements for Gateway Client and Policy Managerservers
Table 1 on page 4 lists the port requirements for the Gateway Clientand Policy Manager servers.
Table 1 Port requirements for Gateway Client and Policy Manager servers
EMCproduct
TCP portor Protocol Notes for port settings
Directionopen
Source -or-Destination
Applicationname
Communication(networktraffic)type
Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)
GatewayClient
HTTPS 443 See Primus emc238467, “What IPaddresses are used by the EMC SecureRemote Support IP Solution.” You canaccess this Primus onknowledgeBase.emc.com.
Outbound to EMC Client service Servicenotification,setup, all trafficexcept remotesupport
N/A
HTTPS 443 and8443
See Primus emc238467, “What IPaddresses are used by the EMC SecureRemote Support IP Solution.” You canaccess this Primus onknowledgeBase.emc.com.
Outbound to EMC GlobalAccess Servers(GAS)
Client service Remotesupport
N/A
IMPORTANT:Port 8443 is not required for functionality, however withoutthis port being opened, there will be a significant decrease inremote support performance, which will directly impact timeto resolve issues on the end devices.
HTTPS 443 Use of HTTPS for service notificationsinbound is dependent on the version ofConnectEMC used by the manageddevice. Refer to product documentation.
Inbound fromManageddevice (EMCproduct)
ESRSHTTP Servicenotificationfrom device
N/A
Passive FTPports: 21,5400–5413
During the ESRS-IP installer execution,the value for Passive Port Range in FTP isset to 21 and 5400 through 5413. Thisrange indicates the data channel portsavailable for response to PASVcommands. See RFC 959 for passive FTPdefinition. These ports are used forpassive mode FTP of call home messagesas well as for the GWExt loading andoutput. GWExt uses HTTPS by default butcan be configured to use FTP.
Windows-GW:Microsoft IIS FTP
Linux-GW: vsftpd
SMTP 25 Windows-GW:Microsoft IISSMTP
Linux-GW: postfix
IMPORTANT:When opening ports for devices in Table 2, also open thesame ports on the Gateway Client server, identified as“Inbound from Gateway Client server”
Outbound toManageddevice
Client service Remotesupport fordevice
N/A
HTTP(configurable)Default = 8090
Outbound toPolicy Manager
Client service Policy query N/A
HTTPS 8443
HTTP 8118 To support ESRS Gateway proxy. Inbound ToGateway
Proxy client ServiceeLicensingrequests
N/A
EMC Secure Remote Support Release 2.26 Port Requirements
Port requirements for Gateway Client and Policy Manager servers
PolicyManager
HTTP(configurable)Default = 8090
Inbound from ESRS IPClients(and customerbrowser)
Policy Managerservice
Policy query(and policymanagementby customer)
N/A
HTTPS 8443
SMTP 25 Outbound to Customeremail server
Action request
Table 1 Port requirements for Gateway Client and Policy Manager servers
EMCproduct
TCP portor Protocol Notes for port settings
Directionopen
Source -or-Destination
Applicationname
Communication(networktraffic)type
Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)
5EMC Secure Remote Support Release 2.26 Port Requirements
6
Port requirements for devices
Port requirements for devicesTable 2 on page 6 lists the port requirements for EMC devices.
Table 2 Port requirements for devices
EMCproduct
TCP portor Protocol Notes for port settings
Directionopen
Source -or-Destination
Applicationname
Communi-cation(networktraffic)type
Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)
Atmos® HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
NA
Passive FTP
SMTP to GatewayClient or toCustomerSMTP server
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Administration (occasional)
443 SecureWebUI Troubleshooting (frequent)
Avamar® HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
NA
Passive FTP
SMTP to GatewayClient or toCustomerSMTP server
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Administration (occasional)
8543 AVInstaller Troubleshooting (frequent)
80,443, 8778,8779, 8780,8781, 8580,8543, 9443,7778, 7779,7780, and 7781
EnterpriseManager
Celerra® HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
Note: NAS code 5.5.30.x andearlier supports only FTP;NAS code 5.5.31.x supportsboth FTP and SMTP forcallhome by using theGateway Client.
Passive FTP
SMTP
All of: 80, 443,and 8000
Inbound fromGateway Client
Celerra Manager(Web UI)
Remotesupport
Administration (occasional)
22 CLI (via SSH) Troubleshooting (frequent)
23 This telnet port should be enabled onlyif SSH (port 22) cannot be used.
Telnet Troubleshooting (rare)Use only if CLI cannot beused
EMCCentera®
SMTP Outbound to CustomerSMTP server
ConnectEMC Servicenotification
N/A
Both 3218 and3682
fromGateway Client
EMC CenteraViewer
Remotesupport
Diagnostics (frequent)
22 CLI (via SSH) Troubleshooting (frequent)
EMC Secure Remote Support Release 2.26 Port Requirements
Port requirements for devices
CLARiiON®
andCLARiiONportion ofEDL
HTTPSa Service notification for CLARiiON andEDL is supported only on centrallymanaged devices via a managementserver. Distributed CLARiiON devices(including EDL) use Gateway Client orCustomer email server (SMTP) forservice notifications.
Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc ConnectEMC,Navisphere® SPAgent
1345622 (to run pling)
Inbound fromGateway Client
KTCONS Remotesupport
Troubleshooting (occasional)
Both 80 and443, oroptionally(depending onconfiguration),both 2162 and2163
For more information, refer to CLARiiONdocumentation.
NavisphereManager;also allowsNavisphereSecureCLI
Administration (frequent)
Troubleshooting (frequent)
9519 RemotelyAnywhere
5414 EMCRemote
All of: 6389,6390, 6391, and6392
Navisphere CLI
60020 RemoteDiagnostic Agent
Diagnostics (occasional)
NavisphereManage-mentStation
HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc ConnectEMC,Navisphere SPAgent
Connectrix®
switchfamily
HTTPSa Outbound toGateway Client
ConnectEMC orDialEMC
Servicenotification
N/A
Passive FTPb
SMTPc
5414 Inbound fromGateway Client
EMCRemote Remotesupport
Troubleshooting (frequent)
CustomerManage-mentStation
5414 Inbound FromGateway Client
EMCRemote Remotesupport
Troubleshooting (frequent)
9519 Remotely-Anywhere
3389 RemoteDesktop
80, 443, 8443 WebHTTPHTTP
22 CLI (via SSH)
DataDomain
HTTPS Inbound fromGateway Client
EnterpriseManager
Remotesupport
Administration (occasional)Troubleshooting (frequent)HTTP
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Administration (occasional)Troubleshooting (frequent)
DL3DEngine
SMTPc Outbound to CustomerSMTP server
CentOS Servicenotification
N/A
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
443 Inbound Secure Web UI
EMCproduct
TCP portor Protocol Notes for port settings
Directionopen
Source -or-Destination
Applicationname
Communi-cation(networktraffic)type
Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)
7EMC Secure Remote Support Release 2.26 Port Requirements
8
Port requirements for devices
DLm HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
80, 443, 8000 Celerra Manager
80,443 DLmConsole
EDLEngine(exceptDL3D)
HTTPSa Service notification for EDL is supportedonly on centrally managed devices via amanagement server. DistributedCLARiiON devices (including EDL) useGateway Client or Customer emailserver (SMTP) for service notifications.
Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
11576 EDL Mgt Console
GreenplumDataComputingAppliance(DCA)®
HTTPSa Outbound to CustomerSMTP server
ConnectEMC Servicenotification
NA
Passive FTP
SMTP
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Administration (occasional)
Troubleshooting (frequent)
Invista®
ElementManager
HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc
InvistaCPCs
5414 Inbound fromGateway Client
EMCRemote Remotesupport
Troubleshooting (frequent)
All of: 80, 443,2162, and 2163
Invista ElementManager andInvistaSecCLI
5201 ClassicCLI
Isilon® HTTPSa ESRS team highly recommends usingCEC- HTTPS transport protocol as FTPand SMTP are plain text protocols.
Outbound toGateway Client
ConnectEMC Servicenotification
NA
Passive FTP
SMTP
Managed FileTransfer (MFT)8118
Within Isilon OneFS 7.1, theisi_gather_info script will send the Isilonlog file back to EMC via MFT using port8118 on the ESRS Gateway. All otherConnect Homes will use ConnectEMCto send files to the Gateway usingHTTPS, Passive FTP, or SMTP.
ISI-Gather LogProcess
Configurationinformation
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Administration (occasional)
8080 WEBUI Troubleshooting (frequent)
Recover-Point
SMTPc Outbound toGateway Client
Servicenotification
N/A
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
80, 443, and7225
RecoverPointManagement GUI
EMCproduct
TCP portor Protocol Notes for port settings
Directionopen
Source -or-Destination
Applicationname
Communi-cation(networktraffic)type
Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)
EMC Secure Remote Support Release 2.26 Port Requirements
Port requirements for devices
Switch–Brocade-B
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
23Note: Ifmanaged byConnectrixManager, useport 5414
This telnet port should be enabled only ifSSH (port 22) cannot be used.
Telnet Troubleshooting (rare)Use only if CLI cannot beused
Switch–Cisco
SMTPc Outbound to CustomerSMTP server
N/A
22 SSH must be enabled and configured. Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
23 This telnet port should be enabled only ifSSH (port 22) cannot be used.
Telnet Troubleshooting (rare)Use only if CLI cannot beused
Symmetrix® HTTPSa Outbound toGateway Client
ConnectEMC orDialEMC
Servicenotification
N/A
Passive FTPb
SMTPc
9519 Inbound fromGateway Client
RemotelyAnywhere
Remotesupport
Troubleshooting (frequent)
5414 EMCRemote
All of: 1300,1400, 4444,5555, 7000,23003, 23004,and 23005
SGBD/Swuch/Chat Server/Remote Browser/InlineCS
Advanced troubleshooting (byEMC Symmetrix Engineering)(rare)
ViPR HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
443, 4443, 80 ViPRManagement GUI(ViPRUI)
VMAX®
CloudEdition (CE)
HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
NA
Passive FTPb
SMTPc
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
443, 8443, 22,80, 903, 8080,10080, 10443,902
VClient Administration (frequent)
443 WebHostLogAccess (Primary)
443 WebHostAccess
9443, 443, 80 WebVClient
5480 vAppAccess(Primary)
EMCproduct
TCP portor Protocol Notes for port settings
Directionopen
Source -or-Destination
Applicationname
Communi-cation(networktraffic)type
Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)
9EMC Secure Remote Support Release 2.26 Port Requirements
10
Port requirements for devices
VNX® HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc
13456 Inbound fromGateway Client
KTCONS Remotesupport
Troubleshooting (occasional)
13456, 13457 RemoteKTrace Administration (frequent)
Troubleshooting (frequent)
9519 Remotely-Anywhere
22 CLI (via SSH)
80, 443, 2162,2163, 8000
Unisphere/USM/NavisphereSecureCLI
6391,6392,60020
RemoteDiagnostic Agent
Diagnostics (occasional)
VNXe® HTTPSa Outbound to CustomerSMTP server
ConnectEMC Servicenotification
NA
Passive FTP
SMTP
22 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Administration (occasional)
80 and 443 Unisphere Troubleshooting (frequent)
VPLEX® SMTP Outbound toGateway Client
ConnectEMC Servicenotification
N/A
CLI (via SSH)
443 Inbound from GatewayClient
Invista ElementManager
Remotesupport
Troubleshooting (frequent)
22 CLI (via SSH) Advanced troubleshooting (byEMC Symmetrix Engineering)(rare)
XtremIO® HTTPSa Outbound toGateway Client
ConnectEMC Servicenotification
N/A
Passive FTPb
SMTPc
22, 80 Inbound fromGateway Client
CLI (via SSH) Remotesupport
Troubleshooting (frequent)
80, 443, 42502 XTREMIOGUI
a. Use of HTTPS for service notifications is dependent on the version of ConnectEMC used by the managed device. Refer to productdocumentation. The default port for HTTPS is 443.
b. During the ESRS-IP Windows installer execution, the value for Passive Port Range in IIS FTP is set to 21 and 5400 through 5413.This range indicates the data channel ports available for response to PASV commands. See RFC 959 for passive FTP definition.These ports are used for passive mode FTP of call home messages as well as for the GWExt loading and output.
During the ESRS-IP Linux installer execution, the installer autoconfigures FTP settings only if vsftpd is available on the system. Thesame port range as Windows will be set up in this case.
c. Port 25 needs to be open to the ESRS gateway server or Customers SMTP server, only from the Fabric Manager Server or ECC.The protocol SMTP is assigned the service port 25, used for Outbound Service Notification to Gateway Client or email server.
Linux Gateway installation autoconfigures SMTP service only if postfix is available on the system.
EMCproduct
TCP portor Protocol Notes for port settings
Directionopen
Source -or-Destination
Applicationname
Communi-cation(networktraffic)type
Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)
EMC Secure Remote Support Release 2.26 Port Requirements
Port requirements for devices
Copyright © 2013 EMC Corporation. All rights reserved.
EMC believes the information in this publication is accurate as of its publication date. The information issubject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NOREPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION INTHIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicablesoftware license.
For the most up-to-date regulatory document for your product line, go to Technical Documentation andAdvisories section on the EMC Online Support Site (support.emc.com).
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
11EMC Secure Remote Support Release 2.26 Port Requirements
12
Port requirements for devices
EMC Secure Remote Support Release 2.26 Port Requirements