Docu37729 EMC Secure Remote Support 2.26 Port Requirements

This document contains supplemental information about the EMCSecure Remote Support (ESRS). It includes the following topics:

◆ Communication between the Gateway Client and EMC ............... 2◆ Communication between the Gateway Client and Policy Manager 2◆ Communication between the Gateway Client and devices ........... 2◆ Port requirements for Gateway Client and Policy Manager servers 4◆ Port requirements for devices............................................................. 6

Note: Some ports used by the Gateway Client and devices may be registered foruse by other parties, or may not be registered by EMC. EMC is addressing theseregistration issues. In the meantime, be aware that all ports listed for use byGateway Client servers and devices will be in use by the EMC applicationslisted.

EMC® Secure Remote SupportRelease 2.26

Port Requirements

Rev 01

November 18,2013

1

2

Communication between the Gateway Client and EMC

Communication between the Gateway Client and EMCTo enable communication between your Gateway Client and EMC,you must configure your external and/or firewalls to allow trafficover the specific ports as shown in Table 1 on page 4. These tablesidentify the installation site network firewall configuration open-portrequirements for ESRS. The protocol/ports number and direction areidentified relative to EMC Gateway Client servers and storagedevices. Figure 1 on page 3 shows the communication paths.

Communication between the Gateway Client and PolicyManager

To enable communication between your Gateway Client and EMC,you must configure your internal firewalls to allow traffic over thespecific ports as shown in Table 1 on page 4. These tables identify theinstallation site network firewall configuration open-portrequirements for ESRS. The protocol/ports number and direction areidentified relative to EMC Gateway Client servers and storagedevices. Figure 1 on page 3 shows the communication paths.

Communication between the Gateway Client and devicesThere are two connection requirements between the Gateway Clientserver and your managed devices:

The first is the communication between the Gateway Client and yourmanaged devices for remote access connections. The Gateway Clientsecures remote access connections to your EMC® devices by using asession-based IP port-mapped solution.

The second communication requirement is between the GatewayClient and your managed devices for connect home messages. TheGateway Client brokers connect home file transfers from yourmanaged devices that support callhome thru the ESRS GatewayClient, ensuring secure encryption, authorization, and auditing forthose transfers.

To enable communication between your Gateway Client and yourdevices, you must configure your internal firewalls to allow trafficover the specific ports as shown in Table 1 on page 4 and Table 2 onpage 6. These tables identify the installation site network firewall

EMC Secure Remote Support Release 2.26 Port Requirements

Communication between the Gateway Client and devices

configuration open-port requirements for ESRS IP. Theprotocol/ports number and direction are identified relative to EMCGateway Client servers and storage devices. Figure 1 on page 3shows the communication paths.

Note: See Primus emc238467, “What IP addresses are used by the EMCSecure Remote Support IP Solution.” You can access this Primus atknowledgeBase.emc.com.

Figure 1 Port diagram for generic EMC managed product

PS0 PS1 PS2 PS3 PS4 SMB0 SMB1

SB

0

SB

1

SB

2

SB

3

SB

4

SB

5

SB

6

SB

7

SB

8

SB

9

SB

10

SB

11

SB

12

SB

13

SB

14

SB

15

443 / 8443

Internet

ESRS

infrastructure

Customer site EMC

GatewayClient

servers(HA pair)

EMCproduct

EMC product + Direction : Inbound(Ex Connectrix: 5414)

[21, 5400-5413] [25] [443]

ConfigurableDefault HTTP = 8090Default HTTPS = 8443

PolicyManager

to E-mailserver

25

3EMC Secure Remote Support Release 2.26 Port Requirements

4

Port requirements for Gateway Client and Policy Manager servers

Port requirements for Gateway Client and Policy Managerservers

Table 1 on page 4 lists the port requirements for the Gateway Clientand Policy Manager servers.

Table 1 Port requirements for Gateway Client and Policy Manager servers

EMCproduct

TCP portor Protocol Notes for port settings

Directionopen

Source -or-Destination

Applicationname

Communication(networktraffic)type

Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)

GatewayClient

HTTPS 443 See Primus emc238467, “What IPaddresses are used by the EMC SecureRemote Support IP Solution.” You canaccess this Primus onknowledgeBase.emc.com.

Outbound to EMC Client service Servicenotification,setup, all trafficexcept remotesupport

N/A

HTTPS 443 and8443

See Primus emc238467, “What IPaddresses are used by the EMC SecureRemote Support IP Solution.” You canaccess this Primus onknowledgeBase.emc.com.

Outbound to EMC GlobalAccess Servers(GAS)

Client service Remotesupport

N/A

IMPORTANT:Port 8443 is not required for functionality, however withoutthis port being opened, there will be a significant decrease inremote support performance, which will directly impact timeto resolve issues on the end devices.

HTTPS 443 Use of HTTPS for service notificationsinbound is dependent on the version ofConnectEMC used by the manageddevice. Refer to product documentation.

Inbound fromManageddevice (EMCproduct)

ESRSHTTP Servicenotificationfrom device

N/A

Passive FTPports: 21,5400–5413

During the ESRS-IP installer execution,the value for Passive Port Range in FTP isset to 21 and 5400 through 5413. Thisrange indicates the data channel portsavailable for response to PASVcommands. See RFC 959 for passive FTPdefinition. These ports are used forpassive mode FTP of call home messagesas well as for the GWExt loading andoutput. GWExt uses HTTPS by default butcan be configured to use FTP.

Windows-GW:Microsoft IIS FTP

Linux-GW: vsftpd

SMTP 25 Windows-GW:Microsoft IISSMTP

Linux-GW: postfix

IMPORTANT:When opening ports for devices in Table 2, also open thesame ports on the Gateway Client server, identified as“Inbound from Gateway Client server”

Outbound toManageddevice

Client service Remotesupport fordevice

N/A

HTTP(configurable)Default = 8090

Outbound toPolicy Manager

Client service Policy query N/A

HTTPS 8443

HTTP 8118 To support ESRS Gateway proxy. Inbound ToGateway

Proxy client ServiceeLicensingrequests

N/A


Port requirements for Gateway Client and Policy Manager servers

PolicyManager

HTTP(configurable)Default = 8090

Inbound from ESRS IPClients(and customerbrowser)

Policy Managerservice

Policy query(and policymanagementby customer)

N/A

HTTPS 8443

SMTP 25 Outbound to Customeremail server

Action request

Table 1 Port requirements for Gateway Client and Policy Manager servers

EMCproduct


Directionopen


Applicationname

Communication(networktraffic)type



6

Port requirements for devices

Port requirements for devicesTable 2 on page 6 lists the port requirements for EMC devices.

Table 2 Port requirements for devices

EMCproduct


Directionopen


Applicationname

Communi-cation(networktraffic)type


Atmos® HTTPSa Outbound toGateway Client

ConnectEMC Servicenotification

NA

Passive FTP

SMTP to GatewayClient or toCustomerSMTP server

22 Inbound fromGateway Client

CLI (via SSH) Remotesupport

Administration (occasional)

443 SecureWebUI Troubleshooting (frequent)

Avamar® HTTPSa Outbound toGateway Client


NA

Passive FTP

SMTP to GatewayClient or toCustomerSMTP server




8543 AVInstaller Troubleshooting (frequent)

80,443, 8778,8779, 8780,8781, 8580,8543, 9443,7778, 7779,7780, and 7781

EnterpriseManager

Celerra® HTTPSa Outbound toGateway Client


Note: NAS code 5.5.30.x andearlier supports only FTP;NAS code 5.5.31.x supportsboth FTP and SMTP forcallhome by using theGateway Client.

Passive FTP

SMTP

All of: 80, 443,and 8000

Inbound fromGateway Client

Celerra Manager(Web UI)

Remotesupport


22 CLI (via SSH) Troubleshooting (frequent)

23 This telnet port should be enabled onlyif SSH (port 22) cannot be used.

Telnet Troubleshooting (rare)Use only if CLI cannot beused

EMCCentera®

SMTP Outbound to CustomerSMTP server


N/A

Both 3218 and3682

fromGateway Client

EMC CenteraViewer

Remotesupport

Diagnostics (frequent)

22 CLI (via SSH) Troubleshooting (frequent)



CLARiiON®

andCLARiiONportion ofEDL

HTTPSa Service notification for CLARiiON andEDL is supported only on centrallymanaged devices via a managementserver. Distributed CLARiiON devices(including EDL) use Gateway Client orCustomer email server (SMTP) forservice notifications.

Outbound toGateway Client


N/A

Passive FTPb

SMTPc ConnectEMC,Navisphere® SPAgent

1345622 (to run pling)

Inbound fromGateway Client

KTCONS Remotesupport

Troubleshooting (occasional)

Both 80 and443, oroptionally(depending onconfiguration),both 2162 and2163

For more information, refer to CLARiiONdocumentation.

NavisphereManager;also allowsNavisphereSecureCLI

Administration (frequent)

Troubleshooting (frequent)

9519 RemotelyAnywhere

5414 EMCRemote

All of: 6389,6390, 6391, and6392

Navisphere CLI

60020 RemoteDiagnostic Agent

Diagnostics (occasional)

NavisphereManage-mentStation

HTTPSa Outbound toGateway Client


N/A

Passive FTPb

SMTPc ConnectEMC,Navisphere SPAgent

Connectrix®

switchfamily


ConnectEMC orDialEMC

Servicenotification

N/A

Passive FTPb

SMTPc


EMCRemote Remotesupport


CustomerManage-mentStation

5414 Inbound FromGateway Client



9519 Remotely-Anywhere

3389 RemoteDesktop

80, 443, 8443 WebHTTPHTTP

22 CLI (via SSH)

DataDomain

HTTPS Inbound fromGateway Client

EnterpriseManager

Remotesupport

Administration (occasional)Troubleshooting (frequent)HTTP



Administration (occasional)Troubleshooting (frequent)

DL3DEngine

SMTPc Outbound to CustomerSMTP server

CentOS Servicenotification

N/A




443 Inbound Secure Web UI

EMCproduct


Directionopen


Applicationname




8


DLm HTTPSa Outbound toGateway Client


N/A

Passive FTPb

SMTPc




80, 443, 8000 Celerra Manager

80,443 DLmConsole

EDLEngine(exceptDL3D)

HTTPSa Service notification for EDL is supportedonly on centrally managed devices via amanagement server. DistributedCLARiiON devices (including EDL) useGateway Client or Customer emailserver (SMTP) for service notifications.



N/A

Passive FTPb

SMTPc




11576 EDL Mgt Console

GreenplumDataComputingAppliance(DCA)®

HTTPSa Outbound to CustomerSMTP server


NA

Passive FTP

SMTP





Invista®

ElementManager



N/A

Passive FTPb

SMTPc

InvistaCPCs




All of: 80, 443,2162, and 2163

Invista ElementManager andInvistaSecCLI

5201 ClassicCLI

Isilon® HTTPSa ESRS team highly recommends usingCEC- HTTPS transport protocol as FTPand SMTP are plain text protocols.



NA

Passive FTP

SMTP

Managed FileTransfer (MFT)8118

Within Isilon OneFS 7.1, theisi_gather_info script will send the Isilonlog file back to EMC via MFT using port8118 on the ESRS Gateway. All otherConnect Homes will use ConnectEMCto send files to the Gateway usingHTTPS, Passive FTP, or SMTP.

ISI-Gather LogProcess

Configurationinformation




8080 WEBUI Troubleshooting (frequent)

Recover-Point

SMTPc Outbound toGateway Client

Servicenotification

N/A




80, 443, and7225

RecoverPointManagement GUI

EMCproduct


Directionopen


Applicationname





Switch–Brocade-B




23Note: Ifmanaged byConnectrixManager, useport 5414

This telnet port should be enabled only ifSSH (port 22) cannot be used.


Switch–Cisco

SMTPc Outbound to CustomerSMTP server

N/A

22 SSH must be enabled and configured. Inbound fromGateway Client



23 This telnet port should be enabled only ifSSH (port 22) cannot be used.


Symmetrix® HTTPSa Outbound toGateway Client

ConnectEMC orDialEMC

Servicenotification

N/A

Passive FTPb

SMTPc


RemotelyAnywhere

Remotesupport


5414 EMCRemote

All of: 1300,1400, 4444,5555, 7000,23003, 23004,and 23005

SGBD/Swuch/Chat Server/Remote Browser/InlineCS

Advanced troubleshooting (byEMC Symmetrix Engineering)(rare)

ViPR HTTPSa Outbound toGateway Client


N/A

Passive FTPb

SMTPc




443, 4443, 80 ViPRManagement GUI(ViPRUI)

VMAX®

CloudEdition (CE)



NA

Passive FTPb

SMTPc




443, 8443, 22,80, 903, 8080,10080, 10443,902

VClient Administration (frequent)

443 WebHostLogAccess (Primary)

443 WebHostAccess

9443, 443, 80 WebVClient

5480 vAppAccess(Primary)

EMCproduct


Directionopen


Applicationname




10


VNX® HTTPSa Outbound toGateway Client


N/A

Passive FTPb

SMTPc


KTCONS Remotesupport

Troubleshooting (occasional)

13456, 13457 RemoteKTrace Administration (frequent)


9519 Remotely-Anywhere

22 CLI (via SSH)

80, 443, 2162,2163, 8000

Unisphere/USM/NavisphereSecureCLI

6391,6392,60020

RemoteDiagnostic Agent

Diagnostics (occasional)

VNXe® HTTPSa Outbound to CustomerSMTP server


NA

Passive FTP

SMTP




80 and 443 Unisphere Troubleshooting (frequent)

VPLEX® SMTP Outbound toGateway Client


N/A

CLI (via SSH)

443 Inbound from GatewayClient

Invista ElementManager

Remotesupport


22 CLI (via SSH) Advanced troubleshooting (byEMC Symmetrix Engineering)(rare)

XtremIO® HTTPSa Outbound toGateway Client


N/A

Passive FTPb

SMTPc

22, 80 Inbound fromGateway Client



80, 443, 42502 XTREMIOGUI

a. Use of HTTPS for service notifications is dependent on the version of ConnectEMC used by the managed device. Refer to productdocumentation. The default port for HTTPS is 443.

b. During the ESRS-IP Windows installer execution, the value for Passive Port Range in IIS FTP is set to 21 and 5400 through 5413.This range indicates the data channel ports available for response to PASV commands. See RFC 959 for passive FTP definition.These ports are used for passive mode FTP of call home messages as well as for the GWExt loading and output.

During the ESRS-IP Linux installer execution, the installer autoconfigures FTP settings only if vsftpd is available on the system. Thesame port range as Windows will be set up in this case.

c. Port 25 needs to be open to the ESRS gateway server or Customers SMTP server, only from the Fabric Manager Server or ECC.The protocol SMTP is assigned the service port 25, used for Outbound Service Notification to Gateway Client or email server.

Linux Gateway installation autoconfigures SMTP service only if postfix is available on the system.

EMCproduct


Directionopen


Applicationname





Copyright © 2013 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information issubject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NOREPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION INTHIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicablesoftware license.

For the most up-to-date regulatory document for your product line, go to Technical Documentation andAdvisories section on the EMC Online Support Site (support.emc.com).

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.


12



Documents

Docu37729 EMC Secure Remote Support 2.26 Port Requirements