emc secure remote services 3.04 port requirements

This document contains supplemental information about the EMCSecure Remote Services v3.04 (ESRS v3.04). ESRS v3.04 is the virtualedition of ESRS. This document includes the following topics:

Communication between ESRS and EMC ........................................ 2 Communication between ESRS and Policy Manager ..................... 2 Communication between ESRS and devices .................................... 2 Port requirements for ESRS and Policy Manager (PM) servers..... 4 Port requirements for devices............................................................. 6

Note: Some ports used by ESRS and devices may be registered for use by otherparties, or may not be registered by EMC. EMC is addressing these registrationissues. In the meantime, be aware that all ports listed for use by the ESRS serversand devices will be in use by the EMC applications listed.

EMC Secure Remote ServicesRelease 3.04

Port Requirements

Rev 02

March 23, 20151

2Communication between ESRS and EMC

Communication between ESRS and EMCTo enable communication between your EMC Secure RemoteServices (ESRS) and EMC, you must configure your external networkand/or firewalls to allow traffic over the specific ports as shown inTable 1 on page 4. These tables identify the installation site networkfirewall configuration open-port requirements for ESRS. Theprotocol/ports number and direction are identified relative to theESRS servers and storage devices. Figure 1 on page 3 shows thecommunication paths.

Communication between ESRS and Policy ManagerTo enable communication between ESRS and Policy Manager, youmust configure your internal firewalls to allow traffic over thespecific ports as shown in Table 1 on page 4. These tables identify theinstallation site network firewall configuration open-portrequirements for ESRS. The protocol/ports number and direction areidentified relative to the ESRS servers and storage devices. Figure 1on page 3 shows the communication paths.

Communication between ESRS and devicesThere are two connection requirements between the ESRS server andyour managed devices:

The first is the communication between ESRS and your manageddevices for remote access connections. ESRS secures remote accessconnections to your EMC devices by using a session-based IPport-mapped solution.

The second communication requirement is between ESRS and yourmanaged devices for Connect Home messages. ESRS brokersConnect Home file transfers from your managed devices that supportconnect-home through ESRS, ensuring secure transport,authorization, and auditing for those transfers.

To enable communication between ESRS and your devices, you mustconfigure your internal firewalls to allow traffic over the specificports as shown in Table 1 on page 4 and Table 2 on page 6. Thesetables identify the installation site network firewall configurationEMC Secure Remote Services Port Requirements

open-port requirements for ESRS IP. The protocol/ports number and

direction are identified relative to the ESRS servers and storagedevices. Figure 1 on page 3 shows the communication paths.

Note: See Primus emc169001, What IP addresses are used by the EMCSecure Remote Services IP Solution. You can access this Primus atsupport.emc.com or in Appendix D of the ESRS Release 3.04 OperationsGuide.

Figure 1 Port diagram for generic EMC managed product3EMC Secure Remote Services Port Requirements

4Por

EMCprodu

ESRSt requirements for ESRS and Policy Manager (PM) servers

Port requirements for ESRS and Policy Manager (PM) serversTable 1 on page 4 lists the port requirements as follows:

Table 1 Port requirements for ESRS and Policy Manager servers

ctTCP portor Protocol Notes for port settings

Directionopen

Source -or-Destination

Applicationname

Communication(network traffic)type

Performed by authorizedEMC Global Servicespersonnel: Supportobjective (frequency)

HTTPS 443 See KB article 13285, What IP addresses are usedby the EMC Secure Remote Support IP Solution?.You can access this article on support.emc.com.

Outbound to EMC Client service Service notification,setup, all traffic exceptremote support

N/A

HTTPS 443and 8443

See KB article 13285, What IP addresses are usedby the EMC Secure Remote Support IP Solution?.You can access this article on support.emc.com.

Outbound to EMC GlobalAccess Servers(GAS)

Client service Remote support N/A

IMPORTANT:Port 8443 is not required for functionality, however without this portbeing opened, there will be a significant decrease in remote supportperformance, which will directly impact time to resolve issues on theend devices. The following hosts/IP addresses and ports need to beadded as FTPS destinations: curpusfep3.emc.com = 128.221.234.66 990 corpusfep4.emc.com = 168.159.209.45 990

Port 990 forConnectHome failover (ifconfigured)

Supports ConnectHome failover if the ESRS Channelis unavailable

Outbound FTPS to EMCFEP

SMTP 25 forConnectHome failover (ifconfigured)

May use the customers e-mail server to relay theConnectHome or may send directly to EMC

Outbound to EMC throughcustomers mailserver

HTTPS 443 Use of HTTPS for service notifications inbound isdependent on the version of ConnectEMC used by themanaged device. Refer to product documentation. Ifconfigured, MUST use the customer SMTP server.

Inbound fromManageddevice (EMCproduct)

Apache httpdlistener

Service notificationfrom device

N/A

Port 9443 Customer access to ESRS GUI

HTTPS 9443 Use HTTPS 9443 for making RESTful service calls toadd/remove/update manage devices, to sendconnecthomes and to send device heartbeat check toESRS

Passive FTPports: 21,54005413

During the ESRS-IP installer execution, the value forPassive Port Range in FTP is set to 21 and 5400through 5413. This range indicates the data channelports available for response to PASV commands. SeeRFC 959 for passive FTP definition. These ports areused for passive mode FTP ofconnect-homeconnect-home messages as well as forthe GWExt loading and output. GWExt uses HTTPSby default but can be configured to use FTP.

ESRS: Apachehttpdftp

SMTP 25 ESRS: postfix

IMPORTANT:When opening ports for devices in Table 2, also open the same portson the ESRS server, identified as Inbound from ESRS VirtualEdition (VE) server

Outbound toManageddevice

Client service Remote support fordevice

N/A

HTTP(configurable)Default =8090

Outbound toPolicy Manager

Client service Policy query N/AEMC Secure Remote Services Port Requirements

HTTPS 8443

PolicyManag

EMCproduHTTP 8118 To support ESRS proxy. Inbound ToGateway

Proxy client Services eLicensingrequests and inboundtraffic to Gateway forMFT. Leveraged bystandaloneembedded ESRSDevice Clients.

N/A

erHTTP(configurable)Default =8090

Inbound from ESRS IPClients(and customerbrowser)

Policy Managerservice

Policy query(and policymanagement bycustomer)

N/A

HTTPS 8443

SMTP 25 Outbound to Customeremail server

Action request

ctTCP portor Protocol Notes for port settings

Directionopen


Applicationname

Communication(network traffic)type

Performed by authorizedEMC Global Servicespersonnel: Supportobjective (frequency)5EMC Secure Remote Services Port Requirements

6Port requirements for devices

Port requirements for devicesTable 2 on page 6 lists the port requirements for EMC devices.

Table 2 Port requirements for devices

EMCproduct

TCP portor Protocol Notes for port settings

Directionopen


Applicationname

Communi-cation(networktraffic)type

Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)

Atmos HTTPSa Outbound toESRS

ConnectEMC Servicenotification

NA

Passive FTP

SMTP to ESRS or toCustomerSMTP server

22 Inbound fromESRS

CLI (via SSH) Remotesupport

Administration (occasional)

443 SecureWebUI Troubleshooting (frequent)

Avamar HTTPSa Outbound toESRS


NA

Passive FTP

SMTP to ESRS or toCustomerSMTP server

22 Inbound fromESRS



8543 AVInstaller Troubleshooting (frequent)

80,443, 8778,8779, 8780,8781, 8580,8543, 9443,7778, 7779,7780, and 7781

EnterpriseManager

Celerra HTTPSa Outbound toESRS


Note: NAS code 5.5.30.x andearlier supports only FTP;NAS code 5.5.31.x supportsboth FTP and SMTP forconnect-home by usingESRS.

Passive FTP

SMTP

All of: 80, 443,and 8000

Inbound fromESRS

Celerra Manager(Web UI)

Remotesupport


22 CLI (via SSH) Troubleshooting (frequent)

23 This telnet port should be enabled onlyif SSH (port 22) cannot be used.

Telnet Troubleshooting (rare)Use only if CLI cannot beused

EMCCentera

SMTP Outbound to CustomerSMTP server


N/A

Both 3218 and3682

fromESRS

EMC CenteraViewer

Remotesupport

Diagnostics (frequent)

22 CLI (via SSH) Troubleshooting (frequent)EMC Secure Remote Services Port Requirements

CLARiiONandCLARiiONportion ofEDL

HTTPSa Service notification for CLARiiON andEDL is supported only on centrallymanaged devices via a managementserver. Distributed CLARiiON devices(including EDL) use ESRS or Customeremail server (SMTP) for servicenotifications.

Outbound toESRS


N/A

Passive FTPa

SMTP ConnectEMC,Navisphere SPAgent

1345622 (to run pling)

Inbound fromESRS

KTCONS Remotesupport

Troubleshooting (occasional)

Both 80 and443, oroptionally(depending onconfiguration),both 2162 and2163

For more information, refer to CLARiiONdocumentation.

NavisphereManager;also allowsNavisphereSecureCLI

Administration (frequent)

Troubleshooting (frequent)

9519 RemotelyAnywhere

5414 EMCRemote

All of: 6389,6390, 6391, and6392

Navisphere CLI

60020 RemoteDiagnostic Agent

Diagnostics (occasional)

NavisphereManage-mentStation

HTTPSa Outbound toESRS


N/A

Passive FTPa

SMTP ConnectEMC,Navisphere SPAgent

Connectrix

switch familyHTTPSa When using Connectrix Manager Outbound to

ESRSConnectEMC orDialEMC

Servicenotification

N/A

Passive FTPa

SMTP

5414 Inbound fromESRS

EMCRemote Remotesupport


CustomerManage-ment Station

5414 Inbound FromESRS



9519 Remotely-Anywhere

3389 RemoteDesktop

80, 443, 8443 WebHTTPHTTP

22 CLI (via SSH)

Data Domain HTTPS Inbound fromESRS

EnterpriseManager

Remotesupport

Administration (occasional)Troubleshooting (frequent)HTTP

22 Inbound fromESRS


Administration (occasional)Troubleshooting (frequent)

DL3DEngine


CentOS Servicenotification

N/A

22 Inbound fromESRS



443 Inbound Secure Web UI

EMCproduct


Directionopen


Applicationname


Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)7EMC Secure Remote Services Port Requirements

8Port requirements for devices

DLm HTTPSa Outbound toESRS


N/A

Passive FTPa

SMTP

22 Inbound fromESRS



80, 443, 8000 Celerra Manager

80,443 DLmConsole

3389 Remote Desktop

DPA HTTPSa Outbound to ESRS ConnectEMC Servicenotification

N/A

Passive FTPa

SMTP

22 Inbound from ESRS CLI (via SSH) Remotesupport


9002,9003,9004

DPA GUI

3389 Remote Desktop

ElasticCloudStorage(ECS)

HTTPSa Outbound to ESRS ConnectEMC Servicenotification

N/A

Passive FTPa

SMTP



80, 443, 4443 ECS UI

EDLEngine(exceptDL3D)

HTTPSa Service notification for EDL is supportedonly on centrally managed devices via amanagement server. DistributedCLARiiON devices (including EDL) useESRS or Customer email server (SMTP)for service notifications.

Outbound toESRS


N/A

Passive FTPa

SMTP

22 Inbound fromESRS



11576 EDL Mgt Console

GreenplumDataComputingAppliance(DCA)

HTTPSa Outbound to CustomerSMTP server


NA

Passive FTP

SMTP

22 Inbound fromESRS




InvistaElementManager



N/A

Passive FTPa

SMTP

InvistaCPCs




All of: 80, 443,2162, and 2163

Invista ElementManager andInvistaSecCLI

5201 ClassicCLI

EMCproduct


Directionopen


Applicationname


Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)EMC Secure Remote Services Port Requirements

Isilon HTTPSa ESRS team highly recommends usingCEC- HTTPS transport protocol as FTPand SMTP are plain text protocols.

Outbound toESRS


NA

Passive FTP

SMTP

Managed FileTransfer (MFT)8118

Within Isilon OneFS 7.1, theisi_gather_info script will send the Isilonlog file back to EMC via MFT using port8118 on the ESRS. All other ConnectHomes will use ConnectEMC to sendfiles to ESRS using HTTPS, PassiveFTP, or SMTP.

ISI-Gather LogProcess

Configurationinformation

22 Inbound fromESRS



8080 WEBUI Troubleshooting (frequent)

Recover-Point

SMTP Outbound toESRS

Servicenotification

N/A

22 Inbound fromESRS



80, 443, and7225

RecoverPointManagement GUI

SwitchBrocade-B

22 Inbound fromESRS



23Note: Ifmanaged byConnectrixManager, useport 5414

This telnet port should be enabled only ifSSH (port 22) cannot be used.


SwitchCisco


N/A

22 SSH must be enabled and configured. Inbound fromESRS



23 This telnet port should be enabled only ifSSH (port 22) cannot be used.


Symmetrix HTTPSa Outbound toESRS

ConnectEMC orDialEMC

Servicenotification

N/A

Passive FTPa

SMTP

22


RemotelyAnywhere

Remotesupport


5414 EMCRemote

All of: 1300,1400, 4444,5555, 7000,23003, 23004,and 23005

SGBD/Swuch/Chat Server/Remote Browser/InlineCS

Advanced troubleshooting (byEMCSymmetrix Engineering)(rare)

ViPR HTTPSa Outbound toESRS


N/A

Passive FTPa

SMTP

22 Inbound fromESRS



443, 4443, 80 ViPRManagementGUI(ViPRUI)

EMCproduct


Directionopen


Applicationname



10

Port requirements for devices

ViPRSRM HTTPSa Outbound toESRS


N/A

Passive FTPa

SMTP

22 Inbound fromESRS



VMAX3 HTTPSa Outbound toESRS


NA

Passive FTPa

SMTP

22 Inbound fromESRS



5414 EMCRemote

4444, 5555,7000

InlineCS

7000 RemoteBrowser

9519 RemotelyAnywhere

5555, 23004,23003, 1300

SGDB

5555, 23004 SWUCH

VMAXCloud Edition(CE)



NA

Passive FTPa

SMTP

22 Inbound fromESRS



443, 8443, 22,80, 903, 8080,10080, 10443,902

VClient Administration (frequent)

443 WebHostLogAccess (Primary)

443 WebHostAccess

9443, 443, 80 WebVClient

5480 vAppAccess(Primary)

VNX HTTPSa Outbound toESRS


N/A

Passive FTPa

SMTP


KTCONS Remotesupport

Troubleshooting (occasional)

13456, 13457 RemoteKTrace Administration (frequent)


9519 Remotely-Anywhere

22 CLI (via SSH)

80, 443, 2162,2163, 8000

Unisphere/USM/NavisphereSecureCLI

EMCproduct


Directionopen


Applicationname


Performed byauthorized EMCGlobal Servicespersonnel: Supportobjective (frequency)EMC Secure Remote Services Port Requirements

6391,6392,60020

RemoteDiagnostic Agent

Diagnostics (occasional)

VNXe HTTPSa Outbound to CustomerSMTP server


N/A

Passive FTP

SMTP

22 Inbound fromESRS



80 and 443 Unisphere Troubleshooting (frequent)

VPLEX SMTP Outbound toESRS


N/A

CLI (via SSH)

443 Inbound from ESRS Invista ElementManager

Remotesupport


22 CLI (via SSH) Advanced troubleshooting (byEMCSymmetrix Engineering)(rare)

VSPEXBLUE



N/A

Passive FTP

SMTP



5900, 5901 VNC

XtremIO HTTPSa Outbound toESRS


N/A

Passive FTPa

SMTP

22, 80, 443 Inbound fromESRS



80, 443, 42502 XTREMIOGUI

a. Use of HTTPS for service notifications is dependent on the version of ConnectEMC used by the managed device. Refer to productdocumentation. The default port for HTTPS is 443. The value for Passive Port Range in FTP is set to 21 and 5400 through 5413. Thisrange indicates the data channel ports available for response to PASV commands. These ports are used for passive mode FTP ofconnect-home messages as well as for the GWExt loading and output.

EMCproduct


Directionopen


Applicationname



12

Port requirements for devices

Copyright 2015 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information issubject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATIONMAKES NOREPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION INTHIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicablesoftware license.

For the most up-to-date regulatory document for your product line, go to Technical Documentation andAdvisories section on the EMC Online Support Site (support.emc.com).

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.EMC Secure Remote Services Port Requirements

All other trademarks used herein are the property of their respective owners.

Communication between ESRS and EMCCommunication between ESRS and Policy ManagerCommunication between ESRS and devicesPort requirements for ESRS and Policy Manager (PM) serversPort requirements for devices

emc secure remote services 3.04 port requirements

Documents