EMC Secure Remote Services

Release 3.08

Port Requirements
REV 01
September 14, 2015

This document contains supplemental information about the EMC
Secure Remote Services (ESRS) v3.08. ESRS v3.08 is the virtual edition of
ESRS. This document includes the following topics:

Communication between ESRS and EMC
Communication between ESRS and Policy Manager
Communication between ESRS and devices
Port requirements for ESRS and Policy Manager (PM) servers
Port requirements for devices

Note: Some ports used by ESRS and devices may be registered for use by other
parties, or may not be registered by EMC. EMC is addressing these registration
issues. In the meantime, be aware that all ports listed for use by the ESRS servers
and devices will be in use by the EMC applications listed.

Communication between ESRS and EMC


To enable communication between your EMC Secure Remote
Services (ESRS) Virtual Edition Server and EMC, you must configure
your external network and/or firewalls to allow traffic over the
specific ports shown in Table 1 on page 4. These tables identify the
open-port requirements for the network firewall configuration at the
installation site for ESRS. The protocol, port numbers and direction are
identified relative to the ESRS servers and storage devices. Figure 1
on page 3 shows the communication paths.

Communication between ESRS and Policy Manager


To enable communication between ESRS and Policy Manager, you
must configure your internal firewalls to allow traffic over the
specific ports shown in Table 1 on page 4. These tables identify the
open-port requirements for the network firewall configuration at the
installation site for ESRS. The protocol, port numbers and direction are
identified relative to the ESRS servers and storage devices. Figure 1
on page 3 shows the communication paths.

Communication between ESRS and devices


There are two connection requirements between the ESRS server and
your managed devices:

The first is the communication between ESRS and your managed
devices for remote access connections. ESRS secures remote
access connections to your EMC devices by using a
session-based IP port-mapped solution.

The second communication requirement is between ESRS and
your managed devices for Connect Home messages. ESRS
brokers Connect Home file transfers from your managed devices
that support Connect Home through ESRS, thus ensuring secure
transport, authorization, and auditing for those transfers.

To enable communication between ESRS and your devices, you must
configure your internal firewalls to allow traffic over the specific
ports shown in Table 1 on page 4 and Table 2 on page 6. These
tables identify the open-port requirements for the network firewall
configuration at the installation site for ESRS IP. The protocol, port
numbers and direction are identified relative to the ESRS servers and
storage devices. Figure 1 on page 3 shows the communication paths.
Note: See Knowledgebase (KB) Article 00013285, What IP addresses are
used by the EMC Secure Remote Services IP Solution. You can access this
article at support.emc.com or in Appendix C of the ESRS Release 3.08
Installation and Operations Guide.

Figure 1. Port diagram for generic EMC managed product


Note: For the optional failover, ports 990 and 25 are used on the ESRS Virtual
Edition outbound to EMC only when the failover Connect Home is
configured for FTPS and/or the email option is used as the failover channel.

Port requirements for ESRS and Policy Manager (PM) servers


Table 1 on page 4 lists the port requirements as follows:
Note: See Knowledgebase (KB) Article 00013285 for more information
regarding IP addresses used. You can access this article on support.emc.com.
Table 1. Port requirements for ESRS and Policy Manager servers

EMC product

TCP port or Protocol

Performed by authorized EMC Global Services personnel: Support objective (frequency)

Direction open

Source -or- Destination

Application name

ESRS

HTTPS 443

Outbound

to EMC

Client service

Service notification, setup, all traffic except remote support

HTTPS 443 and 8443

Outbound

to EMC Global Access Servers (GAS)

Client service

Remote support

N/A

Outbound

FTPS to EMC FEP

SMTP 25 for Connect Home failover (if configured)

Can use the customer's e-mail server to relay the Connect Home or send directly to EMC

Outbound

to EMC through customer's mail server

HTTPS 443

from Managed device (EMC product)

Apache httpd listener

Service notification from device

N/A

Notes for port settings

IMPORTANT:
Port 8443 is not required for functionality, however without this port being
opened, there will be a significant decrease in remote support
performance, which will directly impact the time to resolve the issues on the
end devices.

Port 990 for Connect Home failover (if configured)

Supports Connect Home failover if the ESRS Channel is unavailable

Usage of the HTTPS for the inbound service notifications
is dependent on the version of ConnectEMC used by the
managed device. For more information, refer to the
product documentation. If configured, you MUST use the
customer SMTP server.

Inbound

Port 9443

Customer access to ESRS GUI

ESRS VE Web UI

HTTPS 9443

Use HTTPS 9443 for making RESTful service calls to
add/remove/update managed devices, to send Connect
Homes, and to send device heartbeat check to ESRS

ESRS VE REST Communication Channel

Passive FTP ports: 21, 5400-5413

During the ESRS-IP installer execution, the value for
Passive Port Range in FTP is set to 21 and 5400 through
5413. This range indicates the data channel ports
available for response to the PASV commands. See RFC
959 for the passive FTP definition. These ports are used
for the Passive FTP mode of the Connect Home messages
as well as for the GWExt loading and output. GWExt uses
HTTPS by default but can be configured to use FTP.

ESRS: Apache
httpdftp

SMTP 25

N/A

ESRS: postfix

IMPORTANT:
When opening the ports for the devices in Table 2, you must also open the
same ports on the ESRS server, identified as Inbound from ESRS Virtual
Edition (VE) server

Outbound

to Managed device

Client service

Remote support for device

N/A

HTTP (configurable) Default = 8090

to Policy Manager

Policy query

Outbound

HTTPS 8443

Communication (network traffic) type

Client service

N/A

EMC product

Policy Manager

Communication (network traffic) type

Performed by authorized EMC Global Services personnel: Support objective (frequency)

TCP port or Protocol

Notes for port settings

Direction open

Source -or- Destination

Application name

HTTP 8118

To support ESRS proxy

Inbound

To Gateway

Proxy client

Services eLicensing requests and inbound traffic to the gateway for MFT. Leveraged by standalone embedded ESRS Device Clients.

N/A

Inbound

from ESRS IP Clients (and customer browser)

Policy Manager service

Policy query (and policy management by customer)

N/A

Outbound

to Customer email server

HTTP (configurable) Default = 8090
HTTPS 8443
SMTP 25

Action request

Port requirements for devices


Table 2 on page 6 lists the port requirements for EMC devices.
Note: The ESRS team highly recommends using CEC-HTTPS transport
protocol as FTP and SMTP are plain text protocols.

Table 2. Port requirements for devices


Communication (network traffic) type

Performed by authorized EMC Global Services personnel: Support objective (frequency)

ConnectEMC

Service
notification

NA

from
ESRS

CLI (via SSH)

Remote
support

to
ESRS

ConnectEMC

Service
notification

CLI (via SSH)

Remote
support

EMC product

TCP port or Protocol

Notes for port settings

Direction open

Source -or- Destination

Application name

Atmos

HTTPS (a)

Outbound

Passive FTP
SMTP

to ESRS or to
Customer
SMTP server

22

Inbound

443

Avamar

to
ESRS

HTTPS (a)

Outbound

Passive FTP
SMTP

22

Inbound

from
ESRS

80, 443, 8778, 8779, 8780, 8781, 8580, 8543, 9443, 7778, 7779, 7780, and 7781

AVInstaller

to
ESRS

ConnectEMC

Service
notification

Note: NAS code 5.5.30.x and earlier supports only FTP;
NAS code 5.5.31.x supports both FTP and SMTP for
Connect Home by using ESRS.

Inbound

from
ESRS

Celerra Manager
(Web UI)

Remote
support

Administration (occasional)

SMTP
All of: 80, 443,
and 8000
22

SMTP

This Telnet port should be enabled only if SSH (port 22) cannot be used.

Outbound

Both 3218 and 3682
22

Administration (occasional)
Troubleshooting (frequent)

Outbound

Passive FTP

EMC
Centera

NA

Enterprise Manager

HTTPS (a)

23

Administration (occasional)
Troubleshooting (frequent)

to ESRS or to
Customer
SMTP server

8543

Celerra

SecureWebUI

CLI (via SSH)

Troubleshooting (frequent)

Telnet

Troubleshooting (rare)
Use only if CLI cannot be
used

to Customer
SMTP server

ConnectEMC

Service
notification

N/A

from
ESRS

EMC Centera
Viewer

Remote
support

Diagnostics (frequent)

CLI (via SSH)

Troubleshooting (frequent)

CLARiiON and CLARiiON portion of EDL

HTTPS (a)
Passive FTP (a)
SMTP

The service notification for CLARiiON and EDL is supported only on the
centrally managed devices via a management server. For the service
notifications, the distributed CLARiiON devices (including EDL) use ESRS or
the Customer email server (SMTP).

Outbound

13456
22 (to run pling)
Both 80 and
443, or
optionally
(depending on
configuration),
both 2162 and
2163

Inbound

to
ESRS

ConnectEMC

Service
notification

N/A

Remote
support

Troubleshooting (occasional)

ConnectEMC,
Navisphere SP
Agent
from
ESRS

For more information, refer to the CLARiiON documentation.

KTCONS
Navisphere
Manager;
also allows
Navisphere
SecureCLI

9519

Administration (frequent)
Troubleshooting (frequent)

RemotelyAnywhere

5414

EMCRemote

All of: 6389, 6390, 6391, and 6392

Navisphere CLI

60020

Remote Diagnostic
Agent

CloudArray
HTTPS (a)

Diagnostics (occasional)

Outbound

to
ESRS

ConnectEMC or
DialEMC

Service
notification

N/A

Inbound

from ESRS

CLI (via SSH)

Remote
support

Administration (occasional)

Passive FTP (a)
SMTP
41022
443

BMCUI
CLOUDARRAYUI

CloudBoost
HTTPS (a)

Troubleshooting (frequent)

Outbound

to ESRS

ConnectEMC or
DialEMC

Service
notification

N/A

Inbound

from ESRS

CLI (via SSH)

Remote
support

Administration (occasional)

Outbound

to
ESRS

ConnectEMC or
DialEMC

Service
notification

N/A

5414

Inbound

from
ESRS

EMCRemote

Remote
support

Troubleshooting (frequent)

Customer Management Station
5414
9519

Inbound

from
ESRS

EMCRemote

Remote
support

Troubleshooting (frequent)

Passive FTP (a)
SMTP
22

Connectrix switch family
HTTPS (a)
Passive FTP (a)

When using Connectrix Manager

SMTP

3389

RemoteDesktop

80, 443, 8443

WebHTTPHTTP

22

Data
Domain

RemotelyAnywhere

HTTPS

CLI (via SSH)


Inbound

from
ESRS

Enterprise Manager

Remote support

Administration (occasional)
Troubleshooting (frequent)

Inbound

from
ESRS

CLI (via SSH)

Administration (occasional)
Troubleshooting (frequent)

HTTP
22

Remote
support

DL3D
Engine

SMTP

Outbound

to Customer
SMTP server

CentOS

Service
notification

N/A

22

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

443
HTTPS (a)

DLm

Passive FTP (a)

Secure Web UI

SMTP
22
80, 443, 8000
80, 443

DLmConsole

3389

Remote Desktop

HTTPS (a)

DPA

Celerra Manager

Outbound

to ESRS

Inbound

from ESRS

Passive FTP (a)
SMTP
22
9002, 9003,
9004

DPA GUI

3389

ElasticCloud Storage (ECS)
HTTPS (a)

Remote Desktop
Outbound

to ESRS

Inbound

from ESRS

Passive FTP (a)
SMTP
22
80, 443, 4443

EDL
Engine
(except
DL3D)

HTTPS (a)
Passive FTP (a)
SMTP

22

ECS UI

The service notification for EDL is supported only on the centrally
managed devices via a management server. For the service notifications, the
distributed CLARiiON devices (including EDL) use ESRS or the Customer email
server (SMTP).

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Outbound

to Customer
SMTP server

ConnectEMC

Service
notification

NA

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

EMCRemote

Remote
support

Troubleshooting (frequent)

Inbound

11576

Greenplum
Data
Computing
Appliance
(DCA)
Invista
Element
Manager
Invista
CPCs

HTTPS (a)
Passive FTP
SMTP
22
HTTPS (a)
Passive FTP (a)

Administration (occasional)
Troubleshooting (frequent)

SMTP
5414
All of: 80, 443,
2162, and 2163
5201

EDL Mgt Console

Invista Element
Manager and
InvistaSecCLI
ClassicCLI

Isilon

ConnectEMC

Service
notification

N/A

ISI-Gather Log
Process

Configuration
information

CLI (via SSH)

Remote
support

HTTPS (a)

Outbound

Passive FTP

to
ESRS

SMTP
Managed File Transfer (MFT) 8118

Within Isilon OneFS 7.1, the isi_gather_info script will send the Isilon
log file back to EMC via MFT using port 8118 on ESRS. All other Connect
Homes will use ConnectEMC to send the files to ESRS using HTTPS, Passive
FTP, or SMTP.
22

Inbound

8080

RecoverPoint

SMTP

Outbound

to
ESRS

22

Inbound

from
ESRS

80, 443, and 7225
SMTP
Switch
Brocade-B

Requires separate Windows monitoring workstation running Fabric Manager
Server 5.x or higher

Outbound

22

Switch
Cisco

from
ESRS

Inbound

from
ESRS

This Telnet port should be enabled only if SSH (port 22) cannot be used.

SMTP

Requires separate Windows monitoring workstation running Fabric Manager
Server 5.x or higher

Outbound

to Customer
SMTP server

22

SSH must be enabled and configured.

23

This Telnet port should be enabled only if SSH (port 22) cannot be used.

from
ESRS

Symmetrix
HTTPS (a)

CLI (via SSH)


RecoverPoint
Management GUI

to Customer
SMTP server

23
Note: If managed by Connectrix Manager, then use port 5414

Inbound

Web UI

CLI (via SSH)


Telnet

CLI (via SSH)


Telnet

Administration (occasional)
Troubleshooting (frequent)

Service
notification

N/A

Remote
support

Troubleshooting (frequent)

Service
notification

N/A

Remote
support

Troubleshooting (frequent)

Service
notification

N/A

Remote
support

Troubleshooting (frequent)

Service
notification

N/A

Troubleshooting (rare)
Use only if CLI cannot be
used

Troubleshooting (rare)
Use only if CLI cannot be
used

Outbound

to
ESRS

ConnectEMC or
DialEMC

Inbound

from
ESRS

RemotelyAnywhere
EMCRemote

Remote support

Troubleshooting (frequent)

SGBD/Swuch/ Chat
Server/Remote
Browser/InlineCS

Advanced troubleshooting (by EMC Symmetrix Engineering) (rare)

Passive FTP (a)
SMTP
22
9519
5414
All of: 1300,
1400, 4444,
5555, 7000,
23003, 23004,
and 23005

VCE Vision
HTTPS (a)
Passive FTP (a)

Outbound

to ESRS

ConnectEMC

Service
notification

N/A

SMTP

ViPR

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

HTTPS (a)

Outbound

to
ESRS

Inbound

from
ESRS

Passive FTP (a)
SMTP
22
443, 4443, 80

ViPR SRM
HTTPS (a)

ViPR Management
GUI (ViPRUI)

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

22

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

HTTPS (a)

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Passive FTP (a)
SMTP

VMAX3

Passive FTP (a)
SMTP
22
5414

EMCRemote

4444, 5555,
7000

InlineCS

7000

RemoteBrowser

9519

RemotelyAnywhere

5555, 23004,
23003, 1300

SGDB

5555, 23004
VMAX Cloud Edition (CE)
HTTPS (a)
Passive FTP (a)

SWUCH
Outbound

to
ESRS

Inbound

from
ESRS

SMTP
22

443, 8443, 22, 80, 903, 8080, 10080, 10443, 902

VClient

443

WebHostLogAccess (Primary)

443

WebHostAccess

9443, 443, 80

WebVClient

5480

vAppAccess
(Primary)

Administration (frequent)

VNX

HTTPS (a)

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

KTCONS

Remote
support

Troubleshooting (occasional)

Passive FTP (a)
SMTP
13456
13456, 13457

RemoteKTrace

Administration (frequent)
Troubleshooting (frequent)

9519

VNXe

RemotelyAnywhere

22

CLI (via SSH)

80, 443, 2162, 2163, 8000

Unisphere/USM/Navisphere SecureCLI

6391,6392,
60020

Remote Diagnostic
Agent

HTTPS (a)

Diagnostics (occasional)

Outbound

to Customer
SMTP server

ConnectEMC

Service
notification

Inbound

from
ESRS

CLI (via SSH)

Remote
support

to
ESRS

ConnectEMC

from ESRS

Invista Element
Manager

Passive FTP

N/A

SMTP
22
80 and 443

VPLEX

SMTP
443

Outbound
Inbound

22

VSPEX
BLUE

HTTPS (a)

Unisphere
CLI (via SSH)

Administration (occasional)
Troubleshooting (frequent)

Service
notification

N/A

Remote
support

Troubleshooting (frequent)

CLI (via SSH)

Advanced troubleshooting (by EMC Symmetrix Engineering) (rare)

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Passive FTP

SMTP
22
5900, 5901
XtremIO

HTTPS (a)

VNC

Passive FTP (a)
SMTP
22, 80, 443
80, 443, 42502

XTREMIOGUI

a. The use of HTTPS for service notifications is dependent on the version of ConnectEMC used by the managed device. For more
information, refer to the product documentation. The default port for HTTPS is 443. The value for Passive Port Range in FTP is set to
21 and 5400 through 5413. This range indicates the data channel ports available for the response to the PASV commands. These
ports are used for the Passive FTP mode of the Connect Home messages as well as for the GWExt loading and output.
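
The passive FTP range in footnote a (5400 through 5413 for the data channel) can be checked against a captured FTP control-channel transcript. The following is an added example, not EMC code: it parses the RFC 959 reply 227 and reports any PASV data port that a firewall rule written for that range would not cover. The sample transcript, the 192.0.2.10 server address and the extra address check are constructed for illustration and go beyond what this document states.

```python
import re

# Passive data-channel range stated on this page: 5400 through 5413.
PASV_DATA_PORTS = range(5400, 5414)

# RFC 959 reply 227 carries (h1,h2,h3,h4,p1,p2); the text around it varies.
_PASV_RE = re.compile(
    r"^227[ -].*?(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = _PASV_RE.match(line.strip())
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field above 255 in PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2   # port = p1*256 + p2


def check_transcript(lines, server_ip):
    """Return (line_no, verdict, port) for every 227 reply in the transcript."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            parsed = parse_pasv(line)
        except ValueError:
            findings.append((line_no, "malformed", None))
            continue
        if parsed is None:
            continue                          # not a PASV reply
        ip, port = parsed
        if port not in PASV_DATA_PORTS:
            verdict = "port-outside-range"    # firewall rule would not cover it
        elif ip != server_ip:
            verdict = "address-mismatch"      # reply points at another host
        else:
            verdict = "ok"
        findings.append((line_no, verdict, port))
    return findings


# Constructed transcript; 192.0.2.10 stands in for the ESRS server address.
SAMPLE = [
    "220 FTP server ready",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,21,24)",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "PASV",
    "227 Entering Passive Mode (10,0,0,5,21,30)",
    "227 Entering Passive Mode (192,0,2,999,21,24)",
]

if __name__ == "__main__":
    for finding in check_transcript(SAMPLE, "192.0.2.10"):
        print(finding)
```

A reply flagged as port-outside-range means the data connection would be dropped by a firewall that opens only 21 and 5400 through 5413 toward the ESRS server.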

Copyright 2015 EMC Corporation. All rights reserved.


EMC believes the information in this publication is accurate as of its publication date. The information is
subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN
THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable
software license.
For the most up-to-date regulatory document for your product line, go to the Documentation and Advisories
sections on the EMC Online Support Site (support.emc.com).
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
