Firewall Port Reference

The following table describes the port assignments for various CA UIM components and configurations. These port assignments apply to single-hub installations and to multiple-hub installations with and without a firewall.
Considerations
Review the following considerations:
  • All installations require:
    • Robot controller
    • Robot spooler
    • Robot-to-hub and manager-to-hub communications
    • A port for each probe
    • wasp probes to access Admin Console or OC through HTTP
  • Multiple-hub installations for tunnels that are NOT SSL tunnels also require:
    • Tunnel server
  • Multiple-hub installations for tunnels that ARE SSL tunnels also require:
    • service_host to tunnel client
  • Installations that enable discovery across a firewall without a hub and tunnel require the port for the protocol used by the discovery_agent probe to be open (see Discovery_agent below).
All components use TCP; the controller, hub, and spooler also use UDP, because UDP broadcast is used to discover the hub, spooler, and controller components. All other core communication is over TCP.
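The quickest way to confirm that the core ports listed above are not blocked is to try them from a robot. The following script is an added example, not a CA UIM tool; the hub address, the timeout and the tunnel port are arguments you supply (assumptions, not values from this page), and it checks TCP only, because a connect cannot confirm the UDP broadcast discovery path.

```shell
#!/usr/bin/env bash
# Added example (not a CA UIM tool): from a robot, or a host on the robot's
# network, confirm that the core UIM ports answer on a hub.
# Assumptions not taken from the page: the hub address, timeout and tunnel
# port are supplied by the caller; only TCP is tested; coreutils `timeout`
# is used when present so a silently filtered port cannot hang the check.

# uim_tcp_open HOST PORT [TIMEOUT_SECONDS]
# Succeeds (exit 0) when a TCP connection to HOST:PORT completes. Uses bash's
# /dev/tcp pseudo-device, so nc or nmap need not be installed on the robot.
uim_tcp_open() {
  local host="$1" port="$2" t="${3:-3}"
  if command -v timeout >/dev/null 2>&1; then
    timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# uim_check_hub HOST [TUNNEL_PORT]
# Prints "<port> <role> open|closed" for the controller (48000), spooler
# (48001), hub (48002) and tunnel ports. Returns the number of CLOSED core
# ports, so exit status 0 means robot-to-hub registration and spooler
# delivery are not being blocked; a closed tunnel port is reported but only
# matters for tunneled hubs.
uim_check_hub() {
  local host="$1" tunnel="${2:-48003}" failed=0 spec port role
  for spec in "48000 controller" "48001 spooler" "48002 hub" "$tunnel tunnel"; do
    port="${spec%% *}"; role="${spec#* }"
    if uim_tcp_open "$host" "$port"; then
      printf '%s %-10s open\n' "$port" "$role"
    else
      printf '%s %-10s closed\n' "$port" "$role"
      case "$role" in controller|spooler|hub) failed=$((failed + 1)) ;; esac
    fi
  done
  return "$failed"
}

# Usage: bash uim_check.sh hub.example.com [tunnel_port]
if [ "$#" -gt 0 ]; then
  uim_check_hub "$1" "${2:-48003}"
fi
```

Run it from the robot side of the firewall, because the rules in this reference are written for robot-to-hub and manager-to-hub directions; a port that is open from the hub side proves nothing about the robot's path. A non-zero exit status names the number of core ports the firewall is dropping.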
Firewall Port Reference Table
Each entry in the following reference lists the CA UIM component, its Ports, the Direction of the traffic, the Firewall rules (the ports and directions that must be open through the firewall), and Details.
CABI Server, UIM database
  Ports: 1433, 1521, or 3306
  Direction: Inbound
  Firewall rules: Allow inbound on the respective port to the database server.
  Details: Inbound from CABI to the chosen database (1433 for Microsoft SQL Server, 1521 for Oracle, 3306 for MySQL).
CABI Server, OC
  Ports: 80 or 443; configurable
  Direction: Inbound, outbound
  Firewall rules: Allow inbound on 80 or 443 to OC and CABI Server.
  Details: This connection provides browser and customer client connectivity to CABI and OC. The port is 80 by default for HTTP, or 443 (or another configured port) for HTTPS; the value depends on your choice during the CABI and OC installation and can differ between the client/browser side and CABI or OC. The configurable range is 1 through 65535.
Controller
  Ports: 48000; configurable
  Direction: Inbound, outbound
  Firewall rules: Allow inbound on 48000 and higher for probe access on all robots.
  Details: The controller listening port. For an enterprise, enable communication both ways on port 48000 through the firewall; this allows CA UIM to contact and control hubs, robots, and probes. This port also receives status from BUS components.
  The hub spooler and the robot spoolers transmit alarm and QoS data. For Infrastructure Manager (IM) and Admin Console to connect to remote tunnels, a port must be set in the controller configuration for the tunnel server and client IPs: for example, 192.168.1.10:50003.
  For tunnel hubs, set the First Probe port number (Setup > Advanced in the controller configuration) to 50000 or higher. If necessary, open that port and higher in the firewall.
  Only ports 48000 (controller) and 48002 (hub) need to be open between the primary hub and the OC hub. You do not need these ports open between every hub in the domain and the OC server, because the hub controllers talk to the primary hub controller.
Spooler
  Ports: 48001; configurable
  Direction: Inbound, outbound
  Firewall rules: Allow inbound on 48001 on all robots.
  Details: Probes send alarm and QoS messages to the hub through the spooler port, 48001. Enable this port inbound from the robot to the hub.
Hub
  Ports: 48002; configurable
  Direction: Inbound, outbound
  Firewall rules: Allow inbound on 48002 to the hub.
  Details: The hub listening port. This connection allows robot-to-hub and manager-to-hub communications.
    • Allow outbound traffic on all hub and robot ports.
    • All hubs must have port 48002 open inbound and outbound for robot-to-hub and manager-to-hub communications.
    • All hubs must have port 48000 open inbound and outbound for communication with the robot controller.
    • All child robots must also have port 48000 open inbound.
    • Open port 48001 on the hub for spooler communications.
  We recommend that you have ports 48000 through 48099 open inbound to all robots.
Tunnels
  Ports: 48003 or 443; configurable
  Direction: Inbound to the tunnel server side
  Firewall rules: Allow inbound on 48003, 443, or the configured tunnel port to whichever hub acts as the tunnel server.
  Details: Tunnels, whether in the tunnel-server-to-tunnel-clients or the tunnel-client-to-tunnel-servers model, need port 48003, 443, or another configured port open for incoming traffic. For example, the port must be open in both the enterprise data center firewall and the MSP firewall.
  Port 443 is the default port for HTTPS but can be used for other purposes, including the tunnel.
  Multi-hub infrastructures can use a tunnel with or without SSL. For tunnels that are NOT SSL tunnels, the ports use the same assignment as for single-hub installations.
Secure (SSL) Tunnels
  Ports: 48003; configurable
  Direction: Unidirectional (the tunnel client connects to the tunnel server)
  Firewall rules: Allow the tunnel port through the firewall: inbound to the tunnel server, outbound from the tunnel client.
  Details: If you are using a CA UIM SSL tunnel, only the tunnel port needs to be open between the tunneled hubs; all other CA UIM traffic flows over the tunnel. For SSL tunnels:
    • The controller port must be set to 48000.
    • The hub port must be set to 48002.
    • The tunnel client port must be set to 48003 to allow access to the tunnel server.
    • The wasp probe must be set to port 80 to access Admin Console and the CA UIM web page.
  All other UIM ports, other than the configured SSL tunnel port, must be blocked at the firewall between the tunneled hubs.
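The two models above (the recommended 48000 through 48099 range open inbound to robots in a single-hub or non-SSL multi-hub layout, versus only the tunnel port open between SSL-tunneled hubs) translate into quite different firewall rule sets. The following script is an added example, not CA UIM's own tooling: it prints iptables rules for a hub host in each model so that they can be reviewed before being applied. The management subnet, the WAN interface name and the peer hub address are placeholders (assumptions), not values from this page.

```shell
#!/usr/bin/env bash
# Added example (not CA UIM's own tooling): print iptables rules that apply
# this reference to a UIM hub host, in the two deployment models described:
#   uim_rules_plain  - single hub or non-SSL multi-hub: the recommended
#                      48000-48099 range inbound from the management network,
#                      plus UDP on 48000-48002 for controller/spooler/hub
#                      discovery broadcasts.
#   uim_rules_ssltun - SSL tunnel hub: on the interface facing the remote
#                      site only the tunnel port from the peer hub is
#                      accepted and every other UIM port is dropped; robots
#                      on the local interface are unaffected.
# Rules are printed, not applied. The management CIDR, WAN interface and peer
# hub address are placeholders (assumptions), not values from the page.

UIM_FIRST_PORT=48000   # controller; spooler is 48001, hub 48002
UIM_LAST_PORT=48099    # top of the range the page recommends opening
UIM_TUNNEL_PORT=48003  # default tunnel port; 443 is the common alternative

# uim_rules_plain MGMT_CIDR
uim_rules_plain() {
  local mgmt="$1"
  printf 'iptables -A INPUT -p tcp -s %s --dport %s:%s -j ACCEPT\n' \
    "$mgmt" "$UIM_FIRST_PORT" "$UIM_LAST_PORT"
  printf 'iptables -A INPUT -p udp -s %s --dport %s:%s -j ACCEPT\n' \
    "$mgmt" "$UIM_FIRST_PORT" 48002
  # Anything else reaching the UIM range is neither a robot nor a manager.
  printf 'iptables -A INPUT -p tcp --dport %s:%s -j DROP\n' \
    "$UIM_FIRST_PORT" "$UIM_LAST_PORT"
}

# uim_rules_ssltun WAN_IF PEER_HUB_IP [TUNNEL_PORT]
uim_rules_ssltun() {
  local wan="$1" peer="$2" port="${3:-$UIM_TUNNEL_PORT}"
  printf 'iptables -A INPUT -i %s -p tcp -s %s --dport %s -j ACCEPT\n' \
    "$wan" "$peer" "$port"
  # "All other UIM ports must be blocked": controller, spooler, hub and probe
  # ports are never reachable from the remote site except through the tunnel.
  printf 'iptables -A INPUT -i %s -p tcp --dport %s:%s -j DROP\n' \
    "$wan" "$UIM_FIRST_PORT" "$UIM_LAST_PORT"
  printf 'iptables -A INPUT -i %s -p udp --dport %s:%s -j DROP\n' \
    "$wan" "$UIM_FIRST_PORT" "$UIM_LAST_PORT"
  # Redundant when the tunnel port lies inside the range above; needed when
  # the tunnel runs on 443, so that only the peer hub may reach it.
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$wan" "$port"
}

echo "# non-SSL hub; robots and managers on 10.0.0.0/24 (placeholder)"
uim_rules_plain 10.0.0.0/24
echo "# SSL tunnel hub; peer tunnel client 203.0.113.7 reached via eth0 (placeholders)"
uim_rules_ssltun eth0 203.0.113.7
```

Rule order matters: the peer's ACCEPT on the tunnel port must precede the DROP over the whole range, which is why each function emits it first. The SSL model deliberately leaves no path to 48000, 48001, 48002 or the probe range from the remote site; if a management tool at that site still needs them, it should be reached through the tunnel rather than by widening these rules.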
Discovery_agent
  Ports: DNS 53; NetBIOS 137; SSH 22; SNMP 161 (configurable); WMI 135 and others
  Direction: Outbound
  Firewall rules: Allow outbound on the ports for each protocol in use.
  Details: The discovery_agent probe makes calls, as a client, to the services hosted on target machines.
Probes
  Ports: 48004-48050; configurable
  Direction: Inbound
  Firewall rules: Allow inbound on 48004-48050 (or higher) on all robots.
  Details: Probes listen on their respective ports and await incoming connections from other clients. The inbound port for each probe must be open so that outside clients and hubs can communicate with it. Ports are assigned to probes sequentially, as available, starting at the First Probe port number.
  For probe-specific port requirements, refer to the probe documentation at CA Unified Infrastructure Management Probe Space.
Distribution Server (distsrv)
  Ports: 48005 or automatically assigned
  Direction: Inbound, outbound
  Firewall rules: See Details.
  Details: The distsrv probe on the hub must have its TCP port open on the hub for licensing of probes on the robots; without it, probes fail to start on the robots. Unlike the controller, spooler, and hub, the distsrv probe has no reserved port: it takes a probe port (48005 in a default layout) that can change each time the hub restarts, so a firewall rule for that single port is fragile. This is one reason the recommendation above is to open the whole 48000 through 48099 range.
UIM database
  Ports: 1433 (Microsoft SQL Server), 1521 (Oracle), or 3306 (MySQL); configurable
  Direction: Inbound
  Firewall rules: Allow inbound on the database port to the database server.
  Details: The UIM database used by the primary hub (data_engine) is preferably local or on the same subnet as CA UIM. If the database is behind an internal firewall, the appropriate port must be open from the UIM Server to the CA UIM database: outbound from the hub server and inbound on the database server. Responses from the database server to the primary hub come back over the same connection.
  The port for your UIM database is shown in the Database Configuration section of the data_engine probe GUI.
ADE (automated_deployment_engine)
  Ports: 22
  Direction: Outbound
  Firewall rules: Allow outbound on 22 from the hub that runs automated_deployment_engine to the target systems.
  Details: The automated_deployment_engine probe uses port 22 to deploy robots by SSH file transfer to the target system. If you cannot open port 22 on the primary hub:
    1. Deploy the automated_deployment_engine probe to a secondary hub where port 22 is not blocked.
    2. Log in to Infrastructure Manager directly from the secondary hub.
    3. Drag and drop the robot packages that you want to deploy into the archive on the secondary hub.
    4. Deploy the robots to the secondary hub through an XML file. For more information, see the topic Bulk Robot Deployment with an XML File.
udm_manager
  Ports: 4334; configurable
  Direction: Inbound
  Firewall rules: Allow inbound on 4334 to UDM Manager.
  Details: UDM clients (Datomic peers), including OC, Trellis, and the Discovery Server, must connect both to the SQL database and to UDM Manager on this port.
OC server
  Ports: 8080, 80, or 443; configurable (range 1–65535)
  Direction: Inbound, outbound
  Firewall rules: Allow inbound on 8080, 80, or 443 on the OC server.
  Details: The port for the OC server can vary by client/browser and depends on your choice during the OC installation.
  If you run multiple OC servers, they communicate through multicast on IP addresses 239.255.0.1 through 239.255.0.5 and ports 23301 through 23305; allow that multicast traffic between the OC servers.
OC (Tomcat connector)
  Ports: 8009
  Direction: Inbound, outbound
  Firewall rules: Allow inbound on 8009 on the OC server.
  Details: The OC engine (the Tomcat AJP connector). Allow inbound on port 8009 from the UIM Server to the OC instance (wasp probe) only; browsers and other clients have no need to reach this connector.
OC database
  Ports: 1433 (Microsoft SQL Server), 1521 (Oracle), or 3306 (MySQL)
  Direction: Inbound
  Firewall rules: Allow inbound on the respective port to the database server.
  Details: Inbound from OC to the chosen database. The wasp probe requires a connection to the UIM database; ensure that the database port is open between the OC and database servers.
UIM Server home page
  Ports: 80; configurable
  Direction: Inbound
  Firewall rules: Allow inbound on port 80 (internal enterprise).
  Details: The UIM Server home page is typically internal-access only. Open the port in the firewall only for systems that must contact the primary hub to run applications or to download and install the client software.
SMTP
  Ports: 25; configurable
  Direction: Outbound
  Firewall rules: Allow outbound to the mail server.
  Details: Report Scheduler creates PDF and CSV output that is emailed to users. Email transmission requires a designated mail server reachable on this SMTP port.
SNMP
  Ports: 161; configurable
  Direction: Outbound
  Firewall rules: Allow outbound on 161 (UDP) from the snmpcollector probe to the monitored devices.
  Details: SNMP is an internet-standard protocol for managing devices on IP networks. The snmpcollector probe uses port 161 by default to communicate with the SNMP agent on a device.
Hub to LDAP/AD server
  Ports: 389 (LDAP), 636 (LDAPS); configurable
  Direction: Outbound
  Firewall rules: Allow outbound to the LDAP/AD server, and to any custom port set in the wasp probe configuration.
Web clients, browsers to OC, OC clients
  Ports: 80, 443; configurable
  Direction: Inbound to OC
  Firewall rules: Allow inbound on port 80 or 443.
  Details: Portal access over the Internet.
Admin Console
  Ports: 80, 443; configurable in the wasp probe
  Direction: Inbound
  Firewall rules: Allow inbound on port 80 or 443 on the primary hub.
  Details: Admin Console is hosted on the primary hub by service_host.
    • 80 is the default port for accessing Admin Console and the CA UIM web page through HTTP.
    • 443 is the default port for accessing Admin Console and the CA UIM web page through HTTPS.
Log Analytics
  Ports: 9200, 9092
  Direction: Inbound, outbound
  Firewall rules: See Details.
  Details: Open the following ports to allow communication between CA UIM and CA App Experience Analytics (AXA):
    • AXA Elasticsearch port (default 9200): open between CA App Experience Analytics and the host running the log_monitoring_service probe.
    • AXA Kafka port (default 9092): open between CA App Experience Analytics and the host running the axa_log_gateway probe.