Firewall and Port Reference for Secure Setup
This article provides information on the firewall and port reference for a secure setup.
| CA UIM Component | Ports | Direction | Firewall Rules | Details |
|---|---|---|---|---|
| Controller | 48000; configurable | Inbound, outbound | Allow inbound on 48000+ for probe access on all robots. | The controller listening port. It now accepts only SSL traffic. For an enterprise, enable communication both ways on port 48000 through a firewall. Communication both ways allows CA UIM to contact and control hubs, robots, and probes. This port also receives status from BUS components. The hub spooler and the spooler for robots transmit alarm and QoS data. A port must be set in the controller configuration for Infrastructure Manager (IM) and Admin Console to connect to remote tunnels through the tunnel server and client IPs: for example, 192.168.1.10:50003. For tunnel hubs, set the First Probe port number in Setup > Advanced for the controller to 50000 or higher. If necessary, open the same port and higher in the firewall. You only need port 48000 for the controller and port 48002 for the hub open between the primary hub and the UMP hub. You do not need these ports open between every hub in the domain and the UMP server, because the hub controllers talk to the primary hub controller. |
| Hub_adapter | 48001, 48002; opens the highest port available within the 48000-49000 range | Inbound, outbound | | For non-secure robots, this component must be reachable for communication with a secure hub. |
| Tunnels | 48003 or 443; configurable | Inbound (tunnel server) | Tunnel clients do not need any port. Tunnels using the tunnel-server-to-tunnel-clients model or the tunnel-client-to-tunnel-servers model need port 48003, 443, or another configured port open for incoming traffic. For example, a port must be open in the enterprise data center and MSP firewalls. | Port 443 is the default port for HTTPS but can be used for other purposes. Multi-hub infrastructures can use a tunnel with or without SSL. For tunnels that are NOT SSL tunnels, ports use the same assignment as for single-hub installations. You only need port 48000 for the controller and port 48002 for the hub open between the primary hub and the UMP hub. You do not need these ports open between every hub in the domain and the UMP server, because the hub controllers talk to the primary hub controller. |
| Secure hub | 48003; configurable | Inbound, outbound | Allow inbound and outbound through a firewall. | The secure bus needs SSL tunnels between the hubs so that it matches the earlier SSL tunnel communication. All other UIM ports, other than the configured SSL tunnel port, must be blocked. |
| Discovery_agent | 53 (DNS); 137 (NetBIOS); 22 (SSH); 161 (SNMP; configurable); 135 and others (WMI) | Outbound | Allow outbound on the ports for each protocol. | Discovery_agent makes calls, as a client, to the services hosted on target machines. |
| Probes | Local address only | N/A | No port needs to be opened for external traffic. | Probes now listen only on the local address. All data is proxied through the controller. |
| UIM database | 1433 (Microsoft SQL Server); 1521 (Oracle); 3306 (MySQL); all configurable | Inbound | Allow inbound for the database. | The primary hub (data_engine) to UIM database connection is preferably local or on the same subnet as CA UIM. If the database for the primary hub is behind an internal firewall, the appropriate port has to be open from the CA UIM server to the UIM database: outbound from the hub server and inbound on the CA UIM database server. Responses from the database server to the primary hub come back over the same connection and port. Port information for your UIM database is located in the Database Configuration section of the data_engine probe GUI. |
| ADE | 22 | Outbound | The automated_deployment_engine probe uses port 22 to deploy robots using SSH file transfer to the target system. If you cannot open port 22 on the primary hub: | |
| udm_manager | 4334; configurable | Inbound | Allow inbound on 4334 for UDM Manager. | UDM clients (Datomic peer), including UMP, Trellis, and the Discovery Server, must connect to the SQL database and also to UDM Manager on this port. |
| UMP server | 8080, 80, or 443; configurable range: 1–65535 | Inbound, outbound | Allow inbound on 8080, 80, or 443 on the UMP server. | The port assignment for the UMP server can vary by client or browser to UMP and depends on your choice during the UMP installation. If you are using a configuration with multiple UMP servers, the servers communicate through multicasting on the following IP address and ports: |
| UMP (Tomcat connector) | 8009 | Inbound, outbound | Allow inbound on 8009 on the UMP server. | The UMP portal engine. Allow inbound on port 8009 from the CA UIM server to the UMP instance (wasp probe). |
| UMP database | 1433 (Microsoft SQL Server); 1521 (Oracle); 3306 (MySQL) | Inbound | Allow inbound on the respective port to the database server. | Inbound from UMP to the chosen database. The wasp probe requires a connection to the UIM database. Ensure that the database ports between the UMP and database servers are open. |
| CA UIM Server home page | 80; configurable | Inbound | Allow inbound to port 80 (internal enterprise). | The CA UIM Server home page is typically internal-access only. Open the port in the firewall for any systems that must be able to contact the primary hub to run applications or download and install the client software. |
| SMTP | 25; configurable | Outbound | Allow outbound. | Report Scheduler creates output in PDF and CSV that is transmitted via email to users. Email transmission requires a designated server with this SMTP port open. |
| SNMP | 161; configurable | Outbound | | SNMP is an Internet-standard protocol for managing devices on IP networks. The snmpcollector probe uses port 161 by default to communicate with the SNMP port on a device. |
| Hub to LDAP/AD server | 389, 686; configurable | Outbound | Allow outbound to the LDAP/AD server. | Allow outbound to any custom port set in the wasp probe configuration. |
| Web clients, browsers to UMP, UMP clients | 80, 443; configurable | N/A | Allow inbound on port 80 or 443. | Portal access over the Internet. |
| Wasp RelationshipViewer WebApp, Relationship_Services | 8182; configurable | | | Port 8182 is the default HTTP port used by relationship_services. The wasp probe relationshipviewer webapp uses the custom properties GraphServiceHost and GraphServicePort. GraphServiceHost is the IP address of the robot running the relationship_services probe, and GraphServicePort is the HTTP port relationship_services is using (default: 8182). |
| Admin Console | 80, 443; configurable (wasp probe) | Inbound | Allow inbound on port 80 or 443 on the primary hub. | Admin Console is hosted on the primary hub with service_host. |
| CABI Server, UIM database | 1433, 1521, or 3306 | Inbound | Allow inbound on the respective port to the database server. | Inbound from CABI to the chosen database. |
| CABI Server, UMP | 80 or 443; configurable | Inbound, outbound | Allow inbound on 80 or 443 to UMP and the CABI Server. | This connection provides browser and customer client connectivity to CABI and UMP. Port 80 by default, or port 443 or another configured port for HTTPS. The port can vary from client or browser to CABI and UMP. The value depends on your choice during the CABI and UMP installation. For example, port 80 or port 443. The configurable range of ports is 1 through 65535. |
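The two rules in the table that are easiest to get wrong in practice are that probes should listen only on the local address (everything is proxied through the controller) and that on a secure hub every UIM port other than the controller, hub and configured SSL tunnel port must be blocked. The following script is an added example, not part of the CA UIM documentation or product: it parses listening-socket output in the layout of `ss -tlnp` (an assumed layout; the sample lines below are constructed, not captured from a real hub) and flags listeners in the 48000-49000 range that contradict those rules. The default tunnel port 48003 is an assumption; pass the value you actually configured.

```python
"""Audit listening sockets on a CA UIM hub against the port reference table.

Added example, not CA UIM code. Assumes `ss -tlnp` column layout:
State Recv-Q Send-Q Local:Port Peer:Port Process
"""
import re
from dataclasses import dataclass

# Ports taken from the reference table above.
CONTROLLER_PORT = 48000
HUB_PORTS = {48001, 48002}
TUNNEL_PORT = 48003           # assumption: default; 443 or another port may be configured
UIM_RANGE = range(48000, 49001)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in `ss -tlnp` layout (not output from a real system).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:48000       0.0.0.0:*         users:(("controller",pid=1001,fd=5))
LISTEN 0      128    0.0.0.0:48002       0.0.0.0:*         users:(("hub",pid=1002,fd=7))
LISTEN 0      128    0.0.0.0:48003       0.0.0.0:*         users:(("hub",pid=1002,fd=9))
LISTEN 0      128    127.0.0.1:48004     0.0.0.0:*         users:(("cdm",pid=1003,fd=4))
LISTEN 0      128    0.0.0.0:48010       0.0.0.0:*         users:(("logmon",pid=1004,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


# "0.0.0.0:48000", "127.0.0.1:48004", "[::]:22" and "*:80" all match.
_ADDR_RE = re.compile(r"^\[?(?P<addr>[^\]]*?)\]?:(?P<port>\d+)$")
_PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)"')


def parse_ss(text):
    """Return Listener records from ss -tlnp output; the header line is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _ADDR_RE.match(fields[3])
        if not m:
            continue
        proc = _PROC_RE.search(fields[5]) if len(fields) > 5 else None
        name = proc["name"] if proc else "?"
        listeners.append(Listener(m["addr"], int(m["port"]), name))
    return listeners


def audit(listeners, tunnel_port=TUNNEL_PORT):
    """Return (port, process, reason) tuples for listeners that violate the table.

    Only the controller, hub and SSL tunnel ports may accept external traffic in
    the UIM range; any other UIM-range listener must be bound to loopback.
    """
    allowed_external = {CONTROLLER_PORT, tunnel_port} | HUB_PORTS
    findings = []
    for l in listeners:
        external = l.addr not in LOOPBACK
        if l.port in UIM_RANGE and external and l.port not in allowed_external:
            findings.append((l.port, l.process,
                             "UIM port bound to a non-local address; "
                             "only the controller, hub and tunnel ports may be external"))
    external_ports = {l.port for l in listeners if l.addr not in LOOPBACK}
    if tunnel_port not in external_ports:
        findings.append((tunnel_port, "-",
                         "configured SSL tunnel port is not listening on an external address"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"port {port} ({proc}): {reason}")
```

On a live hub, pipe the real `ss -tlnp` output into `parse_ss` and pass the tunnel port from your hub configuration to `audit`; in the constructed sample only the `logmon` listener on 48010 is reported, because it is a probe port reachable from outside the robot.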