Firewall and Port Reference for Secure Setup

This article provides information on the firewall and port reference for a secure setup.
uim902
CA UIM Component: Controller
Ports: 48000; configurable
Direction: Inbound, outbound
Firewall Rules: Allow inbound on 48000+ for probe access on all robots.
Details:
The controller listening port. It now accepts only SSL traffic.
For an enterprise, enable communication both ways on port 48000 through a firewall. Two-way communication allows CA UIM to contact and control hubs, robots, and probes. This port also receives status from BUS components.
The hub spooler and the spooler for robots transmit alarm and QoS data. A port must be set in the controller configuration for Infrastructure Manager (IM) and Admin Console to connect to remote tunnels through the tunnel server and client IPs: for example, 192.168.1.10:50003.
For tunnel hubs, set the First Probe port number in Setup > Advanced for the controller to 50000 or higher. If necessary, open the same port and higher in the firewall.
You only need port 48000 for the controller and port 48002 for the hub open between the primary hub and the UMP hub. You do not need these ports open between every hub in the domain and the UMP server, because the hub controllers talk to the primary hub controller.
CA UIM Component: Hub_adapter
Ports: 48001, 48002; opens the highest port available within the 48000-49000 range
Direction: Inbound, outbound
Firewall Rules: For non-secure robots, this component must be reachable for communication with a secure hub.
Details:
  • Hub_adapter creates a listening port for each connected hub.
  • You might need to relax the firewall rules to support this communication.

CA UIM Component: Tunnels
Ports: 48003 or 443; configurable
Firewall Rules: Tunnel clients do not need any port. Tunnels using the tunnel-server-to-tunnel-clients model or the tunnel-client-to-tunnel-servers model need port 48003, 443, or another configured port for incoming traffic. For example, a port must be open in the enterprise data center firewall and the MSP firewall.
Details:
Port 443 is the default port for https but can be used for other purposes.
Multi-hub infrastructures can use a tunnel with or without SSL. For tunnels that are NOT SSL tunnels, ports use the same assignment as for single-hub installations.
You only need port 48000 for the controller and port 48002 for the hub open between the primary hub and the UMP hub. You do not need these ports open between every hub in the domain and the UMP server, because the hub controllers talk to the primary hub controller.

CA UIM Component: Secure hub
Ports: 48003; configurable
Direction: Inbound, outbound
Firewall Rules: Allow inbound and outbound through a firewall.
Details:
The secure bus needs SSL tunnels between the hubs so that it matches the earlier SSL tunnel communication.
  • The controller port must be set to 48000.
  • If applicable, the hub_adapter port must be set to 48002.
  • The wasp probe must be set to port 80 to access Admin Console and the CA UIM web page.
All other UIM ports, other than the configured SSL tunnel port, must be blocked.
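The secure-hub row above is easy to get wrong in practice: an operator keeps the plain controller or hub_adapter port open between hubs alongside the tunnel port. The following checker is an added example (not CA UIM code) that encodes those rules and reports deviations for one hub. The SecureHubConfig fields and the sample allowlist are constructed for the example; the 48000-49000 range is the controller/probe range from the table.

```python
# Added example (not CA UIM code): validate the firewall allowlist used between
# secure hubs against the rules stated for the "Secure hub" row above.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Ports the controller/probes use on a robot or hub (48000-49000 per the table).
UIM_PORT_RANGE = range(48000, 49001)


@dataclass
class SecureHubConfig:
    """Settings of one secure hub plus what its firewall admits inbound from peer hubs."""
    controller_port: int                        # must be 48000
    tunnel_port: int = 48003                    # the configured SSL tunnel port (48003 or 443 are common)
    hub_adapter_port: Optional[int] = 48002     # None when hub_adapter is not in use
    wasp_port: int = 80                         # Admin Console / CA UIM web page
    allowed_inbound: Set[int] = field(default_factory=set)  # TCP ports the firewall allows from other hubs


def check_secure_hub(cfg: SecureHubConfig) -> List[str]:
    """Return a list of findings; an empty list means the hub matches the reference."""
    findings = []
    if cfg.controller_port != 48000:
        findings.append(f"controller port is {cfg.controller_port}, must be 48000")
    if cfg.hub_adapter_port is not None and cfg.hub_adapter_port != 48002:
        findings.append(f"hub_adapter port is {cfg.hub_adapter_port}, must be 48002")
    if cfg.wasp_port != 80:
        findings.append(f"wasp port is {cfg.wasp_port}, must be 80 for Admin Console access")
    if cfg.tunnel_port not in cfg.allowed_inbound:
        findings.append(f"SSL tunnel port {cfg.tunnel_port} is not allowed inbound")
    # Everything else in the UIM port range must be blocked between hubs.
    for port in sorted(cfg.allowed_inbound):
        if port in UIM_PORT_RANGE and port != cfg.tunnel_port:
            findings.append(f"UIM port {port} is allowed inbound but must be blocked")
    return findings


if __name__ == "__main__":
    # Constructed sample: a hub whose firewall still admits the plain controller and hub_adapter ports.
    sample = SecureHubConfig(controller_port=48000, allowed_inbound={48000, 48002, 48003, 80})
    for finding in check_secure_hub(sample):
        print("FINDING:", finding)
```

Run it against each hub's actual firewall allowlist (for example, the set of inbound TCP ports permitted from the peer hub's address); two findings for the constructed sample are expected, one each for 48000 and 48002.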
CA UIM Component: Discovery_agent
Ports:
  • DNS - port 53
  • NetBIOS - port 137
  • SSH - port 22
  • SNMP - port 161; configurable
  • WMI - port 135 and others
Direction: Outbound
Firewall Rules: Allow outbound on the ports for each protocol.
Details: Discovery_agent makes calls, as a client, to the services hosted on target machines.

CA UIM Component: Probes
Details: Probes now listen only on the local address. No port needs to be opened specifically for external traffic; all data is proxied through the controller.

CA UIM Component: UIM database
Ports:
  • 1433 (Microsoft SQL Server); configurable
  • 1521 (Oracle); configurable
  • 3306 (MySQL); configurable
Direction: Inbound
Firewall Rules: Allow inbound for the database.
Details:
The primary hub (data_engine) to UIM database connection is preferably local or on the same subnet as CA UIM. If the database for the primary hub is behind an internal firewall, the appropriate port has to be open from the CA UIM server to the UIM database: outbound from the hub server and inbound on the CA UIM database server. Responses from the database server to the primary hub come back over the same connection/port.
Port information for your UIM database is located in the Database Configuration section of the data_engine probe GUI.
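Both the controller row (port 48000 and 48002 open between the primary hub and the UMP hub) and the database row above describe connections that are initiated from the hub and answered over the same TCP connection, so a plain TCP connect test from the hub is enough to confirm the firewall path. The script below is an added example (not CA UIM code): it attempts a TCP handshake to each required target and reports which are blocked. The host names, the `required_targets` helper and the loopback listener used for the offline demonstration are constructed for the example.

```python
# Added example (not CA UIM code): verify from a hub that the TCP ports this
# reference requires are reachable before relying on them.
import socket
from typing import Dict, List, Tuple


def required_targets(ump_hub: str, db_host: str, db_port: int = 1433) -> List[Tuple[str, str, int]]:
    """(description, host, port) targets a primary hub needs per the table; hosts are placeholders."""
    return [
        ("UMP hub controller", ump_hub, 48000),
        ("UMP hub hub_adapter", ump_hub, 48002),
        ("UIM database", db_host, db_port),
    ]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_targets(targets: List[Tuple[str, str, int]], timeout: float = 2.0) -> Dict[str, bool]:
    """Map each target description to its reachability; a False value means a firewall or service gap."""
    return {desc: tcp_reachable(host, port, timeout) for desc, host, port in targets}


def local_listener() -> Tuple[socket.socket, int]:
    """Open a loopback listener on an ephemeral port (only to demonstrate a reachable target offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: one open loopback port, then the same port after it is closed.
    srv, port = local_listener()
    print("open port reachable:", tcp_reachable("127.0.0.1", port))
    srv.close()
    print("closed port reachable:", tcp_reachable("127.0.0.1", port, timeout=1.0))
    # In production, replace the placeholders with the real UMP hub and database hosts:
    for name, ok in check_targets(required_targets("ump-hub.example", "db.example")).items():
        print(f"{name}: {'reachable' if ok else 'BLOCKED/unreachable'}")
```

A refused connection and a silent timeout both come back as False; distinguishing the two (the firewall dropping packets versus the service not listening) is a matter of looking at how long the attempt took.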
CA UIM Component: ADE
Ports: 22
Direction: Outbound
Details:
The automated_deployment_engine probe uses port 22 to deploy robots using SSH file transfer to the target system. If you cannot open port 22 on the primary hub:
    1. Deploy the automated_deployment_engine on a secondary hub where port 22 is not blocked.
    2. Log in to Infrastructure Manager directly from the secondary hub.
    3. Drag and drop the robot packages that you want to deploy into the archive on the secondary hub.
    4. Deploy the robots to the secondary hub through an XML file. For more information, see the topic Bulk Robot Deployment with an XML File.

CA UIM Component: udm_manager
Ports: 4334; configurable
Direction: Inbound
Firewall Rules: Allow inbound on 4334 for UDM Manager.
Details: UDM clients (Datomic peers), including UMP, Trellis, and the Discovery Server, must connect to the SQL database and also to UDM Manager on this port.

CA UIM Component: UMP server
Ports: 8080, 80, or 443; configurable range: 1–65535
Direction: Inbound, outbound
Firewall Rules: Allow inbound on 8080, 80, or 443 on the UMP server.
Details:
The port assignment for the UMP server can vary from client/browser to UMP and depends on your choice during the UMP installation.
If you are using a configuration with multiple UMP servers, the servers communicate through multicasting on the following IP addresses and ports:
  • IP addresses 239.255.0.1 through 239.255.0.5
  • Ports 23301 through 23305
CA UIM Component: UMP (Tomcat connector)
Ports: 8009
Direction: Inbound, outbound
Firewall Rules: Allow inbound on 8009 on the UMP server.
Details:
The UMP portal engine.
Allow inbound on port 8009 from the CA UIM server to the UMP instance (wasp probe).

CA UIM Component: UMP database
Ports:
  • 1433 (Microsoft SQL Server)
  • 1521 (Oracle)
  • 3306 (MySQL)
Direction: Inbound
Firewall Rules: Allow inbound on the respective port to the database server.
Details:
Inbound from UMP to the chosen database.
The wasp probe requires a connection to the UIM database. Ensure that the database ports between the UMP and database servers are open.

CA UIM Component: CA UIM Server home page
Ports: 80; configurable
Direction: Inbound
Firewall Rules: Allow inbound to port 80 (internal enterprise).
Details: The CA UIM Server home page is typically internal-access only. Open the port in the firewall for any systems that must be able to contact the primary hub to run applications or download and install the client software.

CA UIM Component: SMTP
Ports: 25; configurable
Direction: Outbound
Firewall Rules: Allow outbound.
Details: Report Scheduler creates output in PDF and CSV that is transmitted via email to users. Email transmission requires a designated server with this SMTP port open.

CA UIM Component: SNMP
Ports: 161; configurable
Details: SNMP is an internet-standard protocol for managing devices on IP networks. The snmpcollector probe uses port 161 by default to communicate with the SNMP port on a device.

CA UIM Component: Hub to LDAP/AD server
Ports: 389, 686; configurable
Direction: Outbound
Firewall Rules: Allow outbound to the LDAP/AD server. Allow outbound to any custom port set in the wasp probe configuration.

CA UIM Component: Web clients, browsers to UMP, UMP clients
Ports: 80, 443; configurable
Direction: N/A
Firewall Rules: Allow inbound on port 80 or 443.
Details: Portal access over the Internet.

CA UIM Component: Wasp RelationshipViewer WebApp, Relationship_Services
Ports: 8182; configurable
Details:
Port 8182 is the default HTTP port used by relationship_services.
The wasp probe relationshipviewer webapp uses the custom properties GraphServiceHost and GraphServicePort. GraphServiceHost is the IP address of the robot running the relationship_services probe, and GraphServicePort is the HTTP port relationship_services is using (default: 8182).

CA UIM Component: Admin Console
Ports: 80, 443; configurable in the wasp probe
Direction: Inbound
Firewall Rules: Allow inbound on port 80 or 443 on the primary hub.
Details:
Admin Console is hosted on the primary hub with service_host.
  • 80 is the default port to access Admin Console and the CA UIM web page through HTTP.
  • 443 is the default port to access Admin Console and the CA UIM web page through HTTPS.

CA UIM Component: CABI Server, UIM database
Ports: 1433, 1521, or 3306
Direction: Inbound
Firewall Rules: Allow inbound on the respective port to the database server.
Details: Inbound from CABI to the chosen database.

CA UIM Component: CABI Server, UMP
Ports: 80 or 443; configurable
Direction: Inbound, outbound
Firewall Rules: Allow inbound on 80 or 443 to UMP and the CABI Server.
Details: This connection provides browser and customer client connectivity to CABI and UMP: port 80 by default, or port 443 or another configured port for HTTPS. The port can vary from client/browser to CABI and UMP and depends on your choice during the CABI and UMP installation, for example port 80 or port 443. The configurable range of ports is 1 through 65535.
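The reference above is a table of allow rules per component, which is easier to apply consistently when it is kept as data and the host firewall rules are generated from it. The script below is an added example (not CA UIM code) that encodes a subset of the rows for two host roles, primary hub and UMP server, and emits iptables commands, including the multi-UMP multicast range from the UMP server row. The role names, the choice of database port 1433, the assumption that the UMP multicast traffic is UDP, and the leading conntrack rule (which lets the responses described for the database row return over the same connection) are the example's own, not the document's.

```python
# Added example (not CA UIM code): derive iptables allow rules for a host role
# from rows of the port reference, instead of typing the allowlist by hand.
from typing import Dict, List, Tuple

# Subset of the reference table: role -> (component, direction, protocol, port or "lo:hi" range).
# Directions are taken from the host's point of view ("in" = listens, "out" = connects).
PORT_TABLE: Dict[str, List[Tuple[str, str, str, str]]] = {
    "primary_hub": [
        ("Controller", "in", "tcp", "48000"),
        ("Hub_adapter", "in", "tcp", "48001:48002"),
        ("Tunnel server", "in", "tcp", "48003"),
        ("Admin Console (wasp)", "in", "tcp", "80"),
        ("UMP Tomcat connector", "out", "tcp", "8009"),
        ("UIM database (SQL Server assumed)", "out", "tcp", "1433"),
        ("ADE robot deployment (SSH)", "out", "tcp", "22"),
        ("SMTP report delivery", "out", "tcp", "25"),
    ],
    "ump_server": [
        ("Portal HTTP", "in", "tcp", "80"),
        ("Portal HTTPS", "in", "tcp", "443"),
        ("Tomcat connector from CA UIM server", "in", "tcp", "8009"),
        ("UIM database (SQL Server assumed)", "out", "tcp", "1433"),
        ("udm_manager", "out", "tcp", "4334"),
    ],
}

# Multi-UMP cluster multicast from the UMP server row; UDP is our assumption, the table does not say.
UMP_MULTICAST_RANGE = "239.255.0.1-239.255.0.5"
UMP_MULTICAST_PORTS = "23301:23305"


def generate_rules(role: str, multi_ump: bool = False) -> List[str]:
    """Return iptables commands for the role; callers set a DROP default policy separately."""
    if role not in PORT_TABLE:
        raise ValueError(f"unknown role {role!r}; known roles: {sorted(PORT_TABLE)}")
    # Replies to connections the host opened come back over the same connection.
    rules = ['iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
    for component, direction, proto, ports in PORT_TABLE[role]:
        chain = "INPUT" if direction == "in" else "OUTPUT"
        rules.append(
            f'iptables -A {chain} -p {proto} --dport {ports} '
            f'-m comment --comment "{component}" -j ACCEPT'
        )
    if multi_ump and role == "ump_server":
        for chain in ("INPUT", "OUTPUT"):
            rules.append(
                f'iptables -A {chain} -p udp -m iprange --dst-range {UMP_MULTICAST_RANGE} '
                f'--dport {UMP_MULTICAST_PORTS} -m comment --comment "UMP cluster multicast" -j ACCEPT'
            )
    return rules


if __name__ == "__main__":
    for role in PORT_TABLE:
        print(f"# {role}")
        for line in generate_rules(role, multi_ump=(role == "ump_server")):
            print(line)
```

Review the printed commands before applying them: the rows are the document's defaults, so a controller First Probe port of 50000+ or a tunnel on 443 means editing the table entries first, and the hub_adapter row only matters where non-secure robots talk to a secure hub.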