Configure Firewall Ports
Use this information to configure local ports for incoming and outgoing HTTP, HTTPS, iSCSI, SCP, SNMP, SSH, TCP, and other data and management protocols.
Port Number | Service | Protocol | Destination DNS/IP |
---|---|---|---|
443 TCP | DNA, heartbeat | HTTPS | nsdiag.nimblestorage.com |
443 TCP | Storage array alerts * | HTTPS | nsalerts.nimblestorage.com |
443 TCP | Storage array statistics | HTTPS | nsstats.nimblestorage.com |
443 TCP | Software downloads | HTTPS | update.nimblestorage.com |
2222 TCP | Secure tunnel | SSH | hogan.nimblestorage.com |
4311 TCP | Nimble Protection Manager | SOAP/HTTP | application server IP ** |
8443 TCP | vCenter VASA/VVol integration | HTTPS | Management IP address and both diagnostic IP addresses |

* An array sends DNA messages using HTTPS POST back to Nimble Storage Support, if it is enabled. If three HTTPS POST attempts are made and they all fail, these notifications will revert to email relay.

** If the application server connecting with these ports on a Nimble array is on the same side of the firewall as the array, you do not need to open these ports in the firewall.

Note: The array may initiate connections to these external addresses from the Management IP or any controller support IP address.

Note: When configuring firewall rules for the destinations listed above, it is recommended that you specify the destination by host name rather than by IP address, and allow DNS to resolve the IP address. In the event that there is a change in the publicly available IP address for one of these destinations, the change will be communicated by a notification on the InfoSight portal. Other methods of sending notifications of such changes may be chosen as needed.

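An added example, not part of the vendor documentation: a Python check that compares an exported list of egress allow rules with the host-name destinations in the table above, and flags any destination pinned to an IP address, which the note advises against. The rule format and the sample rules are constructed for illustration, and 198.51.100.20 is a documentation-range address, not a real support endpoint.

```python
import ipaddress

# Outbound support flows copied from the table above: (port, protocol, destination host).
REQUIRED = [
    (443, "tcp", "nsdiag.nimblestorage.com"),
    (443, "tcp", "nsalerts.nimblestorage.com"),
    (443, "tcp", "nsstats.nimblestorage.com"),
    (443, "tcp", "update.nimblestorage.com"),
    (2222, "tcp", "hogan.nimblestorage.com"),
]

def is_ip_literal(dest):
    """True when a rule destination is an IP address or CIDR rather than a host name."""
    try:
        ipaddress.ip_network(dest, strict=False)
        return True
    except ValueError:
        return False

def audit(rules):
    """Compare egress allow rules with REQUIRED.

    Returns (missing, pinned, extra):
      missing - required flows that no host-name rule allows
      pinned  - rules whose destination is an IP literal (stale if the vendor IP changes)
      extra   - host-name rules that are not in the table (review under least privilege)
    """
    by_name = {(r["port"], r["proto"].lower(), r["dest"].lower().rstrip("."))
               for r in rules if not is_ip_literal(r["dest"])}
    required = set(REQUIRED)
    pinned = [r for r in rules if is_ip_literal(r["dest"])]
    return sorted(required - by_name), pinned, sorted(by_name - required)

# Constructed sample rule set (hypothetical export format, not a real firewall's syntax).
SAMPLE_RULES = [
    {"port": 443, "proto": "TCP", "dest": "nsdiag.nimblestorage.com"},
    {"port": 443, "proto": "TCP", "dest": "nsalerts.nimblestorage.com."},
    {"port": 443, "proto": "TCP", "dest": "update.nimblestorage.com"},
    {"port": 443, "proto": "TCP", "dest": "198.51.100.20"},  # pinned to an IP address
    {"port": 2222, "proto": "TCP", "dest": "hogan.nimblestorage.com"},
    {"port": 22, "proto": "TCP", "dest": "hogan.nimblestorage.com"},  # wrong port
]

if __name__ == "__main__":
    missing, pinned, extra = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("pinned to IP:", pinned)
    print("not in table:", extra)
```
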
Port Number | Service | Protocol | IP Address |
---|---|---|---|
4211 TCP | Array setup (incoming) and management (intra-group) | SOAP/HTTP | Data IP(s) |
4212 TCP | Group controller management | HTTP | Data IP(s) |
4241 TCP | Group controller management | DTS | Data IP(s) |
5432 TCP | Group configuration synchronization | DTS | Data IP(s) |
5521 TCP | Group data services | DTS | Data IP(s) |
5706 TCP | Group event reporting | SOAP/HTTP | Data IP(s) |
6716 TCP | DSD miscellaneous management | SOAP/HTTP | Data IP(s) |
6717 TCP | GMD array management (GAI) | SOAP/HTTP | Data IP(s) |
6718 TCP | Group controller management | DTS | Data IP(s) |
6719 TCP | Data forwarding | DTS | Data IP(s) |
6720 TCP | Bin migration | DTS | Data IP(s) |
6721 TCP | Bin map management – DSD | DTS | Data IP(s) |
6722 TCP | iSCSI | DTS | Data IP(s) |
6723 TCP | Bin map management - GDD | DTS | Data IP(s) |
6724 TCP | iSCSI | DTS | Data IP(s) |
6725 TCP | DSD volume management | SOAP/HTTP | Data IP(s) |
6726 TCP | SCSI | DTS | Data IP(s) |
6727 TCP | SCSI | DTS | Data IP(s) |
6728 TCP | Key Protocol | DTS | Data IP(s) |
6729 TCP | LU cache (DSD-GDD) | DTS | Data IP(s) |
6730 TCP | Key Protocol | DTS | Data IP(s) |
6731 TCP | LU cache (DSD-DSD) | DTS | Data IP(s) |

Note: If the arrays within the group are on the same side of the firewall, you do not need to open these ports in the firewall.

Port Number | Service | Protocol | IP Address |
---|---|---|---|
4213 TCP | Replication control (exchange of replication configuration information between groups) | SOAP/HTTP | Management IP address and both diagnostic IP addresses of all replication partners and group members |
4214 TCP | Replication data (transfer of replicated data) | NS-REPL | Note: Use either: 1 — All IP addresses in the management subnet of all replication partners and group members, or 2 — All data IP addresses in the chosen data subnet of all replication partners and group members * |
5391 TCP | Secure web-service communications; exchange of SSL keys for encrypted volumes | SOAP/HTTPS | Management IP address and both diagnostic IP addresses |

* Assumes that all replication partners were chosen to perform replication transfer over the data subnet.

Important: There are two options for replication:

Note: If the arrays in the two groups are on the same side of the firewall, you do not need to open these ports in the firewall.

Port Number | Service | Protocol | IP Address |
---|---|---|---|
22 TCP | Group management (CLI) | SSH | Management IP address and both diagnostic IP addresses |
161 UDP | SNMP get | SNMP | Management IP address and both diagnostic IP addresses |
redirect 80 TCP to 443 TCP | Group management (GUI), redirects to 443 TCP | HTTP | Management IP address and both diagnostic IP addresses |
443 TCP / 5392 TCP | Group management (GUI) | HTTPS | Management IP address and both diagnostic IP addresses |
3260 TCP | SNMP statistics | iSCSI | Data IP(s) and discovery IP(s) |
4210 TCP | Group management (GUI charts and NPM) | SOAP/HTTP | Management IP address and both diagnostic IP addresses |
4211 TCP | Array setup (incoming) and management (intra-group) | SOAP/HTTP | Data IP(s) |
5988 TCP | CIM server ** | HTTP | Management IP address and both diagnostic IP addresses |
5989 TCP | CIM server | HTTPS/CIM-XML | Management IP address and both diagnostic IP addresses |
5390 TCP | Secure web-service communications | SOAP/HTTPS | Data IP(s) |
5391 TCP * | Third-party agents and utilities | SOAP/HTTPS | Management IP address and both diagnostic IP addresses * |
5392 TCP * | Group management, third-party agents and utilities | Nimble REST API | Management IP address and both diagnostic IP addresses * |
8443 TCP | vCenter VASA/VVol integration | HTTPS | Management IP address and both diagnostic IP addresses |

* Some third-party utilities may use both TCP port 5391 and TCP port 5392. Refer to the relevant integration guides available on InfoSight, or from the third-party software vendor for more information.

** Fibre Channel arrays do not use the CIM server (cimserver) service, so port 5989 does not need to be open on them.

Note: If the client and the Nimble arrays within the group are on the same side of the firewall, you do not need to open these ports in the firewall.

Port Number | Service | Protocol | Destination DNS/IP |
---|---|---|---|
25 * UDP & 25 * TCP | SMTP | SMTP | SMTP server IP |
53 / UDP & 53 TCP | DNS | DNS | DNS server IP |
123 / UDP | NTP | NTP | NTP server IP |
162 * / UDP | SNMP trap | SNMP | SNMP trap listener |
443 TCP | HTTPS | HTTPS | vCenter IP |
514 UDP | Syslogd | UDP | Syslog server IP |
4311 TCP | Microsoft VSS | VSS | Application server IP |
Configurable TCP | HTTP | HTTP | HTTP proxy server IP |
53 TCP/UDP **, 88 TCP/UDP **, 123 UDP ***, 137 TCP/UDP, 139 TCP/UDP, 389 TCP/UDP | Active Directory Authentication | DNS, Kerberos, SMB | All Active Directory domain controllers |

* Default, but can be changed.

** DNS services should be provided by the domain controller, or by an alternative with the appropriate zones and AD records.

*** Array should be configured to use the Active Directory server as the NTP server, or the array and domain controllers should be configured to use the same NTP server. Array clock must remain within 5 minutes of the domain controller clock, or domain authentication will fail.

Note: If the service is on the same side of the firewall as the array, you do not need to open these ports in the firewall.