Configure Firewall Ports
Use this information to configure local ports for incoming and outgoing HTTP, HTTPS, iSCSI, SCP, SNMP, SRM, SSH, TCP, and other data and management protocols.
Port Number | Service | Protocol | Destination DNS/IP |
---|---|---|---|
443 TCP | DNA, heartbeat | HTTPS | nsdiag.nimblestorage.com |
443 TCP | Storage array alerts * | HTTPS | nsalerts.nimblestorage.com |
443 TCP | Storage array statistics | HTTPS | nsstats.nimblestorage.com |
443 TCP | Software downloads | HTTPS | update.nimblestorage.com |
443 TCP | Storage array initialization | HTTPS | device.cloud.hpe.com |
443 TCP | Storage array initialization | HTTPS | common.cloud.hpe.com |
443 TCP | Data Services Cloud Console | HTTPS | console-instance.data.cloud.hpe.com, tunnel-instance.data.cloud.hpe.com, instance.data.cloud.hpe.com, where instance can be eu1 for Europe, jp1 for Japan, or us1 for America. For example: console-eu1.data.cloud.hpe.com, tunnel-eu1.data.cloud.hpe.com |
2222 TCP | Secure tunnel | SSH | hogan.nimblestorage.com |
4311 TCP | HPE Storage Protection Manager | SOAP/HTTP | application server IP ** |
8443 TCP | vCenter VASA/vVol integration | HTTPS | Management IP address and both diagnostic IP addresses |

* An array sends DNA messages using HTTPS POST back to support, if it is enabled. If three HTTPS POST attempts are made and they all fail, these notifications will revert to email relay.

** If the application server connecting with these ports on an array is on the same side of the firewall as the array, you do not need to open these ports in the firewall.

NOTE: The array may initiate connections to these external addresses from the Management and Data IP addresses or any controller support IP address.

NOTE: When configuring firewall rules for the destinations listed above, it is recommended that you specify the destination by host name rather than by IP address, and allow DNS to resolve the IP address. In the event that there is a change in the publicly available IP address for one of these destinations, the change will be communicated by a notification on the InfoSight portal. Other methods of sending notifications of such changes may be chosen as needed.

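
An added example, not part of the HPE documentation: an egress audit that builds its allowlist by host name from the table above, expands the console instance placeholder, and resolves names at check time so a changed public IP needs no rule edit. The flow tuple layout, the sample DNS answers and the documentation-range IP addresses are constructed for illustration.

```python
import socket

# HTTPS (443 TCP) host names from the table above; "{i}" is the console instance.
# The 4311 and 8443 rows are site-specific IPs and are left out (assumption).
HTTPS_443 = [
    "nsdiag.nimblestorage.com", "nsalerts.nimblestorage.com",
    "nsstats.nimblestorage.com", "update.nimblestorage.com",
    "device.cloud.hpe.com", "common.cloud.hpe.com",
    "console-{i}.data.cloud.hpe.com", "tunnel-{i}.data.cloud.hpe.com",
    "{i}.data.cloud.hpe.com",
]
DESTINATIONS = [(h, 443) for h in HTTPS_443] + [("hogan.nimblestorage.com", 2222)]
INSTANCES = ("eu1", "jp1", "us1")

def expand(instance):
    """Return the (host, port) allowlist for one console instance."""
    if instance not in INSTANCES:
        raise ValueError(f"unknown instance: {instance}")
    return [(host.format(i=instance), port) for host, port in DESTINATIONS]

def dns_resolve(host):
    """Default resolver: every address DNS currently returns for host."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def audit(flows, instance, resolve=dns_resolve):
    """Return the flows whose (destination IP, port) matches no allowlisted host."""
    allowed = set()
    for host, port in expand(instance):
        allowed.update((ip, port) for ip in resolve(host))
    return [flow for flow in flows if (flow[1], flow[2]) not in allowed]

# Constructed sample data (documentation-range addresses), not real DNS answers.
SAMPLE_DNS = {
    "nsdiag.nimblestorage.com": {"192.0.2.10"},
    "hogan.nimblestorage.com": {"192.0.2.20"},
    "console-eu1.data.cloud.hpe.com": {"198.51.100.5", "198.51.100.6"},
}
SAMPLE_FLOWS = [  # (source, destination IP, destination TCP port)
    ("10.0.0.5", "192.0.2.10", 443),    # heartbeat host on 443: allowed
    ("10.0.0.5", "192.0.2.20", 2222),   # secure tunnel host on 2222: allowed
    ("10.0.0.5", "192.0.2.20", 443),    # listed host, port not in the table
    ("10.0.0.6", "203.0.113.77", 443),  # destination not in the table
]
```

Passing `resolve=lambda h: SAMPLE_DNS.get(h, set())` runs the audit against the constructed answers; the default resolver queries live DNS instead.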
Port Number | Service | Protocol | IP Address |
---|---|---|---|
4211 TCP | Array setup (incoming) and management (intra-group) | SOAP/HTTP | Data IP(s) |
4212 TCP | Group controller management | HTTP | Data IP(s) |
4241 TCP | Group controller management | DTS | Data IP(s) |
5394 TCP | Group leader failover communication | HTTPS | Management IP(s) |
5395 TCP | Witness daemon communication | HTTPS | Management IP(s) |
5432 TCP | Group configuration synchronization | DTS | Data IP(s) |
5521 TCP | Group data services | DTS | Data IP(s) |
5525 TCP | Synchronous Replication (ASD) | DTS | Management/Data IP(s) |
5526 TCP | Synchronous Replication (ASD) | DTS | Management/Data IP(s) |
5527 TCP | Synchronous Replication (ASD) | DTS | Management/Data IP(s) |
5706 TCP | Group event reporting | SOAP/HTTP | Data IP(s) |
6716 TCP | DSD miscellaneous management | SOAP/HTTP | Data IP(s) |
6717 TCP | GMD array management (GAI) | SOAP/HTTP | Data IP(s) |
6718 TCP | Group controller management | DTS | Data IP(s) |
6719 TCP | Data forwarding | DTS | Data IP(s) |
6720 TCP | Bin migration | DTS | Data IP(s) |
6721 TCP | Bin map management – DSD | DTS | Data IP(s) |
6722 TCP | iSCSI | DTS | Data IP(s) |
6723 TCP | Bin map management - GDD | DTS | Data IP(s) |
6724 TCP | iSCSI | DTS | Data IP(s) |
6725 TCP | DSD volume management | SOAP/HTTP | Data IP(s) |
6726 TCP | SCSI | DTS | Data IP(s) |
6727 TCP | SCSI | DTS | Data IP(s) |
6728 TCP | Key Protocol | DTS | Data IP(s) |
6729 TCP | LU cache (DSD-GDD) | DTS | Data IP(s) |
6730 TCP | Key Protocol | DTS | Data IP(s) |
6731 TCP | LU cache (DSD-DSD) | DTS | Data IP(s) |
6732 TCP | Synchronous Replication (DSD-GDD) | DTS | Data IP(s) |
6733 TCP | Synchronous Replication (DSD-GDD) | DTS | Data IP(s) |
6740 TCP | Synchronous Replication | DTS | Data IP(s) |
6741 TCP | Synchronous Replication Resynchronization | DTS | Data IP(s) |

NOTE: If the arrays within the group are on the same side of the firewall, you do not need to open these ports in the firewall.

Port Number | Service | Protocol | IP Address |
---|---|---|---|
4213 TCP ** | Replication control (exchange of replication configuration information between groups) | SOAP/HTTP | Management IP address and both diagnostic IP addresses of all replication partners and group members |
4214 TCP ** | Replication data (transfer of replicated data) | NS-REPL | Use either: 1 — All IP addresses in the management subnet of all replication partners and group members or 2 — All data IP addresses in the chosen data subnet of all replication partners and group members * |
5391 TCP ** | Secure web-service communications; exchange of SSL keys for encrypted volumes | SOAP/HTTPS | Management IP address and both diagnostic IP addresses |

* Assumes that all replication partners were chosen to perform replication transfer over the data subnet.

IMPORTANT: There are two options for replication:

NOTE: If the arrays in the two groups are on the same side of the firewall, you do not need to open these ports in the firewall.

** This port must be open between the SRM server and the Nimble array.

Port Number | Service | Protocol | IP Address |
---|---|---|---|
22 TCP | Group management (CLI) | SSH | Management IP address and both diagnostic IP addresses |
161 UDP | SNMP get | SNMP | Management IP address and both diagnostic IP addresses |
redirect 80 TCP to 443 TCP *** | Group management (GUI), redirects to 443 TCP | HTTP | Management IP address and both diagnostic IP addresses |
443 TCP / 5392 TCP | Group management (GUI) | HTTPS | Management IP address and both diagnostic IP addresses |
3260 TCP | SNMP statistics | iSCSI | Data IP(s) and discovery IP(s) |
4210 TCP *** | Group management (GUI charts and NPM) | SOAP/HTTP | Management IP address and both diagnostic IP addresses |
4211 TCP | Array setup (incoming) and management (intra-group) | SOAP/HTTP | Data IP(s) |
5988 TCP | CIM server ** | HTTP | Management IP address and both diagnostic IP addresses |
5989 TCP | CIM server | HTTPS/CIM-XML | Management IP address and both diagnostic IP addresses |
5390 TCP | Secure web-service communications | SOAP/HTTPS | Data IP(s) |
5391 TCP *** | Third-party agents and utilities | SOAP/HTTPS | Management IP address and both diagnostic IP addresses * |
5392 TCP *** | Group management, third-party agents and utilities | REST API | Management IP address and both diagnostic IP addresses * |
5393 TCP | Array Management, third party utilities and agents | HTTPS | Management IP address and both diagnostic IP addresses * |
8443 TCP | vCenter VASA/vVol integration | HTTPS | Management IP address and both diagnostic IP addresses |

* Some third-party utilities may use both TCP port 5391 and TCP port 5392. Refer to the relevant integration guides available on InfoSight, or from the third-party software vendor for more information.

** Fibre Channel arrays do not use the CIM server (cimserver) service, so port 5989 does not need to be open on them.

NOTE: If the client and the arrays within the group are on the same side of the firewall, you do not need to open these ports in the firewall.

*** This port must be open between the SRM server and the Nimble array.

Port Number | Service | Protocol | Destination DNS/IP |
---|---|---|---|
25 * UDP & 25 * TCP | SMTP | SMTP | SMTP server IP |
53 UDP & 53 TCP | DNS | DNS | DNS server IP |
123 UDP | NTP | NTP | NTP server IP |
162 * UDP | SNMP trap | SNMP | SNMP trap listener |
443 TCP | HTTPS | HTTPS | vCenter IP |
514 UDP | Syslogd | UDP | Syslog server IP |
4311 TCP | Microsoft VSS | VSS | Application server IP |
Configurable TCP | HTTP | HTTP | HTTP proxy server IP |
53 TCP/UDP **, 88 TCP/UDP **, 123 UDP ***, 137 TCP/UDP, 139 TCP/UDP, 389 TCP/UDP, 445 TCP | Active Directory Authentication | DNS, Kerberos, SMB | All Active Directory domain controllers |

* Default, but can be changed.

** DNS services should be provided by the domain controller, or by an alternative with the appropriate zones and AD records.

*** Array should be configured to use the Active Directory server as the NTP server, or the array and domain controllers should be configured to use the same NTP server. Array clock must remain within 5 minutes of the domain controller clock, or domain authentication will fail.

NOTE: If the service is on the same side of the firewall as the array, you do not need to open these ports in the firewall.