secure remote services - dell › en-us › collaterals › unauth › ... · https 443 usage of...

Secure Remote ServicesRelease 3.40

Port Requirements

REV 01

October 16, 2019

Note: EMC Secure Remote Services (ESRS) has been rebranded to SecureRemote Services (SRS).

This document contains supplemental information about SecureRemote Services (SRS), Release 3.40. SRS 3.40 is the virtual edition ofSRS. This document includes the following topics:

◆ Communication between SRS and Dell EMC .................................. 2◆ Communication between SRS and Policy Manager........................ 2◆ Communication between SRS and devices ...................................... 2◆ Port requirements for SRS and Policy Manager (PM) servers ....... 4◆ Port requirements for devices............................................................. 7

Note: Some ports used by SRS and devices may be registered for use by otherparties, or may not be registered by Dell EMC. Dell EMC is addressing theseregistration issues. In the meantime, be aware that all ports listed for use by theSRS servers and devices will be in use by the Dell EMC applications listed.

1

2

Communication between SRS and Dell EMC

Communication between SRS and Dell EMCTo enable communication between your Secure Remote Services(SRS) Virtual Edition Server and Dell EMC, you must configure yourexternal network and/or firewalls to allow traffic over the specificports as shown in Table 1 on page 5. These tables identify theinstallation site network firewall configuration open-portrequirements for SRS. The protocol/ports number and direction areidentified relative to the SRS servers and storage devices. Figure 1 onpage 3 shows the communication paths.

Communication between SRS and Policy ManagerTo enable communication between SRS and Policy Manager, youmust configure your internal firewalls to allow traffic over thespecific ports as shown in Table 1 on page 5. These tables identify theinstallation site network firewall configuration open-portrequirements for SRS. The protocol/ports number and direction areidentified relative to the SRS servers and storage devices. Figure 1 onpage 3 shows the communication paths.

Communication between SRS and devicesThere are two connection requirements between the SRS server andyour managed devices:

◆ The first is the communication between SRS and your manageddevices for remote access connections. SRS secures remote accessconnections to your Dell EMC® devices by using a session-basedIP port-mapped solution.

◆ The second communication requirement is between SRS and yourmanaged devices for Connect Home messages. SRS brokersConnect Home file transfers from your managed devices thatsupport Connect Home through SRS, thus ensuring securetransport, authorization, and auditing for those transfers.

To enable communication between SRS and your devices, you mustconfigure your internal firewalls to allow traffic over the specificports as shown in Table 1 on page 5 and Table 2 on page 7. Thesetables identify the installation site network firewall configurationopen-port requirements for SRS IP. The protocol/ports number and

Secure Remote Services Port Requirements

direction are identified relative to the SRS servers and storagedevices. Figure 1 on page 3 shows the communication paths.

Figure 1 Port diagram for generic Dell EMC managed product

Note: For the optional failover, ports 990 and 25 are used on the SRS VirtualEdition outbound to Dell EMC only when the failover Connect Home isconfigured for FTPS and/or the email option is used as the failover channel.

3Secure Remote Services Port Requirements

4

Port requirements for SRS and Policy Manager (PM) servers

Port requirements for SRS and Policy Manager (PM) serversTable 1 on page 5 lists the port requirements as follows:

Note: See Knowledgebase (KB) Article 494729, “What IP addresses are usedby Secure Remote Services IP Solution.” You can access this article throughhttps://support.emc.com/kb/494729.


Table 1 Port requirements for SRS and Policy Manager servers

Dell EMCproduct

TCP portor Protocol Notes for port settings

Directionopen

Source -or-Destination

Applicationname

Communication(network traffic)type

Performed byauthorized Dell EMCGlobal Servicespersonnel: Supportobjective (frequency)

SRS HTTPS 443 Outbound to Dell EMC Client service Servicenotification,setup, all trafficexcept remotesupport

N/A

HTTPS 443and 8443

Outbound to Dell EMCGlobal AccessServers (GAS)

Client service Remote support N/A

IMPORTANT:Port 8443 is not required for functionality, however without this port beingopened, there will be a significant decrease in remote supportperformance, which will directly impact the time to resolve the issues on theend devices.

Port 990 forConnect Homefailover (ifconfigured)

Supports Connect Home failover if the SRS Channel isunavailable

Outbound FTPS to DellEMC FEP

HTTPS 443 Usage of the HTTPS for the inbound service notificationsis dependent on the version of ConnectEMC used by themanaged device. For more information, refer to theproduct documentation. If configured, you MUST use thecustomer SMTP server.

Inbound fromManaged device(Dell EMCproduct)

Apache httpdlistener

Servicenotification fromdevice

N/A

Port 9443HTTPS 9443

• Customer access to SRS GUI• Use HTTPS 9443 for making RESTful service calls to

add/remove/update manage devices, to sendConnect Homes, to utilize Managed File Transfer(MFT), and to send device heartbeat check to SRS

Inbound • fromcustomernetwork

• fromManageddevice (DellEMCproduct)

• SRS VirtualEdition WebUI

• SRS VirtualEdition RESTCommunication Channel

• SRSv3serverManagement traffic

• Servicenotificationfrom device

N/A

Port 22 Customer access to SRS Virtual Edition console Inbound from customernetwork

CLI (via SSH) SRSv3 serverManagementtraffic

N/A

Passive FTPports: 21,5400–5413

During the SRS-IP installer execution, the value forPassive Port Range in FTP is set to 21 and 5400 through5413. This range indicates the data channel portsavailable for response to the PASV commands. See RFC959 for the passive FTP definition. These ports are usedfor the Passive FTP mode of the Connect Home messagesas well as for the GWExt loading and output. GWExt usesHTTPS by default but can be configured to use FTP.

Inbound fromManaged device(Dell EMCproduct)

SRS: Apachehttpdftp

Servicenotification fromdevice

N/A

SMTP 25 • Acts as failover if heartbeat fails• Alert customer’s contact

Outbound from SRS VirtualEdition

Customer’s emailserver

Servicenotification

N/A

Process Connect Home files Inbound from SRSmonitoreddevices

SRS: postfix Action request N/A

IMPORTANT:When opening the ports for the devices in Table 2, you must also open the same ports on the SRS server, identified as “Inbound from SRS Virtual Edition (VE) server”.

HTTP(configurable)Default = 8090

Outbound toPolicy Manager

Client service Policy query N/A

HTTPS 8443

HTTP 8118 To support SRS proxy Inbound ToGateway

Proxy client ServiceseLicensingrequests andinbound traffic tothe gateway forMFT. Leveragedby standaloneembedded SRSDevice Clients.

N/A


6

Port requirements for SRS and Policy Manager (PM) servers

PolicyManager

HTTP(configurable)Default = 8090

Inbound from SRS Clients(and customernetwork)

Policy Managerservice

Policy query(and policymanagement bycustomer)

N/A

HTTPS 8443

SMTP 25 Outbound to Customeremail server

Action request

Dell EMCproduct


Directionopen


Applicationname

Communication(network traffic)type



Dp

A

A

A

Port requirements for devicesTable 2 on page 7 lists the port requirements for Dell EMC devices.

IMPORTANT!The SRS team highly recommends using HTTPS transport protocolas FTP and SMTP are plain text protocols.

Note: Any device using REST to communicate to SRS will use port 9443 onthe gateway (that is, HTTPS 9443 needs to be opened from device to SRS).

Note: If using integrated model see product documentation.

Table 2 Port requirements for devices

ell EMCroduct


Directionopen


Applicationname

Communi-cation(networktraffic)type


ppSync HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

HTTPSa

tmos® HTTPSa Outbound to SRS ConnectEMC Servicenotification

N/A

Passive FTP(21)

SMTP (25) to SRS or toCustomerSMTP server

22 Inbound from SRS CLI (via SSH) Remotesupport

Administration (occasional)

443 Secure Web UI Troubleshooting (frequent)

vamar® HTTPS 9443 Outbound toSRS

REST Servicenotification

N/A

HTTPSa ConnectEMC

Passive FTP(21)

SMTP (25) to SRS or toCustomerSMTP server

22 Inbound fromSRS

CLI (via SSH) Remotesupport


443 AVInstaller Troubleshooting (frequent)

80,443, 8778,8779, 8780,8781, 8580,8543, 9443,7778, 7779,7780, and 7781

Enterprise Manager

7778, 7779,7780, 7781, and9443

MCGUI


8

Port requirements for devices

C

DC

CaCp

C

Dp

elerra® HTTPSa Outbound toSRS

ConnectEMC Servicenotification

Note: NAS code 5.5.30.x andearlier supports only FTP;NAS code 5.5.31.x supportsboth FTP and SMTP forConnect Home by using SRS.

Passive FTP(21)

SMTP (25)

All of: 80, 443,and 8000

Inbound fromSRS

Celerra Manager(Web UI)

Remotesupport


22 CLI (via SSH) Troubleshooting (frequent)

23 This Telnet port should be enabled onlyif SSH (port 22) cannot be used.

Telnet Troubleshooting (rare)Use only if CLI cannot beused

ell EMCentera®

SMTP (25) Outbound to CustomerSMTP server


N/A

Both 3218 and3682

Inbound fromSRS

Dell EMC CenteraViewer

Remotesupport

Diagnostics (frequent)

22 CLI (via SSH) Troubleshooting (frequent)

LARiiON®

ndLARiiONortion of EDL

HTTPSa The service notification for CLARiiONand EDL is supported only on thecentrally managed devices via amanagement server. For the servicenotifications, the distributed CLARiiONdevices (including EDL) use SRS or theCustomer email server (SMTP).

Outbound toSRS


N/A

Passive FTPa

(21)

SMTP (25) ConnectEMC,Navisphere® SPAgent

13456 Inbound fromSRS

KTCONS,RemoteKTrace

Remotesupport

Troubleshooting (occasional)

Both 80 and443, oroptionally(depending onconfiguration),both 2162 and2163

For more information, refer to theCLARiiON documentation.

NavisphereManager;also allowsNavisphereSecureCLI

Administration (frequent) forNavisphere Manager

Troubleshooting (frequent) forNavisphere SecureCLI

9519 RemotelyAnywhere,RemoteKTrace

5414 EMCRemote

All of: 6389,6390

Navisphere CLI

6391, 6392 Remote DiagnosticAgent

Diagnostics (occasional)

9519, 22 RemoteKTrace Administration (occasional)

loudArray HTTPS 9443 Outbound toSRS


N/A

HTTPSa ConnectEMC orDialEMC

Passive FTPa

(21)

SMTP (25)



443 BMCUICLOUDARRAYUI

Troubleshooting (frequent)

ell EMCroduct


Directionopen


Applicationname




C

C

C

CMm

D

DS

DE

Dp

loudBoost HTTPS 9443 Outbound to SRS REST Servicenotification

N/A


Passive FTPa

(21)

SMTP (25)



loudIQ-CLTR HTTPS 9443 Outbound to SRS REST Servicenotification

N/A


Passive FTPa

(21)

SMTP (25)



onnectrix® HTTPSa When using Connectrix Manager Outbound toSRS

ConnectEMC orDialEMC

Servicenotification

N/A

Passive FTPa

(21)

SMTP (25)

HTTPS 9443 When using CMCNE 14.0.1+ REST


EMCRemote Remotesupport


3389 Remote desktop

22 CLI (via SSH)

ustomeranage-ent Station


EMCRemote Remotesupport


9519 RemotelyAnywhere

3389 Remote desktop

80, 443, 8443 WebHTTP/HTTPS

22 CLI (via SSH)

ata Domain HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

443, 25, 21 ConnectEMC

80, 443 Inbound fromSRS

Enterprise Manager Remotesupport

Administration (occasional)Troubleshooting (frequent)

22 CLI (via SSH) Remotesupport




ellEMCymphony

HTTPS 9443 Outbound to SRS REST Servicenotification

N/A



L3Dngine

SMTP (25) Outbound to CustomerSMTP server

CentOS Servicenotification

N/A

22 Inbound fromSRS



443 Secure Web UI

11576 EDL Mgt Console

ell EMCroduct


Directionopen


Applicationname




10


DD

D

D

D

Eo

Dp

Lm, DLm3,Lm4

HTTPSa Outbound toSRS


N/A

Passive FTPa

(21)

SMTP (25)

22 Inbound fromSRS



80, 443, 8000 Celerra Manager(Only for DLm)

80, 443 DLmConsole (Onlyfor DLm3 andDLm4)


Telnet (Only forDLm)

Troubleshooting (rare)Use only if CLI cannot beused

PA HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

HTTPSa ConnectEMC

Passive FTPa

(21)

SMTP (25)



9002, 9003,9004

DPA GUI

3389 Remote desktop

PAppliance HTTPSa Outbound to SRS ConnectEMC Servicenotification

N/A

Passive FTPa

(21)

SMTP (25)



8543 DPAppliance ACM

443 Data ProtectionSearch UI, vSphereWeb Client, IDRACWeb

SSD HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

HTTPSa ConnectEMC

Passive FTPa

(21)

SMTP (25)



lasticCloudStrage (ECS)

HTTPSa Outbound to SRS ConnectEMC Servicenotification

N/A

Passive FTPa

(21)

SMTP (25)

HTTPS 9443 REST



80, 443, 4443 ECS UI

ell EMCroduct


Directionopen


Applicationname




EE(

EN

DECM

GDCA(

IEM

IC

Dp

DLngine

except DL3D)

HTTPSa The service notification for EDL issupported only on the centrallymanaged devices via a managementserver. For the service notifications, thedistributed CLARiiON devices (includingEDL) use SRS or the Customer emailserver (SMTP).

Outbound toSRS


Passive FTPa

(21)

SMTP (25)

22 Inbound fromSRS



11576 EDL Mgt Console Administration (occasional)

443 Secure Web UI Diagnostics (occasional)

mbeddedAS (eNAS)

22 Inbound fromSRS



2022 Troubleshooting (rare)

ell EMCnterpriseopy Dataanagement


N/A

HTTPSa ConnectEMC

Passive FTP(21)

SMTP (25)



9000 Skyline UI

14443 SkylineUpgradeUI

8443 SkylineRESTAPIUI

reenplumataomputingppliance

DCA)®

HTTPSa Outbound to CustomerSMTP server


Passive FTP(21)

SMTP (25)

22 Inbound fromSRS

CLI (via SSH) N/A Administration (occasional)


nvista®

lementanager


ConnectEMC N/A Troubleshooting (frequent)

Passive FTPa

(21)

SMTP (25)

nvistaPCs


EMCRemote N/A Troubleshooting (frequent)

All of: 80, 443,2162, and 2163

Invista ElementManager andInvistaSecCLI

5201, 6390,6391, 6392

ClassicCLI(InvistaCLI)

ell EMCroduct


Directionopen


Applicationname




12


I

I

N

N

P

PA

PD

RP

Dp

silon® HTTPS 9443 Outbound toSRS


N/A

HTTPSa ConnectEMC

Passive FTP(21)

SMTP (25)

Managed FileTransfer (MFT)8118

• Within Isilon OneFS 7.1, theisi_gather_info script will send theIsilon log file back to Dell EMC viaMFT using port 8118 on SRS. Allother Connect Homes will useConnectEMC to send the files toSRS using HTTPS, Passive FTP, orSMTP.

• MFT for Isilon is not considered fullMFT and therefore is not handled assuch in the SRS Web UI.

ISI-Gather LogProcess

Configurationinformation

22 Inbound fromSRS



8080 Secure Web UI Troubleshooting (frequent)

silon SD Inbound from SRS CLI (via SSH) Remotesupport


etWorker HTTPS 9443 Outbound to SRS REST Servicenotification

NA

7938 Inbound from SRS N/A Monitoring/polling

eutrino® HTTPS 9443 Outbound to SRS REST Servicenotification

N/A



80, 443 Neutrino® UI

owerPath HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

22 Inbound fromSRS



owerProtectppliance


N/A

443 Inbound from SRS PowerProtectManagement

Remotesupport

443 PowerProtectApplianceManagement

22 CLI (via SSH)

owerProtectataManager


N/A

443 Inbound from SRS PowerProtectManagement

Remotesupport

22 CLI (via SSH)

ecover-oint

REST Outbound toSRS


N/A

22 Inbound fromSRS



80, 443, and7225

RecoverPointManagement GUI

ell EMCroduct


Directionopen


Applicationname




S

SB

SC

S

U

UU

U

Dp

caleIO HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

6611 Inbound from SRS ScaleIOClient Remotesupport


22 CLI (via SSH)

3389 Remote desktop

witch–rocade-B


N/A

SMTP (25) Requires separate Windows monitoringworkstation running Fabric ManagerServer 5.x or higher

to CustomerSMTP server

22 Inbound fromSRS



23Note: Ifmanaged byConnectrixManager, thenuse port 5414

This Telnet port should be enabled onlyif SSH (port 22) cannot be used.


3389 Remote desktop Troubleshooting (frequent)

witch–isco


N/A

SMTP (25) Requires separate Windows monitoringworkstation running Fabric ManagerServer 5.x or higher

to CustomerSMTP server

22 SSH must be enabled and configured. Inbound fromSRS





ymmetrix® HTTPSa Outbound toSRS

ConnectEMC orDialEMC

Servicenotification

N/A

Passive FTPa

(21)

SMTP (25)

HTTPS 9443 MFT


RemotelyAnywhere Remotesupport


5414 EMCRemote

All of: 4444,5555, 7000,23003, and23004

SGBD/Swuch/ ChatServer/RemoteBrowser/InlineCS

Advanced troubleshooting (byDell EMC SymmetrixEngineering) (rare)

CC 22 Inbound from SRS CLI (via SSH) Remotesupport

N/A

nity®/nityVSA


N/A



80, 443 Unisphere

nisphere HTTPS 9443 Outbound to SRS REST Servicenotification

N/A



ell EMCroduct


Directionopen


Applicationname




14


V

V

V

VP

Dp

CE Vision HTTPS 9443 Outbound to SRS REST Servicenotification

N/A



443 Secure Web UI

iPR HTTPSa Outbound toSRS


N/A

Passive FTPa

(21)

SMTP (25)

22 Inbound fromSRS



443, 4443, 80 ViPR ManagementGUI (ViPRUI)

iPR SRM HTTPS 9443 Outbound toSRS


N/A

HTTPSa ConnectEMC

Passive FTPa

(21)

SMTP (25)

22 Inbound fromSRS



3389 Remote desktop

58443, 58080 ViPRSRM UI

MAX3/owerMax



N/A

Passive FTPa

(21)

SMTP (25)

HTTPS 9443 REST/MFT- VMAX3

22 Inbound fromSRS



5414 EMCRemote

4444, 5555,7000

InlineCS

7000 RemoteBrowser

9519 RemotelyAnywhere

5555, 23004,23003, 1300

SGDB

5555, 23004 SWUCH

ell EMCroduct


Directionopen


Applicationname




V

V

V

V

V

V

Dp

NX® HTTPSa Outbound toSRS


N/A

Passive FTPa

(21)

SMTP (25)

HTTPS 9443 MFT


KTCONS Remotesupport

Troubleshooting (occasional)

13456, 13457 RemoteKTrace Administration (frequent)


9519 Remotely-Anywhere

22, 2022 CLI (via SSH)

80, 443, 2162,2163, 8000

Unisphere/USM/NavisphereSecureCLI

6391,6392,60020

Remote DiagnosticAgent

Diagnostics (occasional)

NXe® HTTPSa Outbound to CustomerSMTP server


N/A

Passive FTP(21)

SMTP (25)

HTTPS 9443 to SRS MFT

22, 2022 Inbound fromSRS



80 and 443 Unisphere Troubleshooting (frequent)

PLEX® SMTP (25) Outbound toSRS


N/A

CLI (via SSH)

443 Inbound from SRS Invista ElementManager

Remotesupport


22 CLI (via SSH) Advanced troubleshooting (byDell EMC SymmetrixEngineering) (rare)

xFlexOS HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

6611 Inbound from SRS ScaleIOClient Remotesupport


22 CLI (via SSH)

3389 Remote desktop

xRack FLEX HTTPS 9443 Outbound to SRS REST Servicenotification

N/A

8080 Inbound from SRS Secure Web UI RemoteSupport


3389 Remote desktop

22 CLI (via SSH)

xRack SDDC HTTPS 9443 Outbound to SRS REST Servicenotification

N/A



ell EMCroduct


Directionopen


Applicationname




16


V(B

X

Nn

Dp

xRailVSPEXLUE®)

HTTPS 9443 Outbound toSRS


N/A

HTTPSa ConnectEMC

Passive FTP(21)

SMTP (25)



tremIO® HTTPS 9443 Outbound toSRS


N/A

HTTPSa ConnectEMC

Passive FTPa

(21)

SMTP (25)

22, 80, 443 Inbound fromSRS



80, 443, 42502 XTREMIOGUI

a. The use of HTTPS for service notifications is dependent on the version of ConnectEMC used by the managed device. For moreinformation, refer to the product documentation. The default port for HTTPS is 443. The value for Passive Port Range in FTP is set to 21and 5400 through 5413. This range indicates the data channel ports available for the response to the PASV commands. These ports areused for the Passive FTP mode of the Connect Home messages as well as for the GWExt loading and output.

ote: If connectivity is restricted to allow only communication from your products to the SRS VE, then Dell EMC will only be able to receive connect home information and willot be able to use SRS to connect in remotely to your products. Customers choosing this configuration should have alternate connect-in means available.

ell EMCroduct


Directionopen


Applicationname




Copyright © 2019 Dell EMC Corporation. All rights reserved.

Dell EMC believes the information in this publication is accurate as of its publication date. The informationis subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” DELL EMC CORPORATIONMAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THEINFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OFMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any Dell EMC software described in this publication requires an applicablesoftware license.

For the most up-to-date regulatory document for your product line, go to the Documentation and Advisoriessections on the Dell EMC Online Support Site (support.emc.com).

For the most up-to-date listing of Dell EMC product names, see Dell EMC Corporation Trademarks onEMC.com.

All other trademarks used herein are the property of their respective owners.


secure remote services - dell › en-us › collaterals › unauth › ... · https 443 usage of...

Documents