The table below describes the services which are released in the base system of the Management Unit. Using ACL the services can be restricted further for specific networks, see section "Security at Net Unit level".
HNC and SU x86 are protected by default and are not described in detail.
Type | Name and Port | Application |
TCP | ssh (22) | Communication at shell level (e.g. BS2000 console/dialog, SVP console, shadow terminal) |
TCP | http (80) | Communication via this port is always redirected to https (443). |
TCP | https (443) | Communication between the browser (e.g. on the administrator PC) and the system’s web interface (e.g. SE Manager) |
TCP | iascontrol-oms (1156) | PRSC/prscx (Periodical Remote System Check) regularly sends sign of life messages to the Support Center |
TCP | storman (4178) | Optional: for communication with StorMan (add-on) |
TCP | 5800 | Browser access to the VNC shadow functionality of the remote service (AIS Connect) |
TCP | 5900 | VNC viewer access to the VNC shadow functionality of the remote service (AIS Connect) |
TCP | 10021-10022 | In the case of an SKP network (redundant SKP) for SKP-SKP communication |
TCP | rs2_rctd (13333) | for remote service connections of BS2000 |
UDP | domain (53) | Integration into the Domain Name Service (DNS) |
UDP | multicast-ping (9903) | for monitoring components |
UDP | ntp (123) | Integration into the Network Time Protocol (NTPl) |
UDP | snmp (161) | For reading SNMP access by management stations |
UDP | snmptrap (162) | For receiving SNMP traps from the hardware monitoring |
UDP | syslog (514) | for monitoring components |
UDP | dhcpv6-client (546) | Optional: the DHCPv6 client port is used when a LAN interface is configured accordingly |
ICMP | - | Internet Control Message Protocol (ping) |
These ports are released for incoming connections by means of the packet filter (SuSEfirewall2) which is installed on all the systems. All other ports are locked.
All ports are released for outgoing connections in the packet filter.
A port for incoming connections which is released in the packet filter does not constitute a security risk provided the service using this port is not started because the system blocks every connection attempt.
Note on HNC and SU x86
When using the Net-Storage functionality via the MANPU and DANPU networks, there are direct outgoing connections on these units, but these do not pose a security risk.
Settings of the external firewall
The ports described in table1 may need to be enabled in the external firewall. Exceptions are TCP 10021-10022, which serve the redundant SKP functionality of the MUs within the SE server.
In addition, if necessary, ports for further optional functions with outgoing connections must also be enabled.
- If LDAP is used the LDAP port set in SEM (depending on the chosen protocol 389 or 636 by default), and ports 88 and 750 for Kerberos.
- For the SNMP queries, port 161 must be open in the firewall.
- For traps, port 162.
Examples:
Connection to an LDAP server, TCP port 389 by default
NFSv4 port TCP 2049 using Net-Storage functionality
In the case of ROBAR, the ports required for access to the storage systems must be unlocked.