Port availability
Several ports must be available, depending on how the firewalls are implemented in your environment. If the required ports are blocked or used by another process, some Lenovo XClarity Administrator functions might not work.
Access to the XClarity Administrator server
If the XClarity Administrator server and all managed devices are behind a firewall, and you intend to access those devices from a browser that is outside of the firewall, you must ensure that the XClarity Administrator ports are open. If you are using SNMP and SMTP for event management, you might also need to ensure that the ports that are used by the XClarity Administrator server for event forwarding are open.
The XClarity Administrator server listens on and responds through the ports that are listed in the following table.
XClarity Administrator is a RESTful application that communicates securely over TCP on port 443.
XClarity Administrator can be optionally configured to make outbound connections to external services, such as LDAP, SMTP, or syslog. These connections might require additional ports that are generally user configurable and not included in this list. These connections might also require access to a domain name service (DNS) server on TCP or UDP port 53 to resolve external server names.
Service | Outbound (ports open on external systems) | Inbound (ports open on XClarity Administrator appliance) |
---|---|---|
XClarity Administrator appliance |
|
|
External authentication servers |
| Not applicable |
Event forwarding services |
|
|
Lenovo services (including Call Home) |
| Not applicable |
This is the default port. You can configure this port from the user interface.
This port is used when SNMP event forwarding with user authentication is configured.
Open this port when Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port. This port is used as a fallback on Wi-Fi only, when devices cannot reach the Apple Push Notifications service on port 5223. The IP address range is 17.0.0.0/8.
For the IP address range, see Google ASN 15169. The domain is android.googleapis.com.
Though not required outside of China, XClarity Administrator might attempt to connect to this service in other countries.
Access between XClarity Administrator and managed devices
If managed devices (such as compute nodes or rack servers) are behind a firewall and if you intend to manage those devices from an XClarity Administrator server that is outside of that firewall, you must ensure that all ports involved with communications between XClarity Administrator and the baseboard management controller in each managed device are open.
If you intend to install operating systems on managed devices using XClarity Administrator, ensure that you review the list of ports in Access between XClarity Administrator and data network for OS deployment and device-driver updates.
- Flex chassis CMM
Device type Outbound (ports open on external systems) Inbound (ports open on XClarity Administrator appliance)
Flex Chassis CMMs
- SLP – UDP/TCP on port 427
- CIM HTTP – TCP on port 5988 (note 2)
- CIM HTTPS – TCP on port 5989
- TCP command – TCP on port 6090 (note 2)
- Secure TCP command – TCP on port 6091
- SFTP – TCP on port 22 (note 1)
- CIM indications HTTPS – TCP 9090
- LDAPS – TCP on ports 50637
Notes:
1. This port is used to transfer firmware-updates using SFTP.
2. By default, management is performed over secure ports. The non-secure ports are optional.
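The Flex chassis CMM list above can be turned into a firewall check. The following is an added example, not Lenovo code: it parses the entries (transcribed here with footnote markers written as "(note N)"), treats every entry without note 2 as required, ignores traffic direction, and audits a constructed allowlist named `ALLOWED`.

```python
import re

# Flex chassis CMM entries transcribed from the list above.
# Note 2 marks the optional non-secure ports.
CMM_PORTS = """\
SLP – UDP/TCP on port 427
CIM HTTP – TCP on port 5988 (note 2)
CIM HTTPS – TCP on port 5989
TCP command – TCP on port 6090 (note 2)
Secure TCP command – TCP on port 6091
SFTP – TCP on port 22 (note 1)
CIM indications HTTPS – TCP 9090
LDAPS – TCP on ports 50637
"""

ENTRY = re.compile(
    r"^(?P<service>.+?)\s+–\s+(?P<protos>[A-Z/]+)(?:\s+on\s+ports?)?\s+(?P<port>\d+)"
    r"(?:\s+\(notes?\s+(?P<notes>[\d,\s]+)\))?$"
)

def parse_ports(text, optional_note=2):
    """Return {(proto, port): (service, optional)} for every listed entry."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unparsed entry: {line!r}")
        notes = {int(n) for n in re.findall(r"\d+", m["notes"] or "")}
        for proto in m["protos"].lower().split("/"):  # "UDP/TCP" -> two rules
            table[(proto, int(m["port"]))] = (m["service"], optional_note in notes)
    return table

def audit(table, allowed):
    """Compare a firewall allowlist of (proto, port) pairs against the table."""
    required = {k for k, (_, opt) in table.items() if not opt}
    optional = {k for k, (_, opt) in table.items() if opt}
    return {
        "blocked_required": sorted(required - allowed),  # functions that may fail
        "open_non_secure": sorted(optional & allowed),   # candidates to close
        "unlisted_open": sorted(allowed - set(table)),   # not needed by this list
    }

# Constructed allowlist for the firewall between the appliance and the CMM.
ALLOWED = {("tcp", 22), ("tcp", 5988), ("tcp", 5989), ("tcp", 6091),
           ("udp", 427), ("tcp", 9090), ("tcp", 23)}
REPORT = audit(parse_ports(CMM_PORTS), ALLOWED)
```

With this allowlist the report shows SLP over TCP and LDAPS as blocked, the non-secure CIM HTTP port as open although it is optional, and TCP 23 as open without appearing in the list.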
- Servers and compute nodes
Device type Outbound (ports open on external systems) Inbound (ports open on XClarity Administrator appliance)
ThinkSystem and ThinkAgile
- SSDP discovery – UDP on port 1900
- SFTP – TCP on port 115 (note 4)
- HTTPS – TCP on port 443
- Remote control – TCP on port 3888 (note 3)
- CIM HTTPS – TCP on port 5989 (note 8)
- Firmware updates – TCP on port 6990 (notes 4, 7)
- SLP – UDP/TCP on port 427 (note 6)
- SFTP – TCP on port 22 (note 1)
- HTTPS – TCP on port 443
- Firmware updates – TCP on port 6990 (notes 4, 7)
- CIM indications HTTPS – TCP 9090
- LDAPS – TCP on ports 50636 (note 5)
- LDAPS – TCP on ports 50637 (note 9)
System x
- SLP – UDP/TCP on port 427
- HTTPS – TCP on port 443
- IPMI – TCP on port 623
- Remote control – TCP on port 3888 (note 3)
- CIM HTTP – TCP on port 5988 (note 2)
- CIM HTTPS – TCP on port 5989 (notes 2, 8)
- Firmware updates – TCP on port 6990 (notes 4, 7)
- SFTP – TCP on port 22 (note 1)
- HTTPS – TCP on port 443
- Firmware updates – TCP on port 6990 (notes 4, 7)
- CIM indications HTTPS – TCP 9090 (note 8)
- LDAPS – TCP on ports 50636 (note 5)
- LDAPS – TCP on ports 50637 (note 9)
Flex System
- SLP – UDP/TCP on port 427
- Remote control – TCP on port 3888 (note 3)
- CIM HTTP – TCP on port 5988 (note 2)
- CIM HTTPS – TCP on port 5989 (notes 2, 8)
- Firmware updates – TCP on port 6990 (notes 4, 7)
- SFTP – TCP on port 22 (note 1)
- HTTPS – TCP on port 443
- Firmware updates – TCP on port 6990 (notes 4, 7)
- CIM indications HTTPS – TCP 9090
- LDAPS – TCP on ports 50636 (note 5)
- LDAPS – TCP on ports 50637 (note 9)
ThinkServer
- SNMP traps – UDP on port 162
- IPMI – UDP on port 623
- SNMP traps – UDP on port 162
Notes:
1. This port is used to transfer firmware-updates using SFTP, to upload, download, and remove service data files, and to store the drive erase tool that is fetched by the BMU OS when securely erasing drive data.
2. By default, management is performed over secure ports. The non-secure ports are optional.
3. Remote control and remote KVM are launched from the web browser, not the XClarity Administrator server.
4. This port is required for BMU firmware updates to upload the firmware update package to the management controller.
5. This port is required to configure servers using configuration patterns.
6. This port is required only for ThinkSystem SR635 and SR655 servers.
7. This port is required to mount the BMU image when securely erasing drive data. This port must be open in both the baseboard management controller and XClarity Administrator appliance.
8. This port is required for only ThinkSystem V1 servers. This port is required for System X, Flex System, and ThinkSystem V1 servers.
9. This port is required to use managed authentication.
- Rack and Flex switches
Device type Outbound (ports open on external systems) Inbound (ports open on XClarity Administrator appliance)
Rack switches
- SSH – TCP on port 22 (notes 1, 3)
- SNMP – UDP on port 161 (note 2)
- SLP – UDP/TCP on port 427 (note 6)
- HTTPS – TCP on port 443 (note 7)
- SFTP – TCP on port 22 (note 4)
- SNMP traps – TCP on ports 162 (note 2)
Flex switches
- SSH – TCP on port 22 (note 3)
- SNMP – UDP on port 161 (note 5)
- SFTP – TCP on port 22 (note 4)
- SNMP traps – TCP on port 162 (note 2)
Notes:
1. For ENOS rack switches, this port is used to configure Head of Stack (HoS) credentials used between CMM and Flex switches, activate the firmware slot, and clear SSH host keys before SFTP file transfer operations.
2. This port must be open on the XClarity Administrator appliance (inbound) when switches are on a different network than XClarity Administrator, so that XClarity Administrator can receive events for those devices.
3. This port is used for management (SSH).
4. This port is used to transfer firmware-updates using SFTP.
5. For ENOS rack switches, this port is used to transfer inventory data.
6. This port is used for discovery.
7. This port is used to apply firmware updates.
- Storage devices
Device type Outbound (ports open on external systems) Inbound (ports open on XClarity Administrator appliance)
Storage devices
- FTP – TCP on port 21
- SFTP – TCP on port 22 (note 2)
- SLP – UDP/TCP on port 427
- HTTPS – TCP on port 443 (note 1)
- HTTPS – TCP on port 3031 (note 3)
- HTTPS – TCP on port 443 (note 2)
- SNMP traps – UDP on port 115
Notes:
1. This port is used to transfer firmware-updates.
2. This port is used to transfer and apply firmware-updates.
3. This port is used for discovery of Tape Library Storage devices.
Access between XClarity Administrator and data network for OS deployment and device-driver updates
Device type | Outbound (ports open on external systems) | Inbound (ports open on XClarity Administrator appliance) |
---|---|---|
OS deployment1, 2, 3 |
| |
OS device driver updates2 |
|
|
If you configured XClarity Administrator to use an operating-system deployment network, ports must be open on that network.
For a list of ports that must be available for the deploying operating systems, see Port availability for deployed operating systems.
For example, if operating-system deployment is configured to use the data network (eth1), then these ports must be open on that network.
Each XClarity Administrator instance has a unique Certificate Authority (CA) that is used only for OS deployment. That CA signs a certificate that is used for the target server on port 8443. When OS deployment is initiated, the CA certificate is included in the OS image that is pushed to the target server. As part of the deployment process, that server connects back to port 8443 and verifies the certificate that port 8443 provides during the handshake, because it has the CA certificate.
This port is used to transfer Windows driver files.
This port is used to connect to the target server WinRM.
This port is used to exchange data between the target OS and XClarity Administrator, including OS images and status.