TCP Port Requirements and Firewall Exceptions

The following table summarizes the TCP ports that need to be allowed by the firewall in order for the Application Discovery Suite to function as intended.

In all cases, communication is bidirectional. The firewall must allow both the incoming traffic, which represents requests, for the mentioned ports, and the outgoing traffic, which represents the answers to these requests.

From (Sender) To (Listener Component) Default Listener Port Note
  • IBM® AD Analyze Client
  • IBM AD Audit Service
  • IBM AD Batch Server
  • IBM AD Build Client
  • IBM AD Build Configuration
  • IBM AD Catalog
  • Db2® for LUW (Linux®, UNIX, and Windows)
  • Db2 for LUW (Linux, UNIX, and Windows)
    • TCP 50000 (Db2 11.5.5 and previous versions)
    • TCP 25000 (Db2 11.5.6 and later versions)

For Db2 for LUW (Linux, UNIX, and Windows), you can use the default ports depending on the installed version.

  • IBM AD Analyze Client
  • IBM AD Audit Service
  • IBM AD Batch Server
  • IBM AD Build Client
  • IBM AD Build Configuration
  • IBM AD Catalog
SQL Server TCP 1433 The port of the SQL Server Database Engine instance that hosts the AD databases. Majority of the AD components use this port to read/write data from/into the SQL databases.

The default instance of the SQL ServerDatabase Engine listens on TCP port 1433, but it can be changed via SQL Server admin tools. Ask your database server administrator what port is used by the SQL Server instance that is used by AD. Make sure not to use TCP port 1434, which is used by Dedicated Administration Console (DAC).

The computer where the browser session is opened IBM AD Configuration Server TCP 9443 The port that is used to access the web interface of IBM AD Configuration Server.

The default port is 9443, but it can be changed through Admin UI > Configure > environment > General Settings or by updating the server.xml file in the \IBM AD Web Services\wlp\usr\servers\ad_server folder.

If the web interface is accessed only locally on IBM AD Configuration Server, this port does not have to be opened in the firewall.

  • IBM AD Analyze Client
  • IBM AD Batch Server
  • IBM AD Build Client
  • IBM AD Build Configuration
  • IBM AD Catalog
IBM AD Configuration Server
  • TCP 2181
The port that IBM AD Configuration Server listens on for requests from various AD components that need to obtain the configuration settings from IBM AD Configuration Server.

The default port is 2181, but it can be changed through the Admin UI > Configure > environment > General Settings .

IBM AD Analyze Client IBM AD Batch Server
  • TCP 2424
The port of the OrientDB database instance that is hosted by IBM AD Batch Server.

IBM AD Analyze Client makes requests to this port for retrieving the data that is related to callgraph analyses.

The default port is 2424, but it can be changed through the Admin UI > Configure > environment > General Settings .

  • IBM AD Build Client
  • IBM AD Build Configuration
IBM AD Connect for Mainframe Any available TCP port (no default value) The port that IBM AD Connect for Mainframe listens on. It is used by IBM AD Build Configuration to retrieve source code information and operational information from the mainframe, and used by IBM AD Build Client to retrieve source code files from the mainframe.

For how to set or change the port that is used by IBM AD Connect for Mainframe, see section Configuring the Listener PROC. There is no default port that is specified. Any available port can be selected. For example, port 6000 or port 46000.

After you change this port in IBM AD Connect for Mainframe, the z/OS®z/OS connection setup needs to be reconfigured to use the new port. To configure the setting, click the zOS tab in the IBM AD Build Configuration tool.

IBM AD Connect for Mainframe IBM AD Validation Service Any available TCP port (no default value) The port that IBM AD Validation Service listens on for validation requests from IBM AD Connect for Mainframe.

It can be configured in the ServicePort.txt configuration file that is located in the IBM AD Validation Service installation folder. No default port is set by default. Any available TCP port can be used. For example, port 48000.

IBM AD Validation Service is an optional component. If it is not used, this port does not have to be opened in the firewall.

  • IBM AD Analyze Client
  • IBM AD Batch Server
  • IBM AD Build Client
IBM AD Audit Service
  • TCP 9080
  • TCP 9443 (*)
The port that IBM AD Audit Service listens on to receive requests from various AD components for logging audit events.

The port number can be changed by altering the httpPort value in the server.xml file. The file is located in the folder of the IBM Liberty instance that hosts IBM AD Audit Service. After you change this port, make sure to reconfigure the AD components that audit events to use the new port. For more information, see Configuring IBM AD Components to Use the Audit Service.

The IBM AD Audit Service and IBM AD Catalog Service are optional AD components. They are both hosted by the same WebSphere® Liberty instance. If neither of them is used, the port does not have to be opened in the firewall.

(*) If the ssl implementation is used, the default port is 9443.

  • IBM AD Analyze Client
  • IBM AD Data Collector
IBM AD Catalog Service TCP 9080 The port that IBM AD Catalog Service listens on. This port is used by IBM AD Data Collector to push data into IBM AD Catalog Service, and it is used by IBM AD Analyze Client to retrieve the data that is needed for displaying API analyses.

The port number can be changed by altering the httpPort value in the server.xml file. The file is located in the folder of the IBM Liberty instance that hosts IBM AD Catalog Service. After you change this port, make sure to reconfigure IBM AD Data Collector and IBM AD Analyze Client to use the new port. For more information, see Configuring the Data Collector and Configuring IBM AD Analyze Client.

The IBM AD Audit and IBM AD Catalog Service are optional AD components. They are both hosted by the same WebSphere Liberty instance. If neither of them is used, the port does not have to be opened in the firewall.

  • IBM AD File Service
  • IBM AD Analyze Client
  • IBM AD Search Service
  • IBM AD Manual Resolutions Service
  • IBM AD Mainframe Projects Service
  • IBM AD Cross Applications Service
  • Secure Storage
Authentication Server (DEX) TCP 7600 The default port on which Authentication Server (DEX) listens to different requests is 7600. It can be modified in the conf.yaml file.
  • IBM AD Analyze Client
  • (Optional) Authentication Server (DEX)
IBM AD File Service TCP 7700 The default port on which IBM AD File Service listens to different requests is 7700. It can be modified in the conf.yaml file.
  • IBM AD Analyze Client
  • (Optional) Authentication Server (DEX)
IBM AD Search Service TCP 7800 The default port on which IBM AD Search Service listens to different requests is 7800. It can be modified in the conf.yaml file.
  • IBM AD Analyze Client
  • IBM AD Batch Server
  • (Optional) Authentication Server (DEX)
IBM AD Manual Resolutions Service TCP 7900 The default port on which AD Manual Resolutions Service listens to different requests is 7900. It can be modified in the conf.yaml file.
  • IBM AD Analyze Client
  • IBM AD Batch Server
  • (Optional) Authentication Server (DEX)
IBM AD Mainframe Projects Service TCP 7650 The default port on which IBM AD Mainframe Projects Service listens to different requests is 7650. It can be modified in the conf.yaml file.
  • IBM AD Analyze Client
  • IBM AD Batch Server
  • (Optional) Authentication Server (DEX)
IBM AD Cross Applications Service TCP 7850 The default port on which IBM AD Cross Applications Service listens to different requests is 7850. It can be modified in the conf.yaml file.
Authentication Server (DEX) IBM AD Analyze Client TCP 55555 The port that is used by Authentication Server (DEX), opened on all Analyze Client machines (in environments using DEX), and used for callback.
Note: Make sure that the firewall does not prevent IBM AD Analyze Client from communicating with IBM AD Batch Server, IBM AD Configuration Server, and the relational database server. Program rules in the firewall might need to be created to allow both the inbound and outbound traffic for the eclipse.exe instance on each IBM AD Analyze Client that is located under the installation folder of your Eclipse or IDz instance.