Planning firewall access

Determine the firewalls that are set and the ports that must be open for the IBM Spectrum Protect solution to work.

Table 1 describes the ports that are used by the server, client, and Operations Center.

Table 1. Ports that are used by the server, client, and Operations Center
| Item | Default | Direction | Description |
| --- | --- | --- | --- |
| Base port (TCPPORT) | 1500 | Outbound/inbound | Each server instance requires a unique port. You can specify an alternative port number instead of using the default. The TCPPORT option listens for both TCP/IP and SSL-enabled sessions from the client. For administrative client traffic, you can use the TCPADMINPORT and ADMINONCLIENTPORT options to set port values. |
| SSL-only port (SSLTCPPORT) | No default | Outbound/inbound | This port is used if you want to restrict communication on the port to SSL-enabled sessions only. To support both SSL and non-SSL communications, use the TCPPORT or TCPADMINPORT options. |
| SMB | 45 | Inbound/outbound | This port is used by configuration wizards that communicate by using native protocols with multiple hosts. |
| SSH | 22 | Inbound/outbound | This port is used by configuration wizards that communicate by using native protocols with multiple hosts. |
| SMTP | 25 | Outbound | This port is used to send email alerts from the server. |
| NDMP | No default | Inbound/outbound | The server must be able to open an outbound NDMP control port connection to the NAS device. The outbound control port is the Low-Level Address in the data mover definition for the NAS device. During an NDMP filer-to-server restore, the server must be able to open an outbound NDMP data connection to the NAS device. The data connection port that is used during a restore can be configured on the NAS device. During NDMP filer-to-server backups, the NAS device must be able to open outbound data connections to the server and the server must be able to accept inbound NDMP data connections. You can use the server option NDMPPORTRANGE to restrict the set of ports available for use as NDMP data connections. You can configure a firewall for connections to these ports. |
| Replication | No default | Outbound/inbound | The port and protocol for the outbound port for replication are set by the DEFINE SERVER command that is used to set up replication. The inbound ports for replication are the TCP ports and SSL ports that the source server names in the DEFINE SERVER command. |
| Client schedule port | Client port: 1501 | Outbound | The client listens on the port that is named and communicates the port number to the server. The server contacts the client if server prompted scheduling is used. You can specify an alternative port number in the client options file. |
| Long running sessions | KEEPALIVE setting: YES | Outbound | When the KEEPALIVE option is enabled, keepalive packets are sent during client-server sessions to prevent the firewall software from closing long-running, inactive connections. |
| Operations Center | HTTPS: 11090 | Inbound | These ports are used for the Operations Center web browser. You can specify an alternative port number. |
| Client management service port | Client port: 9028 | Inbound | The client management service port must be accessible from the Operations Center. Ensure that firewalls cannot prevent connections. The client management service uses the TCP port of the server for the client node for authentication by using an administrative session. |
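The following added example (not part of the IBM documentation) derives the inbound TCP allow-list for one server instance from its server options, so that the firewall opens only the ports that Table 1 requires. The option names come from the table; the sample options text, the `*` comment convention, the `low,high` form of NDMPPORTRANGE, and the helper names are assumptions made for illustration.

```python
# Added example: option names come from Table 1; the sample options text
# and all helper names are constructed for illustration.
DEFAULTS = {"TCPPORT": "1500"}  # the only server port with a default in Table 1

SAMPLE_OPTIONS = """\
* constructed sample server options
TCPPORT        1500
SSLTCPPORT     1543
TCPADMINPORT   1510
NDMPPORTRANGE  10001,10010
"""

def parse_options(text):
    """Return {OPTION: value} from 'NAME value' lines; '*' starts a comment."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def _port(value):
    """Convert a string to a TCP port number, rejecting out-of-range values."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port

def inbound_allow_list(opts):
    """Build (option, low, high) inbound TCP rules plus review notes."""
    rules, notes = [], []
    for name in ("TCPPORT", "SSLTCPPORT", "TCPADMINPORT"):
        if name in opts:
            p = _port(opts[name])
            rules.append((name, p, p))
    if "NDMPPORTRANGE" in opts:
        low, _, high = opts["NDMPPORTRANGE"].partition(",")
        lo, hi = _port(low), _port(high or low)
        if lo > hi:
            raise ValueError("NDMPPORTRANGE low port exceeds high port")
        rules.append(("NDMPPORTRANGE", lo, hi))
    else:
        notes.append("NDMPPORTRANGE unset: NDMP data ports are not restricted")
    if "SSLTCPPORT" not in opts:
        notes.append("SSLTCPPORT unset: no SSL-only port is defined")
    return rules, notes
```

Each returned rule maps to one inbound firewall entry for the server host; the notes mark settings that prevent a narrow rule from being written.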