IBM Support

List of firewall ports in WebSphere Application Server V7, V8, and V8.5

Technical Blog Post


Abstract

List of firewall ports in WebSphere Application Server V7, V8, and V8.5

Body

 

List of firewall ports that must be open for communication between the deployment manager, nodeagent, and Application Server

 

It's very important to know the ports that should be opened in the firewall for proper communication between deployment manager, nodeagent, and application servers. Follow the below steps to achieve this task.

 

Find the port numbers in the serverindex.xml file or from the ISC (Integrated Solution Console)

The serverindex.xml file can be found under the profile-root/config/cells/cellName/nodes/nodeName folder.

 

From Integrated Solution Console:

Application Server ports

Click on servers -> server Name -> Expand ports under communication

Nodeagent ports

Click on System administration -> node agents -> nodeagent -> Expand ports under Additional Properties

Deployment Manager ports

Click on System administration -> Deployment manager -> Expand ports under Additional Properties

 

Note: The example endpoints are derived from version 8.5 configuration, please ignore the endpoints/ports if you don't find it in your configuration.

 

DMGR Ports to be opened with security enabled and disabled

Port/Endpoint Name

Security Disabled

Security Enabled

Reason/Comment

CELL_DISCOVERY_ADDRESS

Yes

Yes

Discovery between nodeagent and DMgr will not work

BOOTSTRAP_ADDRESS

Yes

Yes

Naming service or RMI service between DMgr and node might not work

SOAP_CONNECTOR_ADDRESS

Yes

Yes

Synchronization will not work

ORB_LISTENER_ADDRESS

Yes

Yes

Port value can't be zero. Should have a static value. More info

WC_adminhost

Yes

Yes

File transfer application will not work

DCS_UNICAST_ADDRESS

Yes

Yes

HA Manager won't work properly (i.e., WLM, DRS, Transaction log recovery )

IPC_CONNECTOR_ADDRESS

Yes

Yes

Internal communication might fail

WC_adminhost_secure

No

Yes

File Transfer won't work

SAS_SSL_SERVERAUTH_LISTENER_ADDRESS

No

No

This port is used for communication with version 6.0.x servers federated in a 6.1 or later cell. Should open if you have V6.0 mixed node.

CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS

No

Yes

Required when security enabled

CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS

No

Yes

Required when security enabled

DataPowerMgr_inbound_secure

Yes

Yes

Required only when you use DataPower

 

 

Nodeagent Ports to be opened with security enabled and disabled

Port Name/Endpoint Name

Security Disabled

Security Enabled

Reason/Comment

BOOTSTRAP_ADDRESS

Yes

Yes

Naming service or RMI service between dmgr and node might not work

ORB_LISTENER_ADDRESS

Yes

Yes

Port value can't be zero. Should have a static value. More info

DCS_UNICAST_ADDRESS

Yes

Yes

HA Manager won't work(WLM, DRS, Transaction log recovery etc)

NODE_DISCOVERY_ADDRESS

Yes

Yes

Discovery between nodeagent and dmgr will not work

NODE_IPV6_MULTICAST_DISCOVERY_ADDRESS

Yes (if NO to ipv4)

Yes (if NO to ipv4)

Multicast discovery for application servers (during startup) to discover nodeagent. The endpoint can be removed, if you prefer to use IPV4.

NODE_MULTICAST_DISCOVERY_ADDRESS (ipV4)

Yes (if NO to ipv6)

Yes (if NO to ipv6)

Multicast discovery for application servers (during startup) to discover nodeagent. The endpoint can be removed, if you prefer to use IPV6

SOAP_CONNECTOR_ADDRESS

Yes

Yes

Synchronization will not work

IPC_CONNECTOR_ADDRESS

Yes

Yes

Internal WebSphere communication might fail

SAS_SSL_SERVERAUTH_LISTENER_ADDRESS

No

No

This port is used for communication with version 6.0.x servers federated in a 6.1 or later cell. Should open if you have V6.0 mixed node.

CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS

No

Yes

Required when security enabled

CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS

No

Yes

Required when security enabled

 

 

Application Server ports to be opened

Port Name/Endpoint Name

Security Disabled

Security Enabled

Reason/Comment

DCS_UNICAST_ADDRESS

Yes

Yes

HA Manager won't work(WLM, DRS, Transaction log recovery etc). All application server DCS ports should be opened.

 

 

Additional firewall considerations

You might choose to separate the WebSphere application servers from your database and LDAP servers with a firewall. If so, you might have to open the following ports. The following ports are default ports, please consult with your admin to find out the right port numbers:

  • DB2: 50000 and 50001
  • Oracle: 1521
  • SQL Server: 1433
  • LDAP: 389

 

The same scenario is applicable for other backend resources like MQ, TAM etc.  

 

 

title image (modified) credit: (cc) Some rights reserved by OpenClips

 

[{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"","label":""},"Component":"","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

UID

ibm11081053