IBM Support

HMC Firewall Information

Troubleshooting


Problem

This document lists the ports used by the HMC.

Resolving The Problem

The following is a list of ports used by the HMC.

The "Inbound application" column identifies ports where the HMC acts as a server that remote client applications connect to. Examples of remote client applications include the browser-based remote access and the remote 5250 console. Ports used by remote clients need to be enabled in the HMC firewall. They must also be enabled in any firewall that is between a remote client and the HMC.

The "Outbound application" column identifies ports where the HMC acts as a client, initiating communications to the port on a remote server. Functions are further classified as intranet or internet. Intranet functions are typically limited to communications between the HMC and another HMC, partition, or server inside the network. Internet functions require access to the internet, directly or, in some cases, via a proxy. Because UDP is a directionless protocol, the HMC firewall must be enabled for UDP ports even though the communications might be initiated from the HMC. "Outbound" application ports must be enabled in external firewalls for the function to work.

HMC Version 9 and later. 
 

| SERVICE | PORT Numbers | Inbound Application (HMC Daemon) (See Note.) | Outbound Application (HMC client function) (See Note.) |
|---|---|---|---|
| Secure Web Access | 443 | Remote secure browser access. HMC Version 11 and later: Port 443 is used for all REST API access. | (Internet) https outbound remote support/ECC callhome, (optional) informational links to IBM website. (private/intranet) Managed Server ASMI, "Launch Remote HMC" task. |
| Secure Web-Access | 9960 | V10R1 and earlier: Browser Applet Communications, including Remote VTTY. | |
| Secure Web-Access | 12443 | V10R3 and earlier: Remote secure browser access. Used for REST API access. | |
| Web Access | 80 | | V9R1M92x and earlier: (Internet) Server Licensed Internal Code updates using the "IBM Service website" repository. |
| redfish | 17443 tcp | Power10 ebmc managed server - HMC connection. | (private/intranet) Managed server - HMC connection. |
| Nets (HMC-FSP SSL communications) | 30000, 30001 | | (private/intranet) Managed Server HMC connection. |
| 5250 | 2300 (non-SSL), 2301 (SSL) | Remote 5250 console. | (Intranet) 5250 remote console to another HMC, 5250 telnet. |
| Secure Shell | 22 | Remote ssh clients. | (Intranet) ssh, secure FTP and secure copy. |
| Ping | icmp echo, 7 tcp | Incoming ping. | (private/intranet) Managed server - HMC connection; 7:tcp HMC - e-bmc vmi connection. |
| FCS Datagram | 9900:udp | HMC-HMC call home negotiation. | (Intranet) HMC-HMC call home negotiation. |
| FCS | 9920 | HMC-HMC communication including Data Replication. | (Intranet) HMC-HMC communication including Data Replication. |
| RMC | 657:udp, 657:tcp | i5/OS: (optional) inventory/copy of error logs. VIOS/AIX/Linux: LPM, DLPAR, VIOS tasks. Cross HMC Power Enterprise Pools, Simplified Remote Restart. | (Intranet) i5/OS: (optional) inventory/copy of error logs. VIOS/AIX/Linux: LPM, DLPAR, VIOS tasks. Cross HMC Power Enterprise Pools, Simplified Remote Restart. |
| RSCT Peer Domains | 12347:udp, 12348:udp | AIX Clustering: Reliable Scalable Cluster Technology (RSCT). | |
| SNMP Agent | 161:tcp, 151:udp | Applications such as Tivoli Netcool that register for virtual network statistics. | |
| PowerSC UI Agent | 11125:tcp, 11125:udp | PowerSC server managing a HMC. | |

Additional ports used only for outbound connections

| SERVICE | PORT Numbers | Outbound Application (HMC client function) (See Note.) |
|---|---|---|
| SMTP | 25 (configurable) | (Intranet) email customer notification option. |
| SNMP Traps | 162:tcp, 162:udp (configurable) | (Intranet) SNMP Trap customer notification option. |
| NTP | 123:udp | (Intranet) Network Time Protocol client. |
| NFS | 2049 | (Intranet) HMC backup/restore/updates. |
| Telnet | 23 | (Intranet) 5250 telnet client. |
| FTP | n/a | (Internet or intranet) sendfile command. (Internet or intranet) Server Licensed Internal Code updates using the "FTP site" repository. (Internet or intranet) HMC Code Updates and network upgrades. (Intranet) HMC network backup/restore. |
| rsyslog | udp or tcp 514, tcp 6514 (configurable) | (Intranet) HMC configured to use external rsyslog server. |

Note: This list might vary depending on HMC version, release, and fix level.
eBMC servers require the network to be open for both the VMI and BMC IP addresses.

The following ports are required for installios and UI Install VIOS.

| SERVICE | PORT Numbers | Inbound Application |
|---|---|---|
| ping | icmp echo | ping test |
| rsh | 513-1023 tcp | remote shell |
| bootp | 67-68 udp | bootp server |
| tftp | 69, 23768-65535 udp | TFTP server |
| nfs | 2049 tcp | NFS server |
| mountd | 32768-65535 tcp | NFS server |
| portmapper | 111 udp | NFS server |

Examples

An example of a typical configuration is as follows:
- Firewall between the HMC and remote users: 443, 12443, 2301, 22.
- Firewall between the HMC and other HMCs/partitions: bidirectional 657 tcp/udp, 9900 udp, 9920 tcp/udp.
- Firewall between the HMC and the Internet: outbound 443.
- Firewall between the HMC and an FSP-based Managed Server: TCP outbound 443, 30000, 30001.
- Firewall between the HMC and an eBMC-based Managed Server: TCP outbound 7, 443, 30000, 30001, 17443; inbound 17443. Note that the firewall and switch port must allow IP aliasing: the server BMC and VMI IP addresses are on the same BMC NIC.
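
As an added example (not IBM code), the following checks a proposed set of allow-rules for one firewall boundary against the typical configuration listed above, reporting required ports left closed and rules that open more than the list calls for. The rule syntax (`tcp/443`, `udp/9900-9920`), the boundary names, and TCP for ports the list gives without a protocol are assumptions; direction is not modelled.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str  # "tcp" or "udp"
    lo: int     # first port of the allowed range
    hi: int     # last port of the allowed range (== lo for a single port)

# Required (proto, port) pairs per boundary, copied from the Examples list.
# Boundary names are hypothetical labels; ports listed there without a
# protocol (443, 12443, 2301, 22) are assumed to be TCP.
REQUIRED = {
    "remote-users": {("tcp", 443), ("tcp", 12443), ("tcp", 2301), ("tcp", 22)},
    "hmc-peers": {("tcp", 657), ("udp", 657), ("udp", 9900), ("tcp", 9920), ("udp", 9920)},
    "internet": {("tcp", 443)},
    "fsp-server": {("tcp", 443), ("tcp", 30000), ("tcp", 30001)},
    "ebmc-server": {("tcp", 7), ("tcp", 443), ("tcp", 30000), ("tcp", 30001), ("tcp", 17443)},
}

def parse_rule(text):
    """Parse 'tcp/443' or 'udp/9900-9920' into a Rule; reject anything else."""
    proto, _, ports = text.strip().lower().partition("/")
    lo, _, hi = ports.partition("-")
    if proto not in ("tcp", "udp") or not lo.isdigit() or (hi and not hi.isdigit()):
        raise ValueError(f"unrecognised rule: {text!r}")
    rule = Rule(proto, int(lo), int(hi or lo))
    if not 0 < rule.lo <= rule.hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return rule

def audit(boundary, rule_texts):
    """Return (missing, excess): required ports no rule covers, and rules
    that open at least one port the typical configuration does not list."""
    required = REQUIRED[boundary]
    rules = [parse_rule(t) for t in rule_texts]
    missing = sorted(r for r in required
                     if not any(x.proto == r[0] and x.lo <= r[1] <= x.hi for x in rules))
    excess = []
    for x in rules:
        needed = {port for proto, port in required if proto == x.proto and x.lo <= port <= x.hi}
        if len(needed) < x.hi - x.lo + 1:  # the range is wider than the ports it must cover
            excess.append(x)
    return missing, excess

if __name__ == "__main__":
    # Constructed sample: an HMC-to-HMC rule set that uses one wide UDP range.
    print(audit("hmc-peers", ["tcp/657", "udp/657", "udp/9900-9920"]))
```

A non-empty `missing` list means a function from the table will fail across that boundary; a non-empty `excess` list marks rules to narrow to the individual ports.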


Historical Number

376410391

Document Information

Modified date:
28 January 2026

UID

nas8N1019111