IBM Support

HMC Firewall Information

Troubleshooting


Problem

This document lists the ports used by the HMC.

Resolving The Problem

The following is a list of ports used by the HMC.

The "Inbound application" column identifies ports where the HMC acts as a server that remote client applications connect to. Examples of remote client applications include browser-based remote access and the remote 5250 console. Ports used by remote clients need to be enabled in the HMC firewall. They must also be enabled in any firewall that sits between a remote client and the HMC.

The "Outbound application" column identifies ports where the HMC acts as a client, initiating communications to the port on a remote server. Functions are further classified as intranet or internet. Intranet functions are typically limited to communications between the HMC and another HMC, partition, or server inside the network. Internet functions require access to the internet, directly or, in some cases, via a proxy. Because UDP is a directionless protocol, the HMC firewall must be enabled for UDP ports even though the communications might be initiated from the HMC. "Outbound" application ports must be enabled in external firewalls for the function to work.

HMC Version 9 and later. 
 
| SERVICE | PORT Numbers | Inbound Application (HMC Daemon) (See Note.) | Outbound Application (HMC client function) (See Note.) |
|---|---|---|---|
| Secure Web Access | 443 | Remote secure browser access. | (Internet) https outbound remote support/ECC callhome, (optional) Informational links to IBM website. (private/intranet): Managed Server ASMI, "Launch Remote HMC" task. |
| Secure Web-Access | 9960 | V10R1 and earlier: Browser Applet Communications, including Remote VTTY. | |
| Secure Web-Access | 12443 | Remote secure browser access | |
| Web Access | 80 | | V9R1M92x and earlier: (Internet) Server Licensed Internal Code updates using the "IBM Service website" repository. |
| redfish | 17443 tcp | Power10 ebmc managed server - HMC connection. | (private/intranet) Managed server - HMC connection. |
| Nets (HMC-FSP SSL communications) | 30000, 30001 | | (private/intranet) Managed Server HMC connection. |
| 5250 | 2300 (non-SSL), 2301 (SSL) | Remote 5250 console. | (Intranet) 5250 remote console to another HMC, 5250 telnet. |
| Secure Shell | 22 | remote ssh clients | (Intranet) ssh, secure FTP and secure copy |
| Ping | icmp echo, 7 tcp | Incoming ping | (private/intranet) Managed server - HMC connection; 7:tcp HMC - e-bmc vmi connection. |
| FCS Datagram | 9900:udp | HMC-HMC call home negotiation. | (Intranet) HMC-HMC call home negotiation. |
| FCS | 9920 | HMC-HMC communication including Data Replication. | (Intranet) HMC-HMC communication including Data Replication. |
| RMC | 657:udp, 657:tcp | i5/OS: (optional) inventory/copy of error logs. VIOS/AIX/Linux: LPM, DLPAR, VIOS tasks. Cross HMC Power Enterprise Pools, Simplified Remote Restart. | (Intranet) i5/OS: (optional) inventory/copy of error logs. VIOS/AIX/Linux: LPM, DLPAR, VIOS tasks. Cross HMC Power Enterprise Pools, Simplified Remote Restart. |
| RSCT Peer Domains | 12347:udp, 12348:udp | AIX Clustering: Reliable Scalable Cluster Technology (RSCT). | |
| SNMP Agent | 161:tcp, 151: udp | Applications such as Tivoli Netcool that register for virtual network statistics. | |
| PowerSC UI Agent | 11125:tcp, 11125:udp | PowerSC server managing a HMC. | |

Additional ports used only for outbound connections

| SERVICE | PORT Numbers | Outbound Application (HMC client function) (See Note.) |
|---|---|---|
| SMTP | 25 (configurable) | (Intranet) email customer notification option. |
| SNMP Traps | 162:tcp, 162:udp (configurable) | (Intranet) SNMP Trap customer notification option. |
| NTP | 123:udp | (Intranet) Network Time Protocol client. |
| NFS | 2049 | (Intranet) HMC backup/restore/updates. |
| Telnet | 23 | (Intranet) 5250 telnet client. |
| FTP | n/a | (Internet or intranet) sendfile command. (Internet or intranet) Server Licensed Internal Code updates using the "FTP site" repository. (Internet or Intranet) HMC Code Updates and network upgrades. (Intranet) HMC network backup/restore. |
| rsyslog | udp or tcp 514, tcp 6514 (configurable) | (Intranet) HMC configured to use external rsyslog server. |

Note: This list might vary depending on HMC version, release, and fix level.

The following ports are required for installios, and UI Install VIOS.

| SERVICE | PORT Numbers | Inbound Application |
|---|---|---|
| ping | icmp echo | ping test |
| rsh | 513-1023 tcp | remote shell |
| bootp | 67-68 udp | bootp server |
| tftp | 69, 23768-65535 udp | TFTP server |
| nfs | 2049 tcp | NFS server |
| mountd | 32768-65535 tcp | NFS server |
| portmapper | 111 udp | NFS server |

Examples

An example of a typical configuration is as follows:
o Firewall between the HMC and remote users: 443, 12443, 2301, 22.
o Firewall between the HMC and other HMCs/partitions: Bidirectional 657 tcp/udp, 9900 udp, 9920 tcp/udp.
o Firewall between the HMC and the Internet: outbound 443.
o Firewall between the HMC and the Managed Server: TCP outbound 443, 30000, 30001, 17443; inbound 17443.
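
The typical configuration above can be used as an allowlist when reviewing an intermediate firewall. The following is an added example, not IBM code: it compares a rule set against the four zones listed above and reports ports that are missing (the HMC function will fail) or permitted beyond the list (unneeded exposure). The `proto/port/direction` notation, the zone names and the sample rule set are constructed for illustration; directions are relative to the HMC, and TCP is assumed where the list gives no protocol.

```python
def flows(spec):
    """Expand 'tcp,udp/657/both tcp/443/out' into {(proto, port, direction)}."""
    result = set()
    for item in spec.split():
        protos, port, direction = item.split("/")
        dirs = ("in", "out") if direction == "both" else (direction,)
        result |= {(p, int(port), d) for p in protos.split(",") for d in dirs}
    return result

# Transcribed from the "Examples" list on this page (zone names are hypothetical).
REQUIRED = {
    # Remote clients connect to the HMC, so these are inbound to the HMC.
    "remote_users": flows("tcp/443/in tcp/12443/in tcp/2301/in tcp/22/in"),
    # "Bidirectional 657 tcp/udp, 9900 udp, 9920 tcp/udp"
    "peer_hmc_lpar": flows("tcp,udp/657/both udp/9900/both tcp,udp/9920/both"),
    # "outbound 443"
    "internet": flows("tcp/443/out"),
    # "TCP outbound 443, 30000, 30001, 17443; inbound 17443"
    "managed_server": flows("tcp/443/out tcp/30000/out tcp/30001/out tcp/17443/both"),
}

def audit(zone, permitted_spec):
    """Compare the rules a firewall permits for one zone with the page's list."""
    permitted = flows(permitted_spec)
    required = REQUIRED[zone]
    return {
        "missing": sorted(required - permitted),  # function will not work
        "excess": sorted(permitted - required),   # open but not in the typical list
    }

# Constructed sample: rules found on a firewall between remote users and the HMC.
SAMPLE_REMOTE_USERS = "tcp/443/in tcp/22/in tcp/9960/in tcp/80/in"

if __name__ == "__main__":
    report = audit("remote_users", SAMPLE_REMOTE_USERS)
    for kind, entries in report.items():
        for proto, port, direction in entries:
            print(f"{kind}: {port}/{proto} {direction}")
```

An "excess" entry is a prompt to check the port table, not automatically an error: 9960, for example, is listed for V10R1 and earlier only.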


Historical Number

376410391

Document Information

Modified date:
04 December 2023

UID

nas8N1019111