What Ports the NX and the GMS Use

Specifications, Compliance, and Regulatory Statements : What Ports the NX and the GMS Use

What Ports the NX and the GMS Use

Following are lists of ports that are used by the appliances and by the Global Management System (GMS). These are the ports used for “listening”.

If you intend to use a port, make sure that it is open in the firewall(s).

List of ports used by the GMS

Following is the list of ports used by the GMS. All are part of the management plane.

It is mandatory for certain ports to be open. Opening other ports is optional (opt.), depending on your network, applications, and chosen deployment.

Must open port?

TCP

UDP

Port

Application

Direction relative to the GMS

Comments

yes

x

22

SSH

bidirectional

SNMP trap receivers

yes

x

443

HTTPS

bi-directional

communications between the GMS and a physical or virtual appliance (NX or VX)

opt.

x

21

FTP

outgoing

for GMS backup

This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number.

opt.

x

22

SCP

outgoing

for GMS backup

This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number.

opt.

x

49

TACACS+

outgoing

user authentication and authorization

opt.

x

x

53

DNS

outgoing

domain name services

opt.

x

80

HTTP

outgoing

If the appliance’s web configuration is for HTTP only, then you must open this port.

opt.

x

123

NTP

outgoing

synchronizes clocks

opt.

x

162

SNMP

outgoing

SNMP trap receivers

opt.

x

1812

RADIUS

outgoing

user authentication and authorization

opt.

x

2055

Netflow

outgoing

Netflow collector

List of ports used by the NX

Data Plane

This is for packets that traverse the optimization path. For creating tunnels, at least one of the first three applications — GRE, IPsec, or UDP — is required.

Application

Ports and Protocols

Use

GRE

Protocol 47

If tunnel mode is GRE

IPsec

Protocol ESP 50;
UDP port 500 (for IKE key exchange)

If tunnel mode is IPsec

UDP

UDP Port 4163

If tunnel mode is UDP

WCCP

UDP Port 2048

For WCCP redirection

Flow redirection

TCP Port 4164 and UDP Port 4164

If flow direction is enabled and clustered via routers

iperf

TCP Port 5001 and UDP Port 5001

For testing link integrity outside the tunnel.

Management Plane

It is mandatory for certain ports to be open. Opening other ports is optional (opt.), depending on your network, applications, and chosen deployment.

Must open port ?

TCP

UDP

Port

Application

Direction relative to the appliance

Used for ...

yes

x

22

SSH and SCP

bidirectional

•

configuration backup

•

software upgrades

yes

x

80

HTTP

bidirectional

communication with NX clients and with GMS

yes

x

443

HTTPS

bidrectional

communication with NX clients

opt.

x

20 [data channel]

21 [control channel]

FTP

bidirectional

•

configuration backup

•

software upgrades

opt.

x

49

TACACS+

outgoing

user authentication and authorization

opt.

x

x

53

DNS

outgoing

domain name services

opt.

x

123

NTP

outgoing

synchronizes clocks

opt.

x

1812

RADIUS

outgoing

user authentication and authorization

opt.

x

162

SNMP

outgoing

SNMP trap receivers

opt.

x

2055

Netflow

outgoing

Netflow collector

Diagrams of TCP/IP Port Use

See the following two pages.

Must open port?	TCP	UDP	Port	Application	Direction relative to the GMS	Comments
yes	x		22	SSH	bidirectional	SNMP trap receivers
yes	x		443	HTTPS	bi-directional	communications between the GMS and a physical or virtual appliance (NX or VX)
opt.	x		21	FTP	outgoing	for GMS backup This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number.
opt.	x		22	SCP	outgoing	for GMS backup This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number.
opt.	x		49	TACACS+	outgoing	user authentication and authorization
opt.	x	x	53	DNS	outgoing	domain name services
opt.	x		80	HTTP	outgoing	If the appliance’s web configuration is for HTTP only, then you must open this port.
opt.		x	123	NTP	outgoing	synchronizes clocks
opt.		x	162	SNMP	outgoing	SNMP trap receivers
opt.		x	1812	RADIUS	outgoing	user authentication and authorization
opt.		x	2055	Netflow	outgoing	Netflow collector

Application	Ports and Protocols	Use
GRE	Protocol 47	If tunnel mode is GRE
IPsec	Protocol ESP 50; UDP port 500 (for IKE key exchange)	If tunnel mode is IPsec
UDP	UDP Port 4163	If tunnel mode is UDP
WCCP	UDP Port 2048	For WCCP redirection
Flow redirection	TCP Port 4164 and UDP Port 4164	If flow direction is enabled and clustered via routers
iperf	TCP Port 5001 and UDP Port 5001	For testing link integrity outside the tunnel.

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.