Port availability

Several ports must be available, depending on how the firewalls are implemented in your environment. If the required ports are blocked or used by another process, some Lenovo XClarity Administrator functions might not work.

To determine which ports must be opened based on your environment, review the following sections. The tables in these sections include information about how each port is used in XClarity Administrator, the managed device that is affected, the protocol (TCP or UDP), and the direction of traffic flow. Inbound traffic identifies flows from the managed device or external systems to XClarity Administrator, so ports need to open on the XClarity Administrator appliance. Outbound traffic flows from XClarity Administrator to the managed device.

Access to the XClarity Administrator server

If the XClarity Administrator server and all managed devices are behind a firewall, and you intend to access those devices from a browser that is outside of the firewall, you must ensure that the XClarity Administrator ports are open. If you are using SNMP and SMTP for event management, you might also need to ensure that the ports that are used by the XClarity Administrator server for event forwarding are open.

The XClarity Administrator server listens on and responds through the ports that are listed in the following table.

Note:
  • XClarity Administrator is a RESTful application that communicates securely over TCP on port 443.

  • XClarity Administrator can be optionally configured to make outbound connections to external services, such as LDAP, SMTP, or syslog. These connections might require additional ports that are generally user configurable and not included in this list. These connections might also require access to a domain name service (DNS) server on TCP or UDP port 53 to resolve external server names.

Service Outbound (ports open on external systems) Inbound (ports open on XClarity Administrator appliance)
XClarity Administrator appliance
  • DNS – TCP/UDP on port 53
  • HTTPS – TCP on port 443
External authentication servers
  • LDAP– TCP on port 3891
  • LDAPS – TCP on port 636
  • SAML authentication – TCP on ports 3268, 3269
Not applicable
Event forwarding services
  • FTP server – TCP on port 211
  • Email server (SMTP) – UDP on port 251
  • REST Web Service (HTTP) – TCP on port 801
  • SNMP manager – UDP on port 1612, 1621
  • MS Azure – UDP on port 4431
  • Syslog – UDP on port 5141
  • Apple push3 – TCP on ports 443, 2195, 5223
  • Google push4 – TCP on ports 443, 5288, 5299, 5230
  • SNMP – UDP on port 161
Lenovo services (including Call Home)
  • Warranty (China only) – TCP on port 835
  • HTTPS (Call Home) – TCP on port 443
Not applicable
  1. This is the default port. You can configure this port from the user interface.

  2. This port is used when SNMP event forwarding with user authentication is configured.

  3. Open this port when Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port. This port is used as a failback on Wi-Fi only, when devices cannot reach the Apple Push Notifications service on port 5223. The IP address range is 17.0.0.0/8.

  4. For the IP address range, see Google ASN 15169. The domain is android.googleapis.com.

  5. Though not required outside of China, XClarity Administrator might attempt to connect to this service in other countries.

Access between XClarity Administrator and managed devices

If managed devices (such as compute nodes or rack servers) are behind a firewall and if you intend to manage those devices from a XClarity Administrator server that is outside of that firewall, you must ensure that all ports involved with communications between XClarity Administrator and the baseboard management controller in each managed device are open.

If you intend to install operating systems on managed devices using XClarity Administrator, ensure that you review the list of ports in Access between XClarity Administrator and data network for OS deployment and device-driver updates.

Access between XClarity Administrator and data network for OS deployment and device-driver updates

Device type Outbound (ports open on external systems) Inbound (ports open on XClarity Administrator appliance)
OS deployment1, 2, 3  
  • SMB communication – TCP on port 4454
  • HTTPS (Except ThinkServer) – TCP on port 84436
OS device driver updates2
  • WinRM over HTTP – TCP on port 59855
  • WinRM over HTTPS – TCP on port 59866
  • SMB communication – TCP on port 4454
  1. If you configured XClarity Administrator to use an operating-system deployment network, ports must be open on that network.

  2. For a list of ports that must be available for the deploying operating systems, see Port availability for deployed operating systems.

    For example, if operating-system deployment is configured to use the data network (eth1), then these ports must be open on that network.
  3. Each XClarity Administrator instance has a unique Certificate Authority (CA) that is used for only OS deployment. That CA signs a certificate that is used for the target server on port 8443. When OS deployment is initiated, the CA certificate is included in the OS image that is pushed to the target server. As part of the deployment process, that server connects back to port 8443, and verifies the certificate that port 8443 provide during the handshake because they have the CA certificate.

  4. This port is used to transfer Windows driver files.

  5. This port is used to connect to the target server WinRM.

  6. This port is used to exchange data between the target OS and XClarity Administrator, including OS images and status.