XClarity Administrator - Port availability

Several ports must be available, depending on how the firewalls are implemented in your environment. If the required ports are blocked or used by another process, some Lenovo XClarity Administrator functions might not work.

To determine which ports must be opened based on your environment, review the following sections. The tables in these sections include information about how each port is used in XClarity Administrator, the managed device that is affected, the protocol (TCP or UDP), and the direction of traffic flow. Inbound traffic identifies flows from the managed device or external systems to XClarity Administrator, so ports need to open on the XClarity Administrator appliance. Outbound traffic flows from XClarity Administrator to the managed device.

Access to the XClarity Administrator server
Access between XClarity Administrator and managed devices
Access between XClarity Administrator and data network for OS deployment and device-driver updates

Access to the XClarity Administrator server

If the XClarity Administrator server and all managed devices are behind a firewall, and you intend to access those devices from a browser that is outside of the firewall, you must ensure that the XClarity Administrator ports are open. If you are using SNMP and SMTP for event management, you might also need to ensure that the ports that are used by the XClarity Administrator server for event forwarding are open.

The XClarity Administrator server listens on and responds through the ports that are listed in the following table.

Note:

XClarity Administrator is a RESTful application that communicates securely over TCP on port 443.
XClarity Administrator can be optionally configured to make outbound connections to external services, such as LDAP, SMTP, or syslog. These connections might require additional ports that are generally user configurable and not included in this list. These connections might also require access to a domain name service (DNS) server on TCP or UDP port 53 to resolve external server names.

Communication	XClarity Administrator appliance	External authentication servers	Event forwarding services	Lenovo services (including Call Home)
Outbound (ports open on external systems)	DNS – TCP/UDP on port 53	LDAP– TCP on port 389¹ LDAPS – TCP on port 636 SAML authentication – TCP on ports 3268, 3269	FTP server – TCP on port 21¹ Email server (SMTP) – UDP on port 25¹ REST Web Service (HTTP) – UPD on port 80¹ SNMP manager – UDP on port 161², 162¹ MS Azure – UDP o port 443¹ Syslog – UDP on port 514¹ Apple push³ – TCP on ports 443, 2195, 5223 Google push⁴ – TCP on ports 443, 5288, 5299, 5230	Warranty (China only) – TCP on port 83⁵ HTTPS (Call Home) – TCP on port 443
Inbound (ports open on XClarity Administrator appliance)	HTTPS – TCP on port 443	Not applicable	SNMP – UDP on port 161	Not applicable

Communication

XClarity Administrator appliance

External authentication servers

Event forwarding services

Lenovo services (including Call Home)

Outbound (ports open on external systems)

DNS – TCP/UDP on port 53

LDAP– TCP on port 389¹
LDAPS – TCP on port 636
SAML authentication – TCP on ports 3268, 3269

FTP server – TCP on port 21¹
Email server (SMTP) – UDP on port 25¹
REST Web Service (HTTP) – UPD on port 80¹
SNMP manager – UDP on port 161², 162¹
MS Azure – UDP o port 443¹
Syslog – UDP on port 514¹
Apple push³ – TCP on ports 443, 2195, 5223
Google push⁴ – TCP on ports 443, 5288, 5299, 5230

Warranty (China only) – TCP on port 83⁵
HTTPS (Call Home) – TCP on port 443

Inbound (ports open on XClarity Administrator appliance)

HTTPS – TCP on port 443

Not applicable

SNMP – UDP on port 161

Not applicable

This is the default port. You can configure this port from the user interface.
This port is used when SNMP event forwarding with user authentication is configured.
Open this port when Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port. This port is used as a failback on Wi-Fi only, when devices cannot reach the Apple Push Notifications service on port 5223. The IP address range is 17.0.0.0/8.
For the IP address range, see Google ASN 15169. The domain is android.googleapis.com.
Though not required outside of China, XClarity Administrator might attempt to connect to this service in other countries.

Access between XClarity Administrator and managed devices

If managed devices (such as compute nodes or rack servers) are behind a firewall and if you intend to manage those devices from a XClarity Administrator server that is outside of that firewall, you must ensure that all ports involved with communications between XClarity Administrator and the baseboard management controller in each managed device are open.

If you intend to install operating systems on managed devices using XClarity Administrator, ensure that you review the list of ports in Access between XClarity Administrator and data network for OS deployment and device-driver updates.

Flex chassis CMM

Communication	Flex Chassis CMMs
Outbound (ports open on external systems)	SSH – TCP on port 22¹ SLP – UDP/TCP on port 427 CIM HTTP – TCP on port 5988² CIM HTTPS – TCP on port 5989 TCP command – TCP on port 6090² Secure TCP command – TCP on port 6091
Inbound (ports open on XClarity Administrator appliance)	CIM indications HTTPS – TCP 9090 LDAPS – TCP on ports 50637

This port is used to transfer firmware-updates using SFTP.
By default, management is performed over secure ports. The non-secure ports are optional.

Servers and compute nodes

Communication	ThinkSystem and ThinkAgile	System x	Flex System	ThinkServer
Outbound (ports open on external systems)	SSH,SFTP – TCP on port 22² SFTP – UDP on port 115 SLP – UDP/TCP on port 427 HTTPS – TCP on port 443 Remote control – TCP on port 3888⁴ Remote KVM – TCP on port 3889⁴ CIM HTTP – TCP on port 5988³ CIM HTTPS – TCP on port 5989³ Firmware updates -- TCP on port 6990	SSH,SFTP – TCP on port 22² SLP – UDP/TCP on port 427 HTTPS – TCP on port 443 IPMI – UDP on port 623 Remote control – TCP on port 3888⁴ Remote KVM – TCP on port 3889⁴ CIM HTTP – TCP on port 5988³ CIM HTTPS – TCP on port 5989³ Firmware updates -- TCP on port 6990	SSH,SFTP – TCP on port 22² SLP – UDP/TCP on port 427 Remote control – TCP on port 3888⁴ Remote KVM – TCP on port 3889^{1, 4} CIM HTTP – TCP on port 5988³ CIM HTTPS – TCP on port 5989³ Firmware updates -- TCP on port 6990	SNMP traps – UDP on port 162 IPMI – UDP on port 623
Inbound (ports open on XClarity Administrator appliance)	HTTPS – TCP on port 443 Firmware updates -- TCP on port 6990 CIM indications HTTPS – TCP 9090 LDAPS – TCP on ports 50636, 50637	HTTPS – TCP on port 443 CIM indications HTTPS – TCP 9090 Firmware updates -- TCP on port 6990 LDAPS – TCP on ports 50636, 50637	CIM indications HTTPS – TCP 9090 Firmware updates -- TCP on port 6990 LDAPS – TCP on ports 50636, 50637	SNMP traps – UDP on port 162

This port is required to be open for only servers with IMM2.
This port is used to transfer firmware-updates using SFTP.
By default, management is performed over secure ports. The non-secure ports are optional.
Remote control and remote KVM is launched from the web browser, not the XClarity Administrator server.

Rack and Flex switches

Communication	Rack switches	Flex switches
Outbound (ports open on external systems)	SSH,SFTP – TCP on port 22^1,3 SNMP - UDP on port 121 SNMP traps – UDP on port 162 SLP – UDP/TCP on port 427 HTTPS – TCP on port 443	SSH,SFTP – TCP on port 22³ SNMP - UDP on port 121 SNMP traps – UDP on port 162
Inbound (ports open on XClarity Administrator appliance)	SNMP - UDP on port 121² SNMP traps – UDP on port 162² HTTPS – TCP on port 443	SNMP - UDP on port 121²

For ENOS rack switches, this port is used to configure Head of Stack (HoS) credentials used between CMM and Flex switches, activate the firmware slot, and clear SSH host keys before SFTP file transfer operations.
This port must be open on the XClarity Administrator appliance (inbound) when switches are on a different network than XClarity Administrator, so that XClarity Administrator can receive events for those devices.
This port is used for management (SSH) and to transfer firmware-updates using SFTP.

Storage devices

Communication	Storage devices
Outbound (ports open on external systems)	FTP – TCP on port 21 SFTP – TCP on port 22¹ SNMP traps – UDP on port 162 SLP – UDP/TCP on port 427 HTTPS – TCP on port 443
Inbound (ports open on XClarity Administrator appliance)	HTTPS – TCP on port 443

This port is used to transfer firmware-updates using SFTP.

Access between XClarity Administrator and data network for OS deployment and device-driver updates

Communication	OS deployment^{1, 2, 3}	OS device driver updates²
Outbound (ports open on external systems)	SMB communication – UDP on port 139, 445 Data transfer (except ThinkServer) – TCP on port 3001 Data transfer (IMM2) – TCP on port 3900 HTTPS (Except ThinkServer) – TCP on port 8443	WinRM over HTTP – TCP on port 5985 WinRM over HTTPS – TCP on port 5986
Inbound (ports open on XClarity Administrator appliance)	SMB communication – UDP on port 139, 445 HTTPS (Except ThinkServer) – TCP on port 8443	WinRM over HTTP – TCP on port 5985 WinRM over HTTPS – TCP on port 5986

If you configured XClarity Administrator to use an operating-system deployment network, ports must be open on that network.
For a list of ports that must be available for the deploying operating systems, see Port availability for deployed operating systems.
For example, if operating-system deployment is configured to use the data network (eth1), then these ports must be open on that network.
Each XClarity Administrator instance has a unique Certificate Authority (CA) that is used for only OS deployment. That CA signs a certificate that is used for the target server on ports 3001 and 8443. When OS deployment is initiated, the CA certificate is included in the OS image that is pushed to the target server. As part of the deployment process, that server connects back to ports 3001 and 8443, and verifies the certificate that ports 3001 and 8443 provide during the handshake because they have the CA certificate.