Port availability

Several ports must be available, depending on how the firewalls are implemented in your environment. If the required ports are blocked or used by another process, some Lenovo XClarity Administrator functions might not work.

To determine which ports must be opened based on your environment, review the following sections. The tables in these sections include information about how each port is used in XClarity Administrator, the managed device that is affected, the protocol (TCP or UDP), and the direction of traffic flow between the managed device and XClarity Administrator. Inbound traffic flows from the managed device to XClarity Administrator. Outbound traffic flows from XClarity Administrator to the managed device.

Access to the XClarity Administrator server

If the XClarity Administrator server and all managed devices are behind a firewall, and you intend to access those devices from a browser that is outside of the firewall, you must ensure that the XClarity Administrator ports are open. If you are using SNMP and SMTP for event management, you might also need to ensure that the ports that are used by the XClarity Administrator server for event forwarding are open.

The XClarity Administrator server listens on and responds through the ports that are listed in the following table.

Note: XClarity Administrator can be optionally configured to make outgoing connections to a number of external services, such as LDAP, SMTP, or syslog. These connections might require additional ports that are generally user configurable and not included in this list. They might also require access to a domain name service (DNS) server on TCP or UDP port 53 to resolve external server names.
Table 1. Ports that must be open for the XClarity Administrator server
Port | TCP or UDP | Direction | Affected devices | Purpose
53 | UDP | Inbound/Outbound | Domain name service (DNS) | Used for DNS resolution.
83 | TCP | Inbound/Outbound (China only) | Warranty service | Used when collecting warranty information for devices that were purchased in China.
  Note: Though not required outside of China, XClarity Administrator might attempt to connect to this service in other countries.
389 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured.
443 | TCP | Inbound/Outbound | Client computers that access XClarity Administrator | Purpose:
  • Used by HTTPS for web access and REST communications.

    Note: If Call Home is enabled, you must open port 443. The outbound direction is used for Call Home.
  • Used when forwarding events to the Apple push notifications service and Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port. This port is used as a fallback on Wi-Fi only, when devices cannot reach the Apple Push Notifications service on port 5223.

    IP address range: 17.0.0.0/8

  • Used when forwarding events to the Google push service.

    Domain: android.googleapis.com

636 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured.
3268 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured.
3269 | TCP | Inbound/Outbound | External authentication server | Used when an external authentication server is configured.
If you forward events to other event management tools, the ports that are listed in the following table must also be open for event forwarding from the Lenovo XClarity Administrator server to those tools.
Table 2. Ports that must be open for event management
Port | TCP or UDP | Direction | Affected devices | Purpose
21 | UDP | Outbound | FTP server that is to receive events | Used when FTP event forwarding is configured.
  Note: This port number is configurable from the XClarity Administrator interface.
25 | UDP | Outbound | Email (SMTP) server that is to receive events | Used when email (SMTP) event forwarding is configured.
  Note: This port number is configurable from the XClarity Administrator interface.
80 | UDP | Outbound | REST interface that is to receive events | Used when REST event forwarding is configured.
  Note: This port number is configurable from the XClarity Administrator interface.
161 | UDP | Inbound/Outbound | SNMP manager that is to receive traps | Used when SNMP event forwarding with user authentication is configured.
162 | UDP | Inbound | SNMP manager that is to receive traps | Used when SNMP event forwarding is configured.
  Note: This port number is configurable from the XClarity Administrator interface.
443 | UDP | Outbound | Microsoft Azure Log Analytics interface that is to receive events | Used when Azure Log Analytics event forwarding is configured.
  Note: This port number is configurable from the XClarity Administrator interface.
514 | UDP | Outbound | Syslog server that is to receive events | Used when Syslog event forwarding is configured.
  Note: This port number is configurable from the XClarity Administrator interface.
2195 | TCP | Outbound | Apple push server that is to receive events | Used when forwarding events to the Apple push notifications service and Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port.
  IP address range: 17.0.0.0/8
5223 | TCP | Outbound | Apple push server that is to receive events | Used when forwarding events to the Apple push notifications service and Wi-Fi is behind a firewall or private Access Point Name (APN) for cellular data. A direct, unproxied connection is required to the APN servers on this port.
  IP address range: 17.0.0.0/8
5228 |  | Outbound | Google push server that is to receive events | Used when event forwarding to the Google push service is configured.
  IP address range: see Google ASN 15169
5229 |  | Outbound | Google push server that is to receive events | Used when event forwarding to the Google push service is configured.
  IP address range: see Google ASN 15169
5230 |  | Outbound | Google push server that is to receive events | Used when event forwarding to the Google push service is configured.
  IP address range: see Google ASN 15169

Access between XClarity Administrator and managed devices

If managed devices (such as compute nodes or rack servers) are behind a firewall and you intend to manage those devices from an XClarity Administrator server that is outside of that firewall, you must ensure that all ports involved in communication between XClarity Administrator and the baseboard management controller in each managed device are open.

If you intend to install operating systems on managed devices using XClarity Administrator, ensure that you review the list of ports in Access between XClarity Administrator and data network for OS deployment.

Table 3. Ports that must be open between XClarity Administrator and managed devices
Port | TCP or UDP | Direction | Affected devices | Purpose
21 | TCP | Inbound/Outbound | Lenovo Storage controllers | Used for FTP access when updating the storage device firmware.
22 | TCP | Inbound/Outbound | Affected devices:
  • Baseboard management controller in each managed server (except ThinkServer)
  • CMMs in each managed chassis
  • Flex switches in each managed Flex System chassis
  • Flex and RackSwitch switches
  Purpose: Used to launch a remote SSH session and for SFTP file transfer.
  (RackSwitch ENOS switches) Used to configure HoS credentials, activate the firmware slot, and clear SSH host keys before SFTP file transfer operations.
115 | TCP | Inbound/Outbound | Management controller in each managed ThinkSystem server | Used to push maintenance mode images to the management controller.
161 | UDP | Inbound/Outbound | Affected devices:
  • Flex switches in each managed Flex System chassis
  • RackSwitch ENOS switches
  Purpose: (Flex switches) Used to enable/disable ports and to configure switches through configuration patterns.
  (RackSwitch switches) Used to retrieve inventory and to configure switches through configuration patterns using the SNMP protocol.
  Attention: If Flex or RackSwitch switches are on a different network than XClarity Administrator, that network must be configured to allow inbound UDP through port 161 so that XClarity Administrator can send/receive SNMP messages to/from the switch.
162 | UDP | Inbound | Affected devices:
  • Flex switches in each managed Flex System chassis
  • RackSwitch switches
  • ThinkServer System Manager (TSM) in each managed ThinkServer server
  • Lenovo Storage controllers
  Purpose: Used to receive SNMP traps from Flex System and RackSwitch switches, ThinkServer servers, and storage devices.
  Attention: If ThinkServer servers and RackSwitch switches are on a different network than XClarity Administrator, that network must be configured to allow inbound UDP through port 162 so that XClarity Administrator can receive events for those devices.
427 | UDP, TCP | Inbound/Outbound | Affected devices:
  • Management controller in each managed server (except ThinkServer)
  • CMMs in each managed Flex System chassis
  • Flex switches in each managed chassis
  • TSM in each managed ThinkServer server
  • Lenovo Storage controllers
  • Flex and RackSwitch switches
  Purpose: Used by Service Location Protocol (SLP) for device discovery and initial management.
443 | TCP | Inbound/Outbound | Affected devices:
  • Lenovo Storage controllers
  • RackSwitch CNOS switches
  • System x M4 server
  Purpose: (M4 servers and storage devices) Used for management.
  (RackSwitch switches) Used for HTTPS communication to retrieve inventory and configuration.
623 | UDP | Outbound | Management controller in each managed ThinkServer and System x M4 server | Used for IPMI communication with the management controller.
3888 | TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer) | Used for remote-control tunneling.
3900 | TCP | Inbound/Outbound | Management controller and host on each managed server (IMM2 and XCC only) | Used for remote KVM sessions.
5988 | TCP | Inbound/Outbound | Affected devices:
  • Management controller in each managed server (except ThinkServer)
  • CMMs in each managed Flex System chassis
  Purpose: Used by HTTP for CIM communication.
  Note: This port number is configurable from the CMM and management-controller interfaces.
5989 | TCP | Inbound/Outbound | Affected devices:
  • Management controller in each managed server (except ThinkServer)
  • CMMs in each managed Flex System chassis
  Purpose: Used by HTTPS for CIM communication.
  Note: This port number is configurable from the CMM and management-controller interfaces.
6091 | TCP | Inbound/Outbound | CMMs in each managed Flex System chassis | Secure TCP Command Mode port.
  Note: This port number is configurable from the CMM interface.
6990 | TCP | Inbound/Outbound | Management controller in each managed server (except ThinkServer) | Used by HTTPS for CIM indications.
9090 | TCP | Inbound/Outbound | Affected devices:
  • Management controller in each managed server (except ThinkServer)
  • CMMs in each managed Flex System chassis
  Purpose: Used by HTTPS for CIM indications.
50636 | TCP | Inbound | Management controller on each managed server (except ThinkServer) | Used by the authentication server for secure traffic. Receives client certificates.
50637 | TCP | Inbound | Affected devices:
  • Management controller in each managed server (except ThinkServer)
  • CMMs in each managed chassis
  Purpose: Used by the authentication server for secure traffic.
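
To turn Table 3 into a repeatable check, the following Python script (an added example, not Lenovo's code) records the table's ports for two device classes and probes the TCP ones from the XClarity Administrator side with a plain connect test; the class labels are assumptions, and UDP and inbound-only ports are reported rather than probed because a connect test from this side cannot verify them.

```python
# Added example, not Lenovo code: firewall check between XClarity Administrator
# and a managed device. Port data is from Table 3 of this page; the device-class
# labels ("xcc_server", "rackswitch_enos") are assumptions, not XClarity values.
import socket

# (port, protocol, direction, purpose); "in" = Inbound only (device -> XClarity).
PORTS_BY_DEVICE = {
    "xcc_server": [  # management controller in a managed server (except ThinkServer)
        (22, "tcp", "both", "remote SSH session and SFTP file transfer"),
        (427, "udp,tcp", "both", "SLP discovery and initial management"),
        (3888, "tcp", "both", "remote-control tunneling"),
        (3900, "tcp", "both", "remote KVM sessions"),
        (5988, "tcp", "both", "CIM over HTTP"),
        (5989, "tcp", "both", "CIM over HTTPS"),
        (6990, "tcp", "both", "CIM indications over HTTPS"),
        (9090, "tcp", "both", "CIM indications over HTTPS"),
        (50636, "tcp", "in", "authentication server, receives client certificates"),
        (50637, "tcp", "in", "authentication server secure traffic"),
    ],
    "rackswitch_enos": [
        (22, "tcp", "both", "remote SSH session and SFTP file transfer"),
        (161, "udp", "both", "SNMP inventory and configuration patterns"),
        (162, "udp", "in", "SNMP traps sent to XClarity Administrator"),
        (427, "udp,tcp", "both", "SLP discovery and initial management"),
    ],
}

def plan(device_class):
    """Split the device's ports by what a TCP connect test from the
    XClarity Administrator side can verify and what it cannot."""
    probe, udp_only, inbound = [], [], []
    for port, proto, direction, purpose in PORTS_BY_DEVICE[device_class]:
        if direction == "in":          # device -> XClarity; test from the device side
            inbound.append((port, purpose))
        elif "tcp" in proto:           # 427 is also UDP; only its TCP side is probed
            probe.append((port, purpose))
        else:                          # UDP has no handshake; verify on the firewall
            udp_only.append((port, purpose))
    return {"probe": probe, "udp_only": udp_only, "inbound_to_xclarity": inbound}

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                    # refused, unreachable, or timed out
        return False

def check_device(host, device_class):
    return {port: tcp_open(host, port) for port, _ in plan(device_class)["probe"]}
```

Run check_device("<device-ip>", "xcc_server") from the XClarity Administrator host; a False for a port in Table 3 points at a firewall rule or a device that is not listening, while the udp_only and inbound_to_xclarity lists have to be confirmed on the firewall rules or from the device side.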

Access between XClarity Administrator and data network for OS deployment

To install operating systems on managed devices, ensure that the ports that are listed in the following table are open to the network that is used as the data network (or operating-system deployment network).

Note: Each XClarity Administrator instance has a unique Certificate Authority (CA) that is used only for OS deployment. That CA signs the certificate that is presented to the target server on ports 3001 and 8443. When OS deployment is initiated, the CA certificate is included in the OS image that is pushed to the target server. As part of the deployment process, that server connects back to ports 3001 and 8443 and, because it holds the CA certificate, verifies the certificate that those ports present during the handshake.
Table 4. Ports that must be available to deploy operating systems
Port | TCP or UDP | Direction | Affected devices | Purpose
3001 | TCP | Inbound/Outbound | Management controller and host on each managed server (except ThinkServer) | Used for operating-system deployment.
3900 | TCP | Inbound/Outbound | Management controller and host on each managed server (IMM2 only) | Used for operating-system deployment.
8443 | TCP | Inbound/Outbound | Management controller and host in each managed server (except ThinkServer) | Used for operating-system deployment.

For a list of ports that must be available for deploying operating systems, see Port availability for deployed operating systems.

Additionally, if you are deploying Microsoft Windows, the ports that are listed in the following table must also be available.

Table 5. Ports that must be available to deploy Microsoft Windows
Port | TCP or UDP | Direction | Affected devices | Purpose
137 | UDP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications).
138 | UDP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications).
139 | UDP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications).
445 | TCP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Windows operating-system deployment (SMB client/server communications).

Access between XClarity Administrator and data network for device-driver updates

To update OS device drivers on managed devices, ensure that the ports that are listed in the following table are open to the network that is used as the data network (or operating-system deployment network).

Table 6. Ports that must be available to update OS device drivers
Port | TCP or UDP | Direction | Affected devices | Purpose
5985 | TCP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Microsoft Windows OS device-driver updates to connect using Windows Remote Management (WinRM) listening over HTTP.
5986 | TCP | Inbound/Outbound | Host operating system on each managed server to which Microsoft Windows is deployed | Used for Microsoft Windows OS device-driver updates to connect using WinRM listening over HTTPS.