CA Unified Infrastructure Management - 8.4

Firewall Port Reference

Last update November 27, 2017

The following table describes the port assignments for various CA Unified Infrastructure Management (CA UIM) components and configurations. These port assignments apply to single-hub installations and to multiple-hub installations with and without a firewall.

All installations require:

  • Robot controller
  • Robot spooler
  • Robot-to-hub and manager-to-hub communications
  • A port for each probe
  • service_host to Admin Console through HTTP
  • service_host to Admin Console through HTTPS

Multiple-hub installations for tunnels that are NOT SSL tunnels also require:

  • Tunnel server

Multiple-hub installations for tunnels that ARE SSL tunnels also require:

  • service_host to tunnel client

Installations that enable discovery across a firewall without a hub and tunnel require the port for the appropriate protocol to be open in the discovery_agent probe.

Note: Protocols for all components are TCP except for controller, hub, and spooler, which also require UDP.

In the following table, Firewall Rules define the ports and directions that must be open through the firewall.

CA UIM Component | Ports | Direction | Firewall Rules | Details
Controller | 48000; configurable | Inbound, outbound | Allow inbound on 48000+ for probe access on all robots.

The controller listening port.  

For an enterprise, enable communication both ways on port 48000 through a firewall. Communication both ways allows CA UIM to contact and control hubs, robots, and probes. This port also receives status from BUS components.

The hub spooler and the spooler for robots transmit alarm and QoS data. A port must be set in the controller configuration for Infrastructure Manager (IM) and Admin Console to connect to remote tunnels through the tunnel server and client IPs: for example, 192.168.1.10:50003.

For tunnel hubs, set the First Probe port number in Setup > Advanced for the controller to 50000 or higher. If necessary, open the same port and higher in the firewall.

Note: You only need ports 48000 for the controller and 48002 for the hub open between the primary hub and the UMP hub. You don’t need these ports open between every hub in the domain and the UMP server as the hub controllers will talk to the primary hub controller.


Spooler | 48001; configurable | Inbound, outbound | Allow inbound on 48001 on all robots. | Enable inbound communication from robot to hub so that probes can send messages to hubs through the spooler port. Probes send messages to hubs using the spooler port 48001. This port must be enabled from the robot to the hub.
Hub | 48002; configurable | Inbound, outbound | Allow inbound on 48002 to the hub.

The hub listening port. This connection allows robot-to-hub and manager-to-hub communications.

  • Allow outbound traffic on all hub and robot ports.
  • All hubs must have port 48002 open inbound and outbound for robot-to-hub and manager-to-hub communications.
  • All hubs must have port 48000 open inbound and outbound for communication with the robot controller.
  • All child robots must also have port 48000 open inbound.
  • Open port 48001 on the hub for spooler communications.  

We recommend that you have ports 48000 through 48099 open inbound to all robots.

Note: You only need ports 48000 for the controller and 48002 for the hub open between the primary hub and the UMP hub. You don’t need these ports open between every hub in the domain and the UMP server as the hub controllers will talk to the primary hub controller.


Tunnels | 48003 or 443; configurable

Tunnels using the tunnel-server-to-tunnel-clients model or the tunnel-client-to-tunnel-servers model need port 48003, 443, or another configured port for incoming traffic. For example, a port must be open for the enterprise data center and MSP firewall.

Note: Port 443 is the default port for HTTPS but can be used for other purposes.

Multi-hub infrastructures can use a tunnel with or without SSL. For tunnels that are NOT SSL tunnels, ports use the same assignment as for single-hub installations.

Secure (SSL) Tunnels | 48003; configurable | Unidirectional | Allow inbound, outbound through a firewall.

If you are using a CA UIM SSL tunnel, you need the tunnel port open between tunneled hubs. All other CA UIM traffic flows over the tunnel. For tunnels that are SSL tunnels:

  • The controller port must be set to 48000.
  • The hub port must be set to 48002.
  • The tunnel client port must be set to 48003 to allow access to the tunnel server.
  • The service_host probe must be set to port 8443 or 8080 to access Admin Console and the CA UIM web page.
Discovery_agent | DNS - port 53; NetBIOS - port 137; SSH - port 22; SNMP - port 161 (configurable); WMI - port 135 and others | Outbound | Allow outbound on ports for the protocol | Discovery_agent makes calls, as a client, to the services hosted on target machines.
Probes | 48004-48050; configurable | Inbound | Allow inbound on 48004-48050 (or higher) on all robots.

Probes listen on their respective ports and await incoming connections from other clients. The inbound port for each probe must be open so that outside clients and hubs can communicate. Ports are assigned to probes sequentially as available beginning with the first probe port number.

For information about probe-specific port requirements, refer to the probe documentation at CA Unified Infrastructure Management Probe Space.

Distribution Server (distsrv) | 48005 or automatically assigned | Inbound, outbound | See Details | The distsrv probe on the hub must have its TCP port open on the hub for licensing of probes on the robots. Without this port open, probes fail to start on the robots. Unlike the controller, spooler, and hub, the distsrv probe does not have a reserved port. The port can change each time the hub restarts.
UIM database | 1433 (Microsoft SQL Server), 1521 (Oracle), or 3306 (MySQL); configurable | Inbound | Allow inbound for database.

The connection from the primary hub (data_engine) to the UIM database is preferably local or on the same subnet as CA UIM. If the database for the primary hub is behind an internal firewall, the appropriate port must be open from the CA UIM server to the UIM database: outbound from the hub server and inbound on the CA UIM database server. Responses from the database server to the primary hub come back over the same connection and port.

Tip: Port information for your UIM database is located in the Database Configuration section of the data_engine probe GUI.

ADE | 22 | Outbound | | The automated_deployment_engine probe uses port 22 to deploy robots using SSH file transfer to the target system. If you cannot open port 22 on the primary hub:
    1. Deploy the automated_deployment_engine to a secondary hub where port 22 is not blocked.

    2. Log in to Infrastructure Manager directly from the secondary hub.

    3. Drag and drop the robot packages that you want to deploy into the archive on the secondary hub.

    4. Deploy the robots to the secondary hub through an XML file. For more information, see the topic Bulk Robot Deployment with an XML File.

udm_manager | 4334; configurable | Inbound | Allow inbound on 4334 for UDM Manager. | UDM clients (Datomic peer), including UMP, Trellis, and the Discovery Server, must connect to the SQL database and also to UDM Manager on this port.
UMP server | 8080, 80, or 443; configurable range: 1–65535 | Inbound, outbound | Allow inbound on 8080, 80, or 443 on UMP server.

The port assignment for the UMP server can vary by client/browser to UMP and depends on your choice during the UMP installation. 

If you are using a configuration with multiple UMP servers, the servers communicate through multicasting on the following IP address and ports:

  • IP addresses 239.255.0.1 through 239.255.0.5

  • Ports 23301 through 23305

UMP (Tomcat connector) | 8009 | Inbound, outbound | Allow inbound on 8009 on UMP server.

The UMP portal engine.

Allow inbound on port 8009 from the CA UIM server to the UMP instance (wasp probe).

UMP database | 1433 (Microsoft SQL Server), 1521 (Oracle), or 3306 (MySQL) | Inbound | Allow inbound on respective port to Database server.

Inbound from UMP to the chosen database.

The wasp probe requires a connection to the UIM database. Ensure that the database ports between the UMP and database servers are open.

CA UIM Server home page | 8080; configurable service_host probe | Inbound | Allow inbound to port 8080 (internal enterprise). | The CA UIM Server home page is typically internal-access only. Open the port in the firewall for any systems that must be able to contact the primary hub to run applications or download and install the client software.
SMTP | 25; configurable | Outbound | Allow outbound | Report Scheduler creates output in PDF and CSV that is transmitted via email to users. Email transmission requires a designated server with this SMTP port open.
SNMP | 161; configurable

SNMP is an internet-standard protocol for managing devices on IP networks. The snmpcollector probe uses port 161 by default to communicate with the SNMP port on a device.

Hub to LDAP/AD server | 389, 686; configurable | Outbound | Allow outbound to LDAP/AD server. Allow outbound to any custom port set in wasp probe configuration.
Web clients, browsers to UMP, UMP clients | 80, 443; configurable | N/A | Allow inbound on port 80 or 443. | Portal access over the Internet.
Admin Console | 8080, 8443; configurable service_host probe | Inbound | Allow inbound on port 8080 or 8443 on primary hub.

Admin Console is hosted on the primary hub with service_host.

  • 8080 is the default port to access Admin Console and CA UIM web page through HTTP.
  • 8443 is the default port to access Admin Console and CA UIM web page through HTTPS.
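
The following Python audit is an added example, not part of the CA UIM documentation: it compares a host's listening sockets with the default ports in the table above and reports anything outside the documented ranges. The role names, the `ss -H -ltnu`-style sample lines, and the set of listeners treated as required are assumptions for illustration; configurable ports may differ on a real installation.

```python
import ipaddress

# Default ports from the table above ("configurable" ports may differ on a real install).
# Role names are hypothetical labels chosen for this example.
ALLOWED = {
    "robot": {"tcp": [(48000, 48001), (48004, 48050)], "udp": [(48000, 48001)]},
    "primary_hub": {"tcp": [(48000, 48050), (8080, 8080), (8443, 8443)],
                    "udp": [(48000, 48002)]},
}
# Listeners this example assumes must be present for the role to function.
REQUIRED = {
    "robot": {("tcp", 48000), ("tcp", 48001)},
    "primary_hub": {("tcp", 48000), ("tcp", 48001), ("tcp", 48002)},
}

def parse_listeners(ss_output):
    """Return {(proto, port)} for non-loopback sockets in `ss -H -ltnu` style text."""
    found = set()
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        host, _, port = fields[4].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        if host not in ("*", "") and ipaddress.ip_address(host).is_loopback:
            continue  # loopback-only sockets are not reachable through the firewall
        found.add((fields[0], int(port)))
    return found

def audit(role, ss_output):
    """Report listeners outside the documented ranges and required ones not seen."""
    listeners = parse_listeners(ss_output)
    def documented(proto, port):
        return any(lo <= port <= hi for lo, hi in ALLOWED[role].get(proto, ()))
    return {
        "unexpected": sorted(l for l in listeners if not documented(*l)),
        "missing": sorted(REQUIRED[role] - listeners),
    }

# Constructed sample: a robot whose spooler is down and which exposes an extra web port.
SAMPLE_ROBOT = """
tcp LISTEN 0 128 0.0.0.0:48000 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:48000 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:48007 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 128 [::]:8080 [::]:*
"""

if __name__ == "__main__":
    print(audit("robot", SAMPLE_ROBOT))
```

An "unexpected" entry marks a listener that the table does not account for on that role and that should not be covered by a firewall rule without a reason.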

 


  1. Rowan Collis
    2017-10-17 11:54

    Hub port is not configurable as the above states - it will always be 48002

    1. Mark Riffe
      2017-10-19 01:05

      Rowan: thanks for the note. I'll verify the detail and modify documentation as needed. —Mark

    1. Mark Riffe
      2017-10-25 12:14

      Rowan: developers here verify that hub is configurable—as are spooler and controller. Updated documentation reflects these conditions. —Mark