Firewall and security considerations for Powerchute Network Shutdown (pcns)

APC UPS Data Center & Enterprise Solutions Forum

Anonymous user

Posted: ‎2021-07-08 11:19 PM . Last Modified: ‎2024-02-15 12:04 AM


I have been unable to find convincing, complete documentation on this subject.

- The PowerChute v4 installation guide says "PowerChute needs to be able to connect to the NMC Web Access port (default: TCP port 80) and receive data inbound to UDP port 3052"

- FAQ FA159753 confuses the issue by listing "allowed port values" of  "80 or 3052 (when HTTP is selected), 443 or 6547 (when HTTPS is selected), 5000 - 32768 (when either HTTP or HTTPS is selected)"

- A forum thread on this subject, from 2013, includes the following summary:

  • PCNS  -->  443/tcp  --> NMC  uni-directional
  • PCNS <--> 3052/udp <--> NMC  bi-directional
  • PCNS <--  6547/tcp <-- (admin web browser access) uni-directional

My network security team wants more information before they will allow these connections through our firewall.  They are asking me:

  1. What protocol and authentication mechanism is used on UDP:3052? Is the traffic encrypted?
  2. Do we really require bidirectional connections on UDP:3052? The installation guide says inbound (NMC --> pcns) only, but that previous forum thread seems to say it is required in both directions.
  3. What authentication mechanism is used for the TCP:443 connection from pcns --> NMC?

BillP
Administrator

Posted: ‎2021-07-08 11:19 PM . Last Modified: ‎2024-02-15 12:04 AM

Hi,

When you log into the PCNS web interface you are logging in over TCP port 6547. Example: HTTPS://192.168.1.10:6547. When PCNS is first installed and the configuration wizard is run, it will communicate with the NMC over TCP port 80 or TCP port 443 depending on your selection. This connection is to register the PCNS system with the NMC. The NMC stores the IP addresses of registered PCNS systems. The addresses are used by the NMC as the list of who should receive UDP packets. Once registered, PCNS listens for information from the NMC on UDP port 3052.

On 3/25/2019 5:59 PM, Carlo said:

What protocol and authentication mechanism is used on UDP:3052 ?  Is the traffic encrypted?

The traffic is not encrypted. 

On 3/25/2019 5:59 PM, Carlo said:

Do we really require bidirectional connections UDP:3052.  The installation guide says inbound (NMC --> pcns) only, but that previous forum thread seems to say it is required in both directions.

The communication is from NMC to PCNS. However, if you are on a different subnet than the NMC is on, the PCNS client may also forward the UDP packet. See Schneider Electric FAQ FA159540 that discusses adding more than 50 PCNS clients and how packets are transferred.

On 3/25/2019 5:59 PM, Carlo said:

What authentication mechanism is used for the TCP:443 connection from pcns --> NMC

TLS is used. 


Anonymous user

Posted: ‎2021-07-08 11:19 PM . Last Modified: ‎2024-02-15 12:04 AM


TLS provides encryption, not authentication.  Let me put it differently.  How can we be sure only an authorized NMC can issue a shutdown instruction to PCNS?

 


BillP
Administrator

Posted: ‎2021-07-08 11:20 PM . Last Modified: ‎2024-02-15 12:04 AM


Hi,

PCNS stores the NMC IP address in pcnsconfig.ini and it will listen for UDP packets from that IP. It will not react to UDP packets from other IPs. 

Addition: The communications mechanism between the NMC and PowerChute uses an MD5-based authentication scheme. 

  • Ensuring that the password is never sent in plain text.
  • Proving that the sender of a message is an authentic user as only those with knowledge of the password phrase can send valid messages.
  • Detecting if a message has been tampered with in transit.
  • Detecting if a message is being replayed.

This mechanism does not guarantee:

  • That all data is encrypted.
  • That a brute-force attack will fail to determine the password phrase.
  • Prevention of most Denial of Service attacks.

A well-configured firewall and solid security policy are integral to the security of any network.
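
The flows described in this thread, written as an nftables ruleset for a Linux host running PCNS. This is an added example, not from the posters or from APC documentation; the addresses, the table and set names, and the choice to refuse plain HTTP towards the NMC are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: host firewall for a Linux server running PCNS.
# Addresses are placeholders from documentation ranges, not from the thread.
define NMC       = 192.0.2.10        # the NMC address PCNS keeps in pcnsconfig.ini
define ADMIN_NET = 198.51.100.0/24   # hosts allowed to open the PCNS web interface

# This table only judges the PCNS ports; its policy is accept, so everything
# else is still decided by whatever other firewall tables the host has.
table inet pcns {
    # Senders allowed to deliver UDP 3052. Add peer PCNS hosts here only if
    # the cross-subnet forwarding discussed in FAQ FA159540 is in use.
    set udp3052_senders {
        type ipv4_addr
        elements = { $NMC }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # NMC --> PCNS, UDP 3052 (not encrypted, MD5-based authentication)
        udp dport 3052 ip saddr @udp3052_senders accept
        udp dport 3052 counter log prefix "pcns-udp3052-deny: " drop

        # admin browser --> PCNS web interface, TCP 6547
        tcp dport 6547 ip saddr $ADMIN_NET accept
        tcp dport 6547 counter log prefix "pcns-tcp6547-deny: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # PCNS --> NMC registration: TCP 443 stays open under the accept
        # policy; the plain-HTTP option on TCP 80 is refused (assumption:
        # HTTPS was selected in the configuration wizard).
        ip daddr $NMC tcp dport 80 counter reject with tcp reset
    }
}
```

The same three flows are what a network firewall between the subnets needs to permit; the counters and log prefixes show whether anything other than the registered NMC is sending to UDP 3052.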
