APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:50 PM
The documentation says to open ports 80/443 (tcp) and 3052/6547 (tcp/udp) bi-directionally between client and server.
Are both necessary?
Can I operate with JUST 443 and 6547?
The Security folks want to know!
APC 9617 NMC / PCNS 3.0.1
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:50 PM
The allowed values are:
80 or 3052 (when HTTP is selected)
443 or 6547 (when HTTPS is selected)
5000 - 32768 (when either HTTP or HTTPS is selected)
So you can use 443 and 6547 as long as you have HTTPS selected. But ports 5000 to 32768 should be open as well because that is what the NMC uses to communicate with the PCNS client. Click the link http://www.apcmedia.com/salestools/TDOY-5UQVBV/TDOY-5UQVBV_R3_EN.pdf if you want to read more about the communication process of PowerChute Network Shutdown. I hope this helps.
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:50 PM
The referenced document does not talk about port numbers at all.
What are ports 5000-32768 used for?
I have an ISSO that wants to know!
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:50 PM
The ports are specified in FA159753, you can look it up at http://www.apc.com/site/support/index.cfm/faq/.
Ports 5000-32768 are used by the NMC for the Normal UPS Packets (sent every 25 seconds) & UPS Status Packets (sent immediately if for example the UPS goes on battery).
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:50 PM
How do you think my ISSO will react when I tell him that I need 27768 ports opened up for PCNS?
It would be nice to have a way to narrow that down a bit.
Also, your document reference was no help.
All it says is:
HTTP and HTTPS Allowed Port Values for PowerChute Network Shutdown (PCNS)
"The allowed values are:
80 or 3052 (when HTTP is selected)
443 or 6547 (when HTTPS is selected)
5000 - 32768 (when either HTTP or HTTPS is selected)"
FA159753 | 2.0 | Published date: 19-Nov-2012
And we already knew that.
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:49 PM
You only need to open the ones you are using in general. These ports in the knowledge base are the allowed ports that you can choose (5000-32768) for more security, rather than the defaults, so maybe there was some misunderstanding here on the knowledge base sent. I would suggest you just open what the documentation says. I believe you can open the HTTP or HTTPS port but definitely 3052 TCP/UDP bi-directional is required no matter what. It is not realistic or required to require all those ports to be opened.
The network management card supports many different protocols as well (SNMP, FTP, etc) so you'd want to open any ports there for any services you will be using with the NMC.
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:49 PM
This is still a bit confusing.
I found firewall info in the PCNS install guide:
If you are using a firewall, PCNS needs to be able to connect to the NMC Web Access port (default: TCP port 80) and receive data inbound to UDP port 3052 on the PCNS server machine.
On Windows, when the Windows Firewall is enabled, you can allow the PCNS installation to configure the firewall automatically. That is, the NMC communication port (UDP 3052) is registered as an exception in the firewall and enabled. Also, exceptions are created for TCP ports 3052 (HTTP) and 6547 (HTTPS) but are left disabled for security reasons. If you want to enable remote access to a particular Web user interface, you can enable the appropriate exception.
So if I am setting the protocol to HTTPS, what is the bare minimum list of port numbers that need to be opened?
I would like to only open 443 and 6547. I feel the above verbiage might be interpreted that way, but I need the correct information.
The computer will not work with less and my ISSO will not accept less.
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:49 PM
The blurb above has jogged my memory. You are talking about enabling HTTPS on the AP9617 Network Management Card in your UPS, correct? That is what it is referring to. So if you leave that at 443, then open TCP 443 because your computer running PCNS needs to talk to the NMC on that. Then you need inbound UDP 3052 for your computer open as well to get status updates from the NMC. Lastly, for access to your PCNS client computer via a web browser, open 6547, which is the default HTTPS port it configures on, or you can turn on HTTP only and the port for access then is 3052 (again). Accessing the PCNS client refers to accessing the PCNS service on your computer for graceful shutdown and other options.
Hope that helps clarify.
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:49 PM
Yes, HTTPS on the AP9617 Network Management Card.
This info is very helpful. Would you be able to make a request/suggestion to clarify the installation documentation? It needs it.
Let's see if I understand:
PCNS --> 443/tcp --> NMC uni-directional
PCNS <--> 3052/udp <--> NMC bi-directional
PCNS <-- 6547/tcp <-- (admin web browser access) uni-directional
Is that accurate?
Oh! And one last add-on question:
The NMC is on its own VLAN (not my network design) and there are more than 50 devices plugged into it, so we have to do the trick from Application Note #101 (BKIR-6QWKC5_R2_EN.pdf) and register two devices per VLAN to broadcast to the rest of the local VLAN.
One of the VLANs in question is an outward facing DMZ that has a firewall that is tighter than a crab's butt (and that is water-tight!), so I need to account for communication between servers in the same VLAN. For the servers that are NOT registered with the NMC, are any of the above firewall holes unnecessary?
Thanks again for the details.
Posted: 2021-07-01 02:12 AM . Last Modified: 2024-03-05 11:49 PM
Here is what I had saved now that I can look at all my documentation. I provide trainings myself on the Network Management Card as that is one of the products I primarily support and here is what is in my training. I keep getting headaches after looking at this as I am sure you are too, so I will just repaste that, lol. 😉
Then, it seems in addition, for PCNS web access/management of the PCNS service itself, you need TCP 6547 open as you've noted for each client.
Keeping this in mind, my understanding is that you'll at least need TCP/UDP open 3052 on those clients that will be getting a re-broadcast over the different VLANs.
I would definitely suggest a test at some point but I am sure you've considered that.
I will see about the documentation suggestion. I will have to contact that product group.
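The minimum HTTPS flows worked out in this thread for a PCNS host registered with the NMC (TCP 443 out to the NMC, UDP 3052 in from the NMC, TCP 6547 in for browser administration), written as source-scoped Windows Firewall rules. This is an added example, not from the thread or from APC documentation; it assumes a Windows PCNS host, and the two addresses and the rule group name are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: least-privilege Windows Firewall rules for a PCNS host
# that is registered with the NMC and uses HTTPS, per the flows in this thread.
# All three values below are placeholders (assumptions); replace them.
$NmcAddress  = '192.0.2.10'        # placeholder: address of the AP9617 NMC
$AdminSubnet = '198.51.100.0/24'   # placeholder: where admins browse from
$Group       = 'PCNS minimal (example)'

# Remove rules from an earlier run so the script can be re-applied safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$rules = @(
    # PCNS -> NMC web access port (HTTPS). Only has an effect when the
    # outbound default is Block; Windows allows outbound by default.
    @{ DisplayName = 'PCNS to NMC HTTPS'; Direction = 'Outbound'
       Protocol = 'TCP'; RemotePort = 443; RemoteAddress = $NmcAddress },

    # NMC -> PCNS status updates, accepted from the NMC only.
    @{ DisplayName = 'NMC status to PCNS'; Direction = 'Inbound'
       Protocol = 'UDP'; LocalPort = 3052; RemoteAddress = $NmcAddress },

    # Browser -> PCNS web UI (HTTPS), accepted from the admin subnet only.
    @{ DisplayName = 'PCNS web UI HTTPS'; Direction = 'Inbound'
       Protocol = 'TCP'; LocalPort = 6547; RemoteAddress = $AdminSubnet }
)

foreach ($r in $rules) {
    New-NetFirewallRule @r -Group $Group -Action Allow -Profile Any | Out-Null
}

# Show what was created, with ports and permitted peers, for the ISSO review.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Direction     = $_.Direction
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemotePort    = $port.RemotePort
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

Hosts that only receive the re-broadcast from a registered peer are not covered by these rules; per the last reply they need 3052 open to the re-broadcasting hosts instead.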