Firewall limitations between NMC and PCNS ?

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

Solved
ygor_apc
Posted: 2021-07-01 02:12 AM

This was originally posted on APC forums on 3/1/2013


The documentation says to open ports 80/443 (tcp) and 3052/6547 (tcp/udp) bi-directionally between client and server.

Are both necessary?

Can I operate with JUST 443 and 6547?

The Security folks want to know!

APC 9617 NMC / PCNS 3.0.1

BillP
Posted: 2021-07-01 02:12 AM

This reply was originally posted by Bernard on APC forums on 3/1/2013


The allowed values are:

80 or 3052 (when HTTP is selected)

443 or 6547 (when HTTPS is selected)

5000 - 32768 (when either HTTP or HTTPS is selected)

So you can use 443 and 6547 as long as you have HTTPS selected. But ports 5000 to 32768 should be open as well because that is what the NMC uses to communicate with the PCNS client. Click the link http://www.apcmedia.com/salestools/TDOY-5UQVBV/TDOY-5UQVBV_R3_EN.pdf if you want to read more about the communication process of PowerChute Network Shutdown. I hope this helps.

ygor_apc

Posted: 2021-07-01 02:12 AM

This was originally posted on APC forums on 3/1/2013


The referenced document does not talk about port numbers at all.

What are ports 5000-32768 used for?

I have an ISSO that wants to know!

BillP

Posted: 2021-07-01 02:12 AM

This reply was originally posted by Bernard on APC forums on 3/1/2013


The ports are specified in FA159753; you can look it up at http://www.apc.com/site/support/index.cfm/faq/.

Ports 5000-32768 are used by the NMC for the Normal UPS Packets (sent every 25 seconds) & UPS Status Packets (sent immediately if for example the UPS goes on battery).

ygor_apc

Posted: 2021-07-01 02:12 AM

This was originally posted on APC forums on 3/1/2013


How do you think my ISSO will react when I tell him that I need 27768 ports opened up for PCNS?

It would be nice to have a way to narrow that down a bit.

Also, your document reference was no help.

All it says is:

HTTP and HTTPS Allowed Port Values for PowerChute Network Shutdown (PCNS)

"The allowed values are:

80 or 3052 (when HTTP is selected)

443 or 6547 (when HTTPS is selected)

5000 - 32768 (when either HTTP or HTTPS is selected)"

FA159753 | 2.0 | Published date: 19-Nov-2012


And we already knew that.

BillP

Posted: 2021-07-01 02:12 AM

This reply was originally posted by Angela on APC forums on 3/2/2013


You only need to open the ones you are using in general. These ports in the knowledge base are the allowed ports that you can choose (5000-32768) for more security, rather than the defaults, so maybe there was some misunderstanding here on the knowledge base sent. I would suggest you just open what the documentation says. I believe you can open the HTTP or HTTPS port but definitely 3052 TCP/UDP bi-directional is required no matter what. It is not realistic or required to require all those ports to be opened.

The network management card supports many different protocols as well (SNMP, FTP, etc.) so you'd want to open any ports there for any services you will be using with the NMC.

ygor_apc

Posted: 2021-07-01 02:12 AM

This was originally posted on APC forums on 3/2/2013


This is still a bit confusing.

I found firewall info in the PCNS install guide:

If you are using a firewall, PCNS needs to be able to connect to the NMC Web Access port (default: TCP port 80) and receive data inbound to UDP port 3052 on the PCNS server machine.

On Windows, when the Windows Firewall is enabled, you can allow the PCNS installation to configure the firewall automatically. That is, the NMC communication port (UDP 3052) is registered as an exception in the firewall and enabled. Also, exceptions are created for TCP ports 3052 (HTTP) and 6547 (HTTPS) but are left disabled for security reasons. If you want to enable remote access to a particular Web user interface, you can enable the appropriate exception.

So if I am setting the protocol to HTTPS, what is the bare minimum list of port numbers that need to be opened?

I would like to only open 443 and 6547. I feel the above verbiage might be interpreted that way, but I need the correct information.

The computer will not work with less and my ISSO will not accept less.

BillP

Posted: 2021-07-01 02:12 AM

This reply was originally posted by Angela on APC forums on 3/2/2013


The blurb above has jogged my memory.

You are talking about enabling HTTPS on the AP9617 Network Management Card in your UPS, correct? That is what it is referring to. So if you leave that at 443, then open TCP 443 because your computer running PCNS needs to talk to the NMC on that. Then you need inbound UDP 3052 open for your computer as well to get status updates from the NMC. Lastly, for access to your PCNS client computer via a web browser, open 6547, which is the default HTTPS port it configures on, or you can turn on HTTP only and the port for access then is 3052 (again). Accessing the PCNS client refers to accessing the PCNS service on your computer for graceful shutdown and other options.

Hope that helps clarify.

ygor_apc

Posted: 2021-07-01 02:12 AM

This was originally posted on APC forums on 3/2/2013


Yes, HTTPS on the AP9617 Network Management Card.

This info is very helpful. Would you be able to make a request/suggestion to clarify the installation documentation? It needs it.

Let's see if I understand:

PCNS  -->  443/tcp  --> NMC  uni-directional

PCNS <--> 3052/udp <--> NMC  bi-directional

PCNS <--  6547/tcp <-- (admin web browser access) uni-directional


Is that accurate?

Oh! And one last add-on question:

The NMC is on its own VLAN (not my network design) and there are more than 50 devices plugged into it, so we have to do the trick from Application Note #101 ( BKIR-6QWKC5_R2_EN.pdf ) and register two devices per VLAN to broadcast to the rest of the local VLAN.

One of the VLANs in question is an outward-facing DMZ that has a firewall that is tighter than a crab's butt (and that is water-tight!), so I need to account for communication between servers in the same VLAN. For the servers that are NOT registered with the NMC, are any of the above firewall holes unnecessary?

Thanks again for the details.

BillP

Posted: 2021-07-01 02:12 AM

This reply was originally posted by Angela on APC forums on 3/4/2013


Here is what I had saved now that I can look at all my documentation. I provide trainings myself on the Network Management Card as that is one of the products I primarily support and here is what is in my training. I keep getting headaches after looking at this as I am sure you are too, so I will just repaste that, lol. 😉

  • NMC -> PCNS for shutdown command, any other communication: TCP/UDP 3052
  • NMC and PCNS maintaining communication: UDP 3052
  • PCNS registration -> NMC: TCP 80 or 443 (depending on NMC web access configuration - the port can also be changed as you know so just make sure this matches)

Then, it seems in addition, for PCNS web access/management of the PCNS service itself, you need TCP 6547 open as you've noted for each client.

Keeping this in mind, my understanding is that you'll at least need TCP/UDP 3052 open on those clients that will be getting a re-broadcast over the different VLANs.

I would definitely suggest a test at some point but I am sure you've considered that.

I will see about the documentation suggestion. I will have to contact that product group.
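
The port list the replies converge on can be checked mechanically against a proposed firewall rule set. The Python below is an added example, not part of any post in this thread and not APC code: `Flow`, `Rule`, `covers` and `audit` are hypothetical names, the addresses are constructed documentation addresses, and the flow list is the thread's reading for an NMC serving HTTPS on 443, including an assumed PCNS-to-NMC leg for the "bi-directional" UDP 3052.

```python
# Added example, not from the thread: audit firewall allow rules against the
# flow list the posters arrive at for an NMC serving HTTPS on 443.
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int          # destination port
    why: str

class Rule(NamedTuple):
    src: str           # host or CIDR
    dst: str
    proto: str
    lo: int            # first destination port allowed
    hi: int            # last destination port allowed

# Constructed documentation addresses, not values from the thread.
NMC, PCNS, ADMIN = "192.0.2.10", "198.51.100.20", "203.0.113.5"

# Flows as read from the replies; confirm with your own test before relying on them.
REQUIRED = [
    Flow(PCNS, NMC, "tcp", 443, "PCNS registration with the NMC"),
    Flow(NMC, PCNS, "udp", 3052, "status updates and shutdown command"),
    Flow(NMC, PCNS, "tcp", 3052, "listed as TCP/UDP 3052 in the last reply"),
    Flow(PCNS, NMC, "udp", 3052, "assumed return leg of 'bi-directional' 3052"),
    Flow(ADMIN, PCNS, "tcp", 6547, "browser access to the PCNS web UI"),
]

def covers(rule: Rule, flow: Flow) -> bool:
    """True when an allow rule admits the flow."""
    return (rule.proto == flow.proto
            and rule.lo <= flow.port <= rule.hi
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst))

def audit(rules, required=REQUIRED):
    """Return (flows no rule admits, [(rule, ports opened for no flow)])."""
    missing = [f for f in required if not any(covers(r, f) for r in rules)]
    excess = []
    for r in rules:
        needed = {f.port for f in required if covers(r, f)}
        spare = (r.hi - r.lo + 1) - len(needed)
        if spare:
            excess.append((r, spare))
    return missing, excess

# The reading of FA159753 the poster feared: open the whole selectable range.
WIDE = [Rule(PCNS, NMC, "tcp", 443, 443),
        Rule(NMC, PCNS, "udp", 5000, 32768),
        Rule(ADMIN, PCNS, "tcp", 6547, 6547)]
# One single-port rule per required flow.
TIGHT = [Rule(f.src, f.dst, f.proto, f.port, f.port) for f in REQUIRED]

if __name__ == "__main__":
    for name, rules in (("WIDE", WIDE), ("TIGHT", TIGHT)):
        missing, excess = audit(rules)
        print(name, "missing:", [(f.proto, f.port) for f in missing],
              "spare ports:", [n for _, n in excess])
```

The wide rule set both fails to admit the 3052 flows and opens a port range that none of the listed flows uses; the tight set admits every listed flow with nothing to spare.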
