Firewall limitations between NMC and PCNS ?

This reply was originally posted by Bernard on APC forums on 3/1/2013

The allowed values are:

80 or 3052 (when HTTP is selected)

443 or 6547 (when HTTPS is selected)

5000 - 32768 (when either HTTP or HTTPS is selected)

So you can use 443 and 6547 as long as you have HTTPS selected. But ports 5000 to 32768 should be open as well because that is what the NMC uses to communicate with the PCNS client. Click the link http://www.apcmedia.com/salestools/TDOY-5UQVBV/TDOY-5UQVBV_R3_EN.pdf you want to read more about the communication process of Powerchute Network Shutdown. I hope this helps

This was originally posted on APC forums on 3/1/2013

The referenced document does not talk about port numbers at all.

What are ports 5000-32768 used for ?

I have an ISSO that wants to know !

This reply was originally posted by Bernard on APC forums on 3/1/2013

The ports are specified in FA159753, you can look it up at http://www.apc.com/site/support/index.cfm/faq/.

Ports 5000-32768 are used by the NMC for the Normal UPS Packets (sent every 25 seconds) & UPS Status Packets (sent immediately if for example the UPS goes on battery).

This was originally posted on APC forums on 3/1/2013

How do you think my ISSO will react when I tell him that I need 27768 ports opened up for PCNS ?

It would be nice to have a way to narrow that down a bit.

Also, your document reference was no help.

All it says is:

HTTP and HTTPS Allowed Port Values for PowerChute Network Shutdown (PCNS)

"The allowed values are:

80 or 3052 (when HTTP is selected)

443 or 6547 (when HTTPS is selected)

5000 - 32768 (when either HTTP or HTTPS is selected)"

FA159753 | 2.0 | Published date: 19-Nov-2012

And we already knew that.

This reply was originally posted by Angela on APC forums on 3/2/2013

You only need to open the ones you are using in general. These ports in the knowledge base are the allowed ports that you can choose (5000-32768) for more security, rather than the defaults, so maybe there was some misunderstanding here on the knowledge base sent. I would suggest you just open what the documentation says. I believe you can open the HTTP or HTTPS port but definitely 3052 tcp/UDP bi directional is required no matter what. It is not realistic or required to require all those ports to be opened.

The network management card supports many different protocols as well (SNMP, FTP, etc) so you'd want to open any ports there for any services you will be using with the NMC.

This was originally posted on APC forums on 3/2/2013

This is still a bit confusing.

I found firewall info in the PCNS install guide:

If you are using a firewall, PCNS needs to be able to connect to the NMC Web Access port (default: TCP port 80) and receive data inbound to UDP port 3052 on the PCNS server machine.
On Windows, when the Windows Firewall is enabled, you can allow the PCNS installation to configure the firewall automatically. That is, the NMC communication port (UDP 3052) is registered as an exception in the firewall and enabled. Also, exceptions are created for TCP ports 3052 (HTTP) and 6547 (HTTPS) but are left disabled for security reasons. If you want to enable remote access to a particular Web user interface, you can enable the appropriate exception.

So if I am setting the protocol to HTTPS, what is the bare minimum list of port numbers that need to be opened ?

I would like to only open 443 and 6547.  I feel the above verbiage might be interpreted that way, but I need the correct information.

The computer will not work with less and my ISSO will not accept less.

This reply was originally posted by Angela on APC forums on 3/2/2013

The blurb above has jogged my memory

you are talking about enabling HTTPS on the AP9617 Network Management Card in your UPS, correct? That is what it is referring to. So if you leave that at 443, then open tcp 443 because your computer running PCNS needs to talk to the NMC on that. Then you need inbound UDP 3052 for your computer open as well to get status updates from the NMC. Lastly, for access to your PCNS client computer via a web browser, open 6547 which is the default HTTPS port it configures on or you can turn on HTTP only and the port for access then is 3052 (again). Accessing the PCNS client refers to accessing the PCNS service on your computer for graceful shutdown and other options.

Hope that hopes clarify..

This was originally posted on APC forums on 3/2/2013

Yes, HTTPS on the AP9617 Network Management Card.

This info is very helpful.  Would you be able to make a request/suggestion to clarify the installation documentation ?  It needs it  

Let's see if I understand:

PCNS  -->  443/tcp  --> NMC  uni-directional

PCNS <--> 3052/udp <--> NMC  bi-directional

PCNS <--  6547/tcp <-- (admin web browser access) uni-directional

Is that accurate ?

Oh ! and one last add-on question:

The NMC is on its own VLAN (not my network design) and there are more than 50 devices plugged into it, so we have to do the trick from Application Note #101 ( BKIR-6QWKC5_R2_EN.pdf ) and register two devices per VLAN to broadcast to the rest of the local VLAN.

One of the VLAN's in question is an outward facing DMZ that has a firewall that is tighter than a crab's butt (and that is water-tight !), so I need to account for communication between servers in the same VLAN.  For the servers that are NOT registered with the NMC, are any of the above firewall holes unnecessary ?

Thanks again for the details.