Network Access Requirements Table
The following table lists the network protocol ports that must remain open when you implement network access restrictions for a CloudControl deployment. These are the default port numbers. You can also use custom port numbers.
| Service Name | Traffic Direction | Protocols | Ports | Interfaces | Comments |
|---|---|---|---|---|---|
| Active Directory service | Outbound | TCP | 389, 3268 | All | Active Directory communications for LDAP and Global Catalog (GC) communication. |
| Active Directory service | Outbound | TCP | 636, 3269 | All | Active Directory secure communications (TLS/SSL) for LDAP and Global Catalog (GC) communication. |
| DNS | Outbound | TCP, UDP | 53 | All | Domain Name Service communication |
| CloudControl HA clustering | Bidirectional | TCP, UDP | 2224, 5405 | | These ports are used for 2 CloudControl nodes to communicate when in an HA cluster. |
| HTTPS | Outbound | TCP | 443 | All | Including custom HTTPS ports referenced in the CloudControl configuration. |
| HTTPS | Inbound | TCP | 443 | All | Including custom HTTPS ports referenced in the CloudControl configuration. |
| NTP | Outbound | TCP, UDP | 123 | All | Network Time Protocol. |
| Ping | Inbound | ICMP | Types 0, 8, 11 | All | To test if remote servers are online. |
| Ping | Outbound | ICMP | Types 0, 8, 11 | All | To test if remote servers are online. |
| PingFederate authentication | Inbound | TCP | 443 | All | PingFederate sends all requests to existing proxy urls from CloudControl. |
| PingFederate authentication | Outbound | TCP | 443 | All | After logout, CloudControl redirects all proxies to PingFederate login page. |
| RADIUS | Bidirectional | TCP, UDP | 1812 | All | This port is needed for communication between CloudControl and the RADIUS server. |
| RADIUS Accounting | Bidirectional | TCP, UDP | 1812 | All | This port is needed for communication between CloudControl and the RADIUS server. |
| SMTP | Outbound | TCP | 25, 465, 587 | All | Required for sending SMTP notifications and alerts. |
| SNMP v2c | Inbound | TCP, UDP | 161 | Network 1 | SNMP is disabled by default. |
| SNMP v2c Trap | Outbound | TCP, UDP | 162 | All | SNMP alerts are disabled by default. |
| SNMP v3c | Inbound | TCP, UDP | 161, 10161 | All | Used for SNMP polling from the SNMP server. SNMP alerts are disabled by default. |
| SNMP v3c Trap | Outbound | TCP, UDP | 162, 10162 | All | Used when sending SNMP traps to the SNMP server. SNMP alerts are disabled by default. |
| SSH | Inbound | TCP | 22 | All | HA and Console SSH Access |
| SSH | Outbound | TCP | 22 | All | HA and Console SSH Access |
| SSH-Proxy | Inbound | TCP | 49152-65536 | All | External clients connect to the SSH Proxy over the ports ranging from 49152-65536 depending on the number of hosts in an environment. |
| SSH-Proxy | Outbound | TCP | 22 | All | SSH Proxy connects to target host via SSH over port 22. |
| Syslog | Outbound | TCP, UDP | 514, 6514 | All | Including custom syslog ports referenced in the CloudControl configuration. |
| Syslog | Outbound | TCP, UDP | 514, 6514 | All | Including custom syslog ports referenced in the CloudControl configuration. |
| vCenter Server Forwards | Inbound | TCP, UDP | 1-65535 | All | vCenter Server plug-ins and Windows Server can require additional ports in this port range. |
| vCenter Server Forwards | Outbound | TCP, UDP | 1-65535 | All | vCenter Server plug-ins and Windows Server can require additional ports in this port range. |
| vCenter Server Appliance | Inbound | TCP, UDP | 443 | All | Used by CloudControl to communicate with ESXi hosts. |
| vCenter Server Appliance | Outbound | TCP, UDP | 443 | All | Used by CloudControl to communicate with ESXi hosts. |
| vSphere Web Client (Flash) | Inbound | TCP | 9443 | All | By default open to CloudControl. Important: Support for the vSphere Web Client will be deprecated in a future release. |
| vSphere Web Client (Flash) | Outbound | TCP | 9443 | All | By default open to CloudControl. Important: Support for the vSphere Web Client will be deprecated in a future release. |
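The following is an added example, not part of the CloudControl documentation: a small allowlist evaluator that reports which table rows permit a given flow and which rows are broad enough to undermine a default-deny policy. The function names, the `BROAD` threshold and the sample flows are assumptions; `RULES` holds a subset of the rows above, with the ICMP rows omitted.

```python
# Added example: allowlist evaluator over rows transcribed from the table above.
# Each rule is (service, direction, protocols, ports); ICMP rows are omitted.
RULES = [
    ("Active Directory service", "outbound", "TCP", "389, 3268"),
    ("Active Directory service", "outbound", "TCP", "636, 3269"),
    ("DNS", "outbound", "TCP, UDP", "53"),
    ("CloudControl HA clustering", "bidirectional", "TCP, UDP", "2224, 5405"),
    ("HTTPS", "inbound", "TCP", "443"),
    ("SSH", "inbound", "TCP", "22"),
    ("SSH-Proxy", "inbound", "TCP", "49152-65536"),
    ("vCenter Server Forwards", "inbound", "TCP, UDP", "1-65535"),
]
BROAD = 1024  # assumption: rows spanning more ports than this get flagged

def parse_ports(spec):
    """Turn '389, 3268' or '49152-65536' into a list of (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        # 65535 is the highest valid port, so the table's 65536 is clamped.
        ranges.append((max(lo, 1), min(hi, 65535)))
    return ranges

def matches(rule, direction, proto, port):
    """True if one rule permits this direction/protocol/port combination."""
    _, rdir, protos, spec = rule
    if rdir not in (direction, "bidirectional"):
        return False
    if proto.upper() not in [p.strip() for p in protos.split(",")]:
        return False
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))

def allowed_by(direction, proto, port, rules=RULES):
    """Names of the rows that permit the flow; an empty list means deny."""
    return [r[0] for r in rules if matches(r, direction, proto, port)]

def broad_rows(rules=RULES):
    """Rows whose total port span exceeds BROAD."""
    return [r[0] for r in rules
            if sum(hi - lo + 1 for lo, hi in parse_ports(r[3])) > BROAD]

if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for flow in [("inbound", "tcp", 3389), ("outbound", "tcp", 636), ("outbound", "udp", 161)]:
        print(flow, "->", allowed_by(*flow) or "DENY")
    print("review:", broad_rows())
```

With the vCenter Server Forwards row applied as written, every inbound TCP and UDP port matches a rule, so the flagged rows are the ones to narrow to the ports a given deployment actually needs.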
