CM Ports
This topic lists the ports used by the BMC Client Management agent for all different modules and provides some details on each.
Port overview
Component | Source | Destina-tion | TCP/ UDP | Service | Port number | Description |
|---|---|---|---|---|---|---|
Database connection * | Master Server | Database Server | TCP | TCP | Oracle: 1521 Postgres: 5432 SQL Server: 1433 | For communication between the master server and the database. (* only if the database is on another server than the master) |
Agent Rollout for Windows | Rollout Server | Client Devices | TCP | SMB | 445,139 | To install the CM agent on the Windows target devices. |
| Agent Rollout for Linux and macOS | Rollout Server | Client Devices | TCP | SSH | 22 | To install the CM agent on the Unix target devices. |
Client Agent communi-cation | Client Devices | Master Server | HTTP | 1610, 1611 | 1610 is the default agent communication port. The connection must be bidirectional between the client and its parent for optimal settings. If it is unidirectional then it must be unidirectional from the client to the parent and in this case a tunnel on the port 1611 is used. The downwards direction can be replaced by a tunnel.
| |
CM console | Administra-tive computer | Master Server and Client Devices | HTTP | 1611 (1610) | The default console management port. | |
Bandwidth Throttling * | Relay | Client | TCP | TCP | 1609 | The bandwidth management port on relay servers. (* only used if transfer windows are defined with a percentage) |
MyApps | 1611 (1610) | The MyApps port on the master server. | ||||
AutoDiscovery | TCP | TCP, HTTP | 135,22, 23,139, 1610 | TCP ports scanned for auto-discovery. | ||
Multicast Traffic | Relay | Client | UDP | UDP | 2500 * | The multicast transfer agent listen port as configured. * An IP range must also be configured. |
Active Directory LDAP | Master Server | LDAP Server | TCP | LDAP | 389 | To synchronize data from LDAP server to CM . |
Email Server | Master Server, console | Email Server | TCP | SMTP | 25 | To send alerts and reports on email to users. This port must be open on all devices from which emails are sent via the console. |
WebAPI | Browser, Web service caller | Master Server | TCP | HTTP | 1616 | The port for the web services. |
Asset discovery
The ports and ranges documented below are the default values. These values can be changed in the RemoteInventory.ini (TcpPortRange and UdpPortRange) file.
Component | Source | Destination | TCP/UDP | Port number | Description |
|---|---|---|---|---|---|
Asset Discovery | Asset Discovery Server | IP Devices | TCP | 15, 22, 23, 35, 80, 135, 137, 139, 443, 445, 515, 9100-9102 | TCP ports and ranges to be used for the Asset Discovery scans |
Asset Discovery | Asset Discovery Server | IP Devices | UDP | 161 | UDP ports and ranges to be used for the Asset Discovery scans |
| Asset Discovery | Asset Discovery Server | IP Devices | TCP | 1024 -1030 | Restricted WMI (DCOM) |
| Asset Discovery | Asset Discovery Server | IP Devices | TCP | 49152 - 65535 | Unrestricted WMI (DCOM) |
By default, WMI (DCOM) uses a randomly selected TCP port between 1024 and 65535. To simplify configuration of the firewall, you should restrict this usage if you scan through firewalls. For more information, see https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi.
Notifications
XML-RPC packets are sent between the communicating agents as notifications to execute actions.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Downstream notification |
Parameter | Agent | Any | Upstream notification |
HTTP Files Transfer
File transfer is executed via the HTTP protocol and passes via the FileStore, it concerns all types of inventories, synchronizations, packages, files, assignments, status, and so on.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Downstream (Package/Assign/Delete/Scripts ...) |
Parameter | Agent | Any | Upstream (Status/Identity/Inventories...) |
Parameter | Any | Multicast | Multicast |
Bandwidth Calculation
To measure the currently available bandwidth, some TCP/IP packets are sent to the bandwidth management port at the defined rate, by default every 60 seconds, for the defined period of time, by default 200 ms.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Bandwidth | Any | Data sent to calculate available bandwidth |
Parameter | Any | Broadcast | Wake-on-LAN notification |
Wake-On-LAN
The Wake-On-LAN sends a magic packet to the target devices to wake them up.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Any | Broadcast | Wake-on-LAN notification |
Remote Control
Remote control communication passes via images for the actual remote control connections, and uses notifications for access right verifications.
Direction | Console PC | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Images transfer / keyboard orders |
Direction | CM Master | Client | Description |
Parameter | Any | Agent | Downstream notification for Privacy check + client answer |
HCHL Web Interface
The agent web interface allows to access agent data via a browser.
Direction | Web Browser | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | General web interface features |
MyApps Application Kiosk
MyApps is part of the agent web interface and allows to execute specific operations and install software packages via a browser and per user.
Direction | Web Browser | Client | Description |
|---|---|---|---|
Parameter | Any | Kiosk | Web interface for user application kiosk |
Direct Access
The Direct Access functionality provides access to specific areas (file system, Registry, services, Task Manager, ...) of a device via the console.
Direction | Console PC | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Direct access functionalities |
AutoDiscovery
The AutoDiscovery functionality scans the network for a any type of hardware (PCs, printers, servers, firewalls, routers, ...).
Direction | PC1 | PC2 | Description |
|---|---|---|---|
Parameter | Any | ICMP | Ping |
Parameter | Any | TCP | TCP port scan |
Parameter | Any | Agent | Check for the presence of the CM agent (AgentGetIdentity) |
Parameter | Any | Agent | Ask for the Autodiscovery list of other devices if the parameter CanLearn is enabled (AutodiscoveryListDevices) |
Parameter | Any | Agent | Check if the device is a relay (RelayGetValue) |
Ldap Synchronization
The CM master acts as a client to the LDAP server to synchronize its groups with those of the LDAP server, that is, devices and users (translated in CM into administrators and users).
Direction | CM Master | LDAP Server | Description |
|---|---|---|---|
Parameter | Any | LDAP | LDAP synchronization |
OSD
The following ports should be open on the LAN that you are using to deploy devices. These ports must be bidirectional.
| Source | Destination | Type | Port | Description |
|---|---|---|---|---|
| OSD Target Subnet | Network Boot Listener | UDP | 68 | DHCP |
| DHCP Server | Network Boot Listener | UDP | 67 | DHCP |
| DHCP Server | OSD Target Subnet | UDP | 67 | DHCP |
| OSD Target Subnet | Network Boot Listener | UDP | 67 | DHCP |
| OSD Target Subnet | Network Boot Listener | UDP | 69 | TFTP |
| OSD Target Subnet | Network Boot Listener | TCP | 1610 | Client Management |
| OSD Target Subnet | Network Boot Listener | TCP | 1611 | Client Management |
| OSD Target Subnet | Network Boot Listener | TCP | 1613 | Client Management |
| Network Boot Listener / Image Repository | OSD Manager | TCP | 1610 | Client Management |
| Network Boot Listener / Image Repository | OSD Manager | TCP | 1611 | Client Management |
| Network Boot Listener / Image Repository | OSD Manager | TCP | 1613 | Client Management |
| OSD Target Subnet | Image Repository | TCP | 1610 | Client Management |
| OSD Target Subnet | Image Repository | TCP | 1611 | Client Management |
| OSD Target Subnet | Image Repository | TCP | 1613 | Client Management |
| OSD Target Subnet | Image Repository (captures) | TCP | 139 | SMB |
| OSD Target Subnet | Image Repository (captures) | TCP | 445 | SMB |
| OSD Target Subnet | Network Boot Listener | TCP | Depends on their configuration (see screenshot below) | Multicast Ports |
| OSD Target Subnet | All network on which other devices will be deployed | TCP | Depends on their configuration (see screenshot below) | Multicast Ports |
If you are using this mode to deploy your OS deployment projects the you should also open the multicast ports as shown in the following image:
Ensure the following:
- If the DHCP server is a switch, the IP Helper is not used.
- If the DHCP server is not a switch and the IP Helper is set, it should have the name of the network boot listener.
- No other setting discards DHCP servers that are not specifically white-listed, as an example.
Comments
This page should be completed with some details:
For example, Agent Rollout: the Source is Master Server, and it CAN BE correct, but IMHO a more correct definition would be "Rollout server". In some cases it can be the Master itself, but in many cases it is a different server
The same consideration can be done for Asset Discovery (Scanner), Active Directory (when using a Directory Server Proxy)
Log in or register to comment.