CM Ports
This topic lists the ports used by the BMC Client Management agent for all different modules and provides some details on each.
Port overview
Component | Source | Destina-tion | TCP/ UDP | Service | Port number | Description |
|---|---|---|---|---|---|---|
Database connection * | Master Server | Database Server | TCP | TCP | Oracle: 1521 Postgres: 5432 SQL Server: 1433 | For communication between the master server and the database. (* only if the database is on another server than the master) |
Agent Rollout for Windows | Rollout Server | Client Devices | TCP | SMB | 445,139 | To install the CM agent on the Windows target devices. |
| Agent Rollout for Linux and macOS | Rollout Server | Client Devices | TCP | SSH | 22 | To install the CM agent on the Unix target devices. |
Client Agent communication | Client Devices | Master Server | HTTP | 1610, 1611 | The connection must be bidirectional between the client and its parent for optimal settings. Port flow: Client -> Parent, Parent -> Client If bidirectional connection is not possible then it must be unidirectional from the client to the parent and, in this case, a tunnel on the port 1611 is used. The downwards direction can be replaced by a tunnel. 1610 is the default main agent communication port. Addition information about tunnels in BMC Client Management:
Blocking ports 1610 or 1611 If you close port 1610, clients cannot connect to their parent. If you close port 1611 instead then the tunnel uses the port 1610 which may lower the agent performance. If you modify the agent configuration by deleting | |
CM console | Administra-tive computer | Master Server and Client Devices | HTTP | 1611 (1610) | The default console management port. | |
Bandwidth Throttling * | Relay | Client | TCP | TCP | 1609 | The bandwidth management port on relay servers. (* only used if transfer windows are defined with a percentage) |
MyApps | 1611 (1610) | The MyApps port on the master server. | ||||
AutoDiscovery | TCP | TCP, HTTP | 135,22, 23,139, 1610 | TCP ports scanned for auto-discovery. | ||
Multicast Traffic | Relay | Client | UDP | UDP | 2500 * | The multicast transfer agent listen port as configured. * An IP range must also be configured. |
Active Directory LDAP | Master Server | LDAP Server | TCP | LDAP | 389 | To synchronize data from LDAP server to CM . |
Email Server | Master Server, console | Email Server | TCP | SMTP | 25 | To send alerts and reports on email to users. This port must be open on all devices from which emails are sent via the console. |
WebAPI | Browser, Web service caller | Master Server | TCP | HTTP | 1616 | The port for the web services. |
Asset discovery
The ports and ranges documented below are the default values. These values can be changed in the RemoteInventory.ini (TcpPortRange and UdpPortRange) file.
Component | Source | Destination | TCP/UDP | Port number | Description |
|---|---|---|---|---|---|
Asset Discovery | Asset Discovery Server | IP Devices | TCP | 15, 22, 23, 35, 80, 135, 137, 139, 443, 445, 515, 9100-9102 | TCP ports and ranges to be used for the Asset Discovery scans |
Asset Discovery | Asset Discovery Server | IP Devices | UDP | 161 | UDP ports and ranges to be used for the Asset Discovery scans |
| Asset Discovery | Asset Discovery Server | IP Devices | TCP | 1024 -1030 | Restricted WMI (DCOM) |
| Asset Discovery | Asset Discovery Server | IP Devices | TCP | 49152 - 65535 | Unrestricted WMI (DCOM) |
By default, WMI (DCOM) uses a randomly selected TCP port between 1024 and 65535. To simplify configuration of the firewall, you should restrict this usage if you scan through firewalls. For more information, see https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi.
Notifications
XML-RPC packets are sent between the communicating agents as notifications to execute actions.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Downstream notification |
Parameter | Agent | Any | Upstream notification |
HTTP Files Transfer
File transfer is executed via the HTTP protocol and passes via the FileStore, it concerns all types of inventories, synchronizations, packages, files, assignments, status, and so on.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Downstream (Package/Assign/Delete/Scripts ...) |
Parameter | Agent | Any | Upstream (Status/Identity/Inventories...) |
Parameter | Any | Multicast | Multicast |
Bandwidth Calculation
To measure the currently available bandwidth, some TCP/IP packets are sent to the bandwidth management port at the defined rate, by default every 60 seconds, for the defined period of time, by default 200 ms.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Bandwidth | Any | Data sent to calculate available bandwidth |
Parameter | Any | Broadcast | Wake-on-LAN notification |
Wake-On-LAN
The Wake-On-LAN sends a magic packet to the target devices to wake them up.
Direction | Parent Server | Client | Description |
|---|---|---|---|
Parameter | Any | Broadcast | Wake-on-LAN notification |
Remote Control
Remote control communication passes via images for the actual remote control connections, and uses notifications for access right verifications.
Direction | Console PC | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Images transfer / keyboard orders |
Direction | CM Master | Client | Description |
Parameter | Any | Agent | Downstream notification for Privacy check + client answer |
HCHL Web Interface
The agent web interface allows to access agent data via a browser.
Direction | Web Browser | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | General web interface features |
MyApps Application Kiosk
MyApps is part of the agent web interface and allows to execute specific operations and install software packages via a browser and per user.
Direction | Web Browser | Client | Description |
|---|---|---|---|
Parameter | Any | Kiosk | Web interface for user application kiosk |
Direct Access
The Direct Access functionality provides access to specific areas (file system, Registry, services, Task Manager, ...) of a device via the console.
Direction | Console PC | Client | Description |
|---|---|---|---|
Parameter | Any | Agent | Direct access functionalities |
AutoDiscovery
The AutoDiscovery functionality scans the network for a any type of hardware (PCs, printers, servers, firewalls, routers, ...).
Direction | PC1 | PC2 | Description |
|---|---|---|---|
Parameter | Any | ICMP | Ping |
Parameter | Any | TCP | TCP port scan |
Parameter | Any | Agent | Check for the presence of the CM agent (AgentGetIdentity) |
Parameter | Any | Agent | Ask for the Autodiscovery list of other devices if the parameter CanLearn is enabled (AutodiscoveryListDevices) |
Parameter | Any | Agent | Check if the device is a relay (RelayGetValue) |
LDAP Synchronization
The CM master acts as a client to the LDAP server to synchronize its groups with those of the LDAP server, that is, devices and users (translated in CM into administrators and users).
Direction | CM Master | LDAP Server | Description |
|---|---|---|---|
Parameter | Any | LDAP | LDAP synchronization |
OSD
The following ports should be open on the LAN that you are using to deploy devices. These ports must be bidirectional.
| Source | Destination | Type | Port | Description |
|---|---|---|---|---|
| OSD Target Subnet | Network Boot Listener | UDP | 68 | DHCP |
| DHCP Server | Network Boot Listener | UDP | 67 | DHCP |
| DHCP Server | OSD Target Subnet | UDP | 67 | DHCP |
| OSD Target Subnet | Network Boot Listener | UDP | 67 | DHCP |
| OSD Target Subnet | Network Boot Listener | UDP | 69 | TFTP |
| OSD Target Subnet | Network Boot Listener | TCP | 1610 | Client Management |
| OSD Target Subnet | Network Boot Listener | TCP | 1611 | Client Management |
| OSD Target Subnet | Network Boot Listener | TCP | 1613 | Client Management |
| Network Boot Listener / Image Repository | OSD Manager | TCP | 1610 | Client Management |
| Network Boot Listener / Image Repository | OSD Manager | TCP | 1611 | Client Management |
| Network Boot Listener / Image Repository | OSD Manager | TCP | 1613 | Client Management |
| OSD Target Subnet | Image Repository | TCP | 1610 | Client Management |
| OSD Target Subnet | Image Repository | TCP | 1611 | Client Management |
| OSD Target Subnet | Image Repository | TCP | 1613 | Client Management |
| OSD Target Subnet | Image Repository (captures) | TCP | 139 | SMB |
| OSD Target Subnet | Image Repository (captures) | TCP | 445 | SMB |
| OSD Target Subnet | Network Boot Listener | TCP | Depends on their configuration (see screenshot below) | Multicast Ports |
| OSD Target Subnet | All network on which other devices will be deployed | TCP | Depends on their configuration (see screenshot below) | Multicast Ports |
If you are using this mode to deploy your OS deployment projects the you should also open the multicast ports as shown in the following image:
Ensure the following:
- If the DHCP server is a switch, the IP Helper is not used.
- If the DHCP server is not a switch and the IP Helper is set, it should have the name of the network boot listener.
- No other setting discards DHCP servers that are not specifically white-listed, as an example.
To manage port redirections between an agent and its parent
If port 1610 is blocked and only port 443 is allowed to open between the clients in the WAN and their DMZ relay, you should redirect the ports between the WAN to the port 443 on the DMZ relay. Set the following DMZ Relay configuration if the port 1610 are blocked on the clients which are connecting though internet.
- On DMZ relay
- Open the HttpProtocolHandler.ini located at C:\Program Files\BMC Software\Client Management\Client\config.
- Search for ForwardedPorts= and set 443 as its value.
- On the client devices which are on the off-site locations (where port 1610 disabled)
- Open the Relay.ini located at C:\Program Files\BMC Software\Client Management\Client\config.
- Search for ParentPort= and set 443 as its value.
Comments
@Darshana Bhangare Could you update the below information
Port overview -> Client Agent Communications -> Under Description.
Communication should be opened bidirectional on the port 1610. Client -> Parent,Parent -> Client.
Thanks, Sai! I have updated the page.
Could you modify Port overview -> Client Agent Communications -> Description with following text :
"The connection must be bidirectional between the client and its parent for optimal settings this is best practices.
In case bidirectional is not possible then it must be unidirectional from the client to the parent and in this case a tunnel on the port 1611 is used. The downwards direction can be replaced by a tunnel.
1610 is the default main agent communication port.
Addition information about tunnels in BMC Client Management : - If a client can be contacted by its parent, the tunnel is not required. When necessary, the parent connects to the client and calls one or more web services.
Thanks, Fabien! I have updated the page.
@Darshana Bhangare Could you please update the "Port Overview" -> Client communication-> TCP/UDP port to TCP. This information has been confirmed with Nathalie (Dev team)
Thanks, Cynthia. I have incorporated the change you suggested.
@Darshana Bhangare : Could you please update the Port Flow information at.
Port overview -> Client Agent Communications -> Under Description.
The connection must be bidirectional between the client and its parent for optimal settings.(Add below)
Port Flow : Client -> Parent, Parent -> Client.
Thanks, Sai. Updated the description.
Log in or register to comment.