BMC Client Management Ports


This topic lists the ports used by the BMC Client Management (CM) agent and its modules and gives some details on each.

Port overview

| Component | Source | Destination | TCP/UDP | Service | Port number | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Database connection * | Master Server | Database Server | TCP | TCP | Oracle: 1521, PostgreSQL: 5432, SQL Server: 1433 | Communication between the master server and the database. (* only if the database is on a different server than the master) |
| Agent Rollout for Windows | Rollout Server | Client Devices | TCP | SMB | 445, 139 | To install the CM agent on Windows target devices. |
| Agent Rollout for Linux and macOS | Rollout Server | Client Devices | TCP | SSH | 22 | To install the CM agent on Linux and macOS (Unix-like) target devices. |
| Client Agent communication | Client Devices | Master Server (or the client's parent relay) | TCP | HTTP | 1610, 1611 | 1610 is the default main agent communication port; 1611 carries the client-initiated tunnel when the parent cannot reach the client. See the notes on ports 1610 and 1611 below this table. |
| CM console | Administrative computer | Master Server and Client Devices | TCP | HTTP | 1611 (1610) | The default console management port. |
| Bandwidth Throttling * | Relay | Client | TCP | TCP | 1609 | The bandwidth management port on relay servers. (* only used if transfer windows are defined with a percentage) |
| MyApps | Web browser | Master Server | TCP | HTTP | 1611 (1610) | The MyApps port on the master server. |
| AutoDiscovery | Scanning agent | Network devices | TCP | TCP, HTTP | 135, 22, 23, 139, 1610 | TCP ports scanned for auto-discovery. |
| Multicast Traffic | Relay | Client | UDP | UDP | 2500 * | The multicast transfer agent listen port, as configured. (* an IP range must also be configured) |
| Active Directory LDAP | Master Server | LDAP Server | TCP | LDAP | 389 | To synchronize data from the LDAP server to CM. |
| Email Server | Master Server, console | Email Server | TCP | SMTP | 25 | To send alerts and reports to users by email. This port must be open on every device from which emails are sent via the console. |
| WebAPI | Browser, web service caller | Master Server | TCP | HTTP | 1616 | The port for the web services. |

Notes on client agent communication (ports 1610 and 1611)

1610 is the default main agent communication port. For optimal operation the connection between a client and its parent must be bidirectional:

Port flow: Client -> Parent, Parent -> Client

If a bidirectional connection is not possible, the connection must at least be unidirectional from the client to the parent. In that case a tunnel on port 1611 is used: the downward (parent-to-client) direction is replaced by the tunnel.

Additional information about tunnels in BMC Client Management:

  • If a client can be contacted by its parent, no tunnel is required. When necessary, the parent connects to the client and calls one or more web services.
  • If a client cannot be contacted by its parent, a tunnel is required. The agent uses port 1611 for the tunnel, so that port must be open on the parent. The tunnel is created and monitored by the client, and all downstream communication occurs inside it. The tunnel can also carry the upstream communication, but this is not mandatory: the parent is visible from the client, so new transient TCP connections can be opened for it.

Blocking ports 1610 or 1611

If you close port 1610, clients cannot connect to their parent. If you close port 1611 instead, the tunnel uses port 1610, which may lower agent performance.

If you modify the agent configuration by deleting Console from the VirtualHosts=Console entry in the client's HttpProtocolHandler.ini, the console port becomes the agent port and console communications no longer get priority over agent traffic. This is not recommended.
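The tunnel rules above reduce to three reachability tests: client to parent on the agent port, client to parent on the tunnel port, and parent to client on the agent port. The following script is an added example and is not part of the BMC documentation or product. It runs plain TCP connect probes for the first two from the client, takes the result of the third as a flag (it has to be measured from the parent, for example with the same script's probe mode), and reports which of the cases described above applies. The port numbers are the page's defaults; the host names, the command-line interface and the choice of a TCP connect as the probe are assumptions. The parent port can be overridden for the case, described at the end of this page, where a DMZ relay forwards port 443.

```python
"""Decide whether a BMC Client Management client needs a tunnel to its parent.

Added example, not part of the BMC documentation or product. The port numbers
are the defaults given on this page; the TCP-connect probe and the command-line
interface are assumptions.

Run on the parent:  python agent_ports_check.py probe CLIENT_HOST 1610
Run on the client:  python agent_ports_check.py client PARENT_HOST [--parent-port 443] [--parent-can-reach-me]
"""
import argparse
import socket

AGENT_PORT = 1610   # default main agent communication port
TUNNEL_PORT = 1611  # port used by the client-initiated tunnel


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout), unresolvable name, ...
        return False


def required_mode(client_to_parent_agent: bool, client_to_parent_tunnel: bool,
                  parent_to_client_agent: bool) -> str:
    """Map the three reachability results onto the cases described on this page.

    direct                parent can reach the client: no tunnel is needed
    tunnel-on-1611        only client -> parent works: the tunnel on 1611 carries downstream traffic
    tunnel-on-agent-port  1611 is closed as well: the tunnel falls back to the agent port (slower)
    unreachable           the client cannot reach its parent's agent port at all
    """
    if not client_to_parent_agent:
        return "unreachable"
    if parent_to_client_agent:
        return "direct"
    if client_to_parent_tunnel:
        return "tunnel-on-1611"
    return "tunnel-on-agent-port"


def check_from_client(parent: str, parent_port: int = AGENT_PORT,
                      tunnel_port: int = TUNNEL_PORT,
                      parent_can_reach_client: bool = False) -> dict:
    """Run the two client-side probes and combine them with the parent-side result."""
    up_agent = probe(parent, parent_port)
    up_tunnel = probe(parent, tunnel_port)
    return {
        "client -> parent agent port %d" % parent_port: up_agent,
        "client -> parent tunnel port %d" % tunnel_port: up_tunnel,
        "parent -> client agent port": parent_can_reach_client,
        "mode": required_mode(up_agent, up_tunnel, parent_can_reach_client),
    }


def main() -> None:
    ap = argparse.ArgumentParser(description=__doc__,
                                 formatter_class=argparse.RawDescriptionHelpFormatter)
    sub = ap.add_subparsers(dest="cmd", required=True)
    p = sub.add_parser("probe", help="run on the parent: can it reach CLIENT_HOST:PORT?")
    p.add_argument("host")
    p.add_argument("port", type=int)
    c = sub.add_parser("client", help="run on the client: which mode applies?")
    c.add_argument("parent")
    c.add_argument("--parent-port", type=int, default=AGENT_PORT,
                   help="agent port on the parent; 443 when the DMZ relay forwards port 443")
    c.add_argument("--parent-can-reach-me", action="store_true",
                   help="set when 'probe <this host> 1610' succeeded from the parent")
    args = ap.parse_args()
    if args.cmd == "probe":
        print("open" if probe(args.host, args.port) else "closed or filtered")
    else:
        results = check_from_client(args.parent, args.parent_port,
                                    parent_can_reach_client=args.parent_can_reach_me)
        for key, value in results.items():
            print("%-36s %s" % (key, value))


if __name__ == "__main__":
    main()
```

A TCP connect only proves that a listener answers on that port, not that the agent protocol works through it; a proxy or load balancer in the path can accept the connection and still break the tunnel, so treat a "direct" or "tunnel-on-1611" result as the firewall being right, and confirm the agent status in the console afterwards.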

Asset discovery

The ports and ranges documented below are the default values. These values can be changed in the RemoteInventory.ini (TcpPortRange and UdpPortRange) file.

| Component | Source | Destination | TCP/UDP | Port number | Description |
| --- | --- | --- | --- | --- | --- |
| Asset Discovery | Asset Discovery Server | IP Devices | TCP | 15, 22, 23, 35, 80, 135, 137, 139, 443, 445, 515, 9100-9102 | TCP ports and ranges used for the Asset Discovery scans |
| Asset Discovery | Asset Discovery Server | IP Devices | UDP | 161 | UDP ports used for the Asset Discovery scans (SNMP) |
| Asset Discovery | Asset Discovery Server | IP Devices | TCP | 1024-1030 | Restricted WMI (DCOM) |
| Asset Discovery | Asset Discovery Server | IP Devices | TCP | 49152-65535 | Unrestricted WMI (DCOM) |

By default, WMI (DCOM) uses a dynamically assigned TCP port: the initial call goes to the RPC endpoint mapper on TCP 135 (included in the TCP list above), which hands out a port from the dynamic range, 1024-65535 on older Windows versions and 49152-65535 on current ones (the "unrestricted" row above). To simplify firewall configuration when you scan through firewalls, restrict WMI to a fixed port or a small range such as the "restricted" row above. For more information, see https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi.
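The asset discovery table describes two kinds of probes: TCP connects against a fixed port list and an SNMP query on UDP 161. The following script is an added example, not BMC's scanner code; it reproduces both so that a firewall rule set can be tested from the discovery server against a known device. The TCP port list is the page's default; the community string "public", the sysDescr OID (1.3.6.1.2.1.1.1.0) and the hand-written minimal BER/SNMPv1 encoder are choices made for this example, and the target host is whatever you pass on the command line.

```python
"""Reproduce the two probes behind an Asset Discovery scan: a TCP connect check
of the page's default port list and an SNMPv1 GET of sysDescr on UDP 161.

Added example, not BMC's scanner code. DEFAULT_TCP_PORTS is the page's default
list; the community string "public", the sysDescr OID and the minimal BER/SNMP
encoder below are choices made for this example.
"""
import socket

DEFAULT_TCP_PORTS = [15, 22, 23, 35, 80, 135, 137, 139, 443, 445, 515,
                     9100, 9101, 9102]
SNMP_PORT = 161
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # SNMPv2-MIB::sysDescr.0

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value: int) -> bytes:
    # two's complement, shortest form; only non-negative values are needed here
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:                        # remaining arcs: base 128, high bit
        chunk = [arc & 0x7F]                     # set on every byte but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQ { version 0, community, GetRequest(0xA0) { id, 0, 0, varbinds } }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))            # { oid, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(content: bytes) -> list:
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = ber_read(content, pos)
        items.append((tag, body))
    return items

def parse_get_response(packet: bytes) -> list:
    """Return [(value_tag, value_bytes), ...] from an SNMPv1 GetResponse (0xA2)."""
    _, msg, _ = ber_read(packet)
    _version, _community, (pdu_tag, pdu) = ber_children(msg)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % pdu_tag)
    _req_id, (_, err_status), _err_index, (_, varbinds) = ber_children(pdu)
    if int.from_bytes(err_status, "big", signed=True) != 0:
        raise ValueError("SNMP error-status %d" % int.from_bytes(err_status, "big", signed=True))
    return [ber_children(vb)[1] for _, vb in ber_children(varbinds)]

def tcp_scan(host: str, ports=DEFAULT_TCP_PORTS, timeout: float = 1.0) -> list:
    """TCP connect scan; returns the ports that accepted a connection."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports

def snmp_sysdescr(host: str, community: str = "public", timeout: float = 2.0):
    """Send one GetRequest for sysDescr.0 and return the reply as text, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(snmp_get_request(community, SYS_DESCR_OID, 42), (host, SNMP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except OSError:              # timeout: no agent, wrong community, or filtered
            return None
    values = parse_get_response(data)
    return values[0][1].decode("utf-8", "replace") if values and values[0][0] == 0x04 else None

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("open TCP ports:", tcp_scan(target))
    print("sysDescr:", snmp_sysdescr(target))
```

Because SNMPv1 has no retransmission, a silent timeout cannot distinguish a filtered UDP 161 from a wrong community string or a device with no SNMP agent; compare the result with a capture on the target side before concluding that the firewall is at fault. The same connect loop can be pointed at the 1024-1030 range to verify that a DCOM port restriction is actually in effect on a scanned Windows host.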


Mobile Device Management

The following ports are used by the Mobile Device Management feature. Some ports are required for the management of Apple devices whereas others are required for the management of Android devices.

| Platform | Source | Destination | Protocol | Port number | Description |
| --- | --- | --- | --- | --- | --- |
| Apple | Master or Mobile Device Manager | ac.bmc.com | HTTPS | 10610 | The management of Apple devices requires a specific certificate delivered by Apple. To get this certificate, you must generate a certificate signing request (CSR), which must then be signed by a BMC cloud server. The certificate must be renewed every year. |
| Apple | IP Devices or Web browser | Mobile Device Manager | HTTPS | 1661 | Apple devices communicate with the manager on which they have been enrolled. While this endpoint is mainly reserved for the management of Apple devices, it also serves as the portal that end users use to enroll their Apple or Android mobile devices. This port number can be configured. |
| Apple | Mobile Device Manager | api.push.apple.com | HTTPS | 443 | Mobile device managers communicate with the Apple servers to send notifications. On receipt of a notification, the mobile devices connect to their mobile device manager. |
| Android | Mobile Device Manager | androidmanagement.googleapis.com | HTTPS | 443 | Mobile device managers communicate with the Google servers to execute web services using the Android Management API. |
| Android | Mobile Device Manager | oauth2.googleapis.com | HTTPS | 443 | Mobile device managers communicate with the Google servers to execute web services using the Android Management API. This endpoint is used as part of the OAuth flow. |


Notifications

XML-RPC packets are sent between the communicating agents as notifications to execute actions.

In this and the following tables, the two middle columns give the port used on each side of the connection: Any stands for any (ephemeral) port, Agent for the agent communication port (1610 by default), and names such as Bandwidth, Multicast, Broadcast and Kiosk for the corresponding ports listed in the overview above.

| Parent Server | Client | Description |
| --- | --- | --- |
| Any | Agent | Downstream notification |
| Agent | Any | Upstream notification |

HTTP Files Transfer

File transfer is executed over HTTP and passes through the FileStore; it covers all types of inventories, synchronizations, packages, files, assignments, status reports, and so on.

| Parent Server | Client | Description |
| --- | --- | --- |
| Any | Agent | Downstream (packages, assignments, deletions, scripts, ...) |
| Agent | Any | Upstream (status, identity, inventories, ...) |
| Any | Multicast | Multicast |

Bandwidth Calculation

To measure the currently available bandwidth, TCP/IP packets are sent to the bandwidth management port at the defined rate (by default every 60 seconds) for the defined period of time (by default 200 ms).

| Parent Server | Client | Description |
| --- | --- | --- |
| Bandwidth | Any | Data sent to calculate the available bandwidth |

Wake-On-LAN

Wake-On-LAN sends a magic packet to the target devices to wake them up.

| Parent Server | Client | Description |
| --- | --- | --- |
| Any | Broadcast | Wake-on-LAN notification |

Remote Control

A remote control session itself consists of screen image transfers and keyboard input between the console and the client; access-right verification (the privacy check) uses notifications.

| Console PC | Client | Description |
| --- | --- | --- |
| Any | Agent | Image transfer / keyboard orders |

| CM Master | Client | Description |
| --- | --- | --- |
| Any | Agent | Downstream notification for the privacy check, and the client's answer |

HCHL Web Interface

The agent web interface gives access to agent data via a browser.

| Web Browser | Client | Description |
| --- | --- | --- |
| Any | Agent | General web interface features |

MyApps Application Kiosk

MyApps is part of the agent web interface and allows specific operations to be executed and software packages to be installed via a browser, per user.

| Web Browser | Client | Description |
| --- | --- | --- |
| Any | Kiosk | Web interface for the user application kiosk |

Direct Access

The Direct Access functionality provides access to specific areas (file system, Registry, services, Task Manager, ...) of a device via the console.

| Console PC | Client | Description |
| --- | --- | --- |
| Any | Agent | Direct Access functionalities |

AutoDiscovery

The AutoDiscovery functionality scans the network for any type of hardware (PCs, printers, servers, firewalls, routers, ...).

| PC1 (scanner) | PC2 (scanned device) | Description |
| --- | --- | --- |
| Any | ICMP | Ping |
| Any | TCP | TCP port scan |
| Any | Agent | Check for the presence of the CM agent (AgentGetIdentity) |
| Any | Agent | Ask for the AutoDiscovery list of other devices if the parameter CanLearn is enabled (AutodiscoveryListDevices) |
| Any | Agent | Check whether the device is a relay (RelayGetValue) |

LDAP Synchronization

The CM master acts as a client of the LDAP server to synchronize its groups with those of the LDAP server, that is, devices and users (which become administrators and users in CM).

| CM Master | LDAP Server | Description |
| --- | --- | --- |
| Any | LDAP | LDAP synchronization |

OSD

The following ports should be open on the LAN that you are using to deploy devices. These ports must be bidirectional.

| Source | Destination | Type | Port | Description |
| --- | --- | --- | --- | --- |
| OSD Target Subnet | Network Boot Listener | UDP | 68 | DHCP |
| DHCP Server | Network Boot Listener | UDP | 67 | DHCP |
| DHCP Server | OSD Target Subnet | UDP | 67 | DHCP |
| OSD Target Subnet | Network Boot Listener | UDP | 67 | DHCP |
| OSD Target Subnet | Network Boot Listener | UDP | 69 | TFTP |
| OSD Target Subnet | Network Boot Listener | TCP | 1610, 1611, 1613 | Client Management |
| Network Boot Listener / Image Repository | OSD Manager | TCP | 1610, 1611, 1613 | Client Management |
| OSD Target Subnet | Image Repository | TCP | 1610, 1611, 1613 | Client Management |
| OSD Target Subnet | Image Repository (captures) | TCP | 139, 445 | SMB |
| OSD Target Subnet | Network Boot Listener | TCP | Depends on the multicast configuration (see the screenshot below) | Multicast ports |
| OSD Target Subnet | All networks on which other devices will be deployed | TCP | Depends on the multicast configuration (see the screenshot below) | Multicast ports |

If you use multicast to deploy your OS deployment projects, you should also open the multicast ports configured in the OSD settings, as shown in the following screenshot:

(screenshot: OSD_port.png, multicast port configuration in the OSD settings)

Ensure the following:

  • If the DHCP server is a switch, the IP Helper is not used.
  • If the DHCP server is not a switch and an IP Helper is set, it should point to the network boot listener (its name or address).
  • No other setting, such as a whitelist of allowed DHCP servers, causes DHCP servers that are not specifically listed to be discarded.

To manage port redirections between an agent and its parent

If port 1610 is blocked and only port 443 is allowed between the clients on the WAN and their DMZ relay, redirect the WAN traffic to port 443 on the DMZ relay. Apply the following configuration when port 1610 is blocked for clients that connect through the internet.

  • On the DMZ relay:

    1. Open HttpProtocolHandler.ini, located in C:\Program Files\BMC Software\Client Management\Client\config.
    2. Search for ForwardedPorts= and set its value to 443.
      (screenshot: CM_ports_1.jpg)
  • On the client devices at off-site locations (where port 1610 is blocked):

    1. Open Relay.ini, located in C:\Program Files\BMC Software\Client Management\Client\config.
    2. Search for ParentPort= and set its value to 443.
      (screenshot: CM_ports_2.jpg)

 
