Firewall Requirements
Please also see our Firewall Connectivity Guide for basic guidance when preparing to deploy an on-premise BMC Helix Network Management VA (whether as a stand-alone deployment or service engine).
External Communication
BMC Helix Network Management can operate without internet access. However, licensing, software updates, and remote support are greatly simplified with some basic Internet access.
Here are the firewall configuration requirements to get BMC Helix Network Management's online components working correctly.
For automatic license updates
BMC Helix Network Management can automatically update its license over the Internet, so manually renewing it is unnecessary.
If your firewall allows you to restrict access by domain name, you can use the following destination:
- Destination activation.netreo.net:443
On application-aware firewalls, configure this destination as SSL/TLS or HTTPS traffic.
For software updates
BMC Helix Network Management allows you to perform online software updates to receive the latest patches and fixes.
If your firewall allows you to restrict access by domain name, you can use the following destination:
- Destination updates.netreo.com:443
For cloud features
BMC Helix Network Management uses various dynamic technologies to route and assign users to the best or closest cloud-hosted server, so it is not possible to restrict access to a specific group of IP addresses.
If your firewall allows you to restrict access by domain name, you can use the following destinations:
- Destination incident.api.netreo.com:443 - for all communication from BMC Helix Network Management to the cloud for publishing incidents.
- Destination heartbeat.api.netreo.com:443 - for all heartbeat messages from BMC Helix Network Management to the cloud.
- Destination *.api.netreo.com:443 - for accessing the BMC Helix Network Management cloud libraries.
For geocoding and time zone information
These domains are used by the BMC Helix Network Management site and geographic map features and must be allowed for those features to work properly.
- api.geonames.org - time zone
- dev.virtualearth.net - geocoding
For Microsoft 365 email authentication
If you select the SMTP Authenticated Relay (Office 365) option in Mail Alerting Administration, BMC Helix Network Management requires outbound Internet access to login.microsoftonline.com on port TCP/443 for authentication.
For monitoring Amazon Web Services Resources
To monitor AWS resources, the BMC Helix Network Management appliance performing the checks (whether primary, replica, or service engine) must be able to reach the following domains.
- *.amazonaws.com
For sending email alerts
BMC Helix Network Management is generally configured to send alerts via email. Our best practice recommendation is to allow BMC Helix Network Management to communicate outbound to the Internet on port TCP/25, as this allows direct connections to the smartphone gateways that should receive the alerts.
If that access is not possible, you can relay SMTP mail through an internal server; however, this creates a single point of failure for alerts if that relay host stops responding, so we recommend this configuration only as a last resort or for testing purposes.
Internal Communication
For web user UI access
Web users access the BMC Helix Network Management user interface through a web browser on the following ports:
- Port TCP/80
- Port TCP/443
Port access can optionally be restricted to TCP/443 only. (Requires the SuperAdmin user access level.)
For high-availability cluster communication
These ports are used for communication between cluster members and are only required if you use a BMC Helix Network Management HA cluster.
- Port: TCP/443
- Port: TCP/4567
- Port: TCP/4568
- Port: TCP/4444
- Port: TCP/48100
For service engine communication
This port is used for communication between BMC Helix Network Management and its service engines. It is required whenever a service engine is part of a BMC Helix Network Management deployment (including high availability deployments).
- Port: TCP/443
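The following script is an added example for validating the rules described in both the External Communication and Internal Communication sections above; it is not part of this guide or the BMC Helix Network Management product. It attempts a plain TCP connection to each destination and port listed on this page and reports which are open, blocked, or cannot be probed (the wildcard entries). Where the page gives no port (api.geonames.org, dev.virtualearth.net, *.amazonaws.com) the script assumes TCP/443, and the peer address used for the HA cluster and service engine ports is whatever address you pass on the command line. The connection routine is injectable so the report logic can be exercised without network access.

```python
"""Probe the firewall destinations and ports listed on this page (added example, not product code)."""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional

# A connector attempts a TCP connection and returns None on success or a short
# error string on failure. It is a parameter so the logic can be tested offline.
Connector = Callable[[str, int, float], Optional[str]]


@dataclass(frozen=True)
class Requirement:
    host: str      # destination host name; entries starting with "*." are wildcards
    port: int
    purpose: str   # purpose text taken from the page


@dataclass(frozen=True)
class Result:
    req: Requirement
    status: str    # "open", "blocked" or "skipped"
    detail: str


# External destinations from the page. Ports marked "assumed" are not stated
# on the page; TCP/443 is used here as an assumption.
EXTERNAL: List[Requirement] = [
    Requirement("activation.netreo.net", 443, "automatic license updates"),
    Requirement("updates.netreo.com", 443, "software updates"),
    Requirement("incident.api.netreo.com", 443, "publishing incidents to the cloud"),
    Requirement("heartbeat.api.netreo.com", 443, "heartbeat messages to the cloud"),
    Requirement("*.api.netreo.com", 443, "cloud libraries"),
    Requirement("api.geonames.org", 443, "time zone lookup (port assumed)"),
    Requirement("dev.virtualearth.net", 443, "geocoding (port assumed)"),
    Requirement("login.microsoftonline.com", 443, "Microsoft 365 SMTP relay authentication"),
    Requirement("*.amazonaws.com", 443, "AWS resource monitoring (port assumed)"),
]

# Internal ports from the page; the peer is the cluster member or service
# engine you are validating against.
HA_CLUSTER_PORTS = [443, 4567, 4568, 4444, 48100]
SERVICE_ENGINE_PORTS = [443]


def internal_requirements(peer: str) -> List[Requirement]:
    reqs = [Requirement(peer, p, "HA cluster communication") for p in HA_CLUSTER_PORTS]
    reqs += [Requirement(peer, p, "service engine communication") for p in SERVICE_ENGINE_PORTS]
    return reqs


def tcp_connect(host: str, port: int, timeout: float) -> Optional[str]:
    """Real connector: completes the TCP handshake only; sends no application data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:  # DNS failure, timeout and refusal all land here
        return str(exc)


def check(reqs: List[Requirement], connector: Connector = tcp_connect,
          timeout: float = 5.0) -> List[Result]:
    """Probe every requirement; wildcards are skipped because they name no host."""
    results: List[Result] = []
    for r in reqs:
        if r.host.startswith("*."):
            results.append(Result(r, "skipped", "wildcard: probe a concrete host under this domain"))
            continue
        err = connector(r.host, r.port, timeout)
        if err is None:
            results.append(Result(r, "open", ""))
        else:
            results.append(Result(r, "blocked", err))
    return results


def blocked(results: List[Result]) -> List[str]:
    """host:port pairs that the firewall (or DNS) did not let through."""
    return [f"{x.req.host}:{x.req.port}" for x in results if x.status == "blocked"]


def report(results: List[Result]) -> str:
    """One line per probe, in the order the requirements were given."""
    return "\n".join(
        f"{x.status:8}{x.req.host}:{x.req.port}  ({x.req.purpose}) {x.detail}".rstrip()
        for x in results
    )


if __name__ == "__main__":
    peer = sys.argv[1] if len(sys.argv) > 1 else None   # optional cluster/service engine peer
    reqs = list(EXTERNAL) + (internal_requirements(peer) if peer else [])
    res = check(reqs)
    print(report(res))
    sys.exit(1 if blocked(res) else 0)
```

Run it from the appliance's network segment (for example `python3 probe.py 10.0.0.2` with the address of a cluster peer) and it exits non-zero if any listed destination is unreachable. A successful TCP handshake only shows that the layer-4 path is open: an application-aware firewall may still drop the session if the destination is not classified as SSL/TLS or HTTPS as the page requires, so confirm that classification in the firewall policy separately. The TCP/25 alert path is not probed because the page names no specific mail gateway.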