
EMC Secure Remote Services

Release 3.04

Port Requirements
Rev 02
March 23, 2015

This document contains supplemental information about the EMC
Secure Remote Services v3.04 (ESRS v3.04). ESRS v3.04 is the virtual
edition of ESRS. This document includes the following topics:

Communication between ESRS and EMC
Communication between ESRS and Policy Manager
Communication between ESRS and devices
Port requirements for ESRS and Policy Manager (PM) servers
Port requirements for devices

Note: Some ports used by ESRS and devices may be registered for use by other
parties, or may not be registered by EMC. EMC is addressing these registration
issues. In the meantime, be aware that all ports listed for use by the ESRS servers
and devices will be in use by the EMC applications listed.

Communication between ESRS and EMC



To enable communication between your EMC Secure Remote
Services (ESRS) and EMC, you must configure your external network
and/or firewalls to allow traffic over the specific ports as shown in
Table 1 on page 4. These tables identify the installation site network
firewall configuration open-port requirements for ESRS. The
protocol, port numbers, and direction are identified relative to the
ESRS servers and storage devices. Figure 1 on page 3 shows the
communication paths.

Communication between ESRS and Policy Manager


To enable communication between ESRS and Policy Manager, you
must configure your internal firewalls to allow traffic over the
specific ports as shown in Table 1 on page 4. These tables identify the
installation site network firewall configuration open-port
requirements for ESRS. The protocol, port numbers, and direction are
identified relative to the ESRS servers and storage devices. Figure 1
on page 3 shows the communication paths.

Communication between ESRS and devices


There are two connection requirements between the ESRS server and
your managed devices:

The first is the communication between ESRS and your managed
devices for remote access connections. ESRS secures remote access
connections to your EMC devices by using a session-based IP
port-mapped solution.

The second communication requirement is between ESRS and your
managed devices for Connect Home messages. ESRS brokers
Connect Home file transfers from your managed devices that support
connect-home through ESRS, ensuring secure transport,
authorization, and auditing for those transfers.

To enable communication between ESRS and your devices, you must
configure your internal firewalls to allow traffic over the specific
ports as shown in Table 1 on page 4 and Table 2 on page 6. These
tables identify the installation site network firewall configuration
open-port requirements for ESRS IP. The protocol, port numbers, and
direction are identified relative to the ESRS servers and storage
devices. Figure 1 on page 3 shows the communication paths.

Note: See Primus emc169001, What IP addresses are used by the EMC
Secure Remote Services IP Solution. You can access this Primus at
support.emc.com or in Appendix D of the ESRS Release 3.04 Operations
Guide.

Figure 1. Port diagram for generic EMC managed product


Port requirements for ESRS and Policy Manager (PM) servers



Table 1 on page 4 lists the port requirements as follows:

Table 1. Port requirements for ESRS and Policy Manager servers

EMC product | TCP port or Protocol | Notes for port settings | Direction open | Source -or- Destination | Application name

ESRS

HTTPS 443
See KB article 13285, What IP addresses are used by the EMC Secure Remote Support IP Solution?. You can access this article on support.emc.com.

Outbound

to EMC

Client service

HTTPS 443 and 8443
See KB article 13285, What IP addresses are used by the EMC Secure Remote Support IP Solution?. You can access this article on support.emc.com.

Outbound

to EMC Global Access Servers (GAS)

Client service

Communication (network traffic) type | Performed by authorized EMC Global Services personnel: Support objective (frequency)

Service notification, setup, all traffic except remote support: N/A

Remote support: N/A

Service notification from device: N/A

Remote support for device: N/A

Policy query: N/A

IMPORTANT:
Port 8443 is not required for functionality; however, without this port
being opened, there will be a significant decrease in remote support
performance, which will directly impact time to resolve issues on the
end devices. The following hosts/IP addresses and ports need to be
added as FTPS destinations:
curpusfep3.emc.com = 128.221.234.66 990
corpusfep4.emc.com = 168.159.209.45 990

Port 990 for ConnectHome failover (if configured)
Supports ConnectHome failover if the ESRS Channel is unavailable

Outbound

FTPS to EMC FEP

SMTP 25 for ConnectHome failover (if configured)
May use the customer's e-mail server to relay the ConnectHome or may send directly to EMC

Outbound

to EMC through customer's mail server

HTTPS 443
Use of HTTPS for service notifications inbound is dependent on the version of ConnectEMC used by the managed device. Refer to product documentation. If configured, MUST use the customer SMTP server.

Inbound

from Managed device (EMC product)

Apache httpd listener

Port 9443
Customer access to ESRS GUI

HTTPS 9443
Use HTTPS 9443 for making RESTful service calls to add/remove/update managed devices, to send connecthomes and to send device heartbeat check to ESRS

Passive FTP ports: 21, 5400-5413
During the ESRS-IP installer execution, the value for Passive Port Range in FTP is set to 21 and 5400 through 5413. This range indicates the data channel ports available for response to PASV commands. See RFC 959 for passive FTP definition. These ports are used for passive mode FTP of connect-home messages as well as for the GWExt loading and output. GWExt uses HTTPS by default but can be configured to use FTP.

ESRS: Apache
httpdftp

SMTP 25

ESRS: postfix

IMPORTANT:
When opening ports for devices in Table 2, also open the same ports
on the ESRS server, identified as Inbound from ESRS Virtual
Edition (VE) server

Outbound

to Managed device

HTTP (configurable) Default = 8090
HTTPS 8443

Outbound

to Policy Manager

Client service


Client service

EMC
TCP port
product or Protocol Notes for port settings
HTTP 8118

Policy Manager
HTTP (configurable) Default = 8090

To support ESRS proxy.

Communication
(network traffic)
type

Performed by authorized
EMC Global Services
personnel: Support
objective (frequency)

Direction
open

Source -orDestination

Application
name

Inbound

To
Gateway

Proxy client

Services eLicensing requests and inbound traffic to Gateway for MFT. Leveraged by standalone embedded ESRS Device Clients.
N/A

Inbound

from ESRS IP
Clients
(and customer
browser)

Policy Manager
service

Policy query
(and policy
management by
customer)

Outbound

to Customer
email server

N/A

HTTPS 8443
SMTP 25

Action request


Port requirements for devices



Table 2 on page 6 lists the port requirements for EMC devices.

Table 2. Port requirements for devices

EMC product
Atmos


Performed by
authorized EMC
Global Services
personnel: Support
objective (frequency)

ConnectEMC

Service
notification

NA

from
ESRS

CLI (via SSH)

Remote
support

to
ESRS

ConnectEMC

Service
notification

CLI (via SSH)

Remote
support

TCP port
or Protocol Notes for port settings

Direction Source -or- Application


open
Destination name

HTTPSa

Outbound

Passive FTP
SMTP

to
ESRS
to ESRS or to
Customer
SMTP server

22

Inbound

443

Avamar

Communication
(network
traffic)
type

HTTPSa

Outbound

Passive FTP
SMTP

22

Inbound

from
ESRS

80,443, 8778,
8779, 8780,
8781, 8580,
8543, 9443,
7778, 7779,
7780, and 7781

AVInstaller

Outbound

to
ESRS

ConnectEMC

Inbound

from
ESRS

Celerra Manager Remote


(Web UI)
support

Passive FTP

Service
notification

SMTP
All of: 80, 443,
and 8000
22

EMC
Centera

SMTP

This telnet port should be enabled only if SSH (port 22) cannot be used.
Outbound

Both 3218 and


3682
22

NA

Administration (occasional)
Troubleshooting (frequent)

Enterprise
Manager

HTTPSa

23

Administration (occasional)
Troubleshooting (frequent)

to ESRS or to
Customer
SMTP server

8543

Celerra

SecureWebUI


Note: NAS code 5.5.30.x and earlier supports only FTP; NAS code 5.5.31.x supports both FTP and SMTP for connect-home by using ESRS.
Administration (occasional)

CLI (via SSH)

Troubleshooting (frequent)

Telnet

Troubleshooting (rare)
Use only if CLI cannot be
used

to Customer
SMTP server

ConnectEMC

Service
notification

N/A

from
ESRS

EMC Centera
Viewer

Remote
support

Diagnostics (frequent)

CLI (via SSH)

Troubleshooting (frequent)

EMC
product

TCP port
or Protocol Notes for port settings

CLARiiON and CLARiiON portion of EDL
HTTPSa
Passive FTPa
SMTP

Service notification for CLARiiON and EDL is supported only on centrally managed devices via a management server. Distributed CLARiiON devices (including EDL) use ESRS or Customer email server (SMTP) for service notifications.

Outbound

13456
22 (to run pling)
Both 80 and
443, or
optionally
(depending on
configuration),
both 2162 and
2163

Direction Source -or- Application


open
Destination name

Inbound

to
ESRS

from
ESRS

For more information, refer to CLARiiON documentation.

KTCONS

Service
notification

N/A

Remote
support

Troubleshooting (occasional)

Navisphere
Manager;
also allows
Navisphere
SecureCLI

Administration (frequent)
Troubleshooting (frequent)

RemotelyAnywhere

5414

EMCRemote

All of: 6389,


6390, 6391, and
6392

Navisphere CLI

60020

Remote
Diagnostic Agent

HTTPSa

Outbound

Passive FTPa

to
ESRS

SMTP

Connectrix HTTPSa
switch family Passive FTPa

Performed by
authorized EMC
Global Services
personnel: Support
objective (frequency)

ConnectEMC,
Navisphere SP
Agent

9519

Navisphere
Management
Station

ConnectEMC

Communication
(network
traffic)
type

ConnectEMC

Diagnostics (occasional)
Service
notification

N/A

ConnectEMC,
Navisphere SP
Agent
When using Connectrix Manager

Outbound

to
ESRS

ConnectEMC or Service
DialEMC
notification

N/A

5414

Inbound

from
ESRS

EMCRemote

Remote
support

Troubleshooting (frequent)

5414
9519
Customer Management Station

Inbound

From
ESRS

EMCRemote

Remote
support

Troubleshooting (frequent)

SMTP

3389

RemoteDesktop

80, 443, 8443

WebHTTPHTTP

22

Data Domain HTTPS

CLI (via SSH)


Inbound

from
ESRS

Enterprise
Manager

Remote
support

Administration (occasional)
Troubleshooting (frequent)

22

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Administration (occasional)
Troubleshooting (frequent)

SMTP

Outbound

to Customer
SMTP server

CentOS

Service
notification

N/A

22

Inbound

Remote
support

Troubleshooting (frequent)

Inbound

from
ESRS

CLI (via SSH)

443

HTTP

DL3D
Engine

RemotelyAnywhere

Secure Web UI


EMC
product
DLm

Communication
(network
traffic)
type

Performed by
authorized EMC
Global Services
personnel: Support
objective (frequency)

TCP port
or Protocol Notes for port settings

Direction Source -or- Application


open
Destination name

HTTPSa

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Passive FTPa
SMTP
22
80, 443, 8000
80,443

DLmConsole

3389

Remote Desktop

HTTPSa

DPA

Celerra Manager

Outbound

to ESRS

Inbound

from ESRS

Passive FTPa
SMTP
22
9002,9003,
9004

DPA GUI

3389

ElasticCloud HTTPSa
Storage
Passive FTPa
(ECS)

Remote Desktop
Outbound

to ESRS

Inbound

from ESRS

SMTP
22

80, 443, 4443

EDL
Engine
(except
DL3D)

HTTPSa
Passive FTPa
SMTP
22

ECS UI
Service notification for EDL is supported only on centrally managed devices via a management server. Distributed CLARiiON devices (including EDL) use ESRS or Customer email server (SMTP) for service notifications.

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Outbound

to Customer
SMTP server

ConnectEMC

Service
notification

NA

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

EMCRemote

Remote
support

Troubleshooting (frequent)

Inbound

11576

Greenplum
Data
Computing
Appliance
(DCA)
Invista
Element
Manager
Invista
CPCs

HTTPSa
Passive FTP
SMTP
22
HTTPSa
Passive FTPa

Administration (occasional)
Troubleshooting (frequent)

SMTP
5414
All of: 80, 443,
2162, and 2163
5201

EDL Mgt Console


Invista Element
Manager and
InvistaSecCLI
ClassicCLI

EMC
product
Isilon

TCP port
or Protocol Notes for port settings
HTTPSa
Passive FTP

Communication
(network
traffic)
type

Performed by
authorized EMC
Global Services
personnel: Support
objective (frequency)

ConnectEMC

Service
notification

NA

ISI-Gather Log
Process

Configuration
information

CLI (via SSH)

Remote
support

Direction Source -or- Application


open
Destination name

ESRS team highly recommends using CEC-HTTPS transport protocol as FTP and SMTP are plain text protocols.

Outbound

to
ESRS

SMTP
Managed File Transfer (MFT) 8118
Within Isilon OneFS 7.1, the isi_gather_info script will send the Isilon log file back to EMC via MFT using port 8118 on the ESRS. All other Connect Homes will use ConnectEMC to send files to ESRS using HTTPS, Passive FTP, or SMTP.
22

Inbound

from
ESRS

8080

RecoverPoint

SMTP

Outbound

to
ESRS

22

Inbound

from
ESRS

80, 443, and


7225

Switch
Brocade-B

Switch
Cisco

22
23
Note: If
managed by
Connectrix
Manager, use
port 5414

Inbound

SMTP
22

SSH must be enabled and configured.

23

This telnet port should be enabled only if SSH (port 22) cannot be used.

Symmetrix HTTPSa

from
ESRS

This telnet port should be enabled only if SSH (port 22) cannot be used.

Outbound

to Customer
SMTP server

Inbound

from
ESRS

WEBUI

CLI (via SSH)


RecoverPoint
Management GUI
CLI (via SSH)
Telnet

Administration (occasional)
Troubleshooting (frequent)

Service
notification

N/A

Remote
support

Troubleshooting (frequent)

Remote
support

Troubleshooting (frequent)
Troubleshooting (rare)
Use only if CLI cannot be
used

N/A
CLI (via SSH)
Telnet

Remote
support

Troubleshooting (frequent)
Troubleshooting (rare)
Use only if CLI cannot be
used

Outbound

to
ESRS

ConnectEMC or Service
DialEMC
notification

N/A

Inbound

from
ESRS

RemotelyAnywhere

Remote
support

Troubleshooting (frequent)

Passive FTPa
SMTP
22
9519

ViPR

5414

EMCRemote

All of: 1300,


1400, 4444,
5555, 7000,
23003, 23004,
and 23005

SGBD/Swuch/
Chat Server/
Remote Browser/
InlineCS

HTTPSa

Outbound

to
ESRS

Inbound

from
ESRS

Passive FTPa

Advanced troubleshooting (by EMC Symmetrix Engineering) (rare)

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

SMTP
22
443, 4443, 80

ViPR
Management GUI
(ViPRUI)


EMC
product
ViPRSRM

Communication
(network
traffic)
type

Performed by
authorized EMC
Global Services
personnel: Support
objective (frequency)

TCP port
or Protocol Notes for port settings

Direction Source -or- Application


open
Destination name

HTTPSa

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

22

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

HTTPSa

Outbound

to
ESRS

ConnectEMC

Service
notification

NA

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

ConnectEMC

Service
notification

NA

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

Passive FTPa
SMTP

VMAX3

Passive FTPa
SMTP
22
5414

EMCRemote

4444, 5555,
7000

InlineCS

7000

RemoteBrowser

9519

RemotelyAnywhere

5555, 23004,
23003, 1300

SGDB

5555, 23004
HTTPSa
VMAX
Cloud Edition Passive FTPa
(CE)

SWUCH
Outbound

to
ESRS

Inbound

from
ESRS

SMTP
22

443, 8443, 22,


80, 903, 8080,
10080, 10443,
902

VNX

VClient

443

WebHostLogAccess (Primary)

443

WebHostAccess

9443, 443, 80

WebVClient

5480

vAppAccess
(Primary)

HTTPSa

Administration (frequent)

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

KTCONS

Remote
support

Troubleshooting (occasional)

Passive FTPa
SMTP
13456
13456, 13457

RemoteKTrace

Administration (frequent)
Troubleshooting (frequent)

9519

10

RemotelyAnywhere

22

CLI (via SSH)

80, 443, 2162,


2163, 8000

Unisphere/USM/
Navisphere
SecureCLI

6391,6392,
60020

Remote
Diagnostic Agent


Diagnostics (occasional)

EMC
product
VNXe

Communication
(network
traffic)
type

Performed by
authorized EMC
Global Services
personnel: Support
objective (frequency)
N/A

TCP port
or Protocol Notes for port settings

Direction Source -or- Application


open
Destination name

HTTPSa

Outbound

to Customer
SMTP server

ConnectEMC

Service
notification

Inbound

from
ESRS

CLI (via SSH)

Remote
support

to
ESRS

ConnectEMC

from ESRS

Invista Element
Manager

Passive FTP
SMTP
22
80 and 443

VPLEX

SMTP
443

Outbound
Inbound

22

VSPEX
BLUE

HTTPSa

Unisphere
CLI (via SSH)

Service
notification

N/A

Remote
support

Troubleshooting (frequent)

CLI (via SSH)

Outbound to

Advanced troubleshooting (by EMC Symmetrix Engineering) (rare)

ConnectEMC

Service
notification

N/A

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

ESRS

Passive FTP

Administration (occasional)
Troubleshooting (frequent)

SMTP
22

Inbound

from ESRS

Outbound

to
ESRS

ConnectEMC

Service
notification

N/A

Inbound

from
ESRS

CLI (via SSH)

Remote
support

Troubleshooting (frequent)

5900, 5901
XtremIO

HTTPSa

VNC

Passive FTPa
SMTP
22, 80, 443
80, 443, 42502

XTREMIOGUI

a. Use of HTTPS for service notifications is dependent on the version of ConnectEMC used by the managed device. Refer to product
documentation. The default port for HTTPS is 443. The value for Passive Port Range in FTP is set to 21 and 5400 through 5413. This
range indicates the data channel ports available for response to PASV commands. These ports are used for passive mode FTP of
connect-home messages as well as for the GWExt loading and output.
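
The passive port range in this footnote can be checked against what an FTP server actually returns. The following is an added example, not part of the EMC document: it decodes RFC 959 `227` PASV replies and lists data ports outside 5400 through 5413, which a firewall opened only for that range would drop. The reply strings and addresses are constructed samples, and the function names are hypothetical.

```python
import re

# Passive data-channel range stated in the document: 5400 through 5413.
ESRS_PASV_PORTS = range(5400, 5414)

# RFC 959 PASV reply carries h1,h2,h3,h4,p1,p2; the data port is p1*256 + p2.
_PASV = re.compile(r"^227[ -].*?" + ",".join([r"(\d{1,3})"] * 6))


def parse_pasv(reply):
    """Return (ip, port) decoded from a 227 reply; raise ValueError otherwise."""
    m = _PASV.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def outside_range(replies, allowed=ESRS_PASV_PORTS):
    """List (reply, port) pairs whose data port a range-only firewall rule blocks."""
    bad = []
    for reply in replies:
        _, port = parse_pasv(reply)
        if port not in allowed:
            bad.append((reply, port))
    return bad


# Constructed sample replies (addresses are placeholders, not from the document).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,0,0,5,21,24)",   # 21*256 + 24 = 5400
    "227 Entering Passive Mode (10,0,0,5,21,37)",   # 5413, last port in range
    "227 Entering Passive Mode (10,0,0,5,21,38)",   # 5414, one past the range
    "227 Entering Passive Mode (10,0,0,5,195,80)",  # 50000, far outside the range
]

if __name__ == "__main__":
    for reply, port in outside_range(SAMPLE_REPLIES):
        print("blocked by 5400-5413 rule: port %d <- %s" % (port, reply))
```

A reply that decodes to a port outside the range means the server's passive range and the firewall rule disagree, which shows up as a control connection on port 21 that succeeds while the transfer hangs.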


Copyright 2015 EMC Corporation. All rights reserved.


EMC believes the information in this publication is accurate as of its publication date. The information is
subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN
THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable
software license.
For the most up-to-date regulatory document for your product line, go to Technical Documentation and
Advisories section on the EMC Online Support Site (support.emc.com).
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
