DNS/DHCP Server firewall requirements - BlueCat Integrity - 9.4.0

Address Manager Administration Guide


Ports used by DNS/DHCP Server when it's operating under Address Manager control.

Note: The ports must be opened on the firewall for access to the DNS/DHCP Server services listed. If a service isn't required or in use, its port can be blocked.

DNS/DHCP Server listener ports:

Port Number   Protocol   Use
-----------   --------   ---
22            TCP        SSH/SCP connectivity to servers, iDRAC connectivity and SSH2 (secure shell)
53            TCP/UDP    DNS, Discovery
67            UDP        DHCP server
69            UDP        TFTP service for file transfer
88            TCP/UDP    Kerberos/Active Directory Authentication
123           UDP        Network Time Protocol (NTP)
161           UDP        SNMP polling
179**         TCP        BGP protocol (Anycast)
520**         UDP        RIP protocol (Anycast)
547           UDP        DHCPv6 server
647           TCP/UDP    DHCP failover
694           UDP        xHA (heartbeat)
847           TCP/UDP    DHCP failover
7788          TCP        xHA disk partition data replication
7789          TCP        xHA disk partition data replication
10042         TCP        Secure management and connectivity to DNS/DHCP Servers and Address Manager Management port
30865         TCP        xHA configuration replication (csync2)
DNS/DHCP Server ports used as a client:

Port Number   Protocol   Use
-----------   --------   ---
53            TCP/UDP    DNS resolution, DDNS and zone transfer
68            UDP        DHCP server
88            TCP/UDP    Kerberos/Active Directory Authentication
123           UDP        Network Time Protocol (NTP)
162*          UDP        SNMP traps
179**         TCP        BGP protocol (Anycast)
514           UDP        syslog (system log) redirection from Address Manager / IBM QRadar and HP ArcSight***
520**         UDP        RIP protocol (Anycast)
546           UDP        DHCPv6 server
647           TCP        DHCP failover
694           UDP        xHA (heartbeat)
847           TCP/UDP    DHCP failover
7788          TCP        xHA disk partition data replication
7789          TCP        xHA disk partition data replication
10045/10046   TCP/UDP    Address Manager and DNS/DHCP Server notification
30865         TCP        xHA configuration replication (csync2)
Note: Port notices

* These are the standard ports for the specified protocol and use; however, you can specify different ports.

** The OSPF protocol can also be used for the Anycast service. When using OSPF (OSPFIGP, IP protocol number 89), the UDP protocol must also be enabled, and the multicast addresses 224.0.0.5 and 224.0.0.6 are used for communication.

*** You cannot configure BDDS to redirect syslog to a remote syslog server and an IBM QRadar / HP ArcSight server at the same server IP address and port.

When dedicated management is enabled on a BDDS, management, notification, SNMP polling, and SSH traffic is limited to the management interface (eth2). If dedicated management is enabled, ensure the following traffic is allowed:
  • Traffic from BAM's IP to port 10042 on the BDDS's eth2 IP (management).
  • Traffic from the BDDS's eth2 IP to ports 10045/10046 on BAM's IP (notifications).
  • Traffic towards port 22 on the BDDS's eth2 IP (SSH).
  • Traffic towards port 161 on the BDDS's eth2 IP (SNMP polling). †

† Enabling dedicated management isolates SNMP polling traffic to the eth2 IP, but does not isolate SNMP trap traffic to a particular interface. The BDDS IP that SNMP trap messages are sent from is determined by the default gateway and static routes configured on the BDDS.
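The following is an added example, not BlueCat's code, that turns the listener port table and the dedicated-management bullets above into an audit check: given candidate inbound flows towards a BDDS, it reports which ones the page's requirements permit. The port subset is transcribed from the table; all IP addresses and flows are constructed sample values, and the helper names are hypothetical.

```python
from dataclasses import dataclass

# BDDS listener ports transcribed from the table on this page: (port, proto) -> use
LISTENER_PORTS = {
    (22, "tcp"): "SSH/SCP",
    (53, "tcp"): "DNS", (53, "udp"): "DNS",
    (67, "udp"): "DHCP server",
    (161, "udp"): "SNMP polling",
    (10042, "tcp"): "BAM management",
    (30865, "tcp"): "xHA csync2",
}
# Services the page says move to the dedicated management interface (eth2) when enabled
MGMT_ONLY_PORTS = {(22, "tcp"), (161, "udp"), (10042, "tcp")}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP on the BDDS
    port: int   # destination port
    proto: str  # "tcp" or "udp"


def check_flow(flow, bam_ip, bdds_eth2_ip, dedicated_mgmt=True):
    """Return (allowed, reason) for one inbound flow to the BDDS."""
    key = (flow.port, flow.proto.lower())
    use = LISTENER_PORTS.get(key)
    if use is None:
        return False, f"{flow.proto}/{flow.port} is not a BDDS listener port"
    if dedicated_mgmt and key in MGMT_ONLY_PORTS and flow.dst != bdds_eth2_ip:
        return False, f"{use} must target the eth2 IP {bdds_eth2_ip} under dedicated management"
    if key == (10042, "tcp") and flow.src != bam_ip:
        return False, f"{use} on 10042 is only expected from BAM ({bam_ip})"
    return True, use


def audit(flows, bam_ip, bdds_eth2_ip, dedicated_mgmt=True):
    """Return the flows that should be denied, each paired with its reason."""
    return [(f, r) for f in flows
            for ok, r in [check_flow(f, bam_ip, bdds_eth2_ip, dedicated_mgmt)] if not ok]


if __name__ == "__main__":
    # Constructed sample addresses: BAM, BDDS service IP (eth0) and BDDS management IP (eth2)
    BAM, ETH0, ETH2 = "192.0.2.10", "198.51.100.5", "198.51.100.20"
    sample = [Flow(BAM, ETH2, 10042, "tcp"),          # allowed: BAM -> eth2 management
              Flow(BAM, ETH0, 10042, "tcp"),          # denied: management must hit eth2
              Flow("203.0.113.7", ETH0, 53, "udp"),   # allowed: DNS on the service IP
              Flow("203.0.113.7", ETH0, 8080, "tcp")] # denied: not a listener port
    for flow, reason in audit(sample, BAM, ETH2):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```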

Additional ports might need to be opened for iDRAC usage. For more information, refer to the Dell iDRAC User Guide.