Re: Cheat sheet. All this information plus lots of other stuff can be found in:
Hardware Management Console Security Manual SC28-6987-01

Regards
Parwez Hamid

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Edgington, Jerry <jerry.edging...@westernsouthernlife.com>
Sent: 20 March 2019 14:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Remote access to Z14 ZR1 Support Element via HMC question

Dana,

Here is my "cheat sheet" for HMC ports and direction. However, I don't know if they have changed for z14 ZR1, but they work for z13s.

○ HMC inbound IP ports from internal network

  Type  Source Port    Usage
  ICMP  8              Establish communication with resources managed by HMC
  TCP   58787 - 58788  Automatic discovery of zServers
  UDP   58788          Automatic discovery of zServers
  UDP   9900           HMC to HMC auto discovery
  TCP   55555          SSL communication from servers
  TCP   9920           SSL HMC and zServers
  TCP   443            Remote user access to HMC
  TCP   9950-9959      Proxy Single Object Operations to server
  TCP   9960           Java applet-based tasks (not required since v2.12.1)
  UDP   161            SNMP automation of the HMC
  TCP   161            SNMP automation of the HMC
  TCP   3161           SNMP automation of the HMC
  TCP   6794           SSL automation traffic, including HMC Mobile app
  TCP   61612          Web Services API message broker, flowing STOMP
  TCP   61617          Web Services API message broker, flowing OpenWire
  UDP   123            Set the time of the servers
  UDP   520            Communications with routers from HMC
  TCP   22             Remote access by Product Engineering
  TCP   21             Inbound FTP requests
  TCP   3900-3909      AMM for zBX

○ HMC outbound IP ports to network to internal network

  Type  Source Port    Usage
  ICMP  8              Establish communication with resources managed by HMC
  UDP   9900           HMC to HMC auto discovery
  TCP   58787 - 58788  Automatic discovery of zServers
  UDP   58788          Automatic discovery of zServers
  TCP   55555          SSL communication from servers
  TCP   9920           SSL HMC and zServers
  TCP   443            Single Object Operations to server console
  TCP   9960           Java applet-based tasks (not required since v2.12.1)
  TCP   25345          Single Object Operations to server console
  TCP   X              LDAP port to authenticate Users
  TCP   443            Call home requests RSF, and HMC mobile app
  TCP   3900           AAM for zBX
  TCP   21             Load system software or utility programs
  TCP   22             SSH
  UDP   123            Connect to NTP server
  TCP   25             SMTP for email

○ SE inbound IP ports from internal network

  Type  Source Port    Usage
  ICMP  8              Establish communication with resources managed by HMC
  TCP   58787          Automatic discovery of zServers
  UDP   58787          Automatic discovery of zServers
  TCP   55555          SSL communication from servers
  TCP   9920           SSL HMC and zServers
  TCP   443            Call home requests RSF, and HMC mobile app
  TCP   9950-9959      Manage DataPower XI50z from HMC
  TCP   9960           Java applet-based tasks (not required since v2.12.1)
  UDP   161            SNMP automation of the HMC
  TCP   161            SNMP automation of the HMC
  TCP   3161           SNMP automation of the HMC
  UDP   123            Set the time of the servers
  UDP   520            Communications with routers from HMC
  TCP   22             Remote access by Product Engineering
  TCP   21             Inbound FTP requests
  TCP   3900-3909      AMM for zBX

○ SE outbound IP ports to internal networks

  Type  Source Port    Usage
  ICMP  8              Establish communication with resources managed by HMC
  UDP   9900           HMC to HMC auto discovery
  TCP   58787          Automatic discovery of zServers
  UDP   58787          Automatic discovery of zServers
  TCP   55555          SSL communication from servers
  TCP   9920           SSL HMC and zServers
  TCP   443            Single Object Operations to server console
  TCP   9960           Java applet-based tasks (not required since v2.12.1)
  TCP   25345          Single Object Operations to server console
  TCP   X              LDAP port to authenticate Users
  TCP   443            Call home requests RSF, and HMC mobile app
  TCP   3900           AAM for zBX
  TCP   21             Load system software or utility programs
  TCP   22             SSH
  UDP   520            Communications with routers from HMC
  UDP   123            Set the time of the servers

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Dana Mitchell
Sent: Wednesday, March 20, 2019 10:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Remote access to Z14 ZR1 Support Element via HMC question

As far as firewall rules go, we can access SOO remotely so I'm looking back at some of my old firewall requests, and it looks like for a new HMC I requested ports 443, 9960 and 2300 to be opened. But in the current doc, port 2300 is not referenced, so I don't recall what that was for.

Your other question about accessing the SE's, I would say that wouldn't be necessary very much at all once the machine is set up, perhaps for CHP problem determination type of thing, but I can't think of normal day to day requirements.

Dana

On Wed, 20 Mar 2019 22:02:21 +1300, Laurence Chiu <lch...@gmail.com> wrote:

>
>Any thoughts from the group on this parallel approach. I have no idea
>how often the SE needs to be accessed but this is a fairly static
>environment so I would think not that often.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN