Making HP SUM network ports available

HP SUM requires that certain network ports are available. If you lock down network ports, make sure that the ports listed in the network port tables are open so that HP SUM works correctly when connecting to remote node servers and hosts. If you are unable to unlock these network ports, you must run HP SUM locally and update network-based hosts through their web interfaces (for example, the OA, iLO, and VC modules).


[NOTE: ]

NOTE: Use the open_firewall parameter for HP SUM to automatically open the required firewall ports on the local host and any remote servers.


Updates for most node types require network traffic in both directions between the server running HP SUM and the node. The server running HP SUM creates a local HTTP server, which is used to serve firmware binaries to the node and to communicate node status. The remote node issues HTTP requests and posts status updates to the server running HP SUM during the update process. If there is a routing problem or firewall blocking traffic back from the remote node to the system running HP SUM, firmware updates might be blocked, status updates blocked or delayed, or both.

System running HP SUM

Target node type

Inventory phase

Deployment phase

   

To target

From target (HP SUM 7.2.1 and earlier)

From target (HP SUM 7.3.0 and later)

To target

From target (HP SUM 7.2.1 and earlier)

From target (HP SUM 7.3.0 and later)

Windows

Windows

445, 135, 137, 138, 139

63001, 63002

None

445, 135, 137, 138, 139

63001, 63002

None

Windows or Linux

Linux

22

63001, 63002

None

22

63001, 63002

None

Windows or Linux

HP-UX

22

63001, 63002

63001, 63002

22

63001, 63002

63001, 63002

Windows or Linux

VMware

443, 5989

63001

63001

443, 5989

63001

63001

Windows or Linux

OA

22, (80), 443

None

None

22, (80), 443

None

None

Windows or Linux

iLO, VC, FC switch, SAS switch, Moonshot, Superdome 2/X

22, (80), 443

None

None

22, (80), 443

63001

63001

HP SUM uses port 63002 to communicate between the hpsum_binary and hpsum_service applications on both Windows and Linux systems.


[NOTE: ]

NOTE: Windows to Windows traffic uses WMI, a standard DCOM-In port 135 and Async-in and WMI-in.


Issue the commands /port and /ssl_port to change from ports 63001 and 63002 if there are firewall conflicts. Use --open_firewall to open the HTTP and HTTPS ports used by HP SUM for external access. Open these ports for remote node functionality and for remote browser access. For example:

hpsum /port 80 /ssl_port 443

You can issue the command /ftp_port to assign which port to use for FTP service. By default the FTP port is disabled. Use the command to enable the service.

Changing the port address in the hpsum.ini file

You can change the network ports HP SUM uses by editing the hpsum.ini file or using the /port or /ssl_port CLI parameters. For more information on editing the hpsum.ini file, see Changing the hpsum.ini file.

The following commonly used alternate network ports are:

  • port=63001 edit to port=80

  • ssl_port=63002 edit to ssl_port=443

Enabling HP SUM ports for VMware nodes

By default, outgoing connections are blocked in VMware servers, except ports 80, 443, and 5989. Use the following steps to enable the default ports of 63001 and 63002. You need to enable these outgoing ports on the VMware server.

  1. Create an HTTP HP SUM firewall rule that enables outgoing connection via port 63001.

  2. Create the file httpSUM.xml in the /etc/vmware/firewall directory. Type the following into the file:

    /etc/vmware/firewall # cat httpHPSUM.xml

    <!-- Firewall configuration information for FDM -->

    <ConfigRoot>

    <service id='0000'>

    <id>httpHPSUM</id>

    <rule id='0000'>

    <direction>outbound</direction>

    <protocol>tcp</protocol>

    <porttype>dst</porttype>

    <port>63001</port>

    </rule>

    <enabled>true</enabled>

    <required>false</required>

    </service>

    </ConfigRoot>

  3. Refresh by using the command, esxcli network firewall refresh.

  4. Repeat the steps for port 63002.

Special network configuration note for Integrity servers

Integrity servers have management network and production interfaces. These are typically kept on separate subnets in an installation. To perform full remote administration of the server, access is required for both networks. If you keep both networks isolated, you need to perform management and operating systems tasks separately.