Jude wrote this up; it should be in the KB - search for 'ports' or something like that. Off the top of my head I think it's
PXE - 4011/udp
TFTPD - 69/udp
mtftpd - 1759 (I don't think we use this)
DHCP - 69
Appserver - 9831/tcp
UDP 1759 is the TFTP Multicast port. The Provisioning manager configurations tab has settings for MTFTP that allows configuration.
When you PXE boot a server you will see it uses Multicast and MTFTP to download the initial boot image.
MTFTP? I think it always fails and goes back to regular TFTP.
of those ports listed... none of them.
I just validated. Blade.img is loaded with MTFTP. Then, once blade.img has booted it uses TFTP to download additional files from the TFTP root.
MTFTP isn't ever used, so disregard the reference to 1758 and 1759.
Then why when I boot a server do I see the Multicast address and the word "MTFTP" followed by the stream of "............" that we normally see?
Thanks everyone. That was pretty helpful. Just to sum up, all those ports are used by MTFTP, but MTFTP can fall back to TFTP, so none of those ports are truly necessary.
When I do a tcpdump on the app server, I'm seeing ports being opened in the range of 29000 - 33000. The worst part is that the port number seems random; I've seen a few dozen ports used during the provisioning process.
So how can the client create a proper ACL? They're not keen on opening up four thousand ports for BladeLogic.
I saw this too at Buffalo. I don't think we need it...
Is the link above still the latest concise listing of all the ports that need to be open? Excluding the new 7.4.1 ports. That's the only post I could find that Jude put up relating to the list of ports.
Is there also a similar list that specifies between which specific servers these ports have to be open? (vs. the fact that the port should just be opened on that particular BladeLogic server)
I don't think so. Jude had a doc for this at some point...
this might be incomplete but:
target -> 9831/tcp -> appserver
target -> pxe/tftp/dhcp -> pxe/tftp/dhcp server(s)
target -> http/cifs -> pxestore (http for linux, cifs for windows)
pxe/tftp -> 1433/1521 -> bl database
appserver -> 1433/1521 -> bl database
It would be great to reference Jude's document but I can't seem to locate it in the new BMC knowledge base. Any hints??
ports being opened in the range of 29000 - 33000.
These ports are the counterpart of the mtftp-port. Every tcp-connection comes from a port and goes to a port (that's my understanding). Many ports are set for some special service (21 ftp, 22 ssh, and so on).
If you establish a connection from your workstation to e.g. an ftp-server you have two ports in use:
Some - normally unused - port like 29876 on your workstation and 21 on the ftp-server. The outgoing tcp-packet from your workstation has the 29876 included so the data coming back from the ftp-server knows where to go.
This 29876 port can be any number currently available on your system. So on the firewall you just say: outbound connection to port 21 is allowed (no matter what port it comes from) AND inbound connection FROM port 21 is allowed in case it is an answer to your outbound connection (this is recognized via some flags in the tcp-header).
(That's what I configured some years ago with iptables on Linux - and it still works ;) )
So you won't have to worry about these "high ports".
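An added illustration of the stateful reply-matching described above (example code, not from the thread or from BladeLogic): a small Python filter run over constructed tcpdump-style lines, assuming a hypothetical target 10.0.0.20 and app server 10.0.0.5 on 9831/tcp. Replies landing on the random high client ports are accepted because they belong to an established connection, while a fresh connection aimed at such a port is dropped, so the 29000 - 33000 range needs no ACL entry of its own.

```python
import re

# Destination ports the ACL explicitly permits; 9831/tcp is the app server port from the thread.
ALLOWED_TCP_PORTS = {9831}

# Constructed tcpdump-style lines, not a real capture. 10.0.0.20 is a hypothetical
# provisioning target, 10.0.0.5 a hypothetical app server; the client side of each
# connection uses a random high port, like the 29000-33000 range seen in the thread.
SAMPLE_CAPTURE = """\
IP 10.0.0.20.29876 > 10.0.0.5.9831: Flags [S], seq 1
IP 10.0.0.5.9831 > 10.0.0.20.29876: Flags [S.], seq 2, ack 2
IP 10.0.0.20.29876 > 10.0.0.5.9831: Flags [.], ack 3
IP 10.0.0.20.32410 > 10.0.0.5.9831: Flags [S], seq 9
IP 10.0.0.5.9831 > 10.0.0.20.32410: Flags [S.], seq 4, ack 10
IP 10.0.0.5.9831 > 10.0.0.20.31002: Flags [S], seq 7
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse_line(line):
    """Return (src, sport, dst, dport, flags), or None if the line is not a TCP packet."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def filter_capture(capture, allowed=ALLOWED_TCP_PORTS):
    """Stateful policy: new connections only to allowed ports, replies matched by state."""
    established = set()  # (src, sport, dst, dport) of connections already let through
    verdicts = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        forward, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if forward in established or reverse in established:
            verdicts.append((line, "ACCEPT", "established"))   # reply or continuation
        elif dport in allowed and flags == "S":
            established.add(forward)                            # plain SYN to a service
            verdicts.append((line, "ACCEPT", f"new connection to {dport}"))
        else:
            verdicts.append((line, "DROP", f"unsolicited to {dport}"))
    return verdicts


def ports_needing_rules(verdicts):
    """Destination ports that needed an explicit ACL entry: only the service ports."""
    return {parse_line(l)[3] for l, v, why in verdicts if why.startswith("new")}
```

Running `filter_capture(SAMPLE_CAPTURE)` accepts the first five packets and drops the last one, and `ports_needing_rules` reports only 9831.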