EMC® VNX® Series Security Configuration Guide for VNX


VNX for file Data Mover network ports

NOTE: Unisphere enables you to manage some network services. The Unisphere interface shows the current status of most network services (enabled or disabled) and provides a convenient means of enabling or disabling the services. Select your system then use Settings for File > Network Services. For more information about enabling and disabling network services, refer to the Unisphere online help.
Table 1. VNX for file Data Mover network ports
Port Protocol Default State Service Comments
20 TCP Closed FTP Port used for FTP data transfers. This port can be opened by enabling FTP as described in the next row. Authentication is performed on port 21 and defined by the FTP protocol.
21 TCP Closed FTP Port 21 is the control port on which the FTP service listens for incoming FTP requests.

All Data Movers run the FTP service. You can enable the FTP service by using the following command:

server_ftp <movername> -service -start

You can disable the FTP service by using the following command:

server_ftp <movername> -service -stop

The authentication process is defined by the FTP protocol definition (RFC 959) and cannot be changed. It is possible to authenticate by using either UNIX names or a Windows domain and username (domain\user).

Using FTP, TFTP and SFTP on VNX provides details about running and managing the FTP service on a Data Mover.

22 TCP Closed SFTP (FTP over SSH) SFTP is a client/server protocol. Users can use SFTP to perform file transfers on a VNX system on the local subnet. The underlying SSH version 2 protocol provides well separated layers for secure file transfer between systems.

Using FTP, TFTP and SFTP on VNX provides details about running and managing the FTP service on a Data Mover.

69 UDP Closed TFTP Initially, TFTP listens on the UDP port 69. After a request is read on port 69, a different port is randomly chosen for the TFTP data transfer. By definition (RFC 1350), TFTP does not authenticate requests.

The TFTP service is not started by default; it must be manually started.

You can enable the TFTP service by using the following command:

server_tftp <movername> -service -start

You can disable the TFTP service by using the following command:

server_tftp <movername> -service -stop

Using FTP, TFTP and SFTP on VNX provides details about running and managing the FTP service on a Data Mover.

111 TCP/UDP Open rpcbind (Network infrastructure) This port is opened by the standard portmapper or rpcbind service and is an ancillary VNX for file network service. It cannot be stopped. By definition, if a client system has network connectivity to the port, it can query it. No authentication is performed.
123 UDP Closed NTP This port is related to the NTP (Network Time Protocol). It can be opened when NTP is configured on the Data Mover.
135 TCP Open DCE Remote Procedure Call (DCERPC) Serves multiple purposes for Microsoft clients.
137 UDP Closed NETBIOS Name Service (CIFS) This port can be opened by using the following command:

server_setup <movername> -Protocol cifs -option start

This port can be closed by stopping CIFS services. Use the following command:

server_setup <movername> -Protocol cifs -option stop

Note that this disables all CIFS-related services.

The NETBIOS Name Service is associated with the VNX for file CIFS file sharing services and is a core component of that feature. If CIFS services are enabled, then this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to VNX for file CIFS services must have network connectivity to the port for continued operation.

138 UDP Closed NETBIOS Datagram Service (CIFS) This port can be opened by using the following command:

server_setup <movername> -Protocol cifs -option start

This port can be closed by stopping CIFS services. Use the following command:

server_setup <movername> -Protocol cifs -option stop

Note that this disables all CIFS-related services.

The NETBIOS Datagram Service is associated with the VNX for file CIFS file sharing services and is a core component of that feature. If CIFS services are enabled, then this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to VNX for file CIFS services must have network connectivity to the port for continued operation.

139 TCP Closed NETBIOS Session Service (CIFS) This port can be opened by using the following command:

server_setup <movername> -Protocol cifs -option start

This port can be closed by stopping CIFS services. Use the following command:

server_setup <movername> -Protocol cifs -option stop

Note that this disables all CIFS-related services.

The NETBIOS Session Service is associated with the VNX for file CIFS file sharing services and is a core component of that feature. If CIFS services are enabled, then this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to VNX for file CIFS services must have network connectivity to the port for continued operation.

161 TCP/UDP Closed SNMP This port is used to provide Simple Network Management Protocol (SNMP), which is a management and monitoring service used by many third-party management tools. The SNMP daemon (SNMPD), which runs on the Data Mover, supports SNMPv1, SNMPv2c, and SNMPv3. SNMPv3 supports IPv4, IPv6, and enhanced security over SNMPv1 and SNMPv2c.

Authentication of SNMPv1 and v2c is based on a client system using the correct community string. The community string is "public" by default and should be changed by using the following command:

server_snmpd <movername> -modify -community <community>

SNMPv3 uses authentication and privacy passwords which can be configured using the following command:

server_snmpd <movername> -user -create <user> -authpw -privpw

SNMP is used for some communication between the Control Station and the Data Mover. If it is disabled, the server_netstat command will cease to function properly.

The SNMP service on a Data Mover can be disabled using the following command:

server_snmpd <movername> -service -stop

See Using SNMPv3 on VNX for more details on SNMP.

445 TCP Open CIFS This port is the new default CIFS connectivity port for Windows 2000 and later clients. The port is opened by enabling CIFS services. Use the following command: server_setup <movername> -Protocol cifs -option start

This port is closed by stopping CIFS services. Use the following command:

server_setup <movername> -Protocol cifs -option stop

Note that this disables all CIFS-related services.

Clients with legitimate access to the VNX for file CIFS services must have network connectivity to the port for continued operation. Authentication is addressed on this port in accordance with Microsoft practices.

500 UDP Closed Iked This port is for the Internet Key Exchange Daemon.
520 UDP Open Routing Information Protocol (RIP) (Network infrastructure) This port can be closed by using the following command:

server_setup <movername> -Protocol rip -option stop

This port can be opened by using the following command:

server_setup <movername> -Protocol rip -option start

Routing Information Protocol (RIP) is a routing protocol optimized for creating routes within one organization (interior gateway protocol). RIP is a distance-vector protocol that uses hop count (max 15) as the metric. RIP-1 does not send the mask in updates. RIP-2 sends the mask in updates.

Configuring and Managing Networking on VNX explains the purpose and configuration of RIP services on the Data Mover. Instructions for disabling the service are also included.

989 TCP Closed FTPS FTPS data transfer port. Connections are initially established on port 990 and data connections are on this port. See RFC 4217: Securing FTP with TLS.
990 TCP Closed FTPS FTPS control port where FTPS sessions are initially established. The authentication process is defined by RFC 4217: Securing FTP with TLS. It is possible to authenticate using either UNIX names or a Windows domain and username (domain\user).

Using FTP, TFTP and SFTP on VNX provides information about FTPS and TLS/SSL operations.

1020 TCP/UDP (defaults to a port number greater than 1024) Closed CDMS nfs / FileMover for NFS This port can be used for the CDMS nfs migration or FileMover for NFS services. Clients of both services must have network connectivity to the port for continued operation.

VNX File System Migration Version 2.0 for NFS and CIFS provides more information about file system migration operations.

Using VNX FileMover provides more information about FileMover operations.

1021 TCP/UDP (defaults to a port number greater than 1024) Closed CDMS nfs / FileMover for NFS This port can be used for the CDMS nfs migration or FileMover for NFS services. Clients of both services must have network connectivity to the port for continued operation.

VNX File System Migration Version 2.0 for NFS and CIFS provides more information about file system migration operations.

Using VNX FileMover provides more information about FileMover operations.

1234 TCP/UDP Open mountd (NFS) This port is used for the mount service, which is a core component of the NFS service (versions 2 and 3), and is an important component of the Control Station to Data Mover interaction, even if there are no NFS exports externally visible from the Data Mover.

Configuring NFS on VNX explains several methods of controlling access to NFS exports. Authentication of users is AUTH_SYS by default. If stronger authentication is desired, Secure NFS is generally available. Secure NFS provides Kerberos authentication for end users.

2049 TCP/UDP Open NFS This port is used to provide NFS services and is an important component of the Control Station to Data Mover interaction, even if there are no NFS exports externally visible from the Data Mover.

Configuring NFS on VNX explains several methods of controlling access to NFS exports. Authentication of users is AUTH_SYS by default. If stronger authentication is desired, Secure NFS is generally available. Secure NFS provides Kerberos authentication for end users. If AUTH_SYS authentication is used, only port 2049 needs to be open between VNX for file and NFSv4 clients.

2400 TCP/UDP Closed FMP/Notify This port is used to provide the FMP/notify service. This service is used by the VNX for file NFS Cluster product.

To determine if any NFS Clusters are configured, use the nas_server -l command. The cluster has the type "group." To remove any NFS clusters, use the following command:

nas_server <cluster_name> -delete

4647 UDP Open lockd forward (Infrastructure for NFS Cluster) This is not a public service. It is used only on the VNX for file interconnection network. External clients will not need to reach this service. It can be blocked by a firewall. This service is used by the VNX for file NFS Cluster product.

To determine if any NFS Clusters are configured, use the nas_server -l command. The cluster has the type "group." To remove any NFS clusters, use the following command:

nas_server <cluster_name> -delete

4656 TCP/UDP Closed FMP (Applicable only to systems running VNX OE for file earlier than version 8.x.) This port is associated with the Multi-Path File Services (MPFS) feature. It can be opened by using the following command:

server_setup <movername> -Protocol mpfs -option start

For the MPFS service to work, clients must be able to contact VNX for file on the FMP port and VNX for file must be able to contact the clients on their FMP port (Port 6907 for UNIX clients and port 625 for Windows clients).

4658 TCP Open Portable Archive Interchange (PAX) - (Backup Services) PAX is a VNX for file archive protocol that works with standard UNIX tape formats. The protocol is used only between the Control Station and Data Mover. It is only used on the private network.

This service may be disabled if local tape backup is not used. Details on how to disable this service are in Primus under ID emc49339.

Background information on PAX is contained in the relevant EMC documentation on backups and NDMP. There are several technical modules on this topic to deal with a variety of backup tools.

5033 TCP Open Network Block Service (NBS) An EMC proprietary protocol similar to (and a precursor of) iSCSI. The NBS service that opens this port is a core VNX for file service and cannot be stopped.

Externally, NBS is used for snapshot and replication control functions.

When used for Control Station to Data Mover communication, the private VNX for file interconnection network is used.

5080 TCP Closed HTTP (FileMover support and internal infrastructure) HTTP is used as a transport medium for FileMover and for some Control Station to Data Mover information exchanges. FileMover traffic is for ILM-related policy engines to send commands to the Data Mover. The policy engines are authenticated by using the HTTP digest authentication method. This is described in the FileMover documentation. Using VNX FileMover explains the configuration and monitoring commands.

HTTPS (HTTP over SSL) is also available on the Data Mover.

Because the HTTP transport is also used for Control Station to Data Mover interactions, the service cannot be disabled. However, this only requires that the Data Mover accept HTTP requests from the Control Station over the private network within the VNX cabinet. Access to the HTTP service by external agents is disabled by default.

5081 TCP Open Replication services Data Mover-to-Data Mover replication commands.
5083 TCP Open Replication services This port is associated with replication services.
5084 TCP Open Replication services This port is associated with replication services.
5085 TCP Open Replication services This port is associated with replication services.
7777 TCP Open Statistics monitoring service This is the default port for the statistics monitoring service. It may be closed by running the following command: server_stats <movername> -service -stop

Managing Statistics for VNX provides information about configuring this service.

8887 TCP Closed Replication services This port is used for replication (on the primary side). It is opened by the replicator when a Data Recovery (DR) is requested. It is closed when the DR is completed. Clients (other VNX for file systems) that use the replication service must be able to communicate with this port.
8888 Replication services Open RCP (Replication services) This port is used by the replicator (on the secondary side). It is left open by the replicator as soon as some data has to be replicated. After it is started, there is no way to stop the service.

Clients (other VNX for file servers) that use the replication service must be behind the same firewall for continued operation.

10000 TCP Open NDMP (Backup services) The Network Data Management Protocol (NDMP) enables you to control the backup and recovery of an NDMP server through a network backup application, without installing third-party software on the server. In VNX for file, the Data Mover functions as the NDMP server.

The NDMP service can be disabled if NDMP tape backup is not used.

The NDMP service is authenticated with a username/password pair. The username is configurable. The NDMP documentation describes how to configure the password for a variety of environments.

10001 through 10004 TCP Closed NDMP For a single three-way backup/restore only, TCP connections between Data Movers use port 10001. If there are multiple three-way backup/restore sessions, the Data Mover uses ports 10001 to 10004.
12345 TCP/UDP Open usermapper (CIFS) The usermapper service opens this port. It is a core service associated with VNX for file CIFS services and should not be stopped in specific environments.

This is the method by which Windows credentials (which are SID-based) are mapped to UNIX-based UID and GID values.

It is possible to close this port. The command to do this is:

server_usermapper <movername> -disable

Configuring VNX User Mapping provides more information about configuring this service in Windows-only and multiprotocol environments.

31491 UDP Open Remote File Access (RFA) (NFS functionality) The service that opens this port is RFA and is a core VNX for file service associated with NFS. It cannot be stopped.
38914 UDP Closed nfs forward (Infrastructure for NFS Cluster) This is not a public service. It is used only on the VNX for file interconnection network. External clients do not need to reach this service. It can be blocked by a firewall. This service is used by the VNX for file Cluster product.

To determine if any NFS Clusters are configured, use the nas_server -l command. The cluster has the type "group." To remove any NFS clusters, use the following command:

nas_server <cluster_name> -delete

49152 through 65535 TCP/UDP Open statd (NFS support)

statd is the NFS file-locking status monitor and works in conjunction with lockd to provide crash and recovery functions for NFS (which is inherently a stateless protocol).

statd is a core VNX for file service, but it can be stopped. To stop this service:

  1. Use vi to edit the following file:

    /nas/server/<server_name>/netd

  2. Comment out the statd line. statd becomes #statd.
  3. Restart the Data Mover.

This may be reset automatically during an upgrade. Be sure to recheck. Clients with legitimate access to the VNX for file NFS services need to have network connectivity to this port.

49152 through 65535 TCP/UDP Open rquotad (Quota support)

The rquotad daemon provides quota information to NFS clients that have mounted a file system. An NFS user who has mounted a VNX for file file system can access quota information for the file system by using the quota command. This command runs on the client side and interrogates the rquotad daemon on the Data Mover through RPC.

To use this functionality, the client must have already mounted the file system. Authentication is AUTH_SYS, similar to that used for the NFS protocol. You must have root access to the file system to get the quota information for different users. rquotad can be stopped:

  1. Use vi to edit the following file:

    /nas/server/<server_name>/netd

  2. Comment out the rquotad line. rquotad becomes #rquotad.
  3. Restart the Data Mover.

This may be reset automatically during an upgrade. Be sure to recheck. Clients with legitimate access to the VNX for file NFS services need to have network connectivity to this port.

49152 through 65535 TCP/UDP Open lockd (NFS support)

lockd is the NFS file-locking daemon. It processes lock requests from NFS clients and works in conjunction with the statd daemon.

lockd is a core VNX for file service, but it can be stopped. To stop this service:

  1. Use vi to edit the following file:

    /nas/server/<server_name>/netd

  2. Comment out the lockd line. lockd becomes #lockd.
  3. Restart the Data Mover.

This may be reset automatically during an upgrade. Be sure to recheck.
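The netd procedure above (the same three-step edit for statd, rquotad and lockd) as a scripted transform, together with a check for the post-upgrade recheck the guide recommends. This is an added example, not from the EMC guide; the netd layout (one daemon name at the start of each line) and the sample file content are assumptions.

```python
"""Comment out an NFS helper daemon in a Data Mover netd file (added example)."""
import re

# Daemons the guide says are core services that may nevertheless be stopped.
STOPPABLE = {"statd", "rquotad", "lockd"}

def disable_daemon(netd_text: str, daemon: str) -> str:
    """Return netd_text with the daemon's line commented out ('statd' -> '#statd').

    Idempotent: an already commented line is left alone, and only a line that
    begins with the exact daemon token is touched (no substring matches).
    A Data Mover restart is still required for the change to take effect.
    """
    if daemon not in STOPPABLE:
        raise ValueError(f"{daemon} is not one of the daemons the guide says may be stopped")
    out = []
    for line in netd_text.splitlines(keepends=True):
        if re.match(rf"^{daemon}(\s|$)", line):
            line = "#" + line
        out.append(line)
    return "".join(out)

def enabled_daemons(netd_text: str) -> set:
    """Stoppable daemons whose netd line is still active (post-upgrade recheck)."""
    found = set()
    for line in netd_text.splitlines():
        fields = line.strip().split()
        if fields and fields[0] in STOPPABLE:
            found.add(fields[0])
    return found

# Constructed sample netd content; the real file is /nas/server/<server_name>/netd.
SAMPLE_NETD = "nfs\nmountd\nstatd\nlockd\nrquotad\n"

if __name__ == "__main__":
    hardened = disable_daemon(SAMPLE_NETD, "statd")
    print(hardened)
    print("still enabled:", sorted(enabled_daemons(hardened)))
```

Run enabled_daemons against the live file after every upgrade, since the guide warns the edit may be reset.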
49152 through 65535 TCP/UDP Open MAC MAC is a proprietary management protocol between the Control Station and Data Mover. It is used only on the private network between the two.

This is a core service and cannot be stopped.
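Table 1 as a machine-checkable baseline: an added example, not from the EMC guide, that encodes a subset of the rows above (port, protocol, default state, and whether the guide says the service is used only on the private network) and flags deviations in a constructed listener snapshot. The Listener record and its "external"/"private" interface tags are assumptions; real input would come from the Control Station or an authorized scan.

```python
"""Baseline check of Data Mover listeners against Table 1 (added example)."""
from dataclasses import dataclass

# Subset of Table 1: port -> (protocols, default state, private-network only).
# private-network only is True where the guide says the service is used only on
# the VNX for file interconnection network or between Control Station and Data Mover.
BASELINE = {
    21:    ("TCP",     "Closed", False),  # FTP control port
    69:    ("UDP",     "Closed", False),  # TFTP, no authentication (RFC 1350)
    111:   ("TCP/UDP", "Open",   False),  # rpcbind, cannot be stopped
    161:   ("TCP/UDP", "Closed", False),  # SNMP
    445:   ("TCP",     "Open",   False),  # CIFS
    2049:  ("TCP/UDP", "Open",   False),  # NFS
    4647:  ("UDP",     "Open",   True),   # lockd forward, interconnect only
    4658:  ("TCP",     "Open",   True),   # PAX, Control Station to Data Mover only
    10000: ("TCP",     "Open",   False),  # NDMP
    38914: ("UDP",     "Closed", True),   # nfs forward, interconnect only
}

@dataclass(frozen=True)
class Listener:
    port: int
    proto: str   # "TCP" or "UDP"
    iface: str   # assumed tag: "external" or "private"

def check_listeners(listeners, snmp_community=None):
    """Return one finding string per deviation from the Table 1 baseline."""
    findings = []
    for l in listeners:
        if l.port not in BASELINE:
            findings.append(f"{l.port}/{l.proto}: not in the baseline subset, investigate")
            continue
        protos, default, private_only = BASELINE[l.port]
        if l.proto not in protos.split("/"):
            findings.append(f"{l.port}/{l.proto}: protocol not listed in Table 1 ({protos})")
        if default == "Closed":
            findings.append(f"{l.port}/{l.proto}: closed by default, confirm it was enabled deliberately")
        if private_only and l.iface == "external":
            findings.append(f"{l.port}/{l.proto}: private-network service reachable externally")
    if snmp_community == "public" and any(l.port == 161 for l in listeners):
        findings.append("161: SNMP community string is still the default 'public'")
    return findings

# Constructed snapshot, not real Data Mover output.
SAMPLE = [
    Listener(21, "TCP", "external"),     # FTP enabled: default-closed port now open
    Listener(111, "TCP", "external"),    # expected
    Listener(161, "UDP", "external"),    # SNMP enabled
    Listener(2049, "TCP", "external"),   # expected
    Listener(4647, "UDP", "private"),    # expected, on the interconnect
    Listener(4658, "TCP", "external"),   # PAX should not be reachable externally
]

if __name__ == "__main__":
    for finding in check_listeners(SAMPLE, snmp_community="public"):
        print(finding)
```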

