Port | Protocol | Default state | Service
20 | TCP | Closed | FTP
Port used for FTP data transfers. This port can be opened by enabling FTP as described in the next row. Authentication is performed on port 21 and defined by the FTP protocol.

21 | TCP | Closed | FTP
Port 21 is the control port on which the FTP service listens for incoming FTP requests. All Data Movers run the FTP service. You can enable the FTP service by using the following command:
    server_ftp <movername> -service -start
You can disable the FTP service by using the following command:
    server_ftp <movername> -service -stop
The authentication process is defined by the FTP protocol definition (RFC 959) and cannot be changed. It is possible to authenticate by using either UNIX names or a Windows domain and username (domain\user).
Using FTP, TFTP and SFTP on VNX provides details about running and managing the FTP service on a Data Mover.

22 | TCP | Closed | SFTP (FTP over SSH)
SFTP is a client/server protocol. Users can use SFTP to perform file transfers on a VNX system on the local subnet. The underlying SSH version 2 protocol provides well separated layers for secure file transfer between systems.
Using FTP, TFTP and SFTP on VNX provides details about running and managing the FTP service on a Data Mover.

69 | UDP | Closed | TFTP
Initially, TFTP listens on UDP port 69. After a request is read on port 69, a different port is randomly chosen for the TFTP data transfer. By definition (RFC 1350), TFTP does not authenticate requests.
The TFTP service is not started by default; it must be manually started. You can enable the TFTP service by using the following command:
    server_tftp <movername> -service -start
You can disable the TFTP service by using the following command:
    server_tftp <movername> -service -stop
Using FTP, TFTP and SFTP on VNX provides details about running and managing the FTP service on a Data Mover.

111 | TCP/UDP | Open | rpcbind (Network infrastructure)
This port is opened by the standard portmapper or rpcbind service and is an ancillary VNX for file network service. It cannot be stopped. By definition, if a client system has network connectivity to the port, it can query it. No authentication is performed.

123 | UDP | Closed | NTP
This port is related to the NTP (Network Time Protocol). It can be opened when NTP is configured on the Data Mover.

135 | TCP | Open | DCE Remote Procedure Call (DCERPC)
Multiple purposes for Microsoft clients.

137 | UDP | Closed | NETBIOS Name Service (CIFS)
This port can be opened by using the following command:
    server_setup <movername> -Protocol cifs -option start
This port can be closed by stopping CIFS services. Use the following command:
    server_setup <movername> -Protocol cifs -option stop
Note that this disables all CIFS-related services.
The NETBIOS Name Service is associated with the VNX for file CIFS file sharing services and is a core component of that feature. If CIFS services are enabled, then this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to VNX for file CIFS services must have network connectivity to the port for continued operation.

138 | UDP | Closed | NETBIOS Datagram Service (CIFS)
This port can be opened by using the following command:
    server_setup <movername> -Protocol cifs -option start
This port can be closed by stopping CIFS services. Use the following command:
    server_setup <movername> -Protocol cifs -option stop
Note that this disables all CIFS-related services.
The NETBIOS Datagram Service is associated with the VNX for file CIFS file sharing services and is a core component of that feature. If CIFS services are enabled, then this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to VNX for file CIFS services must have network connectivity to the port for continued operation.

139 | TCP | Closed | NETBIOS Session Service (CIFS)
This port can be opened by using the following command:
    server_setup <movername> -Protocol cifs -option start
This port can be closed by stopping CIFS services. Use the following command:
    server_setup <movername> -Protocol cifs -option stop
Note that this disables all CIFS-related services.
The NETBIOS Session Service is associated with the VNX for file CIFS file sharing services and is a core component of that feature. If CIFS services are enabled, then this port is open. It is specifically required for earlier versions of the Windows OS (pre-Windows 2000). Clients with legitimate access to VNX for file CIFS services must have network connectivity to the port for continued operation.

161 | TCP/UDP | Closed | SNMP
This port is used to provide Simple Network Management Protocol (SNMP), which is a management and monitoring service used by many third-party management tools. The SNMP daemon (SNMPD), which runs on the Data Mover, supports SNMPv1, SNMPv2c, and SNMPv3. SNMPv3 supports IPv4, IPv6, and enhanced security over SNMPv1 and SNMPv2c.
Authentication of SNMPv1 and v2c is based on a client system using the correct community string. The community string is "public" by default and should be changed by using the following command:
    server_snmpd <movername> -modify -community <community>
SNMPv3 uses authentication and privacy passwords, which can be configured by using the following command:
    server_snmpd <movername> -user -create <user> -authpw -privpw
SNMP is used for some communication between the Control Station and the Data Mover. If it is disabled, the server_netstat command will cease to function properly.
The SNMP service on a Data Mover can be disabled by using the following command:
    server_snmpd <movername> -service -stop
See Using SNMPv3 on VNX for more details on SNMP.

445 | TCP | Open | CIFS
This port is the new default CIFS connectivity port for Windows 2000 and later clients. The port is opened by enabling CIFS services. Use the following command:
    server_setup <movername> -Protocol cifs -option start
This port is closed by stopping CIFS services. Use the following command:
    server_setup <movername> -Protocol cifs -option stop
Note that this disables all CIFS-related services.
Clients with legitimate access to the VNX for file CIFS services must have network connectivity to the port for continued operation. Authentication is addressed on this port in accordance with Microsoft practices.

500 | UDP | Closed | Iked
This port is for the Internet Key Exchange Daemon.

520 | UDP | Open | Routing Information Protocol (RIP) (Network infrastructure)
This port can be closed by using the following command:
    server_setup <movername> -Protocol rip -option stop
This port can be opened by using the following command:
    server_setup <movername> -Protocol rip -option start
Routing Information Protocol (RIP) is a routing protocol optimized for creating routes within one organization (interior gateway protocol). RIP is a distance-vector protocol that uses hop count (max 15) as the metric. RIP-1 does not send the mask in updates. RIP-2 sends the mask in updates.
Configuring and Managing Networking on VNX explains the purpose and configuration of RIP services on the Data Mover. Instructions for disabling the service are also included.

989 | TCP | Closed | FTPS
FTPS data transfer port. Connections are initially established on port 990 and data connections are on this port. See RFC 4217: Securing FTP with TLS.

990 | TCP | Closed | FTPS
FTPS control port where FTPS sessions are initially established. The authentication process is defined by RFC 4217: Securing FTP with TLS. It is possible to authenticate using either UNIX names or a Windows domain and username (domain\user).
Using FTP, TFTP and SFTP on VNX provides information about FTPS and TLS/SSL operations.

1020 | TCP/UDP (defaults to a port number greater than 1024) | Closed | CDMS nfs FileMover for NFS
This port can be used for the CDMS nfs migration or FileMover for NFS services. Clients of both services must have network connectivity to the port for continued operation.
VNX File System Migration Version 2.0 for NFS and CIFS provides more information about file system migration operations.
Using VNX FileMover provides more information about FileMover operations.

1021 | TCP/UDP (defaults to a port number greater than 1024) | Closed | CDMS nfs FileMover for NFS
This port can be used for the CDMS nfs migration or FileMover for NFS services. Clients of both services must have network connectivity to the port for continued operation.
VNX File System Migration Version 2.0 for NFS and CIFS provides more information about file system migration operations.
Using VNX FileMover provides more information about FileMover operations.

1234 | TCP/UDP | Open | mountd (NFS)
This port is used for the mount service, which is a core component of the NFS service (versions 2 and 3), and is an important component of the Control Station to Data Mover interaction, even if there are no NFS exports externally visible from the Data Mover.
Configuring NFS on VNX explains several methods of controlling access to NFS exports. Authentication of users is AUTH_SYS by default. If stronger authentication is desired, Secure NFS is generally available. Secure NFS provides Kerberos authentication for end users.

2049 | TCP/UDP | Open | NFS
This port is used to provide NFS services and is an important component of the Control Station to Data Mover interaction, even if there are no NFS exports externally visible from the Data Mover.
Configuring NFS on VNX explains several methods of controlling access to NFS exports. Authentication of users is AUTH_SYS by default. If stronger authentication is desired, Secure NFS is generally available. Secure NFS provides Kerberos authentication for end users. If AUTH_SYS authentication is used, only port 2049 need be open between VNX for file and NFSv4 clients.

2400 | TCP/UDP | Closed | FMP/Notify
This port is used to provide the FMP/notify service. This service is used by the VNX for file NFS Cluster product.
To determine if any NFS Clusters are configured, use the nas_server -l command. The cluster has the type "group." To remove any NFS clusters, use the following command:
    nas_server <cluster_name> -delete

4647 | UDP | Open | lockd forward (Infrastructure for NFS Cluster)
This is not a public service. It is used only on the VNX for file interconnection network. External clients will not need to reach this service. It can be blocked by a firewall. This service is used by the VNX for file NFS Cluster product.
To determine if any NFS Clusters are configured, use the nas_server -l command. The cluster has the type "group." To remove any NFS clusters, use the following command:
    nas_server <cluster_name> -delete

4656 | TCP/UDP | Closed | FMP
(Applicable only to systems running VNX OE for file earlier than version 8.x.) This port is associated with the Multi-Path File Services (MPFS) feature. It can be opened by using the following command:
    server_setup <movername> -Protocol mpfs -option start
For the MPFS service to work, clients must be able to contact VNX for file on the FMP port and VNX for file must be able to contact the clients on their FMP port (port 6907 for UNIX clients and port 625 for Windows clients).

4658 | TCP | Open | Portable Archive Interchange (PAX) - (Backup Services)
PAX is a VNX for file archive protocol that works with standard UNIX tape formats. The protocol is used only between the Control Station and Data Mover. It is only used on the private network.
This service may be disabled if local tape backup is not used. Details on how to disable this service are in Primus under ID emc49339.
Background information on PAX is contained in the relevant EMC documentation on backups and NDMP. There are several technical modules on this topic to deal with a variety of backup tools.

5033 | TCP | Open | Network Block Service (NBS)
An EMC proprietary protocol similar to (and a precursor of) iSCSI. The NBS service that opens this port is a core VNX for file service and cannot be stopped.
Externally, NBS is used for snapshot and replication control functions.
When used for Control Station to Data Mover communication, the private VNX for file interconnection network is used.

5080 | TCP | Closed | HTTP (FileMover support and internal infrastructure)
HTTP is used as a transport medium for FileMover and for some Control Station to Data Mover information exchanges. FileMover traffic is for ILM-related policy engines to send commands to the Data Mover. The policy engines are authenticated by using the HTTP digest authentication method. This is described in the FileMover documentation.
Using VNX FileMover explains the configuration and monitoring commands.
HTTPS (HTTP over SSL) is also available on the Data Mover.
Because the HTTP transport is also used for Control Station to Data Mover interactions, the service may not be disabled. However, this only requires that the Data Mover accept the HTTP requests from the Control Station over the private network within the VNX cabinet. Access to the HTTP service by external agents is disabled by default.

5081 | TCP | Open | Replication services
Data Mover-to-Data Mover replication commands.

5083 | TCP | Open | Replication services
This port is associated with replication services.

5084 | TCP | Open | Replication services
This port is associated with replication services.

5085 | TCP | Open | Replication services
This port is associated with replication services.

7777 | TCP | Open | Statistics monitoring service
This is the default port for the statistics monitoring service. It may be closed by running the following command:
    server_stats <movername> -service -stop
Managing Statistics for VNX provides information about configuring this service.

8887 | TCP | Closed | Replication services
This port is used for replication (on the primary side). It is opened by the replicator when a Data Recovery (DR) is requested. It is closed when the DR is completed. Clients (other VNX for file systems) that use the replication service must be able to communicate with this port.

8888 | Replication services | Open | RCP (Replication services)
This port is used by the replicator (on the secondary side). It is left open by the replicator as soon as some data has to be replicated. After it is started, there is no way to stop the service.
Clients (other VNX for file servers) that use the replication service must be behind the same firewall for continued operation.

10000 | TCP | Open | NDMP (Backup services)
The Network Data Management Protocol (NDMP) enables you to control the backup and recovery of an NDMP server through a network backup application, without installing third-party software on the server. In VNX for file, the Data Mover functions as the NDMP server.
The NDMP service can be disabled if NDMP tape backup is not used.
The NDMP service is authenticated with a username/password pair. The username is configurable. The NDMP documentation describes how to configure the password for a variety of environments.

10001 through 10004 | TCP | Closed | NDMP
For a single three-way backup/restore only, TCP connections between Data Movers use port 10001. If there are multiple three-way backup/restore sessions, the Data Mover uses ports 10001 to 10004.

12345 | TCP/UDP | Open | usermapper (CIFS)
The usermapper service opens this port. It is a core service associated with VNX for file CIFS services and should not be stopped in specific environments.
This is the method by which Windows credentials (which are SID-based) are mapped to UNIX-based UID and GID values.
It is possible to close this port. The command to do this is:
    server_usermapper <movername> -disable
Configuring VNX User Mapping provides more information about configuring this service in Windows-only and multiprotocol environments.

31491 | UDP | Open | Remote File Access (RFA) - NFS functionality
The service that opens this port is RFA and is a core VNX for file service associated with NFS. It cannot be stopped.

38914 | UDP | Closed | nfs forward (Infrastructure for NFS Cluster)
This is not a public service. It is used only on the VNX for file interconnection network. External clients do not need to reach this service. It can be blocked by a firewall. This service is used by the VNX for file Cluster product.
To determine if any NFS Clusters are configured, use the nas_server -l command. The cluster has the type "group." To remove any NFS clusters, use the following command:
    nas_server <cluster_name> -delete

49152 through 65535 | TCP/UDP | Open | statd (NFS support)
statd is the NFS file-locking status monitor and works in conjunction with lockd to provide crash and recovery functions for NFS (which is inherently a stateless protocol).
statd is a core VNX for file service, but it can be stopped. To stop this service:
- Use vi to edit the following file:
    /nas/server/<server_name>/netd
- Comment out the statd line. statd becomes #statd.
- Restart the Data Mover.
This may be reset automatically during an upgrade. Be sure to recheck. Clients with legitimate access to the VNX for file NFS services need to have network connectivity to this port.

49152 through 65535 | TCP/UDP | Open | rquotad (Quota support)
The rquotad daemon provides quota information to NFS clients that have mounted a file system. An NFS user who has mounted a VNX for file file system can access quota information for the file system by using the quota command. This command runs on the client side and interrogates the rquotad daemon on the Data Mover through RPC.
To use this functionality, the client must have already mounted the file system. Authentication is AUTH_SYS, similar to that used for the NFS protocol. You must have root access to the file system to get the quota information for different users. rquotad can be stopped:
- Use vi to edit the following file:
    /nas/server/<server_name>/netd
- Comment out the rquotad line. rquotad becomes #rquotad.
- Restart the Data Mover.
This may be reset automatically during an upgrade. Be sure to recheck. Clients with legitimate access to the VNX for file NFS services need to have network connectivity to this port.

49152 through 65535 | TCP/UDP | Open | lockd (NFS support)
lockd is the NFS file-locking daemon. It processes lock requests from NFS clients and works in conjunction with the statd daemon.
lockd is a core VNX for file service, but it can be stopped. To stop this service:
- Use vi to edit the following file:
    /nas/server/<server_name>/netd
- Comment out the lockd line. lockd becomes #lockd.
- Restart the Data Mover.
This may be reset automatically during an upgrade. Be sure to recheck.

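The statd, rquotad and lockd rows above all describe the same manual procedure: comment out one daemon line in the netd file and restart the Data Mover, then recheck after every upgrade because the change may be reset. The following shell functions are an added example, not EMC's code and not from the VNX guide; they perform that edit on a copy of the file, refuse to double-comment an already disabled line, and report which daemons are still active, which is the post-upgrade recheck the text asks for. The netd contents used here are constructed for the example (one daemon name per line, as the procedure implies); the real file's layout is not shown on this page, and the Data Mover restart itself is left to the documented procedure.

```shell
#!/bin/sh
# Added example, not from the EMC VNX guide. Comments out a daemon line in a
# netd-style file the way the procedure above describes (statd -> #statd),
# and checks afterwards whether a daemon is still enabled, which is the
# recheck the text asks for after an upgrade. Assumption: one daemon name
# per line, as the procedure implies; the real file layout is not shown here.

# Constructed sample netd file for this example (not a real Data Mover file).
make_sample_netd() {
  file=$1
  printf '%s\n' 'statd' 'lockd' 'rquotad' > "$file"
}

# disable_netd_daemon FILE NAME: turn a line that is exactly NAME into #NAME.
# Idempotent: an already commented line is left alone. Keeps a .bak copy so
# the change can be reverted before the Data Mover restart the procedure
# requires.
disable_netd_daemon() {
  file=$1; name=$2
  cp "$file" "$file.bak"
  # Only the line consisting solely of the daemon name is touched.
  sed "s/^${name}\$/#${name}/" "$file.bak" > "$file"
}

# netd_daemon_enabled FILE NAME: exit 0 if NAME is still an active line.
netd_daemon_enabled() {
  grep -q "^$2\$" "$1"
}

# netd_status FILE: print "name enabled|disabled" for each daemon listed in
# the file, commented or not, so all three NFS helper daemons can be
# rechecked at once after an upgrade.
netd_status() {
  sed 's/^#//' "$1" | while read -r name; do
    if [ -z "$name" ]; then
      continue
    fi
    if netd_daemon_enabled "$1" "$name"; then
      echo "$name enabled"
    else
      echo "$name disabled"
    fi
  done
}
```

Usage on the Control Station would be `disable_netd_daemon /nas/server/<server_name>/netd statd` followed by the documented Data Mover restart; `netd_status` on the same file after an upgrade tells you at a glance whether the line came back.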
49152 through 65535 | TCP/UDP | Open | MAC
MAC is a proprietary management protocol between the Control Station and Data Mover. It is used only on the private network between the two.
This is a core service and cannot be stopped.

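The "Default state" column of the table above is the baseline a reviewer compares a Data Mover against: a port the table lists as Closed that is found open means a service was enabled (FTP, TFTP, SNMP, the NETBIOS ports, HTTP on 5080) and needs an owner, and an open port the table does not list at all needs explaining. The script below is an added example, not EMC's code and not part of the VNX guide; it embeds the fixed-port rows of the table as documented (the 49152 through 65535 dynamic range and the 8888 row, whose protocol the table does not state, are left out) and compares them against a constructed list of observed listeners, which stands in for whatever inventory or scan output you have for the Data Mover's public interfaces. Service names in the table are abbreviated labels, not identifiers from the guide.

```shell
#!/bin/sh
# Added example, not from the EMC VNX guide: compare an observed list of
# listening ports on a Data Mover against the default states documented in
# the table above. Flags ports documented as "Closed" by default that are
# observed open, and open ports the table does not document at all.

# Default states as documented in the table above: port protocol state label.
# The 49152-65535 range and the 8888 row (no protocol given) are omitted.
DEFAULTS='20 TCP Closed FTP
21 TCP Closed FTP
22 TCP Closed SFTP
69 UDP Closed TFTP
111 TCP Open rpcbind
111 UDP Open rpcbind
123 UDP Closed NTP
135 TCP Open DCERPC
137 UDP Closed NETBIOS-NS
138 UDP Closed NETBIOS-DGM
139 TCP Closed NETBIOS-SSN
161 TCP Closed SNMP
161 UDP Closed SNMP
445 TCP Open CIFS
500 UDP Closed Iked
520 UDP Open RIP
989 TCP Closed FTPS
990 TCP Closed FTPS
1020 TCP Closed CDMS/FileMover
1020 UDP Closed CDMS/FileMover
1021 TCP Closed CDMS/FileMover
1021 UDP Closed CDMS/FileMover
1234 TCP Open mountd
1234 UDP Open mountd
2049 TCP Open NFS
2049 UDP Open NFS
2400 TCP Closed FMP/Notify
2400 UDP Closed FMP/Notify
4647 UDP Open lockd-forward
4656 TCP Closed FMP
4656 UDP Closed FMP
4658 TCP Open PAX
5033 TCP Open NBS
5080 TCP Closed HTTP
5081 TCP Open Replication
5083 TCP Open Replication
5084 TCP Open Replication
5085 TCP Open Replication
7777 TCP Open Statistics
8887 TCP Closed Replication
10000 TCP Open NDMP
10001 TCP Closed NDMP
10002 TCP Closed NDMP
10003 TCP Closed NDMP
10004 TCP Closed NDMP
12345 TCP Open usermapper
12345 UDP Open usermapper
31491 UDP Open RFA
38914 UDP Closed nfs-forward'

# Observed listeners, constructed for this example (port protocol). Replace
# with the real inventory of the Data Mover's public interfaces.
OBSERVED='21 TCP
111 TCP
161 UDP
445 TCP
2049 TCP
7777 TCP
8080 TCP'

# drift_report: one line per finding, nothing for ports that match the table.
#   OPEN-BUT-CLOSED-BY-DEFAULT <port>/<proto> (<label>)
#   OPEN-UNDOCUMENTED <port>/<proto>
drift_report() {
  printf '%s\n' "$OBSERVED" | while read -r port proto; do
    if [ -z "$port" ]; then
      continue
    fi
    match=$(printf '%s\n' "$DEFAULTS" |
      awk -v p="$port" -v t="$proto" '$1 == p && $2 == t { print $3, $4 }')
    if [ -z "$match" ]; then
      echo "OPEN-UNDOCUMENTED $port/$proto"
    else
      set -- $match
      if [ "$1" = "Closed" ]; then
        echo "OPEN-BUT-CLOSED-BY-DEFAULT $port/$proto ($2)"
      fi
    fi
  done
}
```

With the constructed input the report flags 21/TCP (FTP) and 161/UDP (SNMP) as open although the table says Closed by default, and 8080/TCP as undocumented; 111, 445, 2049 and 7777 are Open by default and produce no line. A port that the table marks Open but that is observed closed is not reported, since the rows above say which of those services can legitimately be stopped.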