List of firewall ports in WebSphere Application Server V7, V8, and V8.5
List of firewall ports that must be open for communication between the deployment manager, nodeagent, and Application Server
It is important to know which ports must be open in the firewall for the deployment manager, nodeagent, and application servers to communicate. Follow the steps below.
Find the port numbers in the serverindex.xml file or in the ISC (Integrated Solutions Console), then open the ports listed in the tables below.
- The serverindex.xml file is under the profile-root/config/cells/cellName/nodes/nodeName folder.
- From the Integrated Solutions Console:
  - Application server ports: click Servers -> server name -> expand Ports under Communications
  - Nodeagent ports: click System administration -> Node agents -> nodeagent -> expand Ports under Additional Properties
  - Deployment manager ports: click System administration -> Deployment manager -> expand Ports under Additional Properties
Note: The endpoint names below come from a version 8.5 configuration; ignore any endpoint or port you do not find in your own configuration.
DMGR ports to be opened with security enabled and disabled

| Port/Endpoint Name | Security Engaged | Security Disengaged | Reason/Comment |
|---|---|---|---|
| CELL_DISCOVERY_ADDRESS | Yes | Yes | Discovery between nodeagent and DMgr will not work |
| BOOTSTRAP_ADDRESS | Yes | Yes | Naming service or RMI service between DMgr and node might not work |
| SOAP_CONNECTOR_ADDRESS | Yes | Yes | Synchronization will not work |
| ORB_LISTENER_ADDRESS | Yes | Yes | Port value can't be zero; it must have a static value |
| WC_adminhost | Yes | Yes | File transfer application will not work |
| DCS_UNICAST_ADDRESS | Yes | Yes | HA Manager won't work properly (i.e., WLM, DRS, transaction log recovery) |
| IPC_CONNECTOR_ADDRESS | Yes | Yes | Internal communication might fail |
| WC_adminhost_secure | No | Yes | File transfer won't work |
| SAS_SSL_SERVERAUTH_LISTENER_ADDRESS | No | No | Used for communication with version 6.0.x servers federated in a 6.1 or later cell; open it if you have a V6.0 mixed node |
| CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS | No | Yes | Required when security enabled |
| CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS | No | Yes | Required when security enabled |
| DataPowerMgr_inbound_secure | Yes | Yes | Required only when you use DataPower |
| OVERLAY_UDP_LISTENER_ADDRESS | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
| OVERLAY_TCP_LISTENER_ADDRESS | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
| XDAGENT_PORT | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
Nodeagent ports to be opened with security enabled and disabled

| Port Name/Endpoint Name | Security Engaged | Security Disengaged | Reason/Comment |
|---|---|---|---|
| BOOTSTRAP_ADDRESS | Yes | Yes | Naming service or RMI service between dmgr and node might not work |
| ORB_LISTENER_ADDRESS | Yes | Yes | Port value can't be zero; it must have a static value |
| DCS_UNICAST_ADDRESS | Yes | Yes | HA Manager won't work (WLM, DRS, transaction log recovery, etc.) |
| NODE_DISCOVERY_ADDRESS | Yes | Yes | Discovery between nodeagent and dmgr will not work |
| NODE_IPV6_MULTICAST_DISCOVERY_ADDRESS | Yes (if NO to ipv4) | Yes (if NO to ipv4) | Multicast discovery used by application servers (during startup) to discover the nodeagent. The endpoint can be removed if you prefer to use IPv4. |
| NODE_MULTICAST_DISCOVERY_ADDRESS (IPv4) | Yes (if NO to ipv6) | Yes (if NO to ipv6) | Multicast discovery used by application servers (during startup) to discover the nodeagent. The endpoint can be removed if you prefer to use IPv6. |
| SOAP_CONNECTOR_ADDRESS | Yes | Yes | Synchronization will not work |
| IPC_CONNECTOR_ADDRESS | Yes | Yes | Internal WebSphere communication might fail |
| SAS_SSL_SERVERAUTH_LISTENER_ADDRESS | No | No | Used for communication with version 6.0.x servers federated in a 6.1 or later cell; open it if you have a V6.0 mixed node |
| CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS | No | Yes | Required when security enabled |
| CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS | No | Yes | Required when security enabled |
| OVERLAY_UDP_LISTENER_ADDRESS | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
| OVERLAY_TCP_LISTENER_ADDRESS | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
| XDAGENT_PORT | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
Application server ports to be opened

| Port Name/Endpoint Name | Security Engaged | Security Disengaged | Reason/Comment |
|---|---|---|---|
| DCS_UNICAST_ADDRESS | Yes | Yes | HA Manager won't work (WLM, DRS, transaction log recovery, etc.). All application server DCS ports should be opened. |
| OVERLAY_UDP_LISTENER_ADDRESS | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
| OVERLAY_TCP_LISTENER_ADDRESS | Yes | Yes | Enabled on 8.5 or higher, or if Virtual Enterprise is installed on V7 and V8 |
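The serverindex.xml lookup and the three tables above can be combined into a small script that produces the per-process port list an admin would hand to the firewall team. The following is an added example, not code from the original post or from IBM. It parses a serverindex.xml, keeps only the endpoints the tables list for each process type, skips endpoints absent from the configuration (as the note above says), applies the conditional rows (V6.0 mixed node, DataPower, IPv4 vs IPv6 multicast discovery) through flags, and reports an ORB_LISTENER_ADDRESS of zero instead of turning it into a rule. The XML layout (serverEntries/specialEndpoints/endPoint with serverName, serverType, endPointName, host and port attributes, and the serverType values DEPLOYMENT_MANAGER, NODE_AGENT, APPLICATION_SERVER) is assumed from typical serverindex.xml files, and the embedded sample is constructed for a managed node with a nodeagent and one application server. The Security Engaged/Disengaged columns are not encoded; the output is the full endpoint list for the admin to filter by security setting.

```python
"""Derive firewall ports from a WebSphere serverindex.xml (added example)."""
import xml.etree.ElementTree as ET

# Endpoints shared by the DMGR and nodeagent tables above.
COMMON = ["BOOTSTRAP_ADDRESS", "SOAP_CONNECTOR_ADDRESS", "ORB_LISTENER_ADDRESS",
          "DCS_UNICAST_ADDRESS", "IPC_CONNECTOR_ADDRESS",
          "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS",
          "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS"]
OVERLAY = ["OVERLAY_UDP_LISTENER_ADDRESS", "OVERLAY_TCP_LISTENER_ADDRESS"]

# serverType -> {endpoint name: flag that must be set for it to apply (None = always)}.
# serverType values are assumed from typical serverindex.xml files.
WANTED = {
    "DEPLOYMENT_MANAGER": {
        **dict.fromkeys(COMMON + OVERLAY + ["XDAGENT_PORT", "CELL_DISCOVERY_ADDRESS",
                                            "WC_adminhost", "WC_adminhost_secure"]),
        "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS": "mixed_v60_node",
        "DataPowerMgr_inbound_secure": "datapower",
    },
    "NODE_AGENT": {
        **dict.fromkeys(COMMON + OVERLAY + ["XDAGENT_PORT", "NODE_DISCOVERY_ADDRESS"]),
        "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS": "mixed_v60_node",
        "NODE_MULTICAST_DISCOVERY_ADDRESS": "multicast_ipv4",
        "NODE_IPV6_MULTICAST_DISCOVERY_ADDRESS": "multicast_ipv6",
    },
    "APPLICATION_SERVER": dict.fromkeys(["DCS_UNICAST_ADDRESS"] + OVERLAY),
}


def parse_serverindex(xml_text):
    """Return {serverName: (serverType, {endPointName: (host, port)})}.
    Assumes the serverEntries/specialEndpoints/endPoint layout."""
    root = ET.fromstring(xml_text)
    servers = {}
    for entry in root.iter("serverEntries"):
        endpoints = {}
        for special in entry.iter("specialEndpoints"):
            ep = special.find("endPoint")
            if ep is not None:
                endpoints[special.get("endPointName")] = (ep.get("host"), int(ep.get("port", "0")))
        servers[entry.get("serverName")] = (entry.get("serverType"), endpoints)
    return servers


def firewall_ports(xml_text, mixed_v60_node=False, datapower=False, multicast_ipv6=False):
    """Return (rules, warnings): rules are sorted (server, endpoint, host, port) tuples.
    Endpoints missing from the configuration are ignored; a zero ORB port is a warning."""
    flags = {"mixed_v60_node": mixed_v60_node, "datapower": datapower,
             "multicast_ipv6": multicast_ipv6, "multicast_ipv4": not multicast_ipv6}
    rules, warnings = [], []
    for name, (stype, endpoints) in parse_serverindex(xml_text).items():
        for ep_name, flag in WANTED.get(stype, {}).items():
            if (flag and not flags[flag]) or ep_name not in endpoints:
                continue
            host, port = endpoints[ep_name]
            if ep_name == "ORB_LISTENER_ADDRESS" and port == 0:
                warnings.append(f"{name}: ORB_LISTENER_ADDRESS is 0; assign a static port first")
                continue
            rules.append((name, ep_name, host, port))
    return sorted(rules), warnings


# Constructed sample for a managed node (nodeagent + one application server).
SAMPLE_SERVERINDEX = """<serverindex:ServerIndex xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    xmi:id="ServerIndex_1" hostName="node1.example">
  <serverEntries xmi:id="ServerEntry_1" serverName="nodeagent" serverType="NODE_AGENT">
    <specialEndpoints xmi:id="NamedEndPoint_1" endPointName="BOOTSTRAP_ADDRESS">
      <endPoint xmi:id="EndPoint_1" host="node1.example" port="2809"/></specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_2" endPointName="SOAP_CONNECTOR_ADDRESS">
      <endPoint xmi:id="EndPoint_2" host="node1.example" port="8878"/></specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_3" endPointName="ORB_LISTENER_ADDRESS">
      <endPoint xmi:id="EndPoint_3" host="node1.example" port="0"/></specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_4" endPointName="NODE_MULTICAST_DISCOVERY_ADDRESS">
      <endPoint xmi:id="EndPoint_4" host="232.133.104.73" port="5000"/></specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_5" endPointName="NODE_IPV6_MULTICAST_DISCOVERY_ADDRESS">
      <endPoint xmi:id="EndPoint_5" host="ff01::1" port="5001"/></specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_6" endPointName="SAS_SSL_SERVERAUTH_LISTENER_ADDRESS">
      <endPoint xmi:id="EndPoint_6" host="node1.example" port="9901"/></specialEndpoints>
  </serverEntries>
  <serverEntries xmi:id="ServerEntry_2" serverName="server1" serverType="APPLICATION_SERVER">
    <specialEndpoints xmi:id="NamedEndPoint_7" endPointName="DCS_UNICAST_ADDRESS">
      <endPoint xmi:id="EndPoint_7" host="node1.example" port="9353"/></specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_8" endPointName="WC_defaulthost">
      <endPoint xmi:id="EndPoint_8" host="*" port="9080"/></specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""

if __name__ == "__main__":
    rules, warnings = firewall_ports(SAMPLE_SERVERINDEX)
    for server, endpoint, host, port in rules:
        print(f"{server:10} {endpoint:40} {host}:{port}")
    for w in warnings:
        print("WARNING:", w)
```

Run it against each node's serverindex.xml in turn (the deployment manager's own node lists only the dmgr entry). WC_defaulthost in the sample is deliberately not in the application server table and so never becomes a rule; the zero ORB_LISTENER_ADDRESS on the nodeagent surfaces as a warning rather than a bogus port-0 rule.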
Additional firewall considerations
You might choose to separate the WebSphere application servers from your database and LDAP servers with a firewall. If so, you might also have to open the following ports. These are the default ports; consult your database or directory administrator for the port numbers actually in use:
- DB2: 50000 and 50001
- Oracle: 1521
- SQL Server: 1433
- LDAP: 389
The same applies to other backend resources such as IBM MQ and TAM.
Title image (modified) credit: (cc) Some rights reserved by OpenClips
UID: ibm11081053