Veritas Access Appliance Initial Configuration Guide
Network and firewall requirements
In addition to the ports that are used by the Veritas Access software, the appliance also provides for both in-band and out-of-band management. The out-of-band management is through a separate network connection, the Remote Management Module (RMM), and the Intelligent Platform Management Interface (IPMI). Open these ports through the firewall as appropriate to allow access to the management services from a remote laptop or KVM (keyboard, video monitor, mouse).
Table: Inbound ports lists the ports open for inbound communication to the appliance.
Table: Inbound ports
Port | Service | Description | Open on interface (3340 model) | Open on interface (3350 model) |
---|---|---|---|---|
22 | ssh | In-band management CLI | eth1, eth2, eth3, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
443 | HTTPS | In-band management GUI | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
623 | KVM | (optional, used if open) | eth4, eth5 | eth4, eth5, eth6, eth7 |
2049 | HTTPS | NFS++ | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
445 | CIFS SAMBA | CIFS (for the Log/Install shares) | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
10082 | spoold | Veritas Data Deduplication engine | eth4, eth5 | eth4, eth5, eth6, eth7 |
10102 | spad | Veritas Data Deduplication manager | eth4, eth5 | eth4, eth5, eth6, eth7 |
* Veritas Remote Management - Remote Console
++ Once the NFS service is shut down, the vulnerability scanners do not pick up these ports as threats.
Table: Outbound ports lists the ports outbound from the appliance to allow alerts and notifications to the indicated servers.
Table: Outbound ports
Port | Service | Description | Open on interface (3340 model) | Open on interface (3350 model) |
---|---|---|---|---|
443 | HTTPS | Call Home notifications to Veritas; download SDCS certificate | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
162** | SNMP | Traps sent by SNMP agents | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
22 | SFTP | Log uploads to Veritas | eth1, eth2, eth3, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
25 | SMTP | Email alerts | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
389 | LDAP | LDAP | eth1 | eth1 |
636 | LDAPS | Secure LDAP | eth1 | eth1 |
514 | rsyslog | Log forwarding | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
8514 | Log transfer service | Log Transfer Console for downloading logs | eth1 | eth1 |
10082 | spoold | Veritas Data Deduplication engine | eth4, eth5 | eth4, eth5, eth6, eth7 |
10102 | spad | Veritas Data Deduplication manager | eth4, eth5 | eth4, eth5, eth6, eth7 |
** This port number can be changed within the appliance configuration to match the remote server.
Table: Out of band management ports lists the out of band management ports on the appliance.
Table: Out of band management ports
Port | Service | Description | Open on interface (3340 model) | Open on interface (3350 model) |
---|---|---|---|---|
80 | HTTP | Out-of-band management (ISM+ or RM*) | eth4, eth5 | eth4, eth5, eth6, eth7 |
443 | HTTP | Out-of-band management (ISM+ or RM*) | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
623 | KVM | (optional, used if open) | eth4, eth5 | eth4, eth5, eth6, eth7 |
7578 | RMM | CLI access | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
7582 | RMM | KVM | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
2049 | HTTPS | NFS ++ | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
445 | CIFS | (for the Log/Install shares) | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
+ NetBackup Integrated storage manager
* Veritas Remote Management - Remote Console
++ Once the NFS service is shut down, the vulnerability scanners do not pick up these ports as threats.
Note:
Ports 7578, 5120, and 5123 are for the unencrypted mode. Ports 7582, 5124, and 5127 are for the encrypted mode.
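The following is an added example, not part of the Veritas guide: it turns the out-of-band table above into a per-interface allowlist for the 3340 model, compares it with the ports found open on each interface, and flags the unencrypted-mode ports named in the note. The table rows are copied from this page without the description column; the `OBSERVED` scan results and the function names are constructed for illustration.

```python
# Added example: audit open out-of-band ports against the documented table.
# Rows copied from this page's out-of-band table (port | service | 3340 interfaces).
OOB_TABLE_3340 = """\
80 | HTTP | eth4, eth5
443 | HTTP | eth1, eth2, eth3, eth4, eth5
623 | KVM | eth4, eth5
7578 | RMM | eth1, eth2, eth3, eth4, eth5
7582 | RMM | eth1, eth2, eth3, eth4, eth5
2049 | HTTPS | eth1, eth2, eth3, eth4, eth5
445 | CIFS | eth1, eth2, eth4, eth5
"""

# From the page's note: these ports carry the unencrypted mode.
UNENCRYPTED_MODE = {7578, 5120, 5123}

# Constructed sample: open TCP ports found per interface by an authorized scan.
OBSERVED = {
    "eth1": [443, 7578, 7582],
    "eth2": [443, 623],
    "eth4": [80, 443, 623, 5120],
}


def parse_table(text):
    """Return {interface: {ports}} from 'port | service | interfaces' rows."""
    policy = {}
    for line in text.strip().splitlines():
        port, _service, ifaces = (cell.strip() for cell in line.split("|"))
        for iface in ifaces.split(","):
            policy.setdefault(iface.strip(), set()).add(int(port))
    return policy


def audit(policy, observed):
    """Return sorted (interface, port, reason) findings for the observed ports."""
    findings = []
    for iface, ports in observed.items():
        for port in set(ports):
            if port not in policy.get(iface, set()):
                findings.append((iface, port, "not in documented table"))
            if port in UNENCRYPTED_MODE:
                findings.append((iface, port, "unencrypted mode"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_table(OOB_TABLE_3340), OBSERVED):
        print(*finding)
```

A port can produce two findings: 5120 on eth4 is both absent from the table and an unencrypted-mode port.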
Table: Default Veritas Access ports displays the default ports that Access uses to transfer information.
Table: Default Veritas Access ports
Port | Protocol or Service | Purpose | Impact if blocked | Open on interface (3340 model) | Open on interface (3350 model) |
---|---|---|---|---|---|
22 | SSH | Secure access to the Access server | Access is not accessible. | eth1, eth2, eth3, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
25 | SMTP | Sending SMTP messages. | The SMTP messages that are sent from Access are blocked. | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
53 | DNS queries | Communication with the DNS server | Domain name mapping fails. | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
111 | rpcbind | RPC portmapper services | RPC services fail. | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
123 | NTP | Communication with the NTP server | Server clocks are not synchronized across the cluster. NTP-reliant features (such as DAR) are not available. | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
139 | CIFS | CIFS client to server communication | CIFS clients cannot access the Access cluster | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
161 | SNMP | Sending SNMP alerts | SNMP alerts cannot be broadcast. | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
445 | CIFS | CIFS client to server communication | CIFS clients cannot access the Access cluster. | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
514 | syslog | Logging program messages | Syslog messages are not recorded. | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
756, 757, 755 | statd | NFS statd port | NFS v3 protocol cannot function correctly. | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
2049 | NFS | NFS client to server communication | NFS clients cannot access the Access cluster. | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
3172, 3173 | ServerView | ServerView port | ServerView cannot work. | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
3260 | iSCSI | SCSI target and initiator communication | Initiator cannot communicate with the target. | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
4001 | mountd | NFS mount protocol | NFS clients cannot mount file systems in the Access cluster. | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
4045 | lockd | Processes the lock requests | File locking services are not available. | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
5634 | HTTPS | Management Server connectivity | Web GUI may not be accessible. | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
56987 | Replication | File synchronization, Access replication | Access replication daemon is blocked. Replication cannot work. | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
8088 | REST server | REST client to server communication | REST client cannot access REST API of Access. | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
8143 | S3 | Data port for Veritas Access S3 server | Users will not be able to use the Veritas Access object server. | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
8144 | ObjectAccess service | Administration port for Veritas Access S3 server. | Users cannot create access or secret keys for using the ObjectAccess service. | eth1, eth4, eth5 | eth1, eth4, eth5, eth6, eth7 |
11211 | Memcached port | CLISH framework | CLISH cannot function correctly, and cluster configuration may get corrupted. | eth2 | eth2 |
14161 | HTTPS | Access Veritas Access GUI | User is unable to access Veritas Access GUI | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
51001 | UDP | LLT over RDMA | LLT is not working. | eth2 | eth2 |
51002 | UDP | LLT over RDMA | LLT is not working. | eth2 | eth2 |
NetBackup uses TCP/IP connections to communicate between one or more TCP/IP ports. Depending on the type of operation and the configuration of the environment, different ports are required to enable the connections. NetBackup has different requirements for operations such as backup, restore, and administration.
Table: Default NetBackup TCP and UDP ports shows some of the most common TCP and UDP ports that NetBackup uses to transfer information. For more information, see the Veritas NetBackup Security and Encryption Guide.
Table: Default NetBackup TCP and UDP ports
Port Range | Protocol | Open on interface (3340 model) | Open on interface (3350 model) |
---|---|---|---|
1556 | TCP, UDP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
13701-13702, 13705-13706 | TCP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
13711, 13713, 13715-13717, 13719 | TCP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
13720-13722 | TCP, UDP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
13723 | TCP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
13724 | TCP, UDP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
13782-13783 | TCP, UDP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
13785 | TCP | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
For the CIFS service to work properly in an Active Directory (AD) domain environment, the following protocols and firewall ports need to be allowed or opened so that the CIFS server can communicate smoothly with Active Directory Domain Controllers and Windows/CIFS clients.
The Internet Control Message Protocol (ICMP) must be allowed through the firewall from the CIFS server to the domain controllers. Enabling "Allow incoming echo request" is required for running the CIFS service.
Table: Additional CIFS ports and protocols lists additional CIFS ports and protocols.
Table: Additional CIFS ports and protocols
Port | Protocol | Purpose | Open on interface (3340 model) | Open on interface (3350 model) |
---|---|---|---|---|
53 | TCP, UDP | DNS | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
88 | TCP, UDP | Kerberos | eth4, eth5 | eth4, eth5, eth6, eth7 |
139 | TCP | DFSN, NetBIOS Session Service, NetLog | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
445 | TCP, UDP | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
464 | TCP, UDP | Kerberos change or set a password | eth1, eth2, eth3, eth4, eth5 | eth1, eth2, eth3, eth4, eth5, eth6, eth7 |
3268 | TCP | LDAP GC | eth4, eth5 | eth4, eth5, eth6, eth7 |
4379 | TCP | CTDB in CIFS | eth1, eth2, eth4, eth5 | eth1, eth2, eth4, eth5, eth6, eth7 |
Table: LDAP with SSL ports lists the ports that are required for LDAP with SSL.
Table: LDAP with SSL ports
Port | Protocol | Purpose | Open on interface (3340 model) | Open on interface (3350 model) |
---|---|---|---|---|
636 | TCP | LDAP SSL | eth1 | eth1 |
3269 | TCP | LDAP GC SSL | eth4, eth5 | eth4, eth5, eth6, eth7 |