Forum Discussion

Jomy
11 years ago

Firewall port requirement for VVR and GCO

Here I have the list of firewall port requirements for GCO:

https://sort.symantec.com/public/documents/sfha/6.0.1/aix/productguides/html/vcs_install/apas01.htm

We are using 4 IPs at one site and each of them will be from the same subnet.

Physical IP - 192.168.1.xxx
Cluster IP - 192.168.1.xxx
App IP - 192.168.1.xxx
VVR IP - 192.168.1.xxx

This is for the primary site; the DR site will have a different subnet and IPs.

My question is: what are the ports to be opened on the firewall against the physical IP, cluster IP, app IP, etc.?

In our last project we faced some issues and we enabled all required ports against all IPs.

 

Thank you

J0my

 


2 Replies

  • Default is 14155.

    Refer:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO66089&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1398045642541ec7K3IdUjiNUx1C49pN0PQR9p310hZ9tFEBX2

    Table: VCS services and ports

    | Port Number | Protocol | Description | Process |
    |---|---|---|---|
    | 14150 | TCP | Veritas Command Server | CmdServer.exe |
    | 14141 | TCP | Veritas High Availability Engine; Veritas Cluster Manager (Java console) (ClusterManager.exe); VCS Agent driver (VCSAgDriver.exe) | had.exe |
    | 7419 | TCP | Symantec Plugin Host Service; Solutions Configuration Center (SFWConfigPanel.exe); CCF Engine (CEngineDriver.exe) | pluginHost.exe |
    | 14149 | TCP/UDP | VCS Authentication Service | vcsauthserver.exe |
    | 8199 | TCP | Volume Replicator Administrative Service | vras.dll |
    | 4145 | UDP | VCS Cluster Heartbeats | vxio.sys |
    | 4888 | TCP | Veritas Scheduler Service. Use to launch the configured schedule. | VxSchedService.exe |
    | 49152-65535 | TCP/UDP | Volume Replicator Packets | User configurable ports created at kernel level by vxio.sys file |
    | 14144 | TCP/UDP | VCS Notification | Notifier.exe |
    | 14153, 15550 - 15558 | TCP/UDP | VCS Cluster Simulator | hasim.exe |
    | 14155 | TCP/UDP | VCS Global Cluster Option (GCO) | wac.exe |

  • Hi Jomy,

    The Windows TCP/IP stack can be a little strange in how it tags outbound packets when multiple IPs are concerned. If you are working with a system with a single IP then all outbound packets are tagged as coming from that 1 IP. However, when you are working with a system with multiple IPs, all outbound packets are still only tagged as coming from a single IP. In a cluster situation where IPs are added and removed the outbound packets can be tagged with a different IP depending on what virtual IPs are online/offline on the node. Because of this changing of the outbound packet source IP, firewalls for Windows servers typically need to have all ports open for all available IPs (physical and virtual) that can run in the cluster.

    I know that it is a little messy. You can actually do calculations on the IP to determine how Windows will respond to the IP being added/removed from the system but it is much easier to just add them all to the firewall.

    -Wally
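
The following is an added example, not code from the thread or from Symantec: it expands port entries written the way the table in the first reply lists them into one allow rule per source and destination address, treating every physical and virtual IP as a possible source as Wally's reply describes, and reports any address pair left without a rule. The addresses, the choice of rows and the function names are assumptions made for the illustration.

```python
from itertools import product

# Constructed sample: (port spec, protocol) pairs in the format of the table
# in the first reply. Which rows must cross the site firewall is an
# assumption to check per deployment.
TABLE_ROWS = [
    ("14155", "TCP/UDP"),        # VCS Global Cluster Option (wac.exe)
    ("8199", "TCP"),             # Volume Replicator Administrative Service
    ("4145", "UDP"),             # VCS Cluster Heartbeats
    ("49152-65535", "TCP/UDP"),  # Volume Replicator Packets
]

# Constructed addresses: physical, cluster, app and VVR IP at each site.
PRIMARY = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]
DR = ["192.168.2.10", "192.168.2.11", "192.168.2.12", "192.168.2.13"]


def parse_ports(spec):
    """Turn '14153, 15550 - 15558' into [(14153, 14153), (15550, 15558)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges


def build_rules(local_ips, remote_ips, rows):
    """One allow rule per (source IP, destination IP, protocol, port range)."""
    # Every local address is a possible source: the source address of outbound
    # packets can change as virtual IPs go online and offline on the node.
    rules = set()
    for (spec, protos), src, dst in product(rows, local_ips, remote_ips):
        for proto, (lo, hi) in product(protos.split("/"), parse_ports(spec)):
            rules.add((src, dst, proto, lo, hi))
    return sorted(rules)


def uncovered(rules, local_ips, remote_ips):
    """Address pairs with no rule at all; traffic between them would be dropped."""
    covered = {(r[0], r[1]) for r in rules}
    return [pair for pair in product(local_ips, remote_ips) if pair not in covered]


if __name__ == "__main__":
    for src, dst, proto, lo, hi in build_rules(PRIMARY, DR, TABLE_ROWS):
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        print(f"allow {proto} {src} -> {dst} port {ports}")
```

Swapping the first two arguments of `build_rules` gives the rules for traffic initiated from the DR site.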