Firewall and communication configuration

Before you install the server, you must ensure that servers, agents, and other systems can connect to each other through your networks and firewalls.

The following diagram shows the main default ports that are involved in communication between agents, agent relays, and the server.
A diagram of the ports that agents, agent relays, and servers use to communicate; these are the same ports as in the lists on this page
The following diagram shows the default port numbers that HCL Launch uses for communication. Most of these ports can change depending on your choices at installation time. The following diagram is only a summary of the defaults.
A topology that shows the ports that each part of HCL Launch uses for communication
The server must have network access to the following ports:
  • The server must be able to accept connections from agents and agent relays. By default, agent relays and WebSocket agents connect on port 7919.
  • Users and agents that do not use a relay must be able to initiate connections to the server through HTTPS. The default port is 8443 for HTTPS.
  • Installing agents remotely on Linux or UNIX systems requires the server to initiate connections to the SSH port of the agent computer. The default port for SSH is 22.
  • Remote discovery of agents requires the server to initiate connections to port 22 for Linux agents and port 135 for Windows agents. See Discovering agents automatically.
  • The server might require access to other ports if you connect to external systems, such as an SMTP server for notifications or to cloud systems that use virtual system patterns.

As shown in the diagram, agents can connect to servers directly or through agent relays. You must ensure that the agent communication can get to the server through any firewalls or other limitations.

If your agents connect to the server through an agent relay, you must configure your networks and firewalls to allow the following communication. In this case, you install the agent relay on the same network and the same side of the firewall as the agents.
  • Agents must be able to open network connections on the agent relay HTTP proxy port. The default agent relay HTTP proxy port is 20080.
  • Agents must be able to open a network connection to the Agent Relay CodeStation proxy port (HTTP_proxy + 1, by default 20081).
  • Installing agents remotely on Windows systems requires the WinRS agent to initiate connections on ports 80 and 5985 on the target computer.
  • If you are using artifact caching as described in Agent security and communication, agents must be able to open network connections on the agent relay artifact caching port. The agent relay artifact caching port is 20081.
  • Agents run steps from automation plug-ins and source configuration plug-ins. Some of these steps require that agents create network connections to an external system.
  • Agent relays must be able to open network connections on the server's HTTPS port. The default HTTPS port is 8443. It is not possible to reverse the direction of this connection. Starting with V7.2.2, relays support proxying HTTPS requests only. However, the relay itself listens on the HTTP protocol.
For example, if your server is on an internal network and your agents are on an external network such as a public cloud, you install the agent relay on the cloud and have the agents connect to the agent relay. Then, the agent relay connects through the firewall to the internal network.

If your agents connect directly to the server, you must configure your networks and firewalls to allow the following communication:
  • WebSocket agents must be able to open network connections on the server. The default server port is 7919.
  • Agents must be able to open network connections on the server's HTTPS port. The default HTTPS port is 8443.
  • Agents run steps from automation plug-ins and source configuration plug-ins. Some of these steps require that agents create network connections to an external system.

For more information on communication between the server, agents, and agent relays, see Agent security and communication and Agent relays.
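
The following preflight check probes the agent-to-relay, relay-to-server, and agent-to-server flows from the lists above. It is an added example, not part of the HCL Launch product or its documentation. The function names and host names are hypothetical placeholders, and the ports are the defaults from this page, so change them if you chose other values at installation time.

```python
import socket

# (source role, target role, default port, purpose), taken from the lists on this page.
FLOWS = {
    "direct": [  # agents connect straight to the server
        ("agent", "server", 7919, "WebSocket agent connection"),
        ("agent", "server", 8443, "server HTTPS"),
    ],
    "relay": [  # agents sit behind an agent relay
        ("agent", "relay", 20080, "relay HTTP proxy"),
        ("agent", "relay", 20081, "relay CodeStation proxy / artifact caching"),
        ("relay", "server", 7919, "agent relay connection"),
        ("relay", "server", 8443, "server HTTPS"),
    ],
}


def flows_from(topology, source):
    """Return (target_role, port, purpose) for every flow that `source` initiates."""
    return [(dst, port, why) for src, dst, port, why in FLOWS[topology] if src == source]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable name, filtered
        return False


def preflight(topology, source, hosts, probe=tcp_reachable):
    """Probe each required flow; return a list of (host, port, purpose, ok)."""
    return [
        (hosts[dst], port, why, probe(hosts[dst], port))
        for dst, port, why in flows_from(topology, source)
    ]


if __name__ == "__main__":
    # Constructed host names (assumptions); run this on the machine named as source.
    hosts = {"relay": "relay.example.internal", "server": "launch.example.internal"}
    for host, port, why, ok in preflight("relay", "agent", hosts):
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}  {why}")
```

Run it once on an agent machine with source `agent` and once on the relay machine with source `relay`. A successful probe shows only that the firewall path is open, not that the listening service is the expected one.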