Ports to open in firewalls
Work with your firewall administrator ahead of time to open ports in the firewall when connecting servers and clients. After you have completed the installation and configuration tasks, open the IBM® WebSphere® Integrated Solutions Console to determine the exact ports that are being used. Then specifically open those ports in firewalls as needed.
This topics covers firewall ports for all IBM Sametime® servers except for Sametime Gateway (which is addressed in Opening firewall ports for Sametime Gateway Server).
Open specific ports in internal and external firewalls to allow messages to flow to and from the servers in the DMZ to the local Sametime community. In addition, verify that the external firewall allows inbound and outbound connections to and from specific IP addresses. Make sure any kind of SIP fixup or SIP inspection is disabled in your firewall settings. Clients always initiate connections to servers, but the connection must remain open during a particular session, for example, during a video call.
There are many times when deploying a node outside a firewall is a preferable and valid solution, but it requires several ports be open in the firewall. Installing nodes across a firewall requires that ports be opened so that the nodes can communicate with each other. At installation, WebSphere Application Server assigns many ports dynamically. Expected port numbers may change when you install more than one server on a computer. Use the Sametime System Console to verify the ports that need to be opened.
Keep in mind that sometimes port values change during the installation, configuration, and clustering processes, so it is difficult to predict which ports you will need to open. After installation, close down the firewall by checking which ports the WebSphere Application Server is using and monitor the firewall.
| From | To | Ports | Function |
|---|---|---|---|
| WebSphere SIP proxy servers | Application Servers | 8879, 8880, 7273, 9356, 2811, 5003 | |
| Sametime Community Server | Sametime System Console | 9080 | Policy service |
| Sametime System Console | Sametime Meeting Server | 8880 80 9080 9443 8501 8503 | To get and save the configuration information and to connect the nodeagent and dmgr for WebSphere Application Server clustering services. The 8880 can be 8881 if there are two WebSphere Application Server components installed on one computer. |
| Sametime System Console | Sametime Media Manager | 8880 80 9080 9443 8801 8803 | To get and save the configuration information and to connect the nodeagent and dmgr for WebSphere Application Server clustering services. The 8880 can be 8881 if there are two WebSphere Application Server components installed on one computer. |
| Sametime System Console | Sametime Proxy Server | 8880 80 9080 9443 8601 8603. | To get and save the configuration information and to connect the nodeagent and dmgr for WebSphere Application Server clustering services. The 8880 can be 8881 if there are two WebSphere Application Server components installed on one computer. |
| WebSphere Application Server nodes | Sametime System Console | 9080 | Registration, installation, deployment plan access |
Sametime System Console |
LDAP |
389/636 |
Standard LDAP Protocol (AD uses port 3268) |
WebSphere Application Server nodes |
LDAP/LDAPS |
389/636 |
Authentication and policy assignment |
Sametime System Console |
DB2 |
50000/50001 |
DB2 connection: Windows™ uses 50.000; Linux™ uses 50.001 |
WebSphere Application Server nodes |
DB2 |
50000/50001 |
Sametime Meeting data, Sametime Advanced data, Sametime Proxy iOS messaging, Sametime System Console plans and policies. |
Sametime Community Server |
LDAP |
389 or 636 |
Standard LDAP Protocol (Active Directory uses port 3268) |
Sametime Community Server |
Sametime System Console |
80 9443 |
To retrieve policy information from the Sametime System Console |
Sametime Meeting Server |
Sametime System Console |
8880 80 9443 |
To connect the node agent and deployment manager for WebSphere Application Server clustering services |
Sametime Meeting Server |
LDAP |
389/636 |
Standard LDAP Protocol (AD uses Port 3268) |
Sametime Media Manager |
Sametime System Console |
8880 80 9443 |
To connect the nodeagent and dmgr for WebSphere Application Server clustering services |
Sametime Media Manager |
Sametime Community Server |
1516 |
Sametime Community Server connectivity |
Sametime Media Manager |
LDAP |
389/636 |
Standard LDAP Protocol (AD uses Port 3268) |
| Sametime Media Manager | Client | 5080, 5081, 5060, 5061 | Audio/Video SIP connectivity (can be 5062 and 5063 when the Sametime Media
Manager is installed on the same computer as another WebSphere-based component; for example, the
Sametime Proxy Server). Connect Client, Embedded Client, Mobile Client, and Browser Client connectivity Note: If Check Point firewalls are used between clients the Media Manager, verify
that the SIP redirects are not dropped by the firewall. For more information, search on "SIP packet
dropped by illegal redirect" at the Check Point Support Center, which is located at
checkpoint.com |
Sametime Proxy Server |
Sametime Community Server |
1516 |
Sametime Community Server connectivity Sametime Mobile Client and Browser Client connectivity |
Sametime TURN Server |
Sametime Video MCU |
|
|
Sametime Client |
Client |
20830-20930 UDP |
Audio and Video Port Range (UDP) Sametime Connect Client, Sametime Embedded Client, Mobile Client, and Browser Client connectivity |
Sametime Video MCU |
Sametime TURN Server |
49152 to 65535 UDP |
|
Client |
Sametime Community Server |
1533 80 1352 for Notes® SSO |
Sametime Connect or Embedded Client connectivity |
Client |
Sametime Meeting Server |
80 9080 9443 443 |
Meeting client connectivity Sametime Connect Client, Embedded Client, Mobile Client, and Browser Client connectivity |
Client |
Sametime Media Manager |
5080 5081 5060 5061 |
Audio/Video SIP connectivity (can be 5062 and 5063 when the Sametime Media Manager is installed on the same computer as another WebSphere-based component, for example, the Sametime Proxy Server) Connect Client, Embedded Client, Mobile Client, and Browser Client connectivity Note: If Check Point firewalls are used between clients the Media Manager, verify that the SIP
redirects are not dropped by the firewall. For more information, search on "SIP packet dropped by
illegal redirect" at the Check Point Support Center, which is located at checkpoint.com |
Client |
Sametime Proxy Server |
80 |
Browser Client and REST API connectivity Sametime Mobile Client and Browser Client connectivity |
Admin Client (Browser) |
Sametime System Console |
8700/8701 |
Administer Sametime System Console if the console is installed in a Cell Deployment. |
Admin Client (Browser) |
Sametime Proxy Server |
8600/8601 |
Administer the Sametime Proxy Server if the server is installed in a Cell Deployment. |
Admin Client (Browser) |
Sametime Meeting Server |
8500 8501 8503 |
Administer Meeting Server if the Meeting Server is installed in a Cell Deployment. |
Admin Client (Browser) |
Sametime Media Manager |
8800 8801 8803 |
Administer Media Manager if the server is installed in a Cell Deployment. |
Client |
Sametime Video MCU | UDP outbound and inbound can both use ports
in these ranges:
|
Audio and Video Port Range (UDP) when the Sametime Video MCU is operating in the default multiple ports mode. Best practices indicate that you use the default values for these ports. These port numbers must not be subject to third-party load balancing, packet rewriting (NAT/PAT), or other network-layer manipulation. Sametime Connect Client, Embedded Client, Mobile Client, and Browser Client connectivity |
Client |
Client |
20830 - 20930 |
UDP for Audio Calls (UDP) 1 : 1 (peer-to-peer) Sametime Connect Client, Embedded Client, Mobile Client, and Browser Client connectivity |
Client |
Client |
20832 - 20932 |
UDP for Video Calls (UDP) 1 : 1 (peer-to-peer) Sametime Connect Client, Embedded Client, Mobile Client, and Browser Client connectivity |
Client |
Sametime TURN Server |
3478 UDP or TCP |
TURN, STUN, and ICE protocols if NAT is in place. This UDP port should be reachable by internal and external clients. The TCP port can be disabled by default and should be opened only if UDP traffic is forbidden due to company policy. Sametime Connect Client, Embedded Client, Mobile Client, and Browser Client connectivity |
Table 2 lists the WebSphere communication ports that are used between servers.
| Port | Description |
|---|---|
| BOOTSTRAP_ADDRESS | Used to tie members of the cell together. |
| SOAP_CONNECTOR_ ADDRESS | Used for administration of remote nodes and synchronization. |
| DCS_UNICAST_ADDRESS | High Availability Manager Communication Port, handles inbound Distribution and Consistency Services (DCS) messages. |
| IPC_CONNECTOR_ADDRESS | Inter-Process Communication Protocol, JMX Communications and commands, for example, start/stop server |
| NODE_DISCOVERY_ADDRESS | Used by the deployment manager and other nodes to 'discover' each other. |
| CELL_ DISCOVERY_ ADDRESS | Used by the nodeagents and servers to discover the deployment manager |
| XDAAgent | Used to enable communication between the deployment manager, the node agents, and the middleware agents. The ODR uses this port to collect information from other servers, including nodeagents. |
| OVERLAY_UDP_LISTENER_ADDRESS and OVERLAY_TCP_LISTENER_ADDRESS | Used for peer-to-peer (P2P) communication. The ODC (On Demand Configuration) and asynchronous PMI components use P2P as their transport. This port is required by every WebSphere Extended Deployment process. |
| WebContainer and SIP Ports | Used to channel end-user requests. These ports communicate end user requests with backend servers. If there is no WebSphere Application Server Proxy, you communicate directly with the nodes on these ports (for end-user requests). Used when a cluster of servers is fronted by a load balancer or WebSphere Application Server Proxy. |