What TCP/IP ports need to be opened in the firewall and used by Control-M/Enterprise Manager, Control-M/Server, and Control-M/Agent?

Knowledge Article

Article Number

000230698

Old Article Number

000031546

Article Type

FAQ/Procedural

Title

What TCP/IP ports need to be opened in the firewall and used by Control-M/Enterprise Manager, Control-M/Server, and Control-M/Agent? - INCLUDES VIDEO

Summary

What TCP/IP ports need to be opened in the firewall and used by Control-M/Enterprise Manager, Control-M/Server, and Control-M/Agent? (Video Included)

Product

Control-M/Enterprise Manager

Component

Control-M/Enterprise Manager

Applies to

All versions of Control-M/Enterprise Manager
All versions of Control-M/Server for UNIX and Microsoft Windows
All versions of Control-M/Agent for UNIX and Microsoft Windows

Question

- What TCP/IP ports are used by Control-M?
- What ports need to be opened in the firewall for Control-M communication?
- What are the ports used between Control-M/EM Server, Control-M/EM Clients, Control-M/Server and Control-M/Agent?
- What TCP/IP ports need to be opened in the firewall and used by Control-M/Enterprise Manager, Control-M/Server, and Control-M/Agent?

Answer

1a. Ports between CONTROL-M/EM clients and CONTROL-M/EM servers version 9.0.18 and higher

All communication between Control-M/EM clients and Server is through the Control-M/EM web server.
Therefore, the only port(s) that need to be opened in the firewall are the HTTP port (default 18080), and/or the HTTPS port (default 8443).

1b. Ports between CONTROL-M/EM clients and CONTROL-M/EM servers up to version 9.0.00

A. These ports are configured by the CORBA configuration utility (orbconfigure).

These ports need to be configured on the CONTROL-M/EM Server side. The EM components (GAS, GCS, GUI Server, Web Server, Self Service, Forecast, BIM) are set to use a random port # by default.

However, orbconfigure can set these components to use a range of ports that can then be opened in the firewall. We recommend a range of 24 ports (for v9). For example, 13100-13123.
These ports need to be opened for incoming traffic and allow bi-direction communication in these sessions

Parameter	Default	Need to open in Firewall	Description
CORBA Naming Service	13075	Yes	This is the Communications port used by the Control-M/EM client to communicate with the Control-M/EM CORBA server
Control-M/EM GUI Server	Random/Range	Yes	This is the Communications port used to perform all user-initiated functionality for Control-M/EM clients (GUI, Desktop, and CLI utilities)
Control-M/EM Global Alerts Server	Random/Range	Yes	This is the Communications port used to identify, maintain and distribute Control-M alerts to Control-M/EM GUIs
Control-M Configuration Server	Random/Range	Yes	This is the Communications port used by the CCM GUI to communicate with the Control-M Configuration Manager Server
Control-M/Forecast	Random/Range	Yes	This Communications port is needed for the Control-M/Desktop client to connect to Control-M/Forecast Server when performing a 'Forecast' action on a job that uses Calendars
BMC Batch Impact Manager Server	Random/Range	Yes	Control-M/EM GUI client needs this Communications port to connect to BIM when performing an 'add/edit BIM/Forecast Rules' action
Control-M Self-Service	Random/Range	Yes	Used by Self-Service client
Control-M Archived Server	Random/Range	Yes	Used by Self-Service clients and EM clients

B. The database port is used by the Reporting Facility and will need to be opened in the firewall for incoming traffic and allow bi-direction communication on the session

C. The Tomcat web server port is used by the V9 Workload Automation Client to verify the latest version of the Client, for end-user deployment, and On-line Help. The port is configured in ./etc/emweb/tomcat/conf/server.xml file

2. Ports between Control-M/EM Server, Control-M/Server and their respective databases

A. if the database is remote to Control-M/EM Server or Control-M/Server, then the port # that the database is listening on will need to be open in the firewall

This port should be open for incoming traffic to the Database and allow bi-directional communication during the session
in v9 with HA enabled using ProgreSQL the primary and the secondary machines need to be able to initiate a Database connection from one machine to the other. (See the HaWithPG diagram attached)

B. The Control-M/Server Configuration Agent port. (Default 2369)

This port should be open for incoming traffic from CMS to Control-M/Server and allow bi-directional communication on the session.

C. In HA environment Control-M/Server HA port (Default 2368)

The port should be open for incoming traffic on the secondary server and allow bi-directional communication on the session.
It is used for the communication between the two Control-M/Server CA (Configuration Agent) processes only.

D. The Gateway ports (Default 2370 and 2371)

These ports should be open for incoming traffic to Control-M/Server and allow bi-direction communication on these sessions

On version 7 and above, the Control-M/EM TCP/IP port is using a single port (Default 2370)

E. The API Gateway port (Default: 8393) For Control-M/Server 9.0.21 Only
Define environment variable BMC_INST_CTM_APIGTW_PORT to 8393 or any available port on the Control-M/Server. This port should be open for incoming traffic to Control-M/Server and allow bi-direction communication on these sessions.

3. Ports between Control-M/Server and Control-M/Agent

A. If 'persistent connection' is not used, then the following ports will have to be open in the firewall:

Process	Default	Description
Agent to Server Port	7005	Communication port from the Agent to Server. This will have to be open as incoming to Control-M/Server
Server to Agent Port	7006	Communication port from the Server to Agent. This will have to be open as incoming to Control-M/Agent

B. If 'persistent connection' is used, then only the Server to Agent Port will have to be open in the firewall

This port should be open for incoming traffic to Control-M/Agent and allow bi-direction communication during the session

Additional Information:

NOTE: Control-M HA configuration requires additional ports and configuration, please see 000105462.

Additional Information:
Customers viewing this solution may find value in the following self-help Connect with Control-M video.

The port diagram can be found on the ftp.bmc.com server for each release at
ftp.bmc.com/pub/control-m/opensystem/DB_Schemas/
use anonymous user to login to the server

Attachment(s):