Edit: I would imagine some ports have changed in the last 6 years.
Originally posted August 12, 2014 on AIXchange
You’ve been asked to connect your HMC to IBM Support. The network team wants to know about the different connectivity options. They need to know which IP addresses must be opened across the firewall.
What do you do? First, read this:
“This document describes data that is exchanged between the Hardware Management Console (HMC) and the IBM Service Delivery Center (SDC) and the methods and protocols for this exchange. This includes the configuration of Call Home (Electronic Service Agent) on the HMC for automatic hardware error reporting. All the functionality that is described herein refers to Power Systems HMC version V6.1.0 and later as well as the HMC used for the IBM Storage System DS8000.
“Outbound configurations are used to configure the HMC to connect back to IBM. The HMC uses the IBM Electronic Service Agent tool to connect to IBM for various situations including reporting problems, reporting inventory, transmitting error data, and retrieving system fixes. The types of data the HMC sends to IBM are covered in more detail in Section 4.”
Included are diagrams that show different scenarios for sending data to IBM, including with/without a proxy server, using a VPN, or even using a modem (though IBM does recommend Internet connectivity). Specific options include pass-through server connectivity, multi-hop VPN, and remote modem. IBM states that there are no inbound communications; all communications are outbound only.
Further, IBM explains why your machine may need to “call home”:
* To report to IBM a problem with the HMC or one of the systems it’s managing.
* To download fixes for systems managed by the HMC.
* To report to IBM inventory and system configuration information.
* To send extended error data for analysis by IBM.
* To close an open problem.
* To report heartbeat and status of monitored systems.
* To send performance and utilization data for system I/O, network, memory, and processors.
There’s also a list of the files that are sent to IBM, and the authors point out that no client data is sent to IBM.
On that note, here’s IBM’s statement on data retention:
“When Electronic Service Agent on the HMC opens up a problem report for itself, or one of the systems that it manages, that report will be called home to IBM. All the information in that report will be stored for up to 60 days after the problem has been closed. Problem data that is associated with that problem report will also be called home and stored. That information and any other associated packages will be stored for up to three days and then deleted automatically. Support Engineers that are actively working on a problem may offload the data for debugging purposes and then delete it when finished. Hardware inventory reports and other various performance and utilization data may be stored for many years.
“When the HMC sends data to IBM for a problem, the HMC will receive back a problem management hardware number. This number will be associated with the serviceable event that was opened. The HMC may also receive a filter table that is used to prevent duplicate problems from being reported over and over again.”
Finally, there’s this list of the IP addresses that need to be allowed across any firewalls. All connections use port 443 TCP:
Americas:
* 129.42.160.48
* 129.42.160.49
* 207.25.252.200
* 207.25.252.204
Non-Americas:
* 129.42.160.48
* 129.42.160.50
* 207.25.252.200
* 207.25.252.205
IBM adds that when an inbound remote service connection to the HMC is active, only these ports are allowed through the firewall for TCP and UDP:
* 22, 23, 2125, 2300 — These ports are used for access to the HMC.
* 9090, 9735, 9940, 30000-30009 — These ports are used for Web-based System Manager (POWER5).
* 443, 8443 — These ports are used for Web-based user interface (POWER6).
* 80 — This port is used for code downloads.
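As an added example (not from the original post or from IBM’s document), here is a small Python audit that checks firewall log lines against the outbound Call Home allow-list and the inbound remote service ports listed above. The log line format, the HMC address 10.1.1.5 and the peer addresses are constructed assumptions.

```python
import re
from typing import List, Optional

# Destinations and port quoted in the post; all Call Home traffic is outbound TCP 443.
CALL_HOME_DESTS = {
    "americas": {"129.42.160.48", "129.42.160.49", "207.25.252.200", "207.25.252.204"},
    "non-americas": {"129.42.160.48", "129.42.160.50", "207.25.252.200", "207.25.252.205"},
}
CALL_HOME_PORT = 443
# Inbound ports the post says are open while a remote service connection is active.
REMOTE_SERVICE_PORTS = {22, 23, 2125, 2300, 9090, 9735, 9940, 443, 8443, 80} | set(range(30000, 30010))

# Constructed log format (assumption): "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def audit_line(line: str, hmc_ip: str, region: str) -> Optional[str]:
    """Return a finding for one firewall log line, or None if the flow matches the allow-list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return f"unparseable: {line.strip()}"
    ts, action, proto, src, _sport, dst, dport = m.groups()
    dport = int(dport)
    if src == hmc_ip:  # outbound from the HMC: must be TCP 443 to the regional allow-list
        if proto != "TCP" or dport != CALL_HOME_PORT:
            return f"{ts} HMC egress on {proto}/{dport} to {dst}; Call Home uses TCP/443 only"
        if dst not in CALL_HOME_DESTS[region]:
            return f"{ts} HMC egress to {dst}:{dport} is not in the {region} allow-list"
        return None
    if dst == hmc_ip:  # inbound to the HMC: only the remote service ports are expected
        if dport not in REMOTE_SERVICE_PORTS:
            return f"{ts} inbound {proto}/{dport} to the HMC from {src} ({action}) is outside the remote service port set"
        return None
    return None  # flow does not involve the HMC

def audit(lines: List[str], hmc_ip: str, region: str) -> List[str]:
    """Run audit_line over every line and keep only the findings."""
    return [f for f in (audit_line(line, hmc_ip, region) for line in lines) if f]

# Constructed sample log: the HMC is 10.1.1.5; 203.0.113.9 and 192.0.2.7 are documentation addresses.
SAMPLE_LOG = """\
2020-08-12T10:00:01 ALLOW TCP 10.1.1.5:51234 -> 129.42.160.48:443
2020-08-12T10:00:02 ALLOW TCP 10.1.1.5:51235 -> 129.42.160.49:443
2020-08-12T10:00:03 DENY TCP 10.1.1.5:51236 -> 129.42.160.48:80
2020-08-12T10:00:04 ALLOW UDP 10.1.1.5:51237 -> 203.0.113.9:443
2020-08-12T10:00:05 ALLOW TCP 192.0.2.7:40000 -> 10.1.1.5:22
2020-08-12T10:00:06 ALLOW TCP 192.0.2.7:40001 -> 10.1.1.5:5901
2020-08-12T10:00:07 ALLOW TCP 10.1.1.9:4000 -> 10.1.1.10:443
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "10.1.1.5", "non-americas"):
        print(finding)
```

Run against the sample, the non-Americas allow-list yields four findings (129.42.160.49 is an Americas-only address, the port 80 and UDP attempts, and the inbound 5901 connection); switching the region to "americas" drops the first of those.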
Take a few moments to read this document. Or, even better, send it to your network team so they can read it for themselves.