Edit: Still good information.
Originally posted February 17, 2015 on AIXchange
In this August 2014 post I discussed how to connect your HMC to IBM Support.
That post includes a link to a .pdf document that outlines the different connectivity options. However, this IBM technote seems easier to work with:
“The following is a list of ports used by the HMC. The “Inbound application” column identifies ports where the HMC acts as a server that remote client applications connect to. Examples of remote client applications include the browser based remote access and remote 5250 console. Ports used by remote clients need to be enabled in the HMC firewall. They must also be enabled in any firewall that is between a remote client and HMC.
The “Outbound application” column identifies ports where the HMC acts as a client, initiating communications to the port on a remote server. Functions are further classified as Intranet or Internet. Intranet functions are typically limited to communications between the HMC and another HMC, partition or server inside the network. Internet functions require access to the Internet, directly or, in some cases, via a proxy. Because UDP is a directionless protocol, the HMC firewall must be enabled for UDP ports even though the communications may be initiated from the HMC. “Outbound” application ports must be enabled in external firewalls for the function to work. …”
The document then provides a lengthy list of commonly used ports. It also lists some typical configurations:
- Firewall between the HMC and remote users: 443, 9960, 12443, 2300, 2301, 22
- Firewall between HMC and other HMCs/partitions: Bi-directional 657 tcp/udp, 9900 udp, 9920
- Firewall between the HMC and the Internet: Internet VPN 500/4500 udp, outbound 80, 443; outbound FTP
- Firewall between the HMC and the Managed Server: TCP 443, 30000, 30001
If you’re looking for more information on setting up your HMC to call home, here’s another good how-to document that discusses setting up AIX or Linux to use a management console to connect to IBM service and support:
“This procedure contains the complete list of steps that are needed to set up connectivity to service and support. Some of these steps might already have been completed during the initial server setup. If so, you can use this procedure to verify that the steps were completed correctly.
In this information, an Internet connection is defined as access to the Internet from a logical partition, server, or a management console by direct or indirect access. Indirect means that you are behind a network address translation (NAT) firewall. Direct means that you have a globally routable address without an intervening firewall, which would block the ports that are needed for communication to service and support.”
On an unrelated note, if you have an issue with VIO server tasks on the HMC, this document may be helpful:
Error “3003c 2610-366” after apply of Service Pack 1
Technote (troubleshooting)
Problem(Abstract)
The apply of V8R8.1.0 Service Pack 1 or V7R9.1.0 Service Pack 1 may cause some VIOS related tasks to fail. Impacted HMC tasks include Manage PowerVM and Manage partitions task in the new V8R8 “enhanced GUI” as well as the Performance and Capacity Monitor (PCM). External applications using the HMC REST API such as IBM PowerVC are also impacted. The error text will typically include the error message “3003c 2610-366 The action array contains an undefined action name at index 0: VioService.”
Contact IBM support for the circumvention until a fix is available.