Firewall rules - Johnson Controls - LIT-12013045 - Software Application - OpenBlue Central Utility Plant - v2023.Q4

OpenBlue Plant Optimizer Security and IT Guide

Brand: Johnson Controls
Product name: OpenBlue Central Utility Plant
Document type: Security and IT Guide
Document number: LIT-12013045
Version: v2023.Q4
Revision date: 2023-12-13
Language: English
Table 1. Firewall rules for Plant Optimizer

| Source | Destination | Port | Protocol | Connection details |
|---|---|---|---|---|
| Application VM | Database VM | 1433 | Raw socket | Standard SQL Server port |
| End user network | Application VM | 443 | HTTPS | User interaction with web front end |
| CPO-NAE VM | Application VM | 47808 | BACnet/IP over UDP | Bidirectional communication for BAS data |
| Application VM | CPO-NAE | 47808 | BACnet/IP over UDP | Bidirectional communication for BAS data |
| Application VM | CPO-NAE | 443 | HTTPS | Additional user/point data pulled from web API |
| Application VM | CPO-NAE | 80 | HTTP | Additional user/point data pulled from web API |
| Application VM | *.noaa.gov (internet) | 443 | HTTPS | Weather forecast – https://graphical.weather.gov |
| Application VM | *.accuweather (internet) | 443 | HTTPS | Weather forecast – https://xml.efas.aes.accuweather.com/ |
| Application VM | *.logdna.com (internet) | 443 | HTTPS | Outbound-only port for log shipping for technical support to the LogDNA dashboard |
| Application VM | *.planningtoolapi.mysmartcentralplant.com (internet) | 443 | HTTPS | Optional outbound-only port to the CUP Plant Simulator API |
| Application VM | *.jemprod.myenterprisemanagement.com (internet) | 80 | HTTPS | Optional outbound-only port to JCI EIMS for authentication to the CUP Plant Simulator |
| JCI VPN | All CPO VMs | 3389 | RDP | Allows remote administration by JCI |
| JCI VPN | All CPO VMs | 10933 | Raw socket | Allows automated deployments from Octopus |
| OpenBlue Bridge | OpenBlue Cloud | 443 | HTTPS, AMQP, MQTT | OpenBlue Cloud authentication, telemetry data, command and control |
| OpenBlue Bridge | OpenBlue Cloud | 443 | HTTPS | OpenBlue Bridge device updates |
| OpenBlue Bridge | OpenBlue Cloud | 53 | DNS | Public DNS servers, if none are available on the customer network |
| OpenBlue Bridge | OpenBlue Cloud | 123 | NTP | Public NTP server, if none is available on the customer network |
| Application VM | *.jemprod.myenterprisemanagement.com/authorization/; *.jemprod.myenterprisemanagement.com/validation/; *.jemprod.myenterprisemanagement.com/security/ | 443 | HTTPS | Access to the OpenBlue Enterprise Manager EIMS API |
| Application VM | *.jemprod.myenterprisemanagement.com/entity/ | 443 | HTTPS | Access to the OpenBlue Enterprise Manager Entity API |
| Application VM | *.jemprod.myenterprisemanagement.com/timeseries/; *.jemprod.myenterprisemanagement.com/java/ | 443 | HTTPS | Access to the Time Series API |
| Application VM | *jemprod.myenterprisemanagement.com/license/ | 443 | HTTPS | Access to the OpenBlue Enterprise License Management API |
| Application VM | *.jemprod-publisher.myenterprisemanagement.com/; *.jemprod-websocket.myenterprisemanagement.co | 443 | HTTPS | Access to the OpenBlue Enterprise Message Broker API |
| Application VM | *.jemprod.myenterprisemanagement.com/heartbeatapi/ | 443 | HTTPS | Access to the OpenBlue Enterprise Heartbeat API |
| Application VM | *.jemp-autoconfiguration-ui.azurewebsites.net | 443 | HTTPS | OpenBlue Auto Configurator UI (OBAC) |
| Application VM | *.jemp-autoconfigurationtool.azurewebsites.net | 443 | HTTPS | OpenBlue Auto Configurator API (OBAC) |
| Application VM | *.jcids.jfrog.io | 443 | HTTPS | OpenBlue Bridge installation and maintenance |
Note: To use weather services, apply the corresponding firewall rules; you only need to enable one weather-forecast destination. Use AccuWeather outside North America. Fully air-gapped sites that operate on load prediction do not need weather forecast services.
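Table 1 is an allow-list, so a useful operational check is to audit the egress policy actually deployed on the Application VM against it: every documented destination the site needs should be present, nothing undocumented should be open, and no rule should be so broad that it defeats the list. The following script is an added example, not Johnson Controls code; it transcribes the internet-bound Application VM rows of Table 1, and the `(destination, port, protocol)` rule format, the `air_gapped`/`uses_simulator` site flags and `SAMPLE_POLICY` are its own constructions.

```python
"""Audit a candidate egress policy for the Plant Optimizer Application VM against Table 1.
Added example, not Johnson Controls code: documented rows are transcribed from the
internet-bound Application VM rows of Table 1; SAMPLE_POLICY and the (dest, port, proto)
tuple format are this script's own constructions."""
from fnmatch import fnmatch

# Only one weather destination is needed (note under Table 1).
WEATHER_ANY_ONE = {
    ("*.noaa.gov", 443, "HTTPS"),         # North America
    ("*.accuweather.com", 443, "HTTPS"),  # Table 1 writes "*.accuweather"; host is xml.efas.aes.accuweather.com
}
REQUIRED = {("*.logdna.com", 443, "HTTPS")}  # outbound-only log shipping
SIMULATOR_OPTIONAL = {                       # only for sites that use the CUP Plant Simulator
    ("*.planningtoolapi.mysmartcentralplant.com", 443, "HTTPS"),
    ("*.jemprod.myenterprisemanagement.com", 80, "HTTPS"),  # port/protocol as printed in Table 1
}
BROAD_DESTINATIONS = {"*", "any", "0.0.0.0/0"}  # a rule to these is no longer an allow-list

def satisfies(candidate, documented):
    """True when a candidate (dest, port, proto) rule lies within a documented row."""
    c_dest, c_port, c_proto = candidate
    d_dest, d_port, d_proto = documented
    return fnmatch(c_dest.lower(), d_dest) and c_port == d_port and c_proto.upper() == d_proto

def audit(policy, air_gapped=False, uses_simulator=False):
    """Report documented rows the policy lacks, rows Table 1 does not document, and over-broad rows."""
    # Air-gapped sites run on load prediction (Table 1 note) and have no internet path, so no row applies.
    expected = set() if air_gapped else set(REQUIRED)
    if uses_simulator and not air_gapped:
        expected |= SIMULATOR_OPTIONAL
    missing = [d for d in expected if not any(satisfies(c, d) for c in policy)]
    weather = set() if air_gapped else WEATHER_ANY_ONE
    if weather and not any(satisfies(c, w) for c in policy for w in weather):
        missing.append("one of: " + " / ".join(sorted(w[0] for w in weather)))
    unexpected = [c for c in policy if not any(satisfies(c, d) for d in expected | weather)]
    too_broad = [c for c in policy if c[0] in BROAD_DESTINATIONS]
    return {"missing": missing, "unexpected": unexpected, "too_broad": too_broad}

# Constructed policy for a North American site without the simulator, where someone
# has also opened HTTPS to the whole internet.
SAMPLE_POLICY = [
    ("*.noaa.gov", 443, "HTTPS"),
    ("*.logdna.com", 443, "HTTPS"),
    ("*", 443, "HTTPS"),
]

if __name__ == "__main__":
    for finding, rows in audit(SAMPLE_POLICY).items():
        print(f"{finding}: {rows}")
```

The same `audit` call with `uses_simulator=True` adds the two optional Plant Simulator rows to what is expected, and `air_gapped=True` expects no internet-bound rows at all, so any that are present are reported as unexpected.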
Table 2. Local/Intranet Connectivity

| Direction | Port number | Transport protocol | Protocol | Required | Endpoint | Purpose |
|---|---|---|---|---|---|---|
| Bidirectional | 47808 (the port can be whatever the BMS settings specify) | UDP | BACnet/IP | Yes | IP addresses of the OpenBlue Bridge and all engines | To collect BACnet data and push it to OpenBlue Cloud |

Network latency requirements

The application requires manual intervention if Plant Optimizer takes more than one minute to push operational instructions back to the plant automation system.