Protocols and ports tables - Metasys - LIT-12011279 - General System Information - Metasys System - 10.1

Network and IT Guidance Technical Bulletin

Brand: Metasys
Product name: Metasys System
Document type: Technical Bulletin
Document number: LIT-12011279
Version: 10.1
Revision date: 2019-12-20
Language: English
Note: The Metasys system uses Bluetooth technology only as an option to commission a select number of devices. Bluetooth technology is not used for system communication in any way after initial commissioning. The Metasys system also uses the MAP Gateway for device commissioning. For details, refer to the Mobile Access Portal Gateway Network and IT Guidance Technical Bulletin (LIT-12012015).

Table 1 lists the Ethernet (wired IP) ports and protocols the Metasys system uses, and Table 2 lists the wireless ones, together with the Metasys devices that use each port.

Important: Johnson Controls is not responsible for a customer's decision to open or close ports that we consider non-essential. Consult with your technical and security teams before opening or closing a port. Ports or services not described in these tables are not used by the Metasys system and may be closed at the customer's discretion. Ports in these tables that are not required at a customer site may also be closed at the customer's discretion. To close a port, see Closing ports.
Table 1. Ethernet Protocols and Ports

Each entry gives the columns of the original table in order: Port, Protocol, Uses (transport), Metasys Device, Description. A bracketed number after a protocol name refers to the footnotes that follow Table 2.

Port 22, SSH over TCP
  Metasys device: Network Engine (Linux OS only)
  Description: Used to remotely access a network engine from a laptop. This function is available only to authorized personnel using Johnson Controls laptops.

Port 23, Telnet over TCP
  Metasys device: Network Engine
  Description: Telnet is no longer available for network engines at Release 10.0 or later.

Port 25, SMTP over TCP
  Metasys device: NAE35/NCE25
  Description: Provides remote access to the device over the Internet or local area network.

Port 25, SMTP over TCP
  Metasys device: ADS/ADX/OAS/ODS; Network Engine
  Description: Used for alarms and events.

Port 53, DNS over UDP
  Metasys device: Active Directory Client; ADS/ADX/OAS/ODS; Computer (Web Browser); Network Engine
  Description: Translates domain names into numerical IP addresses. This port allows the server to receive responses to DNS queries.

Ports 67 and 68, DHCP over UDP
  Metasys device: Active Directory Client; ADS/ADX/OAS/ODS; Computer (Web Browser); Network Engine
  Description: Assigns and keeps track of dynamic IP addresses and other network configuration parameters. Alternate method: use static IP addresses.

Port 69, TFTP [2] over UDP
  Metasys device: Metasys SCT; Network Engine
  Description: Downloads new images to NAEs. Note: This port is used only while an NAE is being provisioned and is not used during system runtime.

Port 80, HTTP [2] over TCP
  Metasys device: ADS/ADX/OAS/ODS; Computer (Web Browser); Network Engine; SCT
  Description: Provides communication between peer controllers, computers, and other Internet systems using SOAP over HTTP. The ADS/ADX/ODS requires only Port 80 to be open to receive communication from client devices. Port 80 is the standard HTTP port. Note: For a higher level of security, at Metasys system Release 8.1 or later you can close Port 80 (incoming and outgoing). See Closing ports.

Port 80, HTTP over TCP
  Metasys device: NAE Update Tool
  Description: Used for file transfers between the client computer and the network engine.

Port 88, Kerberos over TCP and UDP
  Metasys device: ADS/ADX/OAS/ODS (Member of Domain X); ADX Split Web/Application Server (Member of Domain X); Metasys System Client (Member of any Domain); SCT (Member of Domain X)
  Description: Used by the Metasys system for Active Directory service authentication at the Metasys system login screen, and for Service Account authentication prior to LDAP queries. Kerberos is a standard network authentication protocol that provides strong authentication for client/server applications using secret-key cryptography. It is the primary authentication protocol within an Active Directory service domain. Kerberos authentication relies on client functionality built into the Windows operating systems supported by Metasys software.

Port 110, POP3 over TCP
  Metasys device: Computer (Web Browser)
  Description: Receives and holds email for downloading from your Internet server. POP3 is allowed in the Metasys system only for authentication from an SMTP server. Note: Firewall rules are not necessary to allow access in most cases because this server should be behind the firewall.

Port 123, NTP over UDP
  Metasys device: ADS/ADX/OAS/ODS (Member of Domain X); ADX Split Web/Application Server (Member of Domain X); Metasys System Client (Member of any Domain); SCT (Member of Domain X)
  Description: Used for time synchronization across a network between client computers and server-class operating system host computers.

Port 123, SNTP [2] over UDP
  Metasys device: ADS/ADX/OAS/ODS; Network Engine
  Description: Used to synchronize computer clocks over a network between a server and its clients. SNTP is not required for all systems.

Port 135, Remote Procedure Call (RPC) over TCP
  Metasys device: ADS/ADX/OAS/ODS (Member of Domain X); ADX Split Web/Application Server (Member of Domain X); Metasys System Client (Member of any Domain); SCT (Member of Domain X)
  Description: Used by IIS on the ADS/ADX, OAS/ODS, and SCT during SSO authentication (Windows Integrated Authentication). If SSO is disabled in the Metasys system, this port and protocol are not used by the Metasys system; however, if the ADS/ADX, OAS/ODS, SCT, or Metasys client (or any combination of them) are members of an Active Directory service domain, this port and protocol are used for Active Directory service functionality.

Port 161, SNMP [2] over UDP
  Metasys device: ADS/ADX/OAS/ODS; Metasys UI; Network Engine; SCT
  Description: Provides network monitoring and maintenance. Typically notifies IT department personnel of alarms that are of interest to them, such as data center environmental conditions. The site must use a network management system capable of receiving SNMP traps. Alternate method: if the system allows, use email destinations for remote alarm notification instead of SNMP.

Port 389, LDAP over TCP
  Metasys device: ADS/ADX/OAS/ODS (Member of Domain X); ADX Split Web/Application Server (Member of Domain X); Metasys System Client (Member of any Domain) [3]; SCT (Member of Domain X)
  Description: Used by the Metasys system to access user objects and attributes within Active Directory service. LDAP is a standard communication protocol for directories located on TCP/IP networks. It defines how a directory client can access a directory server, perform directory operations, and share directory data.

Port 443, HTTPS (SSL/TLS) over TCP
  Metasys device: ADS/ADX/OAS/ODS (Member of Domain X); Metasys Advanced Reporting ADX; Network Engine; SCT (Member of Domain X); Metasys UI and Metasys UI Offline; Computer (web browser)
  Description: Required if you use SSL with your reporting ADX. Required if you use TLS with the Metasys UI and the Metasys UI Offline for site security. Port 443 is used for secure web browser communication: TLS protects the data in transit against eavesdropping and tampering, and lets the client verify the identity of the server it is connected to, provided the client trusts the server's certificate. Web servers that accept secure connections listen on this port for browsers requesting strong communication security.

Port 445, NTLMv2 (SMB) over TCP
  Metasys device: ADS/ADX/OAS/ODS (Member of Domain X); ADX Split Web/Application Server (Member of Domain X); Metasys System Client (Member of any Domain); SCT (Member of Domain X)
  Description: Used during Metasys system SSO authentication. NTLMv2 is a network authentication protocol developed by Microsoft and the secondary authentication protocol within an Active Directory service domain: if a domain client or domain server cannot use Kerberos authentication, NTLM authentication is used instead.

Port 465, SMTP over TCP
  Metasys device: ADS/ADX/OAS/ODS; Network Engine
  Description: Used for alarms and events. Port 465 is the conventional port for SMTP with implicit TLS.

Port 514, Syslog over UDP
  Metasys device: ADS/ADX/OAS/ODS; Network Engine; SCT
  Description: Sends the device's configured audit log entries and alarm notifications to the central repository of an external, industry-standard Syslog server, conforming to RFC 3164.

Port 587, SMTP over TCP
  Metasys device: ADS/ADX/OAS/ODS; Network Engine
  Description: Used for alarms and events. Port 587 is the SMTP message submission port.

Port 995, POP3 over TCP
  Metasys device: Computer (Web Browser)
  Description: Receives and holds email for downloading from your Internet server. POP3 is allowed in the Metasys system only for authentication from an SMTP server. The mail server uses port 995 for SSL/TLS connections for POP3 access. Note: Firewall rules are not necessary to allow access in most cases because this server should be behind the firewall.

Port 1025, Remote Procedure Call (RPC) over TCP
  Metasys device: ADS/ADX/OAS/ODS (Member of Domain X); ADX Split Web/Application Server (Member of Domain X); Metasys System Client (Member of any Domain); SCT (Member of Domain X)
  Description: Used by IIS on the ADS/ADX/OAS/ODS/SCT during SSO authentication (Windows Integrated Authentication). If SSO is disabled in the Metasys system, this port and protocol are not used by the Metasys system; however, if the ADS/ADX/OAS/ODS/SCT or Metasys client (or any combination of them) is a member of an Active Directory service domain, this port and protocol are used for Active Directory service functionality.

Port 1433, Microsoft SQL Server Database over TCP
  Metasys device: ADX; Metasys ADX Split Database Server (Member of Domain X)
  Description: Used between the web/application server and database server computers when the ADX is split across two devices.

Port 1812, RADIUS over UDP
  Metasys device: Network Engine; ADS/ADX/OAS/ODS; SCT
  Description: Lets the server and network engines authenticate non-local user access through a Remote Authentication Dial-In User Service (RADIUS) server. The server and network engines use RADIUS to verify the identity of authorized non-local users of the system.

Port 3389, Remote Desktop Protocol (RDP) over TCP
  Metasys device: NAE55/NIE (Windows Embedded OS only)
  Description: Used to log in to the operating system of a device from a remote computer. The RDP service is normally disabled and is enabled only through the NxE Information and Configuration Tool (NCT).

Port 4096, N2 Protocol over UDP
  Metasys device: NAE55 (Windows Embedded OS only)
  Description: Used for N2 tunneling over Ethernet on trunk 1. The N2 technology option provides a serial data port, allowing variable speed drives (VSDs) to link and form a network.

Port 4097, N2 Protocol over UDP
  Metasys device: NAE55 (Windows Embedded OS only)
  Description: Used for N2 tunneling over Ethernet on trunk 2. The N2 technology option provides a serial data port, allowing variable speed drives (VSDs) to link and form a network on the SA Bus.

Port 9910, Microsoft Discovery Protocol [2] over TCP and UDP
  Metasys device: Network Engine; SCT; NCT and NAE Update Tool
  Description: Used by NCT to get diagnostic information from devices on the same network.

Port 9911, Metasys Private Message [2] over UDP
  Metasys device: SCT
  Description: Used by SCT to broadcast a message to the local network segment when a user selects the device discovery menu item. Any Metasys node that receives this broadcast responds on UDP port 9911 with its device configuration information, which is displayed in the device discovery window.

Port 10050, TCP (protocol not named in the source)
  Metasys device: NAE Update Tool
  Description: Used during NAE Update Tool operations such as updating an image on a network engine. Not used with SNC and SNE engines.

Port 11001, N1 Protocol over UDP
  Metasys device: NCM; NIE5x
  Description: Provides N1 message transmission (a proprietary packet encoded in UDP) for devices at Release 9.0 or earlier. If you are connecting to multiple N1 networks, the port is unique for each N1 network. Network Control Modules automatically configure themselves to use Port 11001. Start numbering other networks in the Multi-network configuration with 11003 and continue sequentially. Do not use a UDP Port Address (UDPPA) of 11002: that value is used by the Metasys Ethernet Router and should be avoided even if no Metasys Ethernet Routers are in the system. The recommended addressing for five N1 networks is 11001, 11003, 11004, 11005, 11006.

Port 12000, UberDebug Service over TCP
  Metasys device: Metasys System
  Description: Used by Metasys software for debugging and logging.

Port 47808, BACnet/IP Protocol over UDP
  Metasys device: NAE/NCE
  Description: Refer to the BACnet Controller Integration with NAE/NCE Technical Bulletin (LIT-1201531). If you are connecting to multiple BACnet networks, the port is unique for each BACnet network. The default port number is 47808. Choose additional UDP ports that do not conflict with a port that is already in use.
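
The Syslog entry in Table 1 (UDP 514, RFC 3164) is the one port that carries the system's audit log and alarm notifications off the box, so it is worth seeing the format concretely. The following Python is an added example written for this page, not Johnson Controls code: it encodes messages in the RFC 3164 layout, parses them back into facility and severity, and triages them with the check a collector on UDP 514 actually needs, which is trust by datagram source address rather than by the self-reported HOSTNAME field (RFC 3164 over UDP has no authentication, so the text of a message can be forged by anyone who can reach port 514). The engine names, tags and message bodies are constructed for the example; the actual Metasys message text is not documented on this page.

```python
"""RFC 3164 syslog over UDP, as used on port 514 by Metasys servers and engines.

Added example, not Johnson Controls code. Hostnames, tags and message bodies
below are constructed; the trusted-source address is an assumption.
"""
import re
import socket
from dataclasses import dataclass
from datetime import datetime

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SAMPLE_TIME = datetime(2019, 12, 20, 8, 5, 0)

# Assumed collector allow-list: the addresses of the Metasys hosts configured
# to forward audit entries and alarms (loopback here so the example runs locally).
TRUSTED_SOURCES = {"127.0.0.1"}

# <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG, with the space-padded RFC 3164 day.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str       # self-reported by the sender, so not a trust anchor
    tag: str
    message: str
    source_ip: str  # taken from the UDP datagram, the only field worth trusting


def build_rfc3164(facility, severity, host, tag, msg, when=SAMPLE_TIME):
    """Encode one message; PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {msg}".encode("ascii")


def parse_rfc3164(datagram, source_ip):
    """Decode a datagram; raises ValueError for anything that is not RFC 3164."""
    m = _RFC3164.match(datagram.decode("ascii", errors="replace"))
    if m is None or int(m["pri"]) > 191:
        raise ValueError(f"not an RFC 3164 message: {datagram!r}")
    pri = int(m["pri"])
    return SyslogEvent(pri // 8, pri % 8, m["ts"], m["host"], m["tag"], m["msg"], source_ip)


def triage(events, trusted=TRUSTED_SOURCES):
    """Return (reason, event) pairs an operator should look at."""
    findings = []
    for ev in events:
        if ev.source_ip not in trusted:
            findings.append(("untrusted-source", ev))  # forged or misrouted feed
        elif ev.severity <= 3:
            findings.append(("alarm", ev))             # emerg, alert, crit, err
        elif "login failed" in ev.message.lower():
            findings.append(("failed-login", ev))      # audit entry worth counting
    return findings


def sample_messages():
    """Constructed datagrams standing in for engine and server output."""
    return [
        build_rfc3164(4, 6, "nae55-floor2", "audit", "User jsmith login OK"),
        build_rfc3164(4, 4, "nae55-floor2", "audit", "User jsmith login failed"),
        build_rfc3164(16, 2, "adx-01", "alarm", "AHU-1 Supply Temp High Alarm"),
    ]


def loopback_exchange(messages, collector_port=0):
    """Send datagrams to a local collector and return the parsed events.

    Port 0 asks the OS for a free port so this runs unprivileged; a real
    collector binds UDP 514 and keeps the source-address check.
    """
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        collector.bind(("127.0.0.1", collector_port))
        collector.settimeout(2.0)
        for m in messages:
            sender.sendto(m, collector.getsockname())
        events = []
        for _ in messages:
            data, (src_ip, _port) = collector.recvfrom(2048)
            events.append(parse_rfc3164(data, src_ip))
        return events
    finally:
        sender.close()
        collector.close()


if __name__ == "__main__":
    for reason, ev in triage(loopback_exchange(sample_messages())):
        print(reason, ev.host, SEVERITY_NAMES[ev.severity], ev.message)
```

Because the transport is plain UDP, the only defensible filter is the source address on the datagram, and even that assumes the network between engine and collector is not spoofable; a site that needs integrity on its audit trail should put the 514 path on a segment the building network cannot inject into.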

Table 2. Wireless Ports and Protocols

Each entry gives the columns of the original table in order: Port Number, Protocol, Uses (transport), Wireless Protocol, Metasys Device, Description.

Port 80, HTTP over TCP (802.11b/802.11g)
  Metasys device: Computer (Web Browser)
  Description: Web browser access to the Metasys system over a wireless LAN; the same HTTP use as the Port 80 entry in Table 1.

Port 4050 [5], Wireless Many-to-One Sensing over UDP (802.15.4)
  Metasys device: WRS-RTN
  Description: Used for wireless supervisor integration; recommended UDP port number.

Port 47808, Wireless ZigBee over UDP (802.15.4)
  Metasys device: Wireless Network Coordinator (WNC)
  Description: Used for wireless supervisor integration; recommended UDP port number.

Footnotes to Tables 1 and 2:
[1] Generally recorded by the IANA.
[2] Required for proper functionality of SCT features (for example, Device Discovery and Device Debug); this port is usually closed and is open only while certain SCT features are in use.
[3] LDAP is used by the Metasys system client only if a Windows Active Directory service search tool is used (for example, Start > Search > For People).
[4] This port number is registered to Johnson Controls.
[5] If this port is in use, it can be reconfigured to another port.
[6] Johnson Controls proprietary protocol.
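
To turn the tables into a site-specific allow-list, as the Important note above leaves to the customer, the following Python is an added example written for this page, not Johnson Controls tooling. It encodes Table 1 as data, derives which ports must stay open for the features a site actually uses, classifies every other listed port as closable (commissioning-only, cleartext, or simply unused), probes a host for TCP listeners, emits inbound Windows Firewall rules for the server-class hosts (ADS/ADX/OAS/ODS), and applies the N1 UDPPA numbering rule from the Port 11001 entry. The feature names, the loopback probe target and the rule display names are assumptions made for the example; the port, transport and role of each entry come from Table 1.

```python
"""Port-posture check for a Metasys host, built from Table 1.

Added example, not Johnson Controls tooling. Port, transport and role come from
Table 1; the feature names, probe target and firewall rule names are assumptions.
"""
import socket

# (port, proto, name, role): role "always" means every site; any other role is
# the site feature that makes the port necessary at runtime.
TABLE1 = [
    (22, "tcp", "SSH, Linux engines, vendor laptops only", "vendor-support"),
    (23, "tcp", "Telnet, removed at Release 10.0", "retired"),
    (25, "tcp", "SMTP", "smtp"), (53, "udp", "DNS", "always"),
    (67, "udp", "DHCP", "dhcp"), (68, "udp", "DHCP", "dhcp"),
    (69, "udp", "TFTP image download", "commissioning"),
    (80, "tcp", "HTTP, closable at Release 8.1+", "http"),
    (88, "tcp", "Kerberos", "active-directory"), (88, "udp", "Kerberos", "active-directory"),
    (110, "tcp", "POP3 for SMTP auth", "pop-auth"), (995, "tcp", "POP3S for SMTP auth", "pop-auth"),
    (123, "udp", "NTP/SNTP", "always"), (161, "udp", "SNMP", "snmp"),
    (135, "tcp", "RPC", "active-directory"), (1025, "tcp", "RPC", "active-directory"),
    (389, "tcp", "LDAP", "active-directory"), (445, "tcp", "SMB/NTLMv2", "active-directory"),
    (443, "tcp", "HTTPS", "https"),
    (465, "tcp", "SMTP, implicit TLS", "smtp-tls"), (587, "tcp", "SMTP submission", "smtp-tls"),
    (514, "udp", "Syslog RFC 3164", "syslog"),
    (1433, "tcp", "SQL Server, split ADX", "split-adx"), (1812, "udp", "RADIUS", "radius"),
    (3389, "tcp", "RDP, NAE55/NIE Windows Embedded", "commissioning"),
    (4096, "udp", "N2 trunk 1", "n2"), (4097, "udp", "N2 trunk 2", "n2"),
    (9910, "tcp", "Discovery, NCT/SCT", "commissioning"), (9910, "udp", "Discovery, NCT/SCT", "commissioning"),
    (9911, "udp", "SCT device discovery", "commissioning"), (10050, "tcp", "NAE Update Tool", "commissioning"),
    (11001, "udp", "N1", "n1"), (12000, "tcp", "UberDebug", "debug"),
    (47808, "udp", "BACnet/IP", "bacnet"),
]
LISTED = {(p, pr) for p, pr, _, _ in TABLE1}
# Listed ports whose payload or authentication travels unprotected on the wire.
CLEARTEXT = {(23, "tcp"), (25, "tcp"), (69, "udp"), (80, "tcp"), (110, "tcp"),
             (161, "udp"), (514, "udp")}


def required_ports(features):
    """Ports Table 1 needs at runtime for a site that uses the given features."""
    return {(p, pr) for p, pr, _, role in TABLE1 if role == "always" or role in features}


def classify(port, proto, features):
    """Verdict for one listener: keep it, or why it should be closed."""
    key = (port, proto)
    if key not in LISTED:
        return "unlisted"  # not a Metasys port: investigate before trusting it
    if key in required_ports(features):
        return "required"
    role = next(r for p, pr, _, r in TABLE1 if (p, pr) == key)
    if role == "commissioning":
        return "close:commissioning-only"  # only open while SCT/NCT tools run
    if key in CLEARTEXT:
        return "close:cleartext"
    return "close:unused"


def probe_tcp(host, port, timeout=1.0):
    """True if a TCP listener completes the handshake; UDP needs a protocol probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_tcp(host, features, ports=None):
    """Probe the TCP ports Table 1 lists and classify every open one."""
    ports = ports or sorted({p for p, pr in LISTED if pr == "tcp"})
    return {p: classify(p, "tcp", features) for p in ports if probe_tcp(host, p)}


def block_rules(features):
    """Inbound Windows Firewall rules closing the non-required ports on a server host."""
    return [
        f'New-NetFirewallRule -DisplayName "Metasys close {pr.upper()} {p}" '
        f"-Direction Inbound -Protocol {pr.upper()} -LocalPort {p} -Action Block"
        for p, pr in sorted(LISTED - required_ports(features))
    ]


def n1_udp_ports(networks):
    """UDPPA values for N1 networks: 11001 first, then 11003 upward; 11002 is reserved."""
    return [11001] + [11002 + i for i in range(1, networks)]


if __name__ == "__main__":
    site = {"https", "active-directory", "syslog", "smtp-tls"}  # assumed site profile
    for port, verdict in audit_tcp("127.0.0.1", site).items():
        print(port, verdict)
    print("\n".join(block_rules(site)))
```

The probe only sees TCP; UDP services such as SNMP, Syslog and BACnet/IP need a protocol-aware check, and a "required" verdict still assumes the feature is genuinely in use at the site, which is the question the Important note asks you to settle with your technical and security teams first.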