Table 1, Table 2, and Table 3 describe the various IP protocols and how they relate to the Metasys system.

Port | Protocol | Uses | Metasys Device | Inbound (I) / Outbound (O) | Description |
---|---|---|---|---|---|
25 | SMTP | TCP | ADS/ADX/OAS | O | Used for alarms and events. |
25 | SMTP | TCP | NAE55/SNx/NAE85 | O | |
53 | DNS | UDP | Active Directory Client | I/O | Translates domain names into numerical IP addresses. This port allows the server to receive responses to DNS queries. |
53 | DNS | UDP | ADS/ADX/OAS | I/O | |
53 | DNS | UDP | Computer (Web Browser) | I/O | |
53 | DNS | UDP | NAE55/SNx/NAE85 | I/O | |
67, 68 | DHCP | UDP | Active Directory Client | I/O | Assigns and keeps track of dynamic IP addresses and other network configuration parameters. Alternate Method: Use static IP addresses. |
67, 68 | DHCP | UDP | ADS/ADX | I/O | |
67, 68 | DHCP | UDP | Computer (Web Browser) | I/O | |
67, 68 | DHCP | UDP | NAE55/SNx/NAE85 | I/O | |
69 | TFTP [2] | UDP | Metasys SCT | I/O | Downloads new images to NAEs. Note: This port is used only when the NAE is provisioned and is not used during system runtime. |
69 | TFTP [2] | UDP | NCE25/NAE45/NAE55 | I/O | |
80 | HTTP [2] | TCP | ADS/ADX/OAS | I | Provides communication between peer controllers, computers, and other systems using SOAP over HTTP. The ADS/ADX requires that only Port 80 be open to receive communication from client devices. Note: For a higher level of security, at Metasys system Release 8.1 or later, you can close Port 80 (incoming and outgoing). See Closing ports. |
80 | HTTP [2] | TCP | Computer (Web Browser) | I | |
80 | HTTP [2] | TCP | NAE55/SNx/NAE85 | I | |
80 | HTTP [2] | TCP | SCT/SCT Pro | I | |
80 | HTTP | TCP | NAE Update Tool | I | Used for file transfers between the client computer and the network engine pre Release 10.1. |
88 | Kerberos | TCP/UDP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by the Metasys system for Active Directory service authentication at the Metasys system login screen, and Service Account authentication prior to LDAP queries. Kerberos is a standard network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is the primary security protocol for authentication within an Active Directory service Domain. Kerberos authentication relies on client functionality built into the Windows operating systems supported by Metasys software. |
88 | Kerberos | TCP/UDP | ADX Split Web/Application Server (Member of Domain X) | I/O | |
88 | Kerberos | TCP/UDP | Metasys System Client (Member of any Domain) | I/O | |
88 | Kerberos | TCP/UDP | SCT (Member of Domain X) | I/O | |
110 | POP3 | TCP | Computer (Web Browser) | O | Receives and holds email for downloading from your Internet server. POP3 is allowed in the Metasys system only for authentication from a SMTP server. Note: Firewall rules are not necessary to allow access in most cases because this server should be behind the firewall. |
123 | NTP | UDP | ADS/ADX/OAS (Member of Domain X) | I/O | Used for time synchronization across a network between client computers and server-class operating system host computers. |
123 | NTP | UDP | ADX Split Web/Application Server (Member of Domain X) | I/O | |
123 | NTP | UDP | Metasys System Client (Member of any Domain) | I/O | |
123 | NTP | UDP | SCT (Member of Domain X) | I/O | |
123 | SNTP [2] | UDP | ADS/ADX/OAS | I/O | Used to synchronize computer clocks over a network between a server and its clients. SNTP is not required for all systems. |
123 | SNTP [2] | UDP | NAE55/SNx/NAE85 | I/O | |
135 | Remote Procedure Call (RPC) | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by IIS on the ADS/ADX, OAS, and SCT during the process of authentication during SSO (Windows Integrated Authentication). If SSO is disabled in the Metasys system, this port and protocol are not used by the Metasys system; however, if the ADS/ADX, OAS, SCT, or Metasys client, or any combination are members of an Active Directory service domain, this port and protocol are used for Active Directory service functionality. |
135 | Remote Procedure Call (RPC) | TCP | ADX Split Web/Application Server (Member of Domain X) | I/O | |
135 | Remote Procedure Call (RPC) | TCP | Metasys System Client (Member of any Domain) | I/O | |
135 | Remote Procedure Call (RPC) | TCP | SCT (Member of Domain X) | I/O | |
161 | SNMP [2] | UDP | ADS/ADX/OAS | O | Provides network monitoring and maintenance. Typically notifies IT department personnel of alarms that are of interest to them, such as data center environmental conditions. The site must use a network management system capable of receiving SNMP Traps. Alternate Method: If the system allows, use email destinations for remote alarm notification instead of SNMP. |
161 | SNMP [2] | UDP | Metasys UI | O | |
161 | SNMP [2] | UDP | NAE55/SNx/NAE85 | O | |
161 | SNMP [2] | UDP | SCT | I | |
162 | SNMP Trap | UDP | SCT Pro/NCT Tool | I | Used by Metasys devices at start up, this port announces discovery-related information. |
389 | LDAP | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by the Metasys system to access user objects and attributes within Active Directory service. LDAP is a standard communication protocol for directories located on TCP/IP networks. LDAP defines how a directory client can access a directory server and how the client can perform directory operations and share directory data. |
389 | LDAP | TCP | ADX Split Web/Application Server (Member of Domain X) | I/O | |
389 | LDAP | TCP | Metasys System Client (Member of any Domain) | I/O | |
389 | LDAP | TCP | SCT (Member of Domain X) | I/O | |
443 | Secure Sockets Layer (SSL) / Transport Layer Security (TLS) / HTTPS | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Metasys at 8.1 and higher uses HTTPS for communication between engines and the ADS/ADX/OAS and also between clients (SMP/MUI) and the ADS/ADX/OAS. |
443 | Secure Sockets Layer (SSL) / Transport Layer Security (TLS) / HTTPS | TCP | Metasys Advanced Reporting ADX | I | Required if you use SSL with your reporting ADX. |
443 | Secure Sockets Layer (SSL) / Transport Layer Security (TLS) / HTTPS | TCP | NAE55/SNx/NAE85 | I/O | Required if you use TLS with the Metasys UI and the Johnson Controls System Configuration Tool (JCT) for site security. Port 443 is used for secure web browser communication. Data transferred across such connections is highly resistant to eavesdropping and interception. Moreover, the identity of the remotely connected server can be verified with significant confidence. Web servers offering to accept and establish secure connections listen on this port for connections from web browsers desiring strong communication security. |
443 | Secure Sockets Layer (SSL) / Transport Layer Security (TLS) / HTTPS | TCP | SCT (Member of Domain X) | I | |
443 | Secure Sockets Layer (SSL) / Transport Layer Security (TLS) / HTTPS | TCP | Metasys UI and Johnson Controls System Configuration Tool (JCT) | I | |
443 | Secure Sockets Layer (SSL) / Transport Layer Security (TLS) / HTTPS | TCP | Computer (web browser) | O | |
443 | Secure Sockets Layer (SSL) / Transport Layer Security (TLS) / HTTPS | TCP | Background File Transfer (BFT) in SCT | I | With BFT, file transfers occur between the device and SCT where the device is the HTTPS client and SCT is the HTTPS server. |
445 | NT LAN Manager Version 2 (NTLMv2) | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used during Metasys system SSO authentication. NTLMv2 is a network authentication protocol developed by Microsoft and the secondary security protocol for authentication within an Active Directory service domain. If a domain client or domain server cannot use Kerberos authentication, then NTLM authentication is used. |
445 | NT LAN Manager Version 2 (NTLMv2) | TCP | ADX Split Web/Application Server (Member of Domain X) | I/O | |
445 | NT LAN Manager Version 2 (NTLMv2) | TCP | Metasys System Client (Member of any Domain) | I/O | |
445 | NT LAN Manager Version 2 (NTLMv2) | TCP | SCT (Member of Domain X) | I/O | |
465 | SMTP | TCP | ADS/ADX/OAS | O | Used for alarms and events. |
465 | SMTP | TCP | NAE55/SNx/NAE85 | O | |
502 | Modbus | TCP | NAE55/SNx/NAE85 | O | Used for receiving Modbus messages from a vendor device. |
514 | Syslog | UDP | ADS/ADX/OAS | O | Provides capability of sending its configured audit log entries and alarm notifications to the central repository of an external, industry-standard, Syslog server, conforming to Internet published RFC 3164. |
514 | Syslog | UDP | NAE55/SNx/NAE85 | O | |
514 | Syslog | UDP | SCT | O | |
587 | SMTP | TCP | ADS/ADX/OAS | O | Used for alarms and events. |
587 | SMTP | TCP | NAE55/SNx/NAE85 | O | |
995 | POP3 | TCP | Computer (Web Browser) | O | Receives and holds email for downloading from your Internet server. POP3 is allowed in the Metasys system only for authentication from a SMTP server. The mail server uses port 995 for SSL connections for POP3 access. Note: Firewall rules are not necessary to allow access in most cases because this server should be behind the firewall. |
1025 | Remote Procedure Call (RPC) | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by IIS on the ADS/ADX/OAS/SCT during the process of authentication during SSO (Windows Integrated Authentication). If SSO is disabled in the Metasys system, this port and protocol are not used by the Metasys system; however, if the ADS/ADX/OAS/SCT, or Metasys client, or any combination, is a member of an Active Directory service domain, this port and protocol are used for Active Directory service functionality. |
1025 | Remote Procedure Call (RPC) | TCP | ADX Split Web/Application Server (Member of Domain X) | I/O | |
1025 | Remote Procedure Call (RPC) | TCP | Metasys System Client (Member of any Domain) | I/O | |
1025 | Remote Procedure Call (RPC) | TCP | SCT (Member of Domain X) | I/O | |
1433 | Microsoft SQL Server Database | TCP | ADX | I/O | Used between the web/application server and database server computers when the ADX is split across two devices. |
1433 | Microsoft SQL Server Database | TCP | Metasys ADX Split Database Server (Member of Domain X) | I/O | |
1833 | MQTT | TCP | NAE55/SNx/NAE85 | O | Used for communicating with vendor devices that use MQTT messaging over a non-secure connection. |
8883 | MQTT | TCP | NAE55/SNx/NAE85 | O | Used for communicating with vendor devices that use MQTT messaging over a secure connection (TLS). |
9004 | Johnson Controls Licensing Service | TCP | Software Manager | I/O | For Computer only; it may be closed. |
9910 | Microsoft Discovery Protocol [2] | TCP and UDP | NAE55/SNx/NAE85 | I | Used by NCT to get diagnostic information from devices on the same network. |
9910 | Microsoft Discovery Protocol [2] | TCP and UDP | SCT | I | |
9910 | Microsoft Discovery Protocol [2] | TCP and UDP | NCT and NAE Update Tool | I | |
9911 | Metasys Private Message [2] | UDP | SCT | O | Used by SCT to broadcast a message to the local network segment when a user selects the device discovery menu item. Any Metasys node that receives this broadcast message will respond on UDP port 9911 with device configuration information to be displayed in the device discovery window. |
10050 | Turbo Boot | HTTP/TCP/PXE | NAE Update Tool | I/O | Used during NAE Update Tool operations such as updating an image to a network engine. Not used with SNC and SNE engines pre Release 10.1. |
11001 | N1 Protocol | UDP | NCM | I/O | Provides N1 message transmission (proprietary packet encoded in UDP) for devices at Release 9.0 or earlier. If you are connecting to multiple N1 networks, the port is unique for each N1 network. Network Control Modules automatically configure themselves to use Port 11001. Start numbering other networks in the Multi-network configuration with 11003 and continue sequentially. Do not use a UDP Port Address (UDPPA) of 11002. The value 11002 is used by the Metasys Ethernet Router and should be avoided even if Metasys Ethernet Routers are not in the system. The recommended addressing for five N1s is 11001, 11003, 11004, 11005, 11006. |
11001 | N1 Protocol | UDP | NIE5x | I/O | |
12000 | UberDebug Service | TCP | Metasys System | I/O | Used by Metasys software for debugging and logging. |
47808 | BACnet/IP Protocol | UDP | NAE/NCE/IP Field controllers [5]/SNx/NAE85/OAS/SCT | I/O | Refer to the BACnet Controller Integration with NAE/NCE Technical Bulletin (LIT-1201531). If you are connecting to multiple BACnet networks, the port is unique for each BACnet network. The default port number is 47808. Choose additional UDP ports that do not conflict with a port that is in use. |

The ports listed in Table 7 are Internal-Only ports. These ports do not have to be closed by the ADX server OS Firewall because the ports are open on the local device only.

Port Number | Protocol | Uses | Metasys Device | Inbound (I) / Outbound (O) | Description |
---|---|---|---|---|---|
3003 | TCP | PhantomJS | ADS | N/A | Involved in generating PDF files in Metasys UI Reports. |
4369 | TCP | Rabbit MQ | ADS/ADX | N/A | Erlang Port Mapping Daemon. |
5291 | TCP | Action Queue | ADS/ADX | N/A | Action Queue communication, processing events/audits. |
5672 | TCP | Rabbit MQ/Erlang | ADS/ADX | N/A | Listening port for Message Bus, communication between micro-services. |
5960 | TCP | Device Manager | ADS/ADX | N/A | Metasys Device Manager inter-process communication. |
9003 | TCP | Johnson Controls Product Update | ADS/ADX | N/A | Port to query for Johnson Controls Product Updates. |
9505 | TCP | Johnson Controls Rate Limit Website | ADS/ADX | N/A | Website binding to process rate limiting for requests. |
9506 | TCP | Johnson Controls Rewrite Website | ADS/ADX | N/A | Website binding to route API requests to appropriate micro-services. |
9507 | TCP | Johnson Controls Website | ADS/ADX | N/A | Main internal website binding hosting APIs. |
10000 | TCP | PhantomJS | ADS | N/A | Involved in generating PDF files in Metasys UI Reports. |
25672 | AMQP | Rabbit MQ/Erlang | ADS/ADX | N/A | Inter-node and CLI tool communication. |

Port Number | Protocol | Uses | Wireless Protocol | Metasys Device | Inbound (I) / Outbound (O) | Description |
---|---|---|---|---|---|---|
80 | HTTP | TCP | 802.11b/802.11g | Computer (Web Browser) | I | Used to synchronize computer clocks over a network between a server and its clients. SNTP is not required for all systems. |
4050 [6] | Wireless Many-to-One Sensing | UDP | 802.15.4 | WRS-RTN | I/O | Used for wireless supervisor integration; recommended UDP port number. |
47808 | Wireless ZigBee | UDP | 802.15.4 | Wireless Network Coordinator (WNC) / Wireless Router Gateway (WRG) | I/O | Used for wireless supervisor integration; recommended UDP port number. |