Protocols and ports tables - Metasys - LIT-12011279 - General System Information - Metasys System - 13.0

Network and IT Guidance Technical Bulletin

Product: Building Automation Systems > Building Automation Systems > Metasys System
Document type: Technical Bulletin
Document number: LIT-12011279
Version: 13.0
Revision date: 2023-09-29
Product status: Active

Note: The Metasys system uses Bluetooth technology only as an option to commission a select number of devices. Bluetooth technology is not used for system communication in any way after initial commissioning. The Metasys system also uses the MAP Gateway for device commissioning. For details, refer to the Mobile Access Portal Gateway Network and IT Guidance Technical Bulletin (LIT-12012015).

Table 1, Table 2, and Table 3 describe the various IP protocols and how they relate to the Metasys system.

Important: Johnson Controls cannot be responsible for a customer's decision to open or close ports that we consider non-essential. Consult with your technical and security teams before opening or closing a port. Ports or services not described in this table are not used by the Metasys system and may be closed at the customer's discretion. Ports in this table that are not required at a customer site may also be closed at the customer's discretion. To close a port, see Closing ports.
Table 1. Ethernet Protocols and Ports

| Port | Protocol | Uses | Metasys Device | Inbound (I) / Outbound (O) | Description |
|---|---|---|---|---|---|
| 25 | SMTP | TCP | ADS/ADX/OAS | O | Used for alarms and events. |
| | | | NAE55/SNx/NAE85 | O | |
| 53 | DNS | UDP | Active Directory Client | I/O | Translates domain names into numerical IP addresses. This port allows the server to receive responses to DNS queries. |
| | | | ADS/ADX/OAS | I/O | |
| | | | Computer (Web Browser) | I/O | |
| | | | NAE55/SNx/NAE85 | I/O | |
| 67, 68 | DHCP | UDP | Active Directory Client | I/O | Assigns and keeps track of dynamic IP addresses and other network configuration parameters. Alternate Method: Use static IP addresses. |
| | | | ADS/ADX | I/O | |
| | | | Computer (Web Browser) | I/O | |
| | | | NAE55/SNx/NAE85 | I/O | |
| 69 | TFTP² | UDP | Metasys SCT | I/O | Downloads new images to NAEs. Note: This port is used only when the NAE is provisioned and is not used during system runtime. |
| | | | NCE25/NAE45/NAE55 | I/O | |
| 80 | HTTP² | TCP | ADS/ADX/OAS | I | Provides communication between peer controllers, computers, and other systems using SOAP over HTTP. The ADS/ADX requires that only Port 80 be open to receive communication from client devices. Note: For a higher level of security, at Metasys system Release 8.1 or later, you can close Port 80 (incoming and outgoing). See Closing ports. |
| | | | Computer (Web Browser) | I | |
| | | | NAE55/SNx/NAE85 | I | |
| | | | SCT/SCT Pro | I | |
| 80 | HTTP | TCP | NAE Update Tool | I | Used for file transfers between the client computer and the network engine pre Release 10.1. |
| 88 | Kerberos | TCP, UDP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by the Metasys system for Active Directory service authentication at the Metasys system login screen, and Service Account authentication prior to LDAP queries. Kerberos is a standard network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is the primary security protocol for authentication within an Active Directory service Domain. Kerberos authentication relies on client functionality built into the Windows operating systems supported by Metasys software. |
| | | | ADX Split Web/Application Server (Member of Domain X) | I/O | |
| | | | Metasys System Client (Member of any Domain) | I/O | |
| | | | SCT (Member of Domain X) | I/O | |
| 110 | POP3 | TCP | Computer (Web Browser) | O | Receives and holds email for downloading from your Internet server. POP3 is allowed in the Metasys system only for authentication from a SMTP server. Note: Firewall rules are not necessary to allow access in most cases because this server should be behind the firewall. |
| 123 | NTP | UDP | ADS/ADX/OAS (Member of Domain X) | I/O | Used for time synchronization across a network between client computers and server-class operating system host computers. |
| | | | ADX Split Web/Application Server (Member of Domain X) | I/O | |
| | | | Metasys System Client (Member of any Domain) | I/O | |
| | | | SCT (Member of Domain X) | I/O | |
| 123 | SNTP² | UDP | ADS/ADX/OAS | I/O | Used to synchronize computer clocks over a network between a server and its clients. SNTP is not required for all systems. |
| | | | NAE55/SNx/NAE85 | I/O | |
| 135 | Remote Procedure Call (RPC) | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by IIS on the ADS/ADX, OAS, and SCT during the process of authentication during SSO (Windows Integrated Authentication). If SSO is disabled in the Metasys system, this port and protocol are not used by the Metasys system; however, if the ADS/ADX, OAS, SCT, or Metasys client, or any combination are members of an Active Directory service domain, this port and protocol are used for Active Directory service functionality. |
| | | | ADX Split Web/Application Server (Member of Domain X) | I/O | |
| | | | Metasys System Client (Member of any Domain) | I/O | |
| | | | SCT (Member of Domain X) | I/O | |
| 161 | SNMP² | UDP | ADS/ADX/OAS | O | Provides network monitoring and maintenance. Typically notifies IT department personnel of alarms that are of interest to them, such as data center environmental conditions. The site must use a network management system capable of receiving SNMP Traps. Alternate Method: If the system allows, use email destinations for remote alarm notification instead of SNMP. |
| | | | Metasys UI | O | |
| | | | NAE55/SNx/NAE85 | O | |
| | | | SCT | I | |
| 162 | SNMP Trap | UDP | SCT Pro/NCT Tool | I | Used by Metasys devices at start up, this port announces discovery-related information. |
| 389 | LDAP | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by the Metasys system to access user objects and attributes within Active Directory service. LDAP is a standard communication protocol for directories located on TCP/IP networks. LDAP defines how a directory client can access a directory server and how the client can perform directory operations and share directory data. |
| | | | ADX Split Web/Application Server (Member of Domain X) | I/O | |
| | | | Metasys System Client (Member of any Domain) | I/O | |
| | | | SCT (Member of Domain X) | I/O | |
| 443 | Secure Sockets Layer (SSL); Transport Layer Security (TLS); HTTPS | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Metasys at 8.1 and higher uses HTTPS for communication between engines and the ADS/ADX/OAS and also between clients (SMP/MUI) and the ADS/ADX/OAS. |
| | | | Metasys Advanced Reporting ADX | I | Required if you use SSL with your reporting ADX. |
| | | | NAE55/SNx/NAE85 | I/O | Required if you use TLS with the Metasys UI and the Johnson Controls System Configuration Tool (JCT) for site security. Port 443 is used for secure web browser communication. Data transferred across such connections is highly resistant to eavesdropping and interception. Moreover, the identity of the remotely connected server can be verified with significant confidence. Web servers offering to accept and establish secure connections listen on this port for connections from web browsers desiring strong communication security. |
| | | | SCT (Member of Domain X) | I | |
| | | | Metasys UI and Johnson Controls System Configuration Tool (JCT) | I | |
| | | | Computer (web browser) | O | |
| | | | Background File Transfer (BFT) in SCT | I | With BFT, file transfers occur between the device and SCT where the device is the HTTPS client and SCT is the HTTPS server. |
| 445 | NT LAN Manager Version 2 (NTLMv2) | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used during Metasys system SSO authentication. NTLMv2 is a network authentication protocol developed by Microsoft and the secondary security protocol for authentication within an Active Directory service domain. If a domain client or domain server cannot use Kerberos authentication, then NTLM authentication is used. |
| | | | ADX Split Web/Application Server (Member of Domain X) | I/O | |
| | | | Metasys System Client (Member of any Domain) | I/O | |
| | | | SCT (Member of Domain X) | I/O | |
| 465 | SMTP | TCP | ADS/ADX/OAS | O | Used for alarms and events. |
| | | | NAE55/SNx/NAE85 | O | |
| 502 | MODbus | TCP | NAE55/SNx/NAE85 | O | Used for receiving Modbus messages from a vendor device. |
| 514 | Syslog | UDP | ADS/ADX/OAS | O | Provides capability of sending its configured audit log entries and alarm notifications to the central repository of an external, industry-standard, Syslog server, conforming to Internet published RFC 3164. |
| | | | NAE55/SNx/NAE85 | O | |
| | | | SCT | O | |
| 587 | SMTP | TCP | ADS/ADX/OAS | O | Used for alarms and events. |
| | | | NAE55/SNx/NAE85 | O | |
| 995 | POP3 | TCP | Computer (Web Browser) | O | Receives and holds email for downloading from your Internet server. POP3 is allowed in the Metasys system only for authentication from a SMTP server. The mail server uses port 995 for SSL connections for POP3 access. Note: Firewall rules are not necessary to allow access in most cases because this server should be behind the firewall. |
| 1025 | Remote Procedure Call (RPC) | TCP | ADS/ADX/OAS (Member of Domain X) | I/O | Used by IIS on the ADS/ADX/OAS/SCT during the process of authentication during SSO (Windows Integrated Authentication). If SSO is disabled in the Metasys system, this port and protocol are not used by the Metasys system; however, if the ADS/ADX/OAS/SCT, or Metasys client, or any combination, is a member of an Active Directory service domain, this port and protocol are used for Active Directory service functionality. |
| | | | ADX Split Web/Application Server (Member of Domain X) | I/O | |
| | | | Metasys System Client (Member of any Domain) | I/O | |
| | | | SCT (Member of Domain X) | I/O | |
| 1433 | Microsoft SQL Server Database | TCP | ADX | I/O | Used between the web/application server and database server computers when the ADX is split across two devices. |
| | | | Metasys ADX Split Database Server (Member of Domain X) | I/O | |
| 1833 | MQTT | TCP | NAE55/SNx/NAE85 | O | Used for communicating with vendor devices that use MQTT messaging over a non-secure connection. |
| 8883 | MQTT | TCP | NAE55/SNx/NAE85 | O | Used for communicating with vendor devices that use MQTT messaging over a secure connection (TLS). |
| 9004 | Johnson Controls Licensing Service | TCP | Software Manager | I/O | For Computer only; it may be closed. |
| 9910 | Microsoft Discovery Protocol² | TCP and UDP | NAE55/SNx/NAE85 | I | Used by NCT to get diagnostic information from devices on the same network. |
| | | | SCT | I | |
| | | | NCT and NAE Update Tool | I | |
| 9911 | Metasys Private Message² | UDP | SCT | O | Used by SCT to broadcast a message to the local network segment when a user selects the device discovery menu item. Any Metasys node that receives this broadcast message will respond on UDP port 9911 with device configuration information to be displayed in the device discovery window. |
| 10050 | Turbo Boot | HTTP/TCP/PXE | NAE Update Tool | I/O | Used during NAE Update Tool operations such as updating an image to a network engine. Not used with SNC and SNE engines pre Release 10.1. |
| 11001 | N1 Protocol | UDP | NCM | I/O | Provides N1 message transmission (proprietary packet encoded in UDP) for devices at Release 9.0 or earlier. If you are connecting to multiple N1 networks, the port is unique for each N1 network. Network Control Modules automatically configure themselves to use Port 11001. Start numbering other networks in the Multi-network configuration with 11003 and continue sequentially. Do not use a UDP Port Address (UDPPA) of 11002. The value 11002 is used by the Metasys Ethernet Router and should be avoided even if Metasys Ethernet Routers are not in the system. The recommended addressing for five N1s is 11001, 11003, 11004, 11005, 11006. |
| | | | NIE5x | I/O | |
| 12000 | UberDebug Service | TCP | Metasys System | I/O | Used by Metasys software for debugging and logging. |
| 47808 | BACnet/IP Protocol | UDP | NAE/NCE/IP Field controllers⁵/SNx/NAE85/OAS/SCT | I/O | Refer to the BACnet Controller Integration with NAE/NCE Technical Bulletin (LIT-1201531). If you are connecting to multiple BACnet networks, the port is unique for each BACnet network. The default port number is 47808. Choose additional UDP ports that do not conflict with a port that is in use. |

The ports listed in Table 7 are Internal-Only ports. These ports do not have to be closed by the ADX server OS Firewall because the ports are open on the local device only.

Table 2. Internal-Only Ports

| Port Number | Protocol | Uses | Metasys Device | Inbound (I) / Outbound (O) | Description |
|---|---|---|---|---|---|
| 3003 | TCP | PhantomJS | ADS | N/A | Involved in generating PDF files in Metasys UI Reports. |
| 4369 | TCP | Rabbit MQ | ADS/ADX | N/A | Erlang Port Mapping Daemon. |
| 5291 | TCP | Action Queue | ADS/ADX | N/A | Action Queue communication, processing events/audits. |
| 5672 | TCP | Rabbit MQ/Erlang | ADS/ADX | N/A | Listening port for Message Bus, communication between micro-services. |
| 5960 | TCP | Device Manager | ADS/ADX | N/A | Metasys Device Manager inter-process communication. |
| 9003 | TCP | Johnson Controls Product Update | ADS/ADX | N/A | Port to query for Johnson Controls Product Updates. |
| 9505 | TCP | Johnson Controls Rate Limit Website | ADS/ADX | N/A | Website binding to process rate limiting for requests. |
| 9506 | TCP | Johnson Controls Rewrite Website | ADS/ADX | N/A | Website binding to route API requests to appropriate micro-services. |
| 9507 | TCP | Johnson Controls Website | ADS/ADX | N/A | Main internal website binding hosting APIs. |
| 10000 | TCP | PhantomJS | ADS | N/A | Involved in generating PDF files in Metasys UI Reports. |
| 25672 | AMQP | Rabbit MQ/Erlang | ADS/ADX | N/A | Inter-node and CLI tool communication. |
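
One way to check the statement above that the internal-only ports are open on the local device only, as an added example that is not Johnson Controls code: it scans Windows `netstat -an` output for Table 2 ports that listen on a non-loopback address. Treating "local device only" as "bound to loopback" is an assumption, and the netstat lines and addresses are constructed sample data.

```python
import ipaddress
import re

# Internal-only ports from Table 2 (25672 is listed there as AMQP, which runs over TCP).
INTERNAL_ONLY_PORTS = {3003, 4369, 5291, 5672, 5960, 9003,
                       9505, 9506, 9507, 10000, 25672}

# A listening TCP row of Windows `netstat -an` output: Proto, Local, Foreign, State.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.IGNORECASE)

# Constructed sample output; the addresses are made up for illustration.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9507         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5672           0.0.0.0:0              LISTENING
  TCP    [::]:5672              [::]:0                 LISTENING
  TCP    [::1]:3003             [::]:0                 LISTENING
  TCP    192.0.2.10:4369        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49712       192.0.2.20:5672        ESTABLISHED
  UDP    0.0.0.0:47808          *:*
"""


def exposed_internal_ports(netstat_text):
    """Return sorted (port, bind_address) pairs for internal-only ports
    that are listening on anything other than a loopback address."""
    findings = set()
    for line in netstat_text.splitlines():
        match = LISTEN_ROW.match(line)
        if not match:
            continue  # header, UDP row, or a non-listening connection
        port = int(match.group(2))
        if port not in INTERNAL_ONLY_PORTS:
            continue
        # Strip IPv6 brackets and any zone id such as %12.
        host = match.group(1).strip("[]").split("%")[0]
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # unparseable bind address: report it for review
        if not loopback:
            findings.add((port, host))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr in exposed_internal_ports(SAMPLE):
        print(f"internal-only port {port} is listening on {addr}")
```

Any pair it returns is a listener that the host firewall, not the bind address, is keeping off the network, so those ports need an explicit inbound block rule.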

Table 3. Wireless Ports and Protocols

| Port Number | Protocol | Uses | Wireless Protocol | Metasys Device | Inbound (I) / Outbound (O) | Description |
|---|---|---|---|---|---|---|
| 80 | HTTP | TCP | 802.11b/802.11g | Computer (Web Browser) | I | Used to synchronize computer clocks over a network between a server and its clients. SNTP is not required for all systems. |
| 4050⁶ | Wireless Many-to-One Sensing | UDP | 802.15.4 | WRS-RTN | I/O | Used for wireless supervisor integration; recommended UDP port number. |
| 47808 | Wireless ZigBee | UDP | 802.15.4 | Wireless Network Coordinator (WNC) / Wireless Router Gateway (WRG) | I/O | Used for wireless supervisor integration; recommended UDP port number. |

1 Generally recorded by the IANA.
2 Required for proper functionality of SCT features (for example, Device Discovery and Device Debug); this port is usually closed and is only open during operation of certain SCT features.
3 LDAP is used by the Metasys system client only if Windows Active Directory service search tool is used (for example, Start->Search->ForPeople).
4 This port number is registered to Johnson Controls.
5 In this document, IP controllers (IP) refers in general terms to the following controllers: M4-CGE09090-0, M4-CGE04060-0, M4-CVE03050-0P, MS-FAC4911-0, MS-VMA1930-0
6 If this port is in use, it can be reconfigured to another port.
7 Johnson Controls proprietary protocol.