I just posted about using the EMC-provided Python script to install and configure ScaleIO on Windows. Using this script makes these steps much easier, especially in very large environments (you can find that post here). One of the next logical questions concerns the firewall requirements of this process. To achieve this automation, the script goes all over the place connecting to servers, copying files, starting services and issuing configuration commands, so it hits a variety of network ports on the target hosts. Let’s talk about exactly what those ports are.
ScaleIO operates across all of your nodes over a standard TCP/IP network and therefore has certain port requirements for normal operation. MDMs need 9011 and 6611 open, the TB needs 9011 and SDSs need 7072 (all TCP). The Python script goes above and beyond these port requirements during install in order to do what it needs to do.
A target server needs the following TCP ports opened inbound from the IP of the server that initiates the Python script. If the target host will perform multiple ScaleIO functions (for example acting as an MDM, an SDS and an SDC), you will obviously need to aggregate the relevant port requirements and open the union on that host. Below is the list for each function. Note that I list one item as “WMI” rather than as a port number; I will explain that shortly.
Ports Required (all TCP):
If the target is an MDM/Callhome it needs: 135, 445, 6611, 9011 and WMI.
If the target is a TB it needs: 135, 445, 9011 and WMI.
If the target is an SDS it needs: 135, 445, 7072 and WMI.
If the target is an SDC it needs: 135, 445 and WMI.
So first, what do I mean by WMI? The Python script (when installing on Windows, of course) uses Windows Management Instrumentation to connect to and manage certain remote Windows properties. By default a WMI connection uses the standard Remote Procedure Call (RPC) port 135 to initiate the session with the remote host. Once the connection is established it negotiates a random port above 1024 (usually far higher) for the remainder of the communication session. While this allows for flexibility, it makes configuring firewalls tough. But we can configure the target host so that it always negotiates the same “random” port. This is WMI behavior I actually learned about when using the VSI Symmetrix SRA Utilities. It can be achieved by following the instructions here:
http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx
To save you a click though just run the following commands on the target server:
winmgmt -standalonehost
net stop "Windows Management Instrumentation"
net start "Windows Management Instrumentation"
netsh advfirewall firewall add rule name="WMIFixedPort" dir=in action=allow protocol=TCP localport=24158
If you click on the Microsoft link you will see the fourth command is a bit different here. That is because the one listed there (netsh firewall) is deprecated, though it still works, and the format I have listed is the updated netsh advfirewall version of that command. You can of course use the GUI to create the rule instead.
This will force the WMI connection to always use port 24158. You can pick any sufficiently high port though; I just chose this one because it is the one Microsoft uses in their example. Note that you do not need to have the Windows Firewall turned on for this to work. If you are using a separate firewall (hardware or software) that is fine, but this step is still required, as WMI needs the rule to be in place to know which port to negotiate.
To review what all of these ports are for:
135: RPC endpoint port used to establish the initial WMI connection. Only needed during install, not during normal ScaleIO operation.
445: Allows the script to use the Server Message Block (SMB) protocol to copy the ScaleIO installation files to the remote host. Only needed during install, not during normal ScaleIO operation.
6611: Required for MDM communication. Technically not needed for installation, but it must be open for normal operation.
7072: Required for SDS communication; needed during install and after.
9011: Required for MDM and TB communication; needed during install and after.
WMI: The negotiated (or fixed, if you followed the steps above) TCP port used for WMI interactions. Only needed during install, not during normal ScaleIO operation.
I tested all of this on Windows Server 2008 R2 and Windows Server 2012 R2 and the behavior was the same on both.
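As an added example (not the EMC script and not commands from this post), here is a small PowerShell helper that aggregates the per-role port lists above for a host and creates the matching inbound rules scoped to the installer’s IP, so the install-time ports are not left open to the whole network. It assumes WMI has already been pinned to 24158 as described above, and the installer address and rule-name prefix are placeholders.

```powershell
# Added example: aggregate ScaleIO install-time inbound ports per role and create
# netsh advfirewall rules restricted to the host that runs the EMC Python script.
# Assumptions: WMI already pinned to fixed port 24158 (winmgmt -standalonehost);
# $InstallerIp and $Prefix are placeholders; run from an elevated prompt.

$WmiFixedPort = 24158

# Per-role TCP port requirements as listed in the post (WMI shown as the fixed port).
$RolePorts = @{
    'MDM' = @(135, 445, 6611, 9011, $WmiFixedPort)   # MDM / Callhome
    'TB'  = @(135, 445, 9011, $WmiFixedPort)
    'SDS' = @(135, 445, 7072, $WmiFixedPort)
    'SDC' = @(135, 445, $WmiFixedPort)
}

function Get-ScaleIOInboundPorts {
    param([Parameter(Mandatory=$true)][string[]]$Roles)
    $ports = foreach ($r in $Roles) {
        if (-not $RolePorts.ContainsKey($r)) { throw "Unknown ScaleIO role: $r" }
        $RolePorts[$r]
    }
    # Union of all roles, de-duplicated, e.g. MDM+SDS+SDC -> 135,445,6611,7072,9011,24158
    $ports | Sort-Object -Unique
}

function Add-ScaleIOInstallRules {
    param(
        [Parameter(Mandatory=$true)][string[]]$Roles,
        [Parameter(Mandatory=$true)][string]$InstallerIp,   # host running the Python script
        [string]$Prefix = 'ScaleIO-Install'
    )
    foreach ($port in (Get-ScaleIOInboundPorts -Roles $Roles)) {
        $name = "$Prefix-TCP-$port"
        # Same rule shape as the WMIFixedPort rule in the post, plus remoteip= so only
        # the installer host can reach the port. netsh works on 2008 R2 and 2012 R2 alike.
        netsh advfirewall firewall add rule name="$name" dir=in action=allow `
            protocol=TCP localport=$port remoteip=$InstallerIp
        if ($LASTEXITCODE -ne 0) { Write-Warning "Rule $name was not created" }
    }
}

# Example: a node that will be MDM, SDS and SDC, installed from 10.0.0.10 (placeholder IP).
Add-ScaleIOInstallRules -Roles 'MDM','SDS','SDC' -InstallerIp '10.0.0.10'
```

Once the install is done, the 135, 445 and 24158 rules can be removed with netsh advfirewall firewall delete rule name="…", leaving only the ports the post lists as needed for normal operation.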