Fix This Page
Navigation
You were redirected from a different version of the documentation. Click here to go back.

Firewall Configuration

Ops Manager connects with a number of services. This page explains the ports that must be opened to deploy the various components used with an Ops Manager deployment.

The specific ports that must be open on any intermediate firewalls depend upon what capabilities are enabled, such as encryption, authentication, and monitoring.

Diagram showing the connections between Ops Manager's components.

Tip

All ports listed in the following sections are either the port specified in the documentation for MongoDB installations or the known ports for the specific service assigned by the IANA. If the port number can be changed, it is noted after the table in each section.

To run Ops Manager without an Internet connection, see Configure Local Mode for Ops Manager Servers without Internet Access to ensure you have all of the necessary binaries to run Ops Manager without an Internet connection.

Open Ports to Access Ops Manager

Ops Manager requires the following minimum network port requirements:

  • Both Ops Manager users and Ops Manager agents must be able to connect to the Ops Manager application over HTTP or HTTPS.
  • Ops Manager must be able to connect to the mongod running the Ops Manager application MongoDB databases.
  • For each Ops Manager group, Ops Manager agents must be able to connect to all client MongoDB processes (mongod or mongos).
  • The Ops Manager application must also be able to send email to Ops Manager users.

To use Ops Manager, open the following ports to the specified servers.

Service Default Port Transport Direction Purpose Uses SSL?
HTTP 8080 TCP Inbound Provides a web connection to Ops Manager from users and Ops Manager agents. No
HTTPS 8443 TCP Inbound Provides a secure web connection to Ops Manager from users and Ops Manager agents. Yes
HTTP or HTTPS 8090 TCP Inbound

Provides a health-check endpoint for monitoring Ops Manager through a monitoring service like Zabbix or Nagios. This is disabled by default.

To enable it, see Enable the Health Check Endpoint. When enabled, you can access the endpoint at:

http://<opsmanagerhost>:8090/health

The API endpoint provides the ability to check connections from the HTTP Service to the Ops Manager Application Database and the Backup Snapshot Storage.

A successful response returns the following:

{
  "mms_db": "OK",
  "backup_db": "OK"
}
Optional
MongoDB 27017 TCP Outbound Connects to MongoDB application, backup and client databases. Optional
SMTP 587 TCP Outbound Sends emails from Ops Manager to an SMTP server or to AWS SES. Optional

Note

Open Ports to Access Ops Manager and MongoDB Hosts

Most Ops Manager administration can be performed through the user interface. Some procedures require access to the operating system. To permit your administrators to access your Ops Manager as well as MongoDB hosts, open the following ports to those hosts.

Service Default Port Transport Direction Purpose Uses SSL?
ssh 22 TCP Inbound Linux System administration. Yes
RDP 3389 TCP Inbound Windows System administration. No

Open Ports to Back Up and Restore MongoDB Instances using Ops Manager

Ops Manager can back up MongoDB databases to one or more storage systems: a MongoDB database (blockstore), an S3 bucket (S3 blockstore) or a file system (file system store). To back up MongoDB servers, open the following ports to the preferred backup hosts (blockstore, S3 snapshot store and/or file system snapshot store):

Service Default Port Transport Direction Purpose Uses SSL?
MongoDB 27017 TCP Outbound Back up snapshots of entire database to Blockstore or snapshot metadata to S3 Blockstore metadata database. Optional
HTTPS 443 TCP Outbound Back up database snapshot data to S3 bucket. Yes
NFS 2049 TCP Outbound Back up database snapshots to UNIX-/Linux-based file system. No
CIFS 3020 TCP Outbound Back up database snapshots to Windows-based file system. No
scp 22 TCP Outbound Restore snapshot to a server. Yes

Snapshots can also be restored using the link displayed in the Ops Manager application. The same ports needed to use Ops Manager would need to be open for the user to download the snapshot.

To find the download link, click Backup, then the Restore History tab, then click the download link next to the snapshot.

Note

Open Ports to Integrate Ops Manager with SNMP

Open the following ports between Ops Manager and your SNMP Manager to send and receive SNMP trap notifications from your MongoDB deployments to Ops Manager.

Service Default Port Transport Direction Purpose Uses SSL?
SNMP 162 UDP Outbound Send Traps to SNMP Manager. No
SNMP 11611 UDP Inbound Receive requests from SNMP Manager. No

Note

To configure Ops Manager to use SNMP on non-standard ports, see SNMP Heartbeat Settings.

Open Ports to Provide Additional Monitoring for Ops Manager

Important

As of Automation Agent 2.7.0, using Munin to monitor hardware has been deprecated in favor of the native cross-platform hardware monitoring available to managed deployments through the Automation Agent.

Beyond Ops Manager‘s built-in monitoring capability, it can use the Munin Graphing Framework to provide additional monitoring on UNIX/Linux-based MongoDB instances and hosts.

Service Default Port Transport Direction Purpose Uses SSL?
munin-node 4949 TCP Inbound Provides CPU and disk throughput and latency metrics. No

To configure the munin-node package, see Configure Hardware Monitoring with munin-node.

Open Ports to Authenticate Ops Manager Users using LDAP

MongoDB Enterprise users can use Lightweight Directory Access Protocol (LDAP) to authenticate Ops Manager users. To authenticate using LDAP, open the following ports on Ops Manager and your LDAP server.

Service Default Port Transport Direction Purpose Uses SSL?
LDAP 389 UDP Both Authenticate and/or authorize Ops Manager users against LDAP server. No
LDAPS 636 UDP Both Authenticate and/or authorize Ops Manager users against LDAP server. Yes

To configure the Ops Manager LDAP URI strings, including configuring a non-standard port, see Authentication through LDAP.

Open Ports to Authenticate with MongoDB

MongoDB Enterprise users can use Kerberos or LDAP to authenticate MongoDB users. To authenticate using LDAP or Kerberos, open the following ports between the MongoDB client databases, Ops Manager, and the Kerberos or LDAP server(s).

Service Default Port Transport Direction Purpose Uses SSL?
Kerberos 88 TCP / UDP Outbound Request authentication for MongoDB users against Kerberos server. No
Kerberos 88 UDP Inbound Receive authentication for MongoDB users against Kerberos server. No
LDAP 389 UDP Both Authenticate and/or authorize MongoDB users against LDAP server. No
LDAPS 636 UDP Both Authenticate and/or authorize MongoDB users against LDAP server. Yes

To configure Kerberos for authentication to the Ops Manager application database, see Kerberos Authentication to the Application Database.

Open Ports to Manage Encryption Keys using KMIP

MongoDB databases using the WiredTiger storage engine can be encrypted on disk. The encryption method requires another server to manage the encryption keys. To manage encryption keys using Key Management Interoperability Protocol (KMIP), open the following port between the hosts running the Backup Daemons and the KMIP server(s).

Service Default Port Transport Direction Purpose Uses SSL?
KMIP 5696 TCP Outbound Send messages between MongoDB databases and KMIP server. No

Note

If you change the port for the KMIP server, see Encrypted Backup Snapshots to configure Ops Manager to use that new port.