TCP/UDP Ports used by DRAC

BY R A J E E V ON M A R C H 3 , 2 0 1 2 1 C O M M E N T IN A D M I N

Some scenarios where DRAC to be accessed over Firewall, NW team would need
the exact TCP/UDP port details to be allowed. Below list would help,
22 Secure Shell, SSH
23 Telnet
80 http
443 https
161 SNMP
3668 Virtual Media Server
5900 Console Redirection
5901 Console Redirection

DRAC Console Redirection

Over a SSH Tunnel
AUG 20TH, 2008 | COMMENTS

The Dell Remote Access Controller or DRAC is an interface card

by Dell which provides out-of-band management. The controller has
its own processor, memory, battery, network connection, and access
to the system bus. Key features include power management, virtual
media access and remote console, all available through a supported
web browser. This gives system administrators the ability to
configure a machine as if they were sitting at the local console
(terminal).
Since the DRAC card has its own IP separated from the one of the
host server it is very common to assign for it a private IP; or even if
it has a public IP it might be protected by a corporate firewall,
making it very simple to connect from the corporate office, but not

from outside. In such cases when you need to connect to the DRAC
console from outside a solution is to tunnel over SSHyour DRAC
traffic.
In order for this to work you need to tunnel ports 443 (SSL) and and
5900,5901 (VNC). This can be achieved with openssh with a
command like this:
1ssh -L 443:dracip:443 -L 5900:dracip:5900 -L 5901:dracip:5901 -l user -N ssh_host

or similar from other ssh clients by mapping the respective ports.

If you would forward just 443, this will allow you to use the web
interface of the DRAC card (and all its features, like power
management, etc), but not the remote console
redirection (5900,5901 are needed for the console to work).
After connecting the ssh tunnel you can just open in your local
browser https://localhost/ and get the DRAC interface. The console
redirection and it will work as expected.
Note: this solution has the limitation that it will work for only one
DRAC console. You can tunnel over ssh multiple drac ips on port 443,
like for ex: - localhost:443 -> dracip1:443 - localhost:444 ->
dracip2:443, etc. but the remote console will require the ports 5900,
59001 and thus only one can work at the same time.
If you are running the DRAC console over a public IP, and you want
to reach it from outside directly you will need to open in your firewall
connections to the same ports TCP 443, 5900 and 5901.
==

Allow Access to a Dell Remote Access Controller (DRAC or

iDRAC) through a firewall
Posted on January 28, 2011 by SeanLaBrie

Its Friday, 4:59pm and youre itching to get home, thats when you get a call saying that
the server in the remote office is locked up. All the employees of the branch office have
left for the day and shutdown all of their PCs. Theres no way to get into that local
network and remote control the server or reboot it without fighting through rush hour
traffic, trying to remember the security code to the front door, and then playing the see
which key fits game on 3 sets of locked doors. This could be avoided if you had just
opened access to your DRAC to your IP ranges at your main office. Heres how:
First Identify what ports your version of the Dell Remote Access Controller uses, heres a
short list:
DRAC 4
5900TCP
3668TCP
2068TCP
8192TCP
443TCP (I recommend changing this from within the DRACs UI)
DRAC 5
3668TCP
3669TCP
5900TCP
5901TCP
443TCP (I recommend changing this from within the DRACs UI)
iDRAC 6 & iDRAC 7
443TCP (I recommend changing this from within the DRACs UI)
5900TCP
623TCP
For this example Im going to be using a SonicWall TZ 210 Router, and were going to be
Setting up access to a iDRAC 6 thats IP address is 192.168.1.12.
Im also going to be adding all of these services into a Service Group, that way I only
have to make 1 set of firewall and NAT rules instead of 3. If your firewall does not
support this, just make 3(or 5) individual rules, one for each service.

The first thing Im going to do is change the DRACs internal web server to use port 4433
instead of port 443, because Im already running services over port 443 for something
else, and more than likely you are too.
You change this by logging into the DRAC, under the Network/Security section there
will be tab for Services Change the HTTPS port number to 4433.
Next lets create the services, On the Sonicwall. Log into the Sonicwall and on left hand

Figure 1.

pane, expand Firewall, and click Services. Click Add to Create a new service, enter
a name, I typically use DRAC Service 1 or something similar. Change the Protocol
to TCP, and Enter your Port range, for the first service wed enter 623and 623 again in
the second box See Figure 1.

Figure 2.

Once youve created all 3 Services you can create a new Service Group, I called
mine DRAC Services, and I add all 3of the services that we just created to this group.
See Figure 2.
Next weve got to create some address objects. Expand theNetwork on the Sonicwalls
left hand pane and click Address Objects. Click Add to create a new Address
Object. Were going to need to create two address objects. One for the DRAC which will
be 192.168.1.12 and located on the LAN, and the other will be for Our (Your) main
offices public IP(s) and will be located on the WAN. Youre Address Object for the
DRAC should look like figure 3.

Figure 3.

Next well create our Firewall rule, expand Firewall on the Sonicwalls left hand pane

Figure 4.

and click on Access Rules. Were going to be creating a new rule from the WAN to the
LAN. When you create the rule it should look like Figure 4, only with slight changes to
the names of the Address Objects you created.
Action: Allow
From Zone: WAN
To Zone: LAN
Service: DRAC Services( or whatever you named your service group)

Source: This will be whatever you named your Main Offices Public IP address Address
Object
Destination: WAN Primary IP (this is because youll be accessing the DRAC from the
Public IP of the remote office and not from its Internal IP address)
Were almost done now, we just need to create our NAT rule, and then well be ready to
test.
Expand Network on the Sonicwalls left hand pane, and click on NAT Policies. Click

Figure 5.

Add to create a new NAT rule. Youre NAT rule should look similar to Figure 5.
Original Source: This will be whatever you named your Main Offices Public IP address
Address Object
Translated Source: Original

Original Destination: WAN Primary IP (this is because youll be accessing the DRAC
from the Public IP of the remote office and not from its Internal IP address)
Translated Destination: This will be whatever you named your DRACs Address Object.
Original Service: DRAC Services( or whatever you named your service group)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Thats it! You should now be able to go to https://YourBranchoOfficesPublicIP:4433
and log into your DRAC. Note: Ive had some issues with the iDRAC6 Active X control
not working remotely, change it over to Java and it works fine. Im not sure if this is an
issue with just my PC or with something within the Active X control. Let me know if the
Active X control works for you after youve followed these instructions.
==

TCP ports opened on firewall for Dell

Remote Access Card DRAC.
April 28, 2009
By Andrew Lin

The Dell Remote Access Card (DRAC) communicates via the following ports:
22 Secure Shell, SSH
23 Telnet
80 http
443 https
161 SNMP
3668 Virtual Media Server
5900 Console Redirection
5901 Console Redirection
If you have a firewall in between you and the server, ensure that you have the above ports opened.