
RecoverPoint 5.0 Security Configuration Guide

CHAP authentication on local ports is used to authenticate in-bound connections; that is, communications with the array splitter. CHAP credentials on remote ports are used to authenticate out-bound traffic to array volumes, such as replicated volumes, journals, and the repository volume. RecoverPoint does not support reverse CHAP (mutual authentication). Only one username and secret pair is configurable for each direction.

CHAP authentication can be configured on the storage ports using the array's management GUI. The same interface allows you to supply the RecoverPoint CHAP usernames and secrets. When using RecoverPoint/SE (the RecoverPoint license for EMC midrange storage platforms), CHAP can be configured on the RecoverPoint appliances and the storage array using the RecoverPoint installation wizards.

The local username and remote username must be different. Similarly, the local secret and the remote secret must be different. RecoverPoint does not enforce this restriction; the array does.

External ports
The external ports must be accessible to allow the cluster to communicate with
servers outside the RecoverPoint system.

Table 5 External ports

Columns: Port | Source -> Destination | Protocol and description | Effect if closed

Port 20
  Source -> Destination: RPA->FTP server
  Protocol and description:
    - Outgoing FTP communications (TCP) (output only).
    - Used during installation and upgrades to download the ISO image, if FTP is specified as the source; not required if the Deployment Manager server is used as the ISO source (then HTTPS can be used).
    - Can be used to upload support logs to the specified FTP server; not required if the support logs are manually downloaded using HTTPS.
  Effect if closed:
    - Not possible to download ISO image or to upload logs using FTP.
    - Replication not affected.
  Source -> Destination: RPA->ESRS
  Protocol and description:
    - Used to register on the ESRS server.
  Effect if closed:
    - Not possible to register on the ESRS server.
    - Replication not affected.

Port 21
  Source -> Destination: RPA->FTP server
  Protocol and description:
    - Outgoing FTP communications; for system info collection only (TCP) (output only).
    - Used during installation and upgrades to download the ISO image, if FTP is specified as the source; not required if the Deployment Manager server is used as the ISO source (then HTTPS can be used).
    - Can be used to upload support logs to the specified FTP server.
  Effect if closed:
    - Not possible to download ISO image or to upload logs using FTP.
    - Replication not affected.

Port 22
  Source -> Destination: SSH client->RPA
  Protocol and description:
    - SSH and communications between RPAs (TCP).
    - Required for CLI access to RPAs. The source is the Management Server, the destination is the RPA.
  Effect if closed:
    - No remote connection to CLI.
    - Replication not affected.

Port 25
  Source -> Destination: RPA->SMTP server
  Protocol and description:
    - Used for sending system mail (SMTP) email alerts from RPA, if configured (TCP) (output only).
    - Used for Call Home events, if configured.
  Effect if closed:
    - No email alerts sent.
    - No system reports sent.
    - Replication not affected.

Port 53
  Source -> Destination: RPA->DNS server
  Protocol and description:
    - DNS (TCP, UDP).
    - Used for name resolution. Only required if, in the RecoverPoint configuration, domain names are used for external servers instead of IP addresses.
  Effect if closed:
    - No name resolution of remote servers, e-mail alerts, system reports.

Port 68
  Source -> Destination: DHCP server->RPA
  Protocol and description:
    - Used to dynamically provide IP addresses to RPAs connecting to the network (UDP).
  Effect if closed:
    - RPA will not be assigned an IP if DHCP is used.

Port 80
  Source -> Destination: Browser->RPA
  Protocol and description:
    - Redirecting browsers to HTTPS (TCP). Disabled by default on new installations.
  Effect if closed:
    - Typing the RecoverPoint address in the URL bar without qualifying it as https:// will yield an error message.
    - Replication not affected.

Port 123
  Source -> Destination: RPA->NTP server or another RPA
  Protocol and description:
    - NTP (UDP).
    - RecoverPoint for VMs: TCP is no longer used on this port and may be closed.
    - Used for synchronizing with the Network Time Protocol server.
    - Used between RPAs in a cluster for time synchronization.
  Effect if closed:
    - No synchronization with time server. RPAs may show incorrect time. Event time stamps may be incorrect.
    - Replication not affected, but snapshots may show incorrect times. Write-order of snapshots not affected.

Port 161
  Source -> Destination: MIB Browser->RPA
  Protocol and description:
    - SNMP (TCP, UDP).
    - Used for SNMP notifications. Also see port 10161.
  Effect if closed:
    - There will be SNMP notification, but you will not be able to view or edit SNMP values.
    - Replication not affected.

Port 162
  Source -> Destination: RPA -> Trap receiver
  Protocol and description:
    - SNMP (TCP) (output only).
    - RecoverPoint for VMs: TCP input is no longer used on this port and may be closed.
    - Used for SNMP notifications.
  Effect if closed:
    - No SNMP notification.
    - Replication not affected.

Port 389
  Source -> Destination: RPA->LDAP server
  Protocol and description:
    - LDAP (TCP) (output only).
    - Used for LDAP user authentication and authorization. Only required if LDAP is configured. Also see port 636.
  Effect if closed:
    - No LDAP authentication (unless using SSL).

Port 443
  Source -> Destination: Browser->RPA; RPA->VNX; RPA->vCenter; RPA->VPLEX; RPA->EMC Secure Remote Support server; RPA->XtremIO XMS
  Protocol and description:
    - HTTPS for management (TCP).
    - Used to download RPA logs, System Report alerts, EMC Secure Remote Support, and communication with third-party hardware (such as ESXs and VMs, VNX, and VPLEX).
  Effect if closed:
    - No RecoverPoint GUI (unless port 80 using HTTP is available).
    - RP/SE unable to configure array; RP/SE installation will fail.
    - No log collection from array.
    - No vCenter Server information (ESXs and VMs) displayed in RecoverPoint.
    - RecoverPoint will not be able to display information about VPLEX volumes and will not be able to prevent errors in configuring VPLEX volumes for replication; if configured manually without errors, replication is not affected.
    - New XtremIO replication volumes cannot be configured (existing replication volumes are not affected).

Port 514
  Source -> Destination: RPA->Syslog server
  Protocol and description:
    - Syslog (TCP, UDP) (output only).
    - Used to send Syslog information to an external server. Only required if Syslog is enabled and an external server is specified.
  Effect if closed:
    - System logs not available.
    - Replication not affected.

Port 623
  Source -> Destination: Management client -> RPA
  Protocol and description:
    - IPMI over WAN (UDP). Used by iDRAC/BMC for monitoring and managing remote RPA operation.
  Effect if closed:
    - No remote hardware management.

Port 636
  Source -> Destination: RPA->LDAP server
  Protocol and description:
    - LDAP over SSL (TCP) (output only).
    - Used for LDAP over SSL user authentication and authorization. Required only if LDAP using SSL is configured.
  Effect if closed:
    - No LDAP over SSL authentication.

Port 989
  Source -> Destination: RPA->FTPS server
  Protocol and description:
    - FTPS (output only).
    - Used for System Reports alerts and reporting via FTPS. Only required if FTPS alerts or reports are configured.
  Effect if closed:
    - No FTPS transfers.
    - If System Reports (SyR) is configured to transfer by FTPS, reports will not be transferred to the EMC System Reports database.

Port 990
  Source -> Destination: RPA->FTPS server
  Protocol and description:
    - FTPS (output only).
    - Used for System Reports alerts and reporting via FTPS. Only required if FTPS alerts or reports are configured.
  Effect if closed:
    - No FTPS transfers.
    - If System Reports (SyR) is configured to transfer by FTPS, reports will not be transferred to the EMC System Reports database.

Port 3260
  Source -> Destination: RPA <--> VNX
  Protocol and description:
    - iSCSI (TCP).
  Effect if closed:
    - RecoverPoint: No iSCSI support.
    - RecoverPoint for VMs: No replication.

Port 7115
  Source -> Destination: SRM server->RPA
  Protocol and description:
    - RecoverPoint: For VMware Site Recovery Manager communication (TCP).
    - RecoverPoint: Used by the RecoverPoint Storage Replication Adapter to query and manage the RPA. Only required if Storage Replication Adapter up to version 2.2.0.0 is used.
  Effect if closed:
    - No vCenter Server information or commands available.
    - Replication not affected.

Port 7225
  Source -> Destination: Replication Manager -> RPA; VPLEX->RPA; UEM GUI -> RPA; KVSS -> RPA; Replication Enabler for Exchange -> RPA
  Protocol and description:
    - HTTPS protocol for communicating with the functional API (TCP, UDP).
    - Used by the Management server running the RecoverPoint GUI to communicate with RPAs.
    - Used by third-party devices and services to communicate with the RPA.
  Effect if closed:
    - No functional API.

Port 8082
  Source -> Destination: Deployment Manager -> RPA
  Protocol and description:
    - HTTPS protocol for communication with the RecoverPoint Installation Server (TCP).
    - Used by the Deployment Manager during installation and upgrades. Deployment Manager needs to communicate with all RPAs in all clusters. Management ports preferred, WAN ports are used as fallback.
    - Used for log collection.
  Effect if closed:
    - No deployment tools.
    - No installations or upgrades.
    - No log collection.
    - Replication not affected.

Port 10161
  Source -> Destination: MIB Browser->RPA
  Protocol and description:
    - SNMP over TLS (TCP); SNMP over DTLS (UDP).
    - Used for SNMP reporting. Only required if SNMP is configured.
  Effect if closed:
    - No encrypted SNMP.

Port 11111
  Source -> Destination: RPA->XtremIO SYM (IPv4)
  Protocol and description:
    - Used by RecoverPoint to manage replication on XtremIO array.
  Effect if closed:
    - RecoverPoint cannot use IPv4 to manage XtremIO snapshots.
    - Disrupts replication using IPv4 to and from XtremIO arrays.

Port 11112
  Source -> Destination: RPA->XtremIO SYM (IPv6)
  Protocol and description:
    - Used by RecoverPoint to manage replication on XtremIO array.
  Effect if closed:
    - RecoverPoint cannot use IPv6 to manage XtremIO snapshots.
    - Disrupts replication using IPv6 to and from XtremIO arrays.
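Table 5 mixes rows that are always required with rows that are only needed when an optional feature (FTP as ISO source, SMTP alerts, DNS names, LDAP, SNMP, Syslog, FTPS reports, iSCSI, SRM, XtremIO) is configured, and it separates inbound rows from "output only" rows. The Python script below is an added example, not part of this guide or of the RecoverPoint product: it encodes the table and renders the smallest nftables allow-list for a given feature set, so that cleartext alternatives (389, 161, 20/21) stay closed when their encrypted counterparts (636, 10161, 989/990) are what is actually in use. The feature flag names, the nft table and chain names (`inet rpa`, `input`, `output`) and the RPA address are assumptions; where Table 5 gives no transport (FTPS, XtremIO) TCP is assumed and flagged in a comment.

```python
"""Minimal external allow-list for an RPA, derived from Table 5.

Added example; not part of the RecoverPoint guide or product. Port, transport
and direction come from Table 5. Feature flags, nft table/chain names and the
RPA address are assumptions used only to select and render the rows.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    port: int
    protos: tuple           # transports from Table 5: ("tcp",), ("udp",) or both
    direction: str          # "in": peer -> RPA; "out": RPA -> peer ("output only")
    purpose: str
    requires: frozenset = field(default_factory=frozenset)  # empty: always needed
    breaks_replication: bool = False  # Table 5 says replication stops if closed


EXTERNAL = [
    Rule(20, ("tcp",), "out", "FTP data: ISO download, log upload", frozenset({"ftp"})),
    Rule(21, ("tcp",), "out", "FTP control", frozenset({"ftp"})),
    Rule(22, ("tcp",), "in", "SSH CLI from Management Server"),
    Rule(25, ("tcp",), "out", "SMTP alerts and Call Home", frozenset({"smtp"})),
    Rule(53, ("tcp", "udp"), "out", "DNS, only if hostnames are configured", frozenset({"dns"})),
    Rule(68, ("udp",), "in", "DHCP lease to RPA", frozenset({"dhcp"})),
    Rule(80, ("tcp",), "in", "HTTP to HTTPS redirect, off by default", frozenset({"http_redirect"})),
    Rule(123, ("udp",), "out", "NTP"),
    Rule(161, ("tcp", "udp"), "in", "SNMP get/set", frozenset({"snmp"})),
    Rule(162, ("tcp",), "out", "SNMP traps", frozenset({"snmp"})),
    Rule(389, ("tcp",), "out", "LDAP, cleartext", frozenset({"ldap"})),
    Rule(443, ("tcp",), "in", "HTTPS management GUI"),
    Rule(443, ("tcp",), "out", "HTTPS to VNX, vCenter, VPLEX, ESRS, XMS"),
    Rule(514, ("tcp", "udp"), "out", "Syslog export", frozenset({"syslog"})),
    Rule(623, ("udp",), "in", "IPMI to iDRAC/BMC", frozenset({"ipmi"})),
    Rule(636, ("tcp",), "out", "LDAP over SSL", frozenset({"ldaps"})),
    # Table 5 gives no transport for FTPS and XtremIO rows; TCP is assumed here.
    Rule(989, ("tcp",), "out", "FTPS data, System Reports", frozenset({"ftps"})),
    Rule(990, ("tcp",), "out", "FTPS control, System Reports", frozenset({"ftps"})),
    Rule(3260, ("tcp",), "in", "iSCSI with VNX", frozenset({"iscsi"}), True),
    Rule(3260, ("tcp",), "out", "iSCSI with VNX", frozenset({"iscsi"}), True),
    Rule(7115, ("tcp",), "in", "SRM / SRA up to 2.2.0.0", frozenset({"srm"})),
    Rule(7225, ("tcp", "udp"), "in", "functional API: GUI, VPLEX, RM, KVSS, REE"),
    Rule(8082, ("tcp",), "in", "Deployment Manager and log collection"),
    Rule(10161, ("tcp", "udp"), "in", "SNMP over TLS/DTLS", frozenset({"snmp_tls"})),
    Rule(11111, ("tcp",), "out", "XtremIO management, IPv4", frozenset({"xtremio"}), True),
    Rule(11112, ("tcp",), "out", "XtremIO management, IPv6", frozenset({"xtremio"}), True),
]


def required_rules(enabled_features):
    """Rows that must be open: always-required rows plus rows whose feature is on."""
    enabled = frozenset(enabled_features)
    return [r for r in EXTERNAL if r.requires <= enabled]


def replication_critical_ports(enabled_features):
    """Ports whose closure stops replication for the enabled feature set."""
    return sorted({r.port for r in required_rules(enabled_features) if r.breaks_replication})


def nft_rules(enabled_features, rpa_ip="192.0.2.10"):
    """Render nft statements (table 'inet rpa', chains 'input'/'output' assumed)."""
    lines = []
    for r in required_rules(enabled_features):
        for proto in r.protos:
            if r.direction == "in":
                lines.append(f'add rule inet rpa input ip daddr {rpa_ip} {proto} dport {r.port} '
                             f'accept comment "{r.purpose}"')
            else:
                lines.append(f'add rule inet rpa output ip saddr {rpa_ip} {proto} dport {r.port} '
                             f'accept comment "{r.purpose}"')
    return lines


if __name__ == "__main__":
    # Constructed deployment: LDAPS for auth, Syslog export, encrypted SNMP, no FTP.
    features = {"ldaps", "syslog", "snmp_tls"}
    for line in nft_rules(features):
        print(line)
    print("replication-critical:", replication_critical_ports(features))
```

With no optional feature enabled the script opens only 22, 123, 443 (both directions), 7225 and 8082, which matches the rows in Table 5 whose description carries no "only required if" clause; every other row is tied to the feature that justifies it, and the pair of cleartext/encrypted rows (389 versus 636, 161 versus 10161) can never both be selected by one flag.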

Intra-cluster ports
The following ports must be accessible to all RPAs in the same cluster, to allow intra-
cluster communication. These ports need not be accessible to any server outside the
cluster.

Table 6 Intra-cluster ports

Columns: Port | Source -> Destination | Protocol and description | Effect if closed

Port 123
  Source -> Destination: RPA->RPA
  Protocol and description:
    - Used between RPAs in a cluster for time synchronization.
  Effect if closed:
    - RPAs may show incorrect time. Event time stamps may be incorrect.
    - Replication not affected, but snapshots may show incorrect times. Write-order of snapshots not affected.

Port 5021
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - Used for storage process (TCP, UDP).
  Effect if closed:
    - Replication not affected.

Port 5045
  Source -> Destination: RPA->RPA
  Protocol and description:
    - RecoverPoint (TCP, UDP).
    - Used between RPAs in the cluster for Symmetrix splitter functionality.
  Effect if closed:
    - RPA failure will cause a full sweep of volumes attached to the Symmetrix splitter in some disaster scenarios. The splitter itself will continue to function.

Port 5050
  Source -> Destination: RPA->RPA; splitter <--> RPA
  Protocol and description:
    - RecoverPoint (TCP, UDP).
    - Used between RPAs in the cluster for Symmetrix splitter functionality.
  Effect if closed:
    - No Symmetrix splitter.

Port 6015
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - For cluster leader arbitration (UDP).
    - Required for cluster arbitration. Used for redundant communication between RPAs.
    - RecoverPoint: WAN ports and Fibre Channel ports are also used for this purpose.
    - RecoverPoint for VMs: WAN ports are also used for this purpose.
  Effect if closed:
    - Exposes system to a single point of failure (namely, the repository volume) for leader arbitration when there is no communication with other RPAs.

Port 8082
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - Supports log collection: connecting new RPAs to cluster.
  Effect if closed:
    - Cannot collect support logs from multiple RPAs.

Inter-cluster ports
The following ports must be accessible to clusters in this RecoverPoint system, to
allow inter-cluster communication. These ports need not be accessible to any server
outside the RecoverPoint system.

Table 7 Inter-cluster ports

Columns: Port | Source -> Destination | Protocol and description | Effect if closed

Port 22
  Source -> Destination: SSH client->RPA
  Protocol and description:
    - SSH and communications between RPAs (TCP).
    - WAN ports preferred, Management ports as fallback.
  Effect if closed:
    - Diagnostic tools fail.
    - Replication not affected.

Port 5001
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - iperf; performance measuring between RPAs (TCP).
    - Used for collecting diagnostic and performance information between clusters. Best practice is to make this port available, but it is not required.
  Effect if closed:
    - No performance measurement.
    - Replication not affected.

Port 5010
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - RecoverPoint (TCP, UDP).
    - Required between RPAs in different clusters for replication.
  Effect if closed:
    - No RecoverPoint system.
    - No replication.

Port 5020
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - RecoverPoint (TCP, UDP).
    - Required between RPAs in different clusters for replication.
  Effect if closed:
    - No RecoverPoint.
    - No replication.

Port 5040
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - RecoverPoint (TCP, UDP).
    - Required between RPAs in different clusters for replication.
  Effect if closed:
    - No RecoverPoint system.
    - No replication.

Port 5060
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - mpi_perf (TCP, UDP).
    - Used for collecting diagnostic and performance information between clusters. Best practice is to make this port available, but it is not required.
  Effect if closed:
    - No performance measurement.
    - Replication not affected.

Port 5080
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - Connectivity diagnostics tool (TCP, UDP).
    - Used for collecting diagnostic and performance information between clusters. Best practice is to make this port available, but it is not required.
  Effect if closed:
    - No connectivity diagnostics.
    - No performance measurement.
    - Replication not affected.

Port 5081
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - Connectivity diagnostics tool (UDP).
    - Used for collecting diagnostic and performance information between clusters. Best practice is to make this port available, but it is not required.
  Effect if closed:
    - No connectivity diagnostics.
    - No performance measurement.
    - Replication not affected.

Port 5100
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - Cluster connector (TCP, UDP), for connecting additional clusters.
  Effect if closed:
    - Cannot add an additional cluster to the RecoverPoint system.

Port 8082
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - Supports log collection: connecting new RPAs to cluster.
  Effect if closed:
    - Diagnostic tools fail.
    - Cannot collect support logs from multiple RPAs.
    - Replication not affected.

Port 8084
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - Used to communicate with configuration database on each RPA (TCP).
  Effect if closed:
    - No communication with configuration database.

Port 9999
  Source -> Destination: RPA -> RPA
  Protocol and description:
    - udponger; connectivity diagnostics tool (UDP).
    - Used for diagnosing UDP connectivity between clusters. Best practice is to make this port available, but it is not required.
  Effect if closed:
    - No connectivity diagnostics. If tool is run, returns error.
    - Replication not affected.
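Tables 6 and 7 are the ports a firewall between RPAs, or between sites, must not block; the "Effect if closed" column is what distinguishes an annoying gap (no iperf, no log collection) from an outage (5010, 5020 and 5040 closed means no replication). The Python audit below is an added example, not RecoverPoint code: it walks both tables, probes each TCP port on each peer RPA, and flags the findings whose closure the tables say stops replication. The probe is injected so the audit can run against real sockets or, as in the usage under `__main__`, a stub with constructed closures; the peer addresses are made up, and UDP-only ports are reported as unprobed because a bare UDP connect proves nothing (the page's own udponger and connectivity-diagnostics tools on 9999, 5080 and 5081 cover those).

```python
"""Audit intra- and inter-cluster RPA ports against Tables 6 and 7.

Added example, not part of the RecoverPoint guide or product. Port data is
transcribed from the two tables; the peer addresses and the stub probe used
under __main__ are constructed for the demonstration.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterPort:
    port: int
    protos: tuple        # transports the tables state (123/8082: per Table 5)
    scope: str           # "intra": same cluster; "inter": between clusters
    purpose: str
    if_closed: str       # abridged "Effect if closed" text
    breaks_replication: bool


CLUSTER_PORTS = [
    ClusterPort(123, ("udp",), "intra", "RPA time sync", "RPAs may show incorrect time", False),
    ClusterPort(5021, ("tcp", "udp"), "intra", "storage process", "Replication not affected", False),
    ClusterPort(5045, ("tcp", "udp"), "intra", "Symmetrix splitter", "RPA failure may force a full sweep", False),
    ClusterPort(5050, ("tcp", "udp"), "intra", "Symmetrix splitter", "No Symmetrix splitter", False),
    ClusterPort(6015, ("udp",), "intra", "leader arbitration", "Repository volume becomes a single point of failure", False),
    ClusterPort(8082, ("tcp",), "intra", "log collection", "Cannot collect support logs from multiple RPAs", False),
    ClusterPort(22, ("tcp",), "inter", "SSH between RPAs", "Diagnostic tools fail", False),
    ClusterPort(5001, ("tcp",), "inter", "iperf", "No performance measurement", False),
    ClusterPort(5010, ("tcp", "udp"), "inter", "replication", "No replication", True),
    ClusterPort(5020, ("tcp", "udp"), "inter", "replication", "No replication", True),
    ClusterPort(5040, ("tcp", "udp"), "inter", "replication", "No replication", True),
    ClusterPort(5060, ("tcp", "udp"), "inter", "mpi_perf", "No performance measurement", False),
    ClusterPort(5080, ("tcp", "udp"), "inter", "connectivity diagnostics", "No connectivity diagnostics", False),
    ClusterPort(5081, ("udp",), "inter", "connectivity diagnostics", "No connectivity diagnostics", False),
    ClusterPort(5100, ("tcp", "udp"), "inter", "cluster connector", "Cannot add an additional cluster", False),
    ClusterPort(8082, ("tcp",), "inter", "log collection", "Diagnostic tools fail", False),
    ClusterPort(8084, ("tcp",), "inter", "configuration database", "No communication with configuration database", False),
    ClusterPort(9999, ("udp",), "inter", "udponger", "No connectivity diagnostics", False),
]


def tcp_probe(host, port, timeout=1.0):
    """Real probe: True when a TCP connect to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(peers, probe=tcp_probe):
    """peers: {"intra": [hosts in my cluster], "inter": [hosts in other clusters]}.

    Returns (findings, unprobed). A finding is one closed TCP port on one peer,
    carrying the table's "Effect if closed" text and a critical flag when the
    table says replication stops. UDP-only rows cannot be verified by a TCP
    probe and are returned separately for the operator to check with the
    udponger / connectivity-diagnostics tools.
    """
    findings, unprobed = [], []
    for entry in CLUSTER_PORTS:
        for host in peers.get(entry.scope, []):
            if "tcp" not in entry.protos:
                unprobed.append((host, entry.port))
                continue
            if not probe(host, entry.port):
                findings.append({"host": host, "port": entry.port, "scope": entry.scope,
                                 "purpose": entry.purpose, "if_closed": entry.if_closed,
                                 "critical": entry.breaks_replication})
    return findings, unprobed


def critical_findings(findings):
    """Only the findings that mean 'No replication' per Table 7."""
    return [f for f in findings if f["critical"]]


if __name__ == "__main__":
    # Constructed scenario: the remote site's firewall dropped 5010 and 5001.
    closed = {("192.0.2.20", 5010), ("192.0.2.20", 5001)}
    stub = lambda host, port: (host, port) not in closed
    found, skipped = audit({"intra": ["192.0.2.11"], "inter": ["192.0.2.20"]}, stub)
    for f in found:
        print(("CRITICAL " if f["critical"] else "warn     ") + f"{f['host']}:{f['port']} "
              f"{f['purpose']}: {f['if_closed']}")
    print("UDP-only rows not probed:", skipped)
```

Run with the real `tcp_probe` from one RPA's management network against the other members and the remote cluster; a critical finding on 5010, 5020 or 5040 is an outage, while the warnings map to the diagnostic-only rows the tables recommend but do not require.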

Secure administration
This topic provides recommendations about encrypting both communications within
the RecoverPoint system and over the network.
Only encrypted (HTTPS) mode can be used to administer RecoverPoint through the
Management Application GUI.
