Hi,
What firewall ports need to be opened if the storage array and hosts are in different subnets?
I am not able to ping the IPs of storage processors from the hosts and the hosts are not reachable (symbol U) in Navi Manager.
I couldn't find any documentation on Powerlink.
Please advise.
Take a look at this document:
CLARiiON Release 29 Security Configuration Guide
https://powerlink.emc.com/nsepn/webapps/btg548664833igtcuup4826/km/live1/en_US/Offering_Technical/Technical_Documentation/300-010-805.pdf
Thanks Dynamox..
Are the rules given in this document applied to Clariion CX-300 with FLARE 02.25.300.5?
Does 'management server' run on the storage processors?
So, if I understand correctly (after looking at the tables on pages 17-18), we need the following rules in the firewall to provide connectivity for hosts that are in a different subnet. Let me know if I am wrong.
Source | Destination | Port | Protocol |
---|---|---|---|
SP-A & SP-B | Host | 6389 | TCP |
SP-A & SP-B | Host | 6390-6392 | TCP |
Host | SP-A & SP-B | 6389 | TCP |
Host | SP-A & SP-B | 6390-6392 | TCP |
SP-A & SP-B | SMTP Server | 25 | TCP |
Host | SMTP Server | 25 | TCP |
SAN, Host & SMTP Server are all in different subnets.
Currently I am able to access NaviManager and we are not using NavisphereExpress, InitializationUtility, SnapView, SNMP traps etc.
Do I need both TCP & SSL for port 443 to use with secure CLI?
The firewall ports are the same for all Clariions. These are ports that the clariion uses to talk to the hosts.
The "Management Server" is the process running on the array.
You need port 6389 for Navisphere Host Agent running on the host. 6390 to 6392 are normally only used when you perform an NDU (flare upgrade).
SecureCLI uses the same ports.
glen
Glen, thanks for the information.
There is a NetScreen firewall between storage array and a host.
One more thing... are these the destination ports? If so, what are the source port requirements?
Source Address | Source Protocol/Port | Destination Address | Destination Protocol/Port | Action: Deny/Permit |
---|---|---|---|---|
SP-A | | Host | 6389-6392/TCP | Permit |
SP-B | | Host | 6389-6392/TCP | Permit |
Host | | SP-A | 6389-6392/TCP | Permit |
Host | | SP-B | 6389-6392/TCP | Permit |
These are destination ports - the array initiates the session to the hosts. On the host side, the port is random going out.
glen
Glen, does that mean I need to keep source ports to 0-0 for the host initiated sessions?
Is there any way to change this setting? I am looking for a limited number of ports...
Thanks for any help and direction on this!
I believe that all you need to do is open the ports (6389-6392) on the firewall - I don't believe that you can control source ports and you probably do not need to be concerned about it.
glen
I am not sure I understood the point. So, allowing communication both ways only on 6389-6392 should resolve this issue?
What will happen if the host randomly chooses a port which is blocked by the firewall?
Sorry for asking very basic questions but I am still a little confused.
Thanks ..
psoni wrote:
I am not sure I understood the point. So, allowing communication both ways only on 6389-6392 should resolve this issue?
What will happen if the host randomly chooses a port which is blocked by the firewall?
Sorry for asking very basic questions but I am still a little confused.
Thanks ..
The source port is used by the source device for creating the connection to the remote device. The destination port is the port that needs to be opened on the firewall as that is the port that is attempting to be used when transitioning through the firewall.
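Added example, not part of any post in this thread: a minimal Python model of how a stateful firewall evaluates the four rules from the table above, showing why the random source port never needs its own rule. It assumes stateful inspection on the firewall; the class and function names and the port numbers 51344, 40000 and 49200 are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# Rules from the thread: match on addresses and destination port only.
# The source port is "any" because the initiator picks an ephemeral one.
POLICY = [
    ("SP-A", "Host", range(6389, 6393)),
    ("SP-B", "Host", range(6389, 6393)),
    ("Host", "SP-A", range(6389, 6393)),
    ("Host", "SP-B", range(6389, 6393)),
]

class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()  # flows already permitted by a rule

    def check(self, pkt: Packet) -> str:
        # Reply traffic: the mirror image of a permitted flow passes on
        # session state alone, whatever port the initiator chose.
        if Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit (established session)"
        # New flow: only addresses and destination port are compared.
        for src, dst, dports in self.policy:
            if pkt.src == src and pkt.dst == dst and pkt.dport in dports:
                self.sessions.add(pkt)
                return "permit (policy)"
        return "deny"

def demo():
    fw = StatefulFirewall(POLICY)
    return [
        fw.check(Packet("Host", 51344, "SP-A", 6389)),   # host opens session from a random port
        fw.check(Packet("SP-A", 6389, "Host", 51344)),   # reply back to that random port
        fw.check(Packet("SP-A", 40000, "Host", 51344)),  # unsolicited traffic to an unlisted port
        fw.check(Packet("SP-B", 49200, "Host", 6389)),   # array-initiated session to the host agent
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet is addressed to port 51344, which appears in no rule, and still passes because it belongs to a session the first packet opened; the third packet targets the same port without a matching session and is dropped.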