To allow remote support and management, VMware integration and snapshot replication, SynetoOS uses a set of TCP ports.


Inbound Ports

SynetoOS does not need any ports opened from the internet towards the appliance. The support tunnel (when enabled) and access to software updates both work without inbound ports.

You need to set up port forwarding only when configuring snapshot replication between two Syneto appliances in different locations and you are not using a VPN between the two sites.


Outbound Ports 

To provide the basic range of features, SynetoOS should be allowed to connect to the ports and destinations listed below:



| Port | Destination | Description |
|---|---|---|
| 50052 TCP | 34.154.23.138 / central.backend.syneto.eu | For the gRPC protocol, which connects to the following destination URL(s): 1. licensing service: /licensing.Service/Activate, /licensing.Service/GetLicensingDetails; 2. monitoring service: /monitoring.Service/Configure, /monitoring.Service/Destroy, /monitoring.Service/Setup; 3. sync service: /sync.Service/GetAccountDetails; 4. user event service: /user_event.Service/Receive |
| 443 TCP | 18.196.54.108 / pkg.syneto.eu | Required for SynetoOS software updates |
| 443 TCP | 35.204.93.231 / sync.cloud.syneto.eu | Licensing & synchronization service |
| 443 TCP | 34.154.23.138 / central.api.syneto.eu | For the Syneto support tunnels |
| 50052 TCP | 34.154.214.5 / central.iam-auth.syneto.eu | For authentication of the Central user |
| 443 TCP | 34.141.128.6 / harbor.syneto.eu | For pulling the latest cluster container images |
| 443 TCP | 35.219.226.134 / yum.syneto.eu | For downloading rpm packages |
| 22 TCP | 34.154.73.58 / stc-0.syneto.eu, 34.154.56.8 / stc-1.syneto.eu, 34.154.68.141 / stc-2.syneto.eu, 34.154.200.206 / stc-3.syneto.eu, 34.154.117.67 / stc-4.syneto.eu, 34.154.5.241 / stc-5.syneto.eu, 34.154.112.18 / stc-6.syneto.eu, 34.154.127.119 / stc-7.syneto.eu | Required for: Syneto Remote Support; Support file upload; Authorization and Serenity |
| 443 TCP | 34.154.214.5 / proxy.t.syneto.eu | Syneto Remote Support |
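
An added example, not Syneto's own tooling: a Python check, run from the appliance's network segment, that each required outbound destination listed above still resolves to its documented IP and accepts a TCP connection through the firewall. The function names and the status labels (OK, DNS_FAIL, DNS_DRIFT, BLOCKED) are assumptions made for this example.

```python
import socket

# Required outbound rows from the table above: (port, documented IP, hostname).
REQUIRED = [
    (50052, "34.154.23.138", "central.backend.syneto.eu"),
    (443, "18.196.54.108", "pkg.syneto.eu"),
    (443, "35.204.93.231", "sync.cloud.syneto.eu"),
    (443, "34.154.23.138", "central.api.syneto.eu"),
    (50052, "34.154.214.5", "central.iam-auth.syneto.eu"),
    (443, "34.141.128.6", "harbor.syneto.eu"),
    (443, "35.219.226.134", "yum.syneto.eu"),
    (443, "34.154.214.5", "proxy.t.syneto.eu"),
] + [(22, ip, f"stc-{i}.syneto.eu") for i, ip in enumerate([
    "34.154.73.58", "34.154.56.8", "34.154.68.141", "34.154.200.206",
    "34.154.117.67", "34.154.5.241", "34.154.112.18", "34.154.127.119"])]

def resolve(host):
    """Return the set of IPv4 addresses the local resolver gives for host."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def tcp_open(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(entries=REQUIRED, resolver=resolve, connector=tcp_open):
    """Classify each entry as OK, DNS_FAIL, DNS_DRIFT or BLOCKED."""
    results = []
    for port, ip, host in entries:
        resolved = resolver(host)
        if not resolved:
            status = "DNS_FAIL"    # name does not resolve (is DNS egress allowed?)
        elif ip not in resolved:
            status = "DNS_DRIFT"   # name no longer maps to the documented IP
        elif not connector(ip, port):
            status = "BLOCKED"     # no egress path to the documented ip:port
        else:
            status = "OK"
        results.append((host, ip, port, status))
    return results

if __name__ == "__main__":
    print("\n".join(f"{s:9} {h} ({ip}) tcp/{p}" for h, ip, p, s in check()))
```

A DNS_DRIFT result means a firewall rule pinned to the documented IP should be reviewed against the current vendor documentation before it is changed.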



IPMI Ports
TCP Ports: 80, 443, 5901, 5900, 5120, 5123
UDP Ports: 623



ESXi Ports

"The vSphere Client and the VMware Host Client allow you to open and close firewall ports for each service or to allow traffic from selected IP addresses.

ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the host's security profile. For the list of supported ports and protocols in the ESXi firewall, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. ..."

See more details in the official documentation: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html



For the full range of features, also include the outgoing ports and destinations listed below:


| Port | Destination / Services | Description |
|---|---|---|
| 25 TCP | Email server | Allows SynetoOS to send email alerts to administrators. Required if the email server supports this port. |
| 465 TCP | Email server | Allows SynetoOS to send email alerts to administrators. Required if the email server supports this port. |
| 587 TCP | Email server | Allows SynetoOS to send email alerts to administrators. Required if the email server supports this port. |
| 53 UDP | DNS server | Allows hostname resolution. |
| 123 UDP | NTP server | Allows access to network time protocol (NTP) servers for time synchronization. |
| 902 TCP | VMware ESXi hosts | Allows network block device (NBD) data transfers between an external VMware ESXi host and a Syneto appliance (for VM migrations or Chronos). |
| 3260 TCP | iSCSI targets | Allows iSCSI data transfers. |
| 111, 968, 2049, 4045 TCP | NFS | Used for sharing datastores to ESXi hosts. |
| 137, 138 TCP | SMB | Used for SMB sharing. |
| 548 TCP | AFP | Used for AFP sharing. |
| 2003, 2004, 7002 | carbon_cache | Used for Analytics. |
| 5353 UDP | mdnsd | DNS resolver. Used to resolve host names. |
| 11211 | memcached | Used by the Web Management Interface to cache various data in memory. |
| 9000-9099 TCP | mbuffer | One port is opened temporarily for each non-encrypted snapshot replication. The port is closed after a snapshot is received. These ports cannot be NATed, or you have to NAT all of them one-to-one on your gateway. |