
Article ID: 115202, created on Nov 26, 2012, last review on Nov 21, 2015

  • Applies to:
  • Operations Automation 5.3
  • Plesk Automation 11.1
  • Plesk Automation 11.5

Information

When a new Service Node is registered in Plesk Automation (PA), PA automatically modifies firewall rules and opens the necessary ports. Modification is carried out on the PA Management Node and the Service Node. However, firewall rules can be manually modified or changed by other third-party software. This modification can break the connection with Service Node(s).

This article describes how each port is assigned and its related purpose. In the event of any communication problems, check that the required ports are open.

For detailed information about the ports on each type of node, refer to the PA deployment guides.

PA Management Node

  • Web Interface (Administration and Hosting Panel)

    • 8880: HTTP access to PA Administration Panel
    • 8443: HTTPS access to PA Administration Panel
  • Public API

    • 8440: Public API Manager
  • Communication with Service Nodes

    • 80: Connection to PA package repository from service nodes
    • 8352-8364: PA internal ports for accepting requests from Service Node(s)
    • 8412: PA internal port for accepting requests from Service Node(s)
    • 8490: PA internal port for accepting requests from Service Node(s)
    • 8532: PA internal port for accepting requests from Service Node(s)
    • 8400: PA internal port for accepting requests from Service Node(s)
  • Test (used by utility PA.sn_test)
    • 51618: For testing bi-directional communication with a service node

If the PA Management Node is not only used as the Administration Panel, but also for hosting, it is necessary to open the ports for the desired hosting services.

Service Node(s)

The ports below are required to be opened on all of the service nodes:

  • 8352-8364: PA internal ports for accepting requests from Management Node
  • 8412: PA internal port for accepting requests from Management Node
  • 8490: PA internal port for accepting requests from Management Node
  • 8532: PA internal port for accepting requests from Management Node
  • 8443: PA internal port for accepting requests from Management Node
  • 51619: For testing bi-directional communication with a management node

Ports for hosting services on the Service Node also must be open:

IIS Service Node:

Before adding a service node running Windows 2012 R2, it is required to log into the node and issue the following commands in the console:

Configure WinRM service:

sc config winrm start= auto
sc start winrm


%windir%\system32\timeout /t 5
cmd /c winrm put winrm/config/service @{AllowUnencrypted = "true"}

%windir%\system32\timeout /t 2
cmd /c winrm put winrm/config/service/Auth @{Basic = "true"}

%windir%\system32\timeout /t 2
cmd /c winrm create winrm/config/Listener?Address=*+Transport=http @{Port="5985"}

netsh advfirewall firewall add rule name="WinRM in" dir=in profile=any protocol=TCP localport=5985 remoteip=203.0.113.2 localip=any action=allow

Enable other necessary ports:

# HTTP & HTTPS
netsh advfirewall firewall add rule name="HTTP 80 port" dir=in profile=any protocol=TCP localport=80 remoteip=any localip=any action=allow

netsh advfirewall firewall add rule name="HTTPS 443 port" dir=in profile=any protocol=TCP localport=443 remoteip=any localip=any action=allow

# FTP
netsh advfirewall firewall add rule name="FTP Passive Connections" dir=in action=allow service=ftpsvc protocol=TCP

netsh advfirewall set global StatefulFTP disable

# PA service ports
netsh advfirewall firewall add rule name="POA in" dir=in profile=any protocol=TCP localport=8352 remoteip=203.0.113.2 localip=any action=allow

netsh advfirewall firewall add rule name="POA in 2" dir=in profile=any protocol=TCP localport=8354 remoteip=203.0.113.2 localip=any action=allow

where 203.0.113.2 is the IP address of the Management Node.

SmarterMail Service Node:

Add the rules below to allow mail services and communication with the Management Node:

Configure WinRM service:

sc config winrm start= auto
sc start winrm


%windir%\system32\timeout /t 5
cmd /c winrm put winrm/config/service @{AllowUnencrypted = "true"}

%windir%\system32\timeout /t 2
cmd /c winrm put winrm/config/service/Auth @{Basic = "true"}

%windir%\system32\timeout /t 2
cmd /c winrm create winrm/config/Listener?Address=*+Transport=http @{Port="5985"}

netsh advfirewall firewall add rule name="WinRM in" dir=in profile=any protocol=TCP localport=5985 remoteip=203.0.113.2 localip=any action=allow

Enable other necessary ports:

# Mail services
netsh advfirewall firewall add rule name="SMTP" dir=in profile=any protocol=TCP localport=25 remoteip=any localip=any action=allow

netsh advfirewall firewall add rule name="SMTPS" dir=in profile=any protocol=TCP localport=465 remoteip=any localip=any action=allow

netsh advfirewall firewall add rule name="587 mail submission" dir=in profile=any protocol=TCP localport=587 remoteip=any localip=any action=allow

netsh advfirewall firewall add rule name="POP3" dir=in profile=any protocol=TCP localport=110 remoteip=any localip=any action=allow

netsh advfirewall firewall add rule name="POP3S" dir=in profile=any protocol=TCP localport=995 remoteip=any localip=any action=allow

netsh advfirewall firewall add rule name="IMAP" dir=in profile=any protocol=TCP localport=143 remoteip=any localip=any action=allow

netsh advfirewall firewall add rule name="IMAPS" dir=in profile=any protocol=TCP localport=993 remoteip=any localip=any action=allow

# SmarterMail communication port
netsh advfirewall firewall add rule name="SmarterMail admin port" dir=in profile=any protocol=TCP localport=9998 remoteip=203.0.113.2 localip=any action=allow

where 203.0.113.2 is the IP address of the Management Node.
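
The WinRM settings above enable Basic authentication over unencrypted HTTP, so the remoteip restriction on the rules for ports 5985, 8352, 8354 and 9998 is what limits access to the Management Node. The following added example (not part of the original article) covers both the IIS and SmarterMail nodes: it parses the output of `netsh advfirewall firewall show rule name=all` and lists rules that open one of those ports to any other source. The field names assume English-locale output, and the sample is constructed and abridged.

```python
MGMT_ONLY_PORTS = {5985, 8352, 8354, 9998}  # scoped to the Management Node on this page

def parse_rules(text):
    """Split `netsh advfirewall firewall show rule name=all` output into dicts."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Rule Name":
            rules.append({})
        if sep and rules:
            rules[-1][key.strip()] = value.strip()
    return rules

def opens_mgmt_port(spec):
    """True if a LocalPort value ('Any', '80,443', '8352-8364') covers such a port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo.isdigit() and (hi or lo).isdigit():
            if MGMT_ONLY_PORTS & set(range(int(lo), int(hi or lo) + 1)):
                return True
    return False

def exposed_rules(text, mgmt_ip):
    """Enabled inbound allow rules opening a management-only port to other sources."""
    bad = []
    for r in parse_rules(text):
        state = (r.get("Enabled"), r.get("Direction"), r.get("Action"))
        remote = r.get("RemoteIP", "Any")
        if (state == ("Yes", "In", "Allow") and remote not in (mgmt_ip, mgmt_ip + "/32")
                and opens_mgmt_port(r.get("LocalPort", ""))):
            bad.append(r["Rule Name"])
    return bad

# Constructed, abridged sample output; the second rule has lost its remoteip scope.
SAMPLE = """Rule Name:      WinRM in
Enabled:        Yes
Direction:      In
RemoteIP:       203.0.113.2/32
LocalPort:      5985
Action:         Allow
Rule Name:      POA in
Enabled:        Yes
Direction:      In
RemoteIP:       Any
LocalPort:      8352
Action:         Allow"""
```

`exposed_rules(SAMPLE, "203.0.113.2")` returns `["POA in"]`, the rule whose RemoteIP is no longer limited to the Management Node.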

Apache Service Node:

  • 80: HTTP
  • 443: HTTPS
  • 21: FTP
  • Port range 60000:65000 for FTP passive mode. Additionally add the line 'PassivePorts 60000 65000' into the '/etc/proftpd.conf' file.

Postfix Service Node:

  • 587: Mail submission TCP port
  • 143: IMAP TCP port
  • 995: Secure POP TCP port
  • 465: Secure SMTP TCP port
  • 993: Secure IMAP TCP port
  • 25: SMTP port

Webmail Service Node:

  • 80: HTTP port

Database Service Node:

  • 3306: MySQL TCP port
  • 5432: PostgreSQL TCP port
  • 1433: MSSQL TCP port

DNS Service Node:

  • 53: DNS UDP port

Backup Service Node:

  • 21: FTP
  • Port range 60000:65000 for FTP passive mode. Additionally add the line 'PassivePorts 60000 65000' into the '/etc/proftpd.conf' file.

Additional Information

Below, you can find an example of the iptables rules on the PA Management Node. Requests on ports 8354 and 8352 are accepted only from Service Node IP addresses.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
PA-SN-Rules-INPUT  tcp  --  anywhere             anywhere            tcp dpt:8354
PA-SN-Rules-INPUT  tcp  --  anywhere             anywhere            tcp dpt:8352

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain PA-SN-Rules-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.39.13.201         anywhere
ACCEPT     tcp  --  10.39.25.202         anywhere
ACCEPT     tcp  --  10.39.25.203         anywhere
ACCEPT     tcp  --  10.39.25.204         anywhere
ACCEPT     tcp  --  10.39.25.205         anywhere
ACCEPT     tcp  --  PAmn.plesk.ru       anywhere
DROP       tcp  --  anywhere             anywhere

The iptables rules on the Service Node are shown below. Requests on ports 8354 and 8352 are accepted only from the Management Node.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
PA_INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain PA_INPUT (1 references)
target     prot opt source               destination
DROP       tcp  -- !10.39.25.201         anywhere            tcp dpt:8354
DROP       tcp  -- !10.39.25.201         anywhere            tcp dpt:8352
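
To check a node against the two listings above, the following added example (not part of the original article or of PA) parses `iptables -L` output and evaluates whether a TCP packet from a given source to a PA port would be accepted. It models only protocol, destination port and exact source address matches; the sample listing and the probe address 198.51.100.99 are constructed.

```python
import re

def parse_chains(listing):
    """Parse `iptables -L` text into {chain: {"policy": ..., "rules": [...]}}."""
    chains, rules = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        f = line.split()
        if m:
            rules = []
            chains[m.group(1)] = {"policy": m.group(2), "rules": rules}
        elif rules is not None and len(f) >= 5 and f[0] != "target":
            dpt = re.search(r"dpt:(\d+)", line)
            rules.append({"target": f[0], "prot": f[1], "src": f[3],
                          "dpt": int(dpt.group(1)) if dpt else None})
    return chains

def matches(rule, src, port):
    """Exact-address source match only (no CIDR or DNS); a leading '!' inverts it."""
    spec = rule["src"].lstrip("!")
    src_ok = (spec in ("anywhere", "0.0.0.0/0") or spec == src) != rule["src"].startswith("!")
    return src_ok and rule["prot"] in ("tcp", "all") and rule["dpt"] in (None, port)

def verdict(chains, src, port, chain="INPUT"):
    """First matching rule wins for a TCP packet from src to port."""
    for rule in chains[chain]["rules"]:
        target = rule["target"] if matches(rule, src, port) else None
        if target in chains:  # jump to a user chain; None means it fell through
            target = verdict(chains, src, port, target)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return chains[chain]["policy"]  # None for a user chain: back to the caller

def audit(listing, port, allowed, outsider="198.51.100.99"):
    """List deviations; `outsider` is a constructed probe address."""
    chains = parse_chains(listing)
    findings = [f"{ip} blocked on {port}" for ip in allowed
                if verdict(chains, ip, port) != "ACCEPT"]
    if verdict(chains, outsider, port) == "ACCEPT":
        findings.append(f"{port} open to non-node source")
    return findings

# Constructed listing in the format of the Management Node output above.
SAMPLE = """Chain INPUT (policy ACCEPT)
PA-SN-Rules-INPUT  tcp  --  anywhere      anywhere   tcp dpt:8354
Chain PA-SN-Rules-INPUT (1 references)
ACCEPT     tcp  --  10.39.25.202  anywhere
DROP       tcp  --  anywhere      anywhere"""
```

`audit(SAMPLE, 8354, ["10.39.25.202"])` returns an empty list for the intact sample; with the final DROP line removed, the INPUT policy of ACCEPT applies and the port is reported as open to a non-node source.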
