PA Management Node
- Web Interface (Administration and Hosting Panel)
- 8880: HTTP access to PA Administration Panel
- 8443: HTTPS access to PA Administration Panel
- Public API
- 8440: Public API Manager
- Communication with Service Nodes
- 80: Connection to PA package repository from service nodes
- 8352-8364: PA internal ports for accepting requests from Service Node(s)
- 8412: PA internal port for accepting requests from Service Node(s)
- 8490: PA internal port for accepting requests from Service Node(s)
- 8532: PA internal port for accepting requests from Service Node(s)
- 8400: PA internal port for accepting requests from Service Node(s)
- Test (used by the utility PA.sn_test)
- 51618: For testing bi-directional communication with a service node
If the PA Management Node is not only used as the Administration Panel, but also for hosting, it is necessary to open the ports for the desired hosting services.
Service Node(s)
The ports below are required to be opened on all of the service nodes:
- 8352-8364: PA internal ports for accepting requests from Management Node
- 8412: PA internal port for accepting requests from Management Node
- 8490: PA internal port for accepting requests from Management Node
- 8532: PA internal port for accepting requests from Management Node
- 8443: PA internal port for accepting requests from Management Node
- 51619: For testing bi-directional communication with a management node
Ports for hosting services on the Service Node also must be open:
IIS Service Node:
Before adding a service node running Windows 2012 R2, it is required to log into the node and issue the following commands in the console:
Configure WinRM service:
sc config winrm start= auto
sc start winrm
%windir%\system32\timeout /t 5
cmd /c winrm put winrm/config/service @{AllowUnencrypted = "true"}
%windir%\system32\timeout /t 2
cmd /c winrm put winrm/config/service/Auth @{Basic = "true"}
%windir%\system32\timeout /t 2
cmd /c winrm create winrm/config/Listener?Address=*+Transport=http @{Port="5985"}
netsh advfirewall firewall add rule name="WinRM in" dir=in profile=any protocol=TCP localport=5985 remoteip=203.0.113.2 localip=any action=allow
Enable other necessary ports:
# HTTP & HTTPS
netsh advfirewall firewall add rule name="HTTP 80 port" dir=in profile=any protocol=TCP localport=80 remoteip=any localip=any action=allow
netsh advfirewall firewall add rule name="HTTPS 443 port" dir=in profile=any protocol=TCP localport=443 remoteip=any localip=any action=allow
# FTP
netsh advfirewall firewall add rule name="FTP Passive Connections" dir=in action=allow service=ftpsvc protocol=TCP
netsh advfirewall set global StatefulFTP disable
# PA service ports
netsh advfirewall firewall add rule name="POA in" dir=in profile=any protocol=TCP localport=8352 remoteip=203.0.113.2 localip=any action=allow
netsh advfirewall firewall add rule name="POA in 2" dir=in profile=any protocol=TCP localport=8354 remoteip=203.0.113.2 localip=any action=allow
where 203.0.113.2 is the IP address of the Management Node.
SmarterMail Service Node:
Add the rules below to allow mail services and communication with the Management Node:
Configure WinRM service:
sc config winrm start= auto
sc start winrm
%windir%\system32\timeout /t 5
cmd /c winrm put winrm/config/service @{AllowUnencrypted = "true"}
%windir%\system32\timeout /t 2
cmd /c winrm put winrm/config/service/Auth @{Basic = "true"}
%windir%\system32\timeout /t 2
cmd /c winrm create winrm/config/Listener?Address=*+Transport=http @{Port="5985"}
netsh advfirewall firewall add rule name="WinRM in" dir=in profile=any protocol=TCP localport=5985 remoteip=203.0.113.2 localip=any action=allow
Enable other necessary ports:
# Mail services
netsh advfirewall firewall add rule name="SMTP" dir=in profile=any protocol=TCP localport=25 remoteip=any localip=any action=allow
netsh advfirewall firewall add rule name="SMTPS" dir=in profile=any protocol=TCP localport=465 remoteip=any localip=any action=allow
netsh advfirewall firewall add rule name="587 mail submission" dir=in profile=any protocol=TCP localport=587 remoteip=any localip=any action=allow
netsh advfirewall firewall add rule name="POP3" dir=in profile=any protocol=TCP localport=110 remoteip=any localip=any action=allow
netsh advfirewall firewall add rule name="POP3S" dir=in profile=any protocol=TCP localport=995 remoteip=any localip=any action=allow
netsh advfirewall firewall add rule name="IMAP" dir=in profile=any protocol=TCP localport=143 remoteip=any localip=any action=allow
netsh advfirewall firewall add rule name="IMAPS" dir=in profile=any protocol=TCP localport=993 remoteip=any localip=any action=allow
# SmarterMail communication port
netsh advfirewall firewall add rule name="SmarterMail admin port" dir=in profile=any protocol=TCP localport=9998 remoteip=203.0.113.2 localip=any action=allow
where 203.0.113.2 is the IP address of the Management Node.
Apache Service Node:
- 80: HTTP
- 443: HTTPS
- 21: FTP
- Port range 60000:65000 for FTP passive mode. Additionally, add the line 'PassivePorts 60000 65000' to the '/etc/proftpd.conf' file.
Postfix Service Node:
- 587: Mail submission TCP port
- 143: IMAP TCP port
- 995: Secure POP TCP port
- 465: Secure SMTP TCP port
- 993: Secure IMAP TCP port
- 25: SMTP port
Webmail Service Node:
- 80: HTTP port
Database Service Node:
- 3306: MySQL TCP port
- 5432: Postgresql TCP port
- 1433: MSSQL TCP port
DNS Service Node:
- 53: DNS UDP port
Backup Service Node:
- 21: FTP
- Port range 60000:65000 for FTP passive mode. Additionally, add the line 'PassivePorts 60000 65000' to the '/etc/proftpd.conf' file.
Additional Information
Below, you can find an example of the iptables rules on the PA Management Node. Requests on ports 8354 and 8352 are accepted only from Service Node IP addresses.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
PA-SN-Rules-INPUT tcp -- anywhere anywhere tcp dpt:8354
PA-SN-Rules-INPUT tcp -- anywhere anywhere tcp dpt:8352
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PA-SN-Rules-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- 10.39.13.201 anywhere
ACCEPT tcp -- 10.39.25.202 anywhere
ACCEPT tcp -- 10.39.25.203 anywhere
ACCEPT tcp -- 10.39.25.204 anywhere
ACCEPT tcp -- 10.39.25.205 anywhere
ACCEPT tcp -- PAmn.plesk.ru anywhere
DROP tcp -- anywhere anywhere
The iptables rules on the Service Node are shown below. Requests on ports 8354 and 8352 are accepted only from the Management Node.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
PA_INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PA_INPUT (1 references)
target prot opt source destination
DROP tcp -- !10.39.25.201 anywhere tcp dpt:8354
DROP tcp -- !10.39.25.201 anywhere tcp dpt:8352
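The two listings above show the result but not the commands that build it. The following is an added example, not part of the Plesk article, that prints the iptables commands producing the same chains: on the Management Node a PA-SN-Rules-INPUT chain that accepts 8352/8354 only from the listed Service Nodes and drops everything else, and on a Service Node a PA_INPUT chain that drops those ports from any source other than the Management Node. The node addresses are constructed placeholders; adjust them before piping the output to sh on the node.

```sh
#!/bin/sh
# Added example (not from the Plesk KB article). Commands are printed rather
# than executed so they can be reviewed first, then run with: mn_rules | sh
MN_IP="203.0.113.2"                  # Management Node (placeholder, as in the article)
SN_IPS="10.39.25.201 10.39.25.202"   # Service Nodes (constructed placeholders)
PA_PORTS="8352 8354"                 # PA internal ports restricted in the listings above

# Management Node side: INPUT hands 8352/8354 to PA-SN-Rules-INPUT, which
# accepts only the Service Node addresses and ends with an unconditional DROP.
mn_rules() {
    echo "iptables -N PA-SN-Rules-INPUT"
    for p in $PA_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j PA-SN-Rules-INPUT"
    done
    for ip in $SN_IPS; do
        echo "iptables -A PA-SN-Rules-INPUT -p tcp -s $ip -j ACCEPT"
    done
    echo "iptables -A PA-SN-Rules-INPUT -p tcp -j DROP"
}

# Service Node side: all INPUT traffic passes through PA_INPUT, which drops
# 8352/8354 from any address that is not the Management Node.
sn_rules() {
    echo "iptables -N PA_INPUT"
    echo "iptables -A INPUT -j PA_INPUT"
    for p in $PA_PORTS; do
        echo "iptables -A PA_INPUT -p tcp ! -s $MN_IP --dport $p -j DROP"
    done
}

echo "# Management Node"
mn_rules
echo "# Service Node"
sn_rules
```

Ports 8412, 8490 and 8532 from the port tables above are not restricted in the article's listings; if they are to be limited to the same peers, add them to PA_PORTS.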