Knowledge Base Article
2820OSI8 - Which firewall ports should be opened for a PI Data Archive?
Product: PI Data Archive
Version(s): 2010 and later

(December 2016) This article mentions PI trusts, now superseded by more secure forms of authentication. AL00309 discusses the move from PI trusts to Windows Integrated Security (WIS) for PI API.  

Issue

Which firewall ports should be open for the PI Data Archive to properly function?

Solution

The firewall ports required are grouped into three categories: infrastructure (required technologies), base functionality, and optional functionality. Infrastructure rules are needed to interact with third-party applications or components (DNS, domain controllers, Kerberos); in many environments these rules are already in place. Base functionality rules are required for any installation of the PI Data Archive. Optional functionality rules are only required if the corresponding optional functionality has been implemented.

Infrastructure

Functionality | Remote Application | Protocol | Port | Direction | Local Application | Service
------------- | ------------------ | -------- | ---- | --------- | ----------------- | -------
SPN registration (PI Mappings) | Domain Controller | TCP/UDP | 135 | Outbound | PI Data Archive | PI Network Manager
Kerberos (PI Mappings) | Key Distribution Center | TCP/UDP | 88 | Outbound | PI Client | PI Network Manager
NTLM (PI Mappings) | Domain Controller | TCP/UDP | Dynamic | Outbound | PI Data Archive | PI Network Manager
IP/Host lookup (PI Trust) | DNS | TCP/UDP | 53 | Outbound | PI Data Archive | PI Network Manager
Domain/OSUser lookup (PI Trust) | Domain Controller | TCP/UDP | Dynamic | Outbound | PI Data Archive | PI Network Manager

Base Functionality

Functionality | Remote Application | Protocol | Port | Direction | Local Application | Service
------------- | ------------------ | -------- | ---- | --------- | ----------------- | -------
Client connections to PI Data Archive | All client applications | TCP | 5450 | Inbound | PI Data Archive | PI Network Manager
PI AF Link Synchronization, MDB Reset or MDB Re-migration | PI Data Archive | TCP | 5457 | Inbound | PI AF Server | PI AF Application Service

Optional Functionality

Functionality | Remote Application | Protocol | Port | Direction | Local Application | Service
------------- | ------------------ | -------- | ---- | --------- | ----------------- | -------
PI High Availability (Replication) | PI Data Archive (Secondary) | TCP | 5450 | Inbound | PI Data Archive (Primary) | PI Network Manager
PI High Availability (Adding members, Re-initializing members)* | PI Data Archive (Primary) & PI Client (PI Collective Manager) | TCP | 445 | Inbound | PI Data Archive (Secondary) | PI Network Manager
PI AF Link MDB Re-migration* | PI Data Archive & PI Client (PI SMT) | TCP | 445 | Inbound | PI AF Server | PI AF Application Service

*Only required if remotely searching or browsing for local users and groups is necessary. If domain groups are used for mappings, or mappings are managed locally, this port does not need to be opened.
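The tables above turned into Windows Firewall rules, as an added PowerShell example that is not an OSIsoft script: it creates the inbound rules a PI Data Archive host needs (TCP 5450 always; TCP 445 only on a secondary, and only while a member is being added or re-initialized), scopes them to placeholder address ranges, and then lists the resulting port and address filters.

```powershell
# Added example, not an OSIsoft script: build Windows Firewall rules on a PI Data Archive
# host that match the tables above, scoped to known peers. All addresses are placeholders.
#Requires -RunAsAdministrator

# --- deployment assumptions (placeholders; adjust to your environment) ---
$PiClientRanges     = @('10.0.10.0/24', '10.0.20.0/24')  # subnets of PI clients and interfaces
$IsCollectiveMember = $true                              # PI High Availability in use?
$CollectivePeers    = @('10.0.1.10')                     # other collective member(s)
$CollectiveMgrHost  = '10.0.50.25'                       # workstation running PI Collective Manager
$AllowRemoteInit    = $false                             # true only while adding/re-initializing a member

# Base functionality: every client initiates to PI Network Manager on TCP 5450.
# Limiting -RemoteAddress keeps the listener unreachable from networks that have no PI clients.
$remote5450 = $PiClientRanges
if ($IsCollectiveMember) { $remote5450 += $CollectivePeers }   # replication also uses TCP 5450
New-NetFirewallRule -DisplayName 'PI Data Archive - Client and replication (TCP 5450)' `
    -Direction Inbound -Protocol TCP -LocalPort 5450 -Action Allow `
    -Profile Domain -RemoteAddress $remote5450 | Out-Null

if ($IsCollectiveMember) {
    # Optional, marked * in the table: TCP 445 is only needed on a Secondary while a member is
    # being added or re-initialized. Create the rule disabled, limited to the Primary and the
    # Collective Manager workstation, and enable it only for that maintenance window.
    $enabled = if ($AllowRemoteInit) { 'True' } else { 'False' }
    New-NetFirewallRule -DisplayName 'PI Data Archive - HA member init (TCP 445)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
        -Profile Domain -RemoteAddress ($CollectivePeers + $CollectiveMgrHost) `
        -Enabled $enabled | Out-Null
}

# Verify: show each PI rule with its resolved port and remote-address filters.
Get-NetFirewallRule -DisplayName 'PI Data Archive - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Port    = $port.LocalPort
        Remote  = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize

# From a client, confirm the listener is reachable (the client always initiates the connection):
# Test-NetConnection -ComputerName <pi-data-archive-host> -Port 5450
```

The outbound infrastructure ports (53, 88, 135 and dynamic RPC) are left to the host's default outbound policy here; add matching outbound rules only if that policy is deny-by-default.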

Background

Connections

All communication with the PI Data Archive is strictly over port 5450.

When a PI Interface or PI Client connects to the PI Data Archive, it initiates a series of connections from an arbitrarily selected “ephemeral” port (chosen by the operating system) on the client computer to port 5450 on the PI Data Archive; the client will always initiate a connection to the PI Data Archive.

PI MDB to AF Synchronization

PI AF Link utilizes the PI AF SDK to synchronize the PI Module Database with PI AF. The PI Server must be able to open a connection to the PI AF Server over port 5457 for all operations with PI AF Link.

See also KB00751 "Which firewall ports should be opened for PI AF Server?"

High Availability

Replication for PI collective members takes place through direct connections from each Secondary PI Data Archive to the Primary PI Data Archive over port 5450.

If a member is being added to the PI collective, or a PI collective member is being re-initialized, the Secondary PI Data Archive services will be stopped from the client machine running PI Collective Manager over port 445. A backup from the Primary PI Data Archive is then transferred to the Secondary PI Data Archive over port 445 to establish a baseline configuration of the Secondary.

PI Mappings

At startup the PI Data Archive attempts to register a Service Principal Name (SPN) with the Domain Controller over port 135. The SPN is needed when client machines authenticate via the Kerberos protocol. When connecting to the PI Server using WIS (Windows Integrated Security), one of the Windows protocols Kerberos or NTLM (NT LAN Manager) is selected.

With Kerberos, the Client machine first authenticates with the Key Distribution Center over port 88 prior to any communication with the PI Data Archive.

With NTLM, the Client machine communicates with the PI Data Archive first. It is then the responsibility of the PI Data Archive to authenticate the Client's Windows credentials with the Domain Controller over dynamic Windows RPC ports (for more information, refer to MS KB # 832017).

PI Trusts

IP/Host information
For PI SDK connections, the hostname / fqdn (Fully Qualified Domain Name) field for a PI Trust lookup is provided by the connecting Client application.

For PI API connections (such as PI Interfaces), the hostname / fqdn field for a PI Trust lookup is not provided by the connecting Client application and is retrieved by the PI Data Archive via reverse name lookup over port 53. 

Note: OSIsoft recommends the DNS-based reverse name lookup method for security, maintenance and reliability. In rare cases when DNS resolution is not possible, NetBIOS name resolution on port 137 or Link-Local Multicast Name Resolution (LLMNR) on port 5355 are also available.

Windows Domain and User

For PI SDK connections, the Windows user’s SID (Security Identifier) is provided by the connecting Client application for PI Trust lookups (Domain and OSUser fields). The PI Data Archive resolves the SID to the Windows User through the Domain Controller over dynamic Windows RPC ports. For more information, refer to Microsoft Technet MS KB # 832017.

For PI API connections, these PI Trust fields are not used.

Notes

For a directory of all available KB articles describing how to configure firewall and port numbers for many OSIsoft products, see KB01162 - Firewall Port Requirements.
Article ID: 2820OSI8
Article Type: Troubleshooting
Created: 2002-02-05
Last Updated: 2017-05-17