Supermicro’s IPMI Firewall Rules

If your internal firewall is very restrictive or you need to expose IPMI to the outside world, you might be presented with a bit of a challenge because of the quite varied selection of ports involved.

The first ports you have to allow are of course TCP 80 and 443 for the web management interface. Almost all IPMI implementations have it and quite often it's the interface with the most features. For example, Supermicro's implementation allows BIOS updates and port number changes only over the web interface. This interface unfortunately stops just short of allowing console access.

To get access via an IPMI tool (I use Supermicro's IPMI View) you need to have UDP port 623 allowed through. This will allow logging into the IPMI interface and seeing the machine's status. Unfortunately, this too stops short of console access.

The key to console (aka KVM) access is in TCP ports 3520 and 5900. These will allow you to see the console and type into it. Only if you have ever run IPMI on a nonrestrictive network would you notice that something is missing.

The missing piece is the menu that allows you to mount virtual media and similar. For this you need to enable TCP port 623. This will finally allow full control over the hardware.

It's a bit of an annoyance that so many ports are needed, but in general this doesn't present a problem. Unless there are special circumstances, you shouldn't access IPMI from the outside via port forwarding. What you should do is use a VPN and then access IPMI through it.
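
One way to turn the port list above into rules on the firewall that sits between the VPN and the management network, as an added example that is not the author's own configuration. It emits an nftables ruleset that opens only the features you name and only from the VPN subnet; the addresses, the table name and the feature labels (web, ipmi, kvm, media) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build an nftables ruleset for the ports listed in the article.
# Assumed values (not from the article): BMC address 192.0.2.10,
# VPN subnet 10.8.0.0/24, table name "ipmi_mgmt", feature labels.

# Map a feature label to the port match the article gives for it.
feature_match() {
    case "$1" in
        web)   echo "tcp dport { 80, 443 }" ;;      # web management interface
        ipmi)  echo "udp dport 623" ;;              # IPMI tool login and status
        kvm)   echo "tcp dport { 3520, 5900 }" ;;   # console (KVM)
        media) echo "tcp dport 623" ;;              # virtual media menu
        *)     return 1 ;;
    esac
}

# ipmi_ruleset BMC_IP VPN_CIDR FEATURE...
# Prints the ruleset; nothing is applied until the output is fed to nft.
ipmi_ruleset() {
    bmc=$1; vpn=$2; shift 2
    rules=""
    for f in "$@"; do
        m=$(feature_match "$f") || { echo "unknown feature: $f" >&2; return 1; }
        rules="${rules}        ip saddr $vpn ip daddr $bmc $m accept comment \"ipmi-$f\"
"
    done
    # Replies to connections the BMC itself opened stay allowed; everything
    # else addressed to the BMC is dropped, other forwarded traffic is untouched.
    cat <<EOF
table ip ipmi_mgmt {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
${rules}        ip daddr $bmc drop comment "ipmi-default-deny"
    }
}
EOF
}

# Usage (review the output first, then load it):
#   ipmi_ruleset 192.0.2.10 10.8.0.0/24 web ipmi kvm media | nft -f -
```

Leaving a feature off the command line keeps its ports closed, so a host that only ever needs the web interface never exposes the KVM or virtual media ports even to VPN users.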
