Firewall ports Failover Clustering in Server 2016

  • Question

  • Hello - I'm configuring MS Failover Cluster across two datacenters with different IP ranges using Server 2016. What firewall ports are needed to set up a two-node cluster and a witness file share?

    Thanks


    ad

    Tuesday, May 30, 2017 3:58 PM

All replies

  • Hi,

    Cluster Service


    The Cluster service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that act as a single computer. Managers, programmers, and users see the cluster as a single system. The software distributes data among the nodes of the cluster. If a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data to that node.

    System service name: ClusSvc

    Application                          Protocol   Ports
    Cluster Service                      UDP        3343
    Cluster Service                      TCP        3343 (This port is required during a node join operation.)
    RPC                                  TCP        135
    Cluster Administrator                UDP        137
    Randomly allocated high UDP ports¹   UDP        Random port number between 1024 and 65535
                                                    Random port number between 49152 and 65535²

    Note:
    Additionally, for successful validation on Windows Failover Clusters on 2008 and above, allow inbound and outbound traffic for ICMP4, ICMP6, and port 445/TCP for SMB.

    ¹ For more information about how to customize these ports, see "Remote Procedure Calls and DCOM" in the "References" section.
    ² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

    And the file share witness should be the same as a file share: it uses TCP 139/445 and UDP 137/138.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, May 31, 2017 8:31 AM
    Moderator
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman

    Tuesday, June 6, 2017 2:14 AM
    Moderator
  • Thank you. You also need a random TCP port number between 49152 and 65535.

    For the witness file share you need TCP 139 and 445. Why do you need UDP 137/138 for the file share witness server?


    ad

    Tuesday, June 6, 2017 4:30 PM
  • Hi,

    UDP 137/138 is for SMB over NetBIOS.


    Best Regards
    Cartman

    Friday, June 9, 2017 5:35 AM
    Moderator
  • Hi, thank you for the info! This is very helpful. I have taken over a cluster that was already in place and notice that the inbound rules from the cluster show allow for all profiles. Should I limit the Failover Cluster rules to just the Domain? FYI this is not in a DMZ, and should only be accessed internally.

    Thanks for the help!

    Tre

    Monday, October 7, 2019 2:41 PM
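
An added example, not part of any post in this thread: a PowerShell audit, run on a cluster node, that lists every enabled inbound allow rule covering the numeric ports named in the first reply, together with the firewall profiles and remote addresses each rule applies to. The helper name Test-PortMatch and the report column names are assumptions of this example; the dynamic RPC range is left out because rules for it are usually written with keywords rather than port numbers.

```powershell
# Added example: ports below are taken from the first reply in this thread.
$clusterPorts = @(
    @{ Protocol = 'UDP'; Port = 3343 }   # Cluster Service
    @{ Protocol = 'TCP'; Port = 3343 }   # Cluster Service (node join)
    @{ Protocol = 'TCP'; Port = 135  }   # RPC
    @{ Protocol = 'UDP'; Port = 137  }   # Cluster Administrator / NetBIOS
    @{ Protocol = 'UDP'; Port = 138  }   # NetBIOS (file share witness)
    @{ Protocol = 'TCP'; Port = 139  }   # NetBIOS session (file share witness)
    @{ Protocol = 'TCP'; Port = 445  }   # SMB (validation, file share witness)
)

# Hypothetical helper: does a rule's LocalPort list (single ports, ranges
# such as '49152-65535', or 'Any') cover the given port number?
function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

$report = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    foreach ($p in $clusterPorts) {
        $protocolOk = $portFilter.Protocol -in @($p.Protocol, 'Any')
        if ($protocolOk -and (Test-PortMatch -LocalPort $portFilter.LocalPort -Port $p.Port)) {
            [pscustomobject]@{
                Port          = '{0}/{1}' -f $p.Protocol, $p.Port
                Rule          = $rule.DisplayName
                Group         = $rule.DisplayGroup
                Profile       = $rule.Profile              # Any, or a mix of Domain/Private/Public
                RemoteAddress = $addrFilter.RemoteAddress -join ','
            }
        }
    }
}

# One row per (port, rule) pair; rows with Profile 'Any' or RemoteAddress 'Any'
# are the ones that apply on every network profile or to every source.
$report | Sort-Object Port, Rule | Format-Table -AutoSize
```

The script only reads the firewall configuration and changes nothing; it needs the NetSecurity module that ships with Windows Server 2012 and later.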