Why doesn't SCI use TCP port 8443?

Hi.

Customer is using SCI and vSZ (above 3.5).

But their SCI doesn't use port 8443.

We can see some ports used for the connection between SCI and vSZ in the document.

But SCI doesn't use 8443, based on what I checked using tcpdump on the SCI shell.

SCI receives only packets for port 8883 from vSZ.

Doesn't it use outbound port 8443?

Is it intended?

Should we only open inbound TCP port 8883 from vSZ to SCI?

Thanks.

Jeronimo

Posted 3 months ago

See Ho Ting

Hi Jeronimo,

Yes, port 8883 is used for SZ to communicate with SCI. This is because the communication protocol used is MQTT and port 8883 is the official port for MQTT over SSL and is registered with IANA (http://www.iana.org).

Port 8443 is typically reserved for HTTP and thus we are not using it for MQTT.

For firewall rules, traffic is outbound from SZ to SCI. Sorry, the documentation is not clear. The 8443 is for SZ 3.4 and below where the API is HTTPS based. SZ 3.5 and above will be using port 8883.

Hope this helps.

Thanks!

Jeronimo

Thanks for the reply, See Hong.

If in SZ 3.5 and above SCI doesn't use port 8443, plz write it down correctly in the document.

Does SCI use 8443 for polling from SCI to vSZ?

Does SCI only receive packets through port 8883 from vSZ to SCI?

And should we open only inbound port 8883 on the firewall?

Or in 3.4 and below, does SCI use 8443 for polling from SCI to vSZ?

Plz let me know about it.

And if it is incorrect, write it down clearly in the document.

It causes confusion.

Regards.

See Ho Ting

Hi Jeronimo,

Quick answers to your questions:

If in SZ 3.5 and above SCI doesn't use port 8443, plz write it down correctly in the document.
=> Yes, we will have this documented more clearly ASAP.

Does SCI use 8443 for polling from SCI to vSZ?
=> Yes, but this is only for SZ3.4.2 and below. From SZ3.5 onwards, the API has changed completely from HTTPS pull to MQTT pull.

Does SCI only receive packets through port 8883 from vSZ to SCI?
=> Yes. And again, this is only for SZ3.5 and above.

And should we open only inbound port 8883 on the firewall?
=> Yes, that is correct.

Or in 3.4 and below, does SCI use 8443 for polling from SCI to vSZ?
=> Yes, for SZ3.4 and below, SCI uses 8443 to poll the SZ.

Hope this helps and we apologise for the ambiguity in the documentation.

Thanks!
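
Added example, not part of the original thread: a way to check from a `tcpdump -nn` text capture which side opens the connection and on which port, matching the two behaviours described above (SZ to SCI on 8883 versus SCI polling SZ on 8443). The IP addresses, sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample capture in tcpdump -nn text format; addresses are placeholders.
SCI_IP = "192.0.2.20"   # assumed SCI address
SZ_IP = "192.0.2.10"    # assumed vSZ address
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.40112 > 192.0.2.20.8883: Flags [S], seq 1000, win 29200, length 0
12:00:01.000300 IP 192.0.2.20.8883 > 192.0.2.10.40112: Flags [S.], seq 2000, ack 1001, win 28960, length 0
12:00:01.000500 IP 192.0.2.10.40112 > 192.0.2.20.8883: Flags [.], ack 1, win 229, length 0
12:00:02.000001 IP 192.0.2.10.40112 > 192.0.2.20.8883: Flags [P.], seq 1:200, ack 1, win 229, length 199
12:00:09.000001 IP 192.0.2.10.40250 > 192.0.2.20.8883: Flags [S], seq 5000, win 29200, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def initiated_flows(capture, sci_ip, sz_ip):
    """Count connection attempts (bare SYN) between SZ and SCI by direction and port."""
    flows = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if flags != "S":  # only the initial SYN shows who opens the connection
            continue
        if src == sz_ip and dst == sci_ip:
            flows[("SZ->SCI", int(dport))] += 1
        elif src == sci_ip and dst == sz_ip:
            flows[("SCI->SZ", int(dport))] += 1
    return flows

def classify(flows):
    """Map observed flows onto the two behaviours described in the thread."""
    if flows.get(("SZ->SCI", 8883)):
        return "MQTT over TLS, SZ to SCI on 8883 (SZ 3.5 and above)"
    if flows.get(("SCI->SZ", 8443)):
        return "HTTPS polling, SCI to SZ on 8443 (SZ 3.4 and below)"
    return "no SZ/SCI connection attempts seen"

if __name__ == "__main__":
    flows = initiated_flows(SAMPLE, SCI_IP, SZ_IP)
    for (direction, port), n in sorted(flows.items()):
        print(f"{direction} tcp/{port}: {n} SYN")
    print(classify(flows))
```

Counting only bare SYN packets keeps return traffic on an established connection from being mistaken for a second flow that needs its own firewall rule.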

Jeronimo

Hi See Ho Ting.

Thanks for the kind and in-depth reply.

I got it perfectly.

First, plz upload this to the KB.

An additional question.

We have two vSZ bound to a cluster.

If two vSZ exist in a cluster, should we add both to SCI?

Currently we add only one vSZ.

Plz let me know about it.

Thank you very much.

Lakshmi Nagarajan

Hi Jeronimo, you are doing the right thing by adding only one vSZ. If you have more than one vSZ in a cluster, you need to add only one of them to SCI.

Thanks
Lakshmi 

Jeronimo

Thank you very much Lakshmi.

I got it from your reply.

Regards.
Jeronimo