The ports required to operate LMS differ between the activation process and normal operation (including the remote server configuration).

If you are running the remote server configuration, ports 27000 to 27009 must additionally be open between the client and the remote license server.

Activation Workflow

For online licensing and online/offline activation of the license, port 443 (TCP and UDP) must be open.

The required endpoint for activation is:

  • lms.bt.siemens.com [194.138.12.72]: LMS Server (FNO) / LMU Webservice, HTTPS access to port 443

NOTICE! Within the Siemens network this host is mapped to 158.226.135.60.

Communication with our services requires one of the following cryptographic protocols:

  • TLS 1.2 - recommended
  • TLS 1.1 - deprecated; use only where TLS 1.2 is not yet available
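The following PowerShell snippet is an added example, not part of the Siemens documentation, that checks from the LMS host which of the two protocol versions above the activation endpoint actually negotiates. It assumes outbound TCP 443 to lms.bt.siemens.com is already open (inside the Siemens network substitute 158.226.135.60 for the target) and that the host's .NET/SChannel build supports TLS 1.2; the function name Test-TlsHandshake is this example's own.

```powershell
# Added example (not Siemens code): probe TLS 1.2 and TLS 1.1 against the
# LMS activation endpoint and report what is negotiated.
# Assumption: outbound TCP 443 to the target host is permitted.
param(
    [string]$TargetHost = 'lms.bt.siemens.com',
    [int]$Port = 443
)

function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Two-argument constructor keeps the default certificate chain validation.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Offer exactly one protocol version; last argument enables the
        # revocation check of the server certificate.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $true)
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Result     = 'handshake ok'
        }
    } catch {
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $null
            Cipher     = $null
            Result     = "rejected: $($_.Exception.GetBaseException().Message)"
        }
    } finally {
        $client.Dispose()
    }
}

# TLS 1.2 is the recommended version and is expected to succeed.
# TLS 1.1 is deprecated: a rejection is the desirable outcome; a successful
# handshake means the service still accepts it and you should not rely on that.
'Tls12', 'Tls11' |
    ForEach-Object { Test-TlsHandshake -TargetHost $TargetHost -Port $Port -Protocol $_ } |
    Format-Table -AutoSize
```

Run it once after opening the firewall and again after any change to the host's SChannel settings: a "rejected" result for Tls12 on a host that previously negotiated it usually points to a local policy (disabled TLS 1.2 or cipher suites) rather than to the service.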

Digital Signature Verification

For normal operation, one additional endpoint must be reachable:

  • cdpldap.pki-services.siemens.com [194.138.20.37]: LDAP, access to port 389

NOTICE! This port must be open so that the revocation status of the Siemens-issued code signing certificate can be checked against the Siemens CRL distribution point. If it is blocked, the signature verification cannot complete its revocation check.

For more details see: http://www.siemens.com/corp/en/index/digital_id.htm

Hardening 3rd Party Components

As part of the LMS setup, the Gemalto (formerly SafeNet) dongle driver is installed. This driver includes an Admin Control Center (ACC) reachable at http://localhost:1947. By default, remote access to it is disabled; the steps below verify and enforce that setting.

For LMU 2.4 and later, change the settings as below:

  1. Start LMU and navigate to Settings -> Dongle Overview -> Configuration (or open http://localhost:1947/_int_/config.html)
  2. Set “Allow Remote Access to ACC” and “Allow Remote Access to Admin API” to Disabled.
  3. Click the Submit button to save the changes.

Disable remote connections for Automation License Manager

Description

Information for Desigo CC on the CERT advisory for Siemens Automation License Manager Vulnerabilities.

The ALM software components described in the CERT advisory "SSA-284342 (Last Update 2016-10-12): Vulnerabilities in Automation License Manager (ALM)" (ICSA-16-287-02) are installed during Desigo CC installation.

Solution

Only the ports listed in the Desigo CC Installation Manual should be opened in the firewall (refer to the "Firewall Settings" chapter). The ALM port (4410/TCP) must therefore not be permitted in the firewall rules; this removes the network attack surface described in the advisory. Sites can additionally disable remote connections on port 4410 in the Automation License Manager client (File -> Settings dialog).
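As an added example (not part of the Desigo CC or Siemens documentation), the PowerShell below turns the port list on this page into Windows Firewall rules and verifies them. It covers the activation endpoint (443), the CRL distribution point (389), the optional remote license server range (27000-27009) and the explicit denial of the ALM port 4410/TCP. Assumptions: Windows Firewall is the host firewall in use, the remote server ports are TCP, the script is run elevated on the Desigo CC / LMS host, and the remote addresses are the IPs quoted on this page (inside the Siemens network replace 194.138.12.72 with 158.226.135.60). Rule display names are this example's own.

```powershell
# Added example (not Siemens code): firewall rules for the ports on this page.
# Assumptions: Windows Firewall, elevated session, TCP for 27000-27009,
# remote addresses taken from the IPs listed on this page.
$LmsActivationHost       = '194.138.12.72'   # lms.bt.siemens.com
$SiemensCdpLdap          = '194.138.20.37'   # cdpldap.pki-services.siemens.com
$RunsRemoteLicenseServer = $false            # $true only for the remote server configuration

# Activation: HTTPS to the LMS server. The page lists both TCP and UDP 443.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "LMS activation $proto/443 out" `
        -Direction Outbound -Protocol $proto -RemotePort 443 `
        -RemoteAddress $LmsActivationHost -Action Allow | Out-Null
}

# Normal operation: LDAP to the Siemens CRL distribution point, used for the
# revocation check of the code signing certificate.
New-NetFirewallRule -DisplayName 'Siemens CDP LDAP 389 out' `
    -Direction Outbound -Protocol TCP -RemotePort 389 `
    -RemoteAddress $SiemensCdpLdap -Action Allow | Out-Null

# Remote license server: only when that configuration is actually in use.
if ($RunsRemoteLicenseServer) {
    New-NetFirewallRule -DisplayName 'LMS remote server 27000-27009 in' `
        -Direction Inbound -Protocol TCP -LocalPort '27000-27009' -Action Allow | Out-Null
}

# ALM (SSA-284342): 4410/TCP is deliberately absent from the allow list. The
# explicit block rule is defence in depth: Windows Firewall evaluates block
# rules before allow rules, so a later broad "allow" cannot expose the port.
New-NetFirewallRule -DisplayName 'Block ALM 4410 in' `
    -Direction Inbound -Protocol TCP -LocalPort 4410 -Action Block | Out-Null

# Verification: the two outbound endpoints must be reachable (TCP check only;
# Test-NetConnection cannot probe UDP 443).
$checks = @(
    @{ Name = 'LMS activation 443'; TargetHost = 'lms.bt.siemens.com';              Port = 443 },
    @{ Name = 'CDP LDAP 389';       TargetHost = 'cdpldap.pki-services.siemens.com'; Port = 389 }
)
foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.TargetHost -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = $c.Name; Reachable = $r.TcpTestSucceeded }
}

# Confirm the ALM block rule is present and enabled.
Get-NetFirewallRule -DisplayName 'Block ALM 4410 in' |
    Select-Object DisplayName, Enabled, Direction, Action
```

To confirm the ALM port is not exposed, run `Test-NetConnection -ComputerName <desigo-cc-host> -Port 4410` from another machine on the network; TcpTestSucceeded must be False. The same remote check against port 1947 is not a reliable indicator for the ACC setting above, because the dongle driver can legitimately serve license requests on that port, so verify the ACC setting in its configuration page instead.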