The ports required to operate LMS differ between the activation process and normal operation (including the remote server configuration).
If you run the remote server configuration, you also need to open ports 27000 to 27009.
Activation Workflow
For online licensing and online/offline activation of the license, port 443 must be open for TCP and UDP.
The required ports for activation are:
- lms.bt.siemens.com [194.138.12.72]: LMS Server (FNO) / LMU Webservice, https access to port 443
Communication with our services requires one of the following cryptographic protocols:
- TLS 1.2 - recommended
- TLS 1.1 - deprecated; use it only where the client cannot negotiate TLS 1.2
Digital Signature Verification
For normal operation, one additional destination must be reachable so that digital signatures can be verified: cdpldap.pki-services.siemens.com [194.138.20.37]: LDAP, outbound access to port 389
For more details, see: http://www.siemens.com/corp/en/index/digital_id.htm
Hardening 3rd Party Components
As part of the LMS setup, the Gemalto (formerly SafeNet) dongle driver is installed. This driver includes an Admin Control Center (ACC) at http://localhost:1947. By default, remote access to it is disabled; verify this, because the setting is the only thing keeping the ACC off the network.
For LMU 2.4 and later, change the settings as below:
- Start LMU and navigate to Settings -> Dongle Overview -> Configuration (or open http://localhost:1947/_int_/config.html)
- Set “Allow Remote Access to ACC” and “Allow Remote Access to Admin API” to Disabled.
- Click the Submit button to save the changes, then reload the page to confirm that both settings still show Disabled.
Disable remote connections for Automation License Manager
Description
Information for Desigo CC on the Siemens CERT advisory for Automation License Manager (ALM) vulnerabilities.
The ALM software components described in the CERT advisory "SSA-284342 (Last Update 2016-10-12): Vulnerabilities in Automation License Manager (ALM)" (ICSA-16-287-02) are installed during the Desigo CC installation.
Solution
Only the ports listed in the Desigo CC Installation Manual should be opened in the firewall (refer to the "Firewall Settings" chapter). The ALM port (4410/TCP) is not among them and must therefore not be permitted in the firewall rules; this keeps the vulnerabilities described in the advisory from being reachable over the network. Sites can additionally disable remote connections on port 4410 in the Automation License Manager client (File -> Settings dialog).
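The port policy described on this page, consolidated into Windows Defender Firewall rules with a verification step, as an added example that is not part of the Siemens documentation. It assumes a Windows host with the NetSecurity PowerShell module, that ports 27000-27009 and 4410 are TCP, that blocking the dongle driver ACC port 1947 at the firewall is wanted as defense in depth on top of the ACC's own setting, and that the rule names, the rule group and the $RemoteServer switch are local conventions. The host names and addresses are the ones given above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Siemens documentation: apply and verify the LMS/ALM
# firewall policy from this page with Windows Defender Firewall.
# Assumptions: Windows host with the NetSecurity module; ports 27000-27009 and 4410
# are TCP; rule names and the 'Desigo CC LMS' group are local conventions.

$LmsServer    = '194.138.12.72'   # lms.bt.siemens.com (LMS Server / LMU web service)
$PkiLdap      = '194.138.20.37'   # cdpldap.pki-services.siemens.com
$RemoteServer = $false            # $true only on a host that serves licenses to other machines

function Set-LmsRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Inbound','Outbound')][string]$Direction,
        [Parameter(Mandatory)][ValidateSet('Allow','Block')][string]$Action,
        [Parameter(Mandatory)][ValidateSet('TCP','UDP')][string]$Protocol,
        [string]$LocalPort     = 'Any',
        [string]$RemotePort    = 'Any',
        [string]$RemoteAddress = 'Any'
    )
    # Idempotent: replace any existing rule of the same name so re-runs do not pile up duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Group 'Desigo CC LMS' -Direction $Direction -Action $Action `
        -Protocol $Protocol -LocalPort $LocalPort -RemotePort $RemotePort -RemoteAddress $RemoteAddress | Out-Null
}

# Activation workflow: port 443 (TCP and UDP) to the Siemens license server only.
foreach ($proto in 'TCP','UDP') {
    Set-LmsRule -Name "LMS activation $proto/443" -Direction Outbound -Action Allow `
        -Protocol $proto -RemotePort 443 -RemoteAddress $LmsServer
}

# Digital signature verification: LDAP to the Siemens PKI server.
Set-LmsRule -Name 'LMS PKI LDAP 389' -Direction Outbound -Action Allow -Protocol TCP -RemotePort 389 -RemoteAddress $PkiLdap

# Remote server configuration: inbound 27000-27009 only where this host serves licenses.
$serveAction = if ($RemoteServer) { 'Allow' } else { 'Block' }
Set-LmsRule -Name 'LMS remote server 27000-27009' -Direction Inbound -Action $serveAction -Protocol TCP -LocalPort '27000-27009'

# Explicit blocks for the two services that must not be reachable from the network:
# ALM on 4410 (SSA-284342) and the dongle driver Admin Control Center on 1947
# (defense in depth on top of the ACC's own "Allow Remote Access" settings).
Set-LmsRule -Name 'Block ALM 4410 inbound'      -Direction Inbound -Action Block -Protocol TCP -LocalPort 4410
Set-LmsRule -Name 'Block dongle ACC 1947 inbound' -Direction Inbound -Action Block -Protocol TCP -LocalPort 1947

function Test-LmsPortPolicy {
    # Local view: which of the sensitive ports have a listener, and on which address.
    $sensitive = @(1947, 4410) + (27000..27009)
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $sensitive -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # Outbound view: the two Siemens endpoints required above must still be reachable.
    foreach ($t in @(@{ Host = $LmsServer; Port = 443 }, @{ Host = $PkiLdap; Port = 389 })) {
        $ok = Test-NetConnection -ComputerName $t.Host -Port $t.Port -InformationLevel Quiet
        '{0}:{1} reachable: {2}' -f $t.Host, $t.Port, $ok
    }
}

Test-LmsPortPolicy
```

Two caveats when using this. The outbound Allow rules only enforce a whitelist if the active profile's default outbound action is Block (Set-NetFirewallProfile -DefaultOutboundAction Block); with the Windows default of Allow they merely document intent. And the inbound checks in Test-LmsPortPolicy only show what is listening locally; confirm the blocks from a second machine with Test-NetConnection -ComputerName <desigo-host> -Port 4410 (and -Port 1947), which should report the port as unreachable.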