Firewall ports Failover Clustering in Server 2016

Question

Tuesday, May 30, 2017 3:58 PM

Hello - I'm configuring MS Failover Cluster across two datacenters with different IP ranges using Server 2016. What firewall ports are needed to set up a two-node cluster and witness file share?

Thanks

ad

All replies (5)

Wednesday, May 31, 2017 8:31 AM | 2 votes

Hi,

Cluster Service

The Cluster service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that act as a single computer. Managers, programmers, and users see the cluster as a single system. The software distributes data among the nodes of the cluster. If a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data to that node.

System service name: ClusSvc

| Application | Protocol | Ports |
| --- | --- | --- |
| Cluster Service | UDP | 3343 |
| Cluster Service | TCP | 3343 (This port is required during a node join operation.) |
| RPC | TCP | 135 |
| Cluster Administrator | UDP | 137 |
| Randomly allocated high UDP ports¹ | UDP | Random port number between 1024 and 65535; random port number between 49152 and 65535² |

Note:
Additionally, for successful validation on Windows Failover Clusters on 2008 and above, allow inbound and outbound traffic for ICMP4, ICMP6, and port 445/TCP for SMB.

¹ For more information about how to customize these ports, see "Remote Procedure Calls and DCOM" in the "References" section.
² This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista.

And the file share witness should be the same as a file share: use TCP 139/445 and UDP 137/138.

Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]


Tuesday, June 6, 2017 2:14 AM

Hi,

I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.

Best Regards
Cartman


Tuesday, June 6, 2017 4:30 PM

Thank you. You also need a TCP random port number between 49152 and 65535.

For the witness file share you need TCP 139 and 445. Why do you need UDP 137/138 for the file share witness server?

ad


Friday, June 9, 2017 5:35 AM

Hi,

UDP 137/138 is for SMB over NetBIOS.

Best Regards
Cartman


Monday, October 7, 2019 2:41 PM

Hi, thank you for the info! This is very helpful. I have taken over a cluster that was already in place and noticed that the inbound rules for the cluster show allow for all profiles. Should I limit the Failover Cluster rules to just the Domain? FYI this is not in a DMZ, and should only be accessed internally.

Thanks for the help!

Tre
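
Both the port list and the profile question in this thread can be checked from a cluster node. The PowerShell below is an added example, not code from any poster in the thread: it probes the fixed TCP ports named above and lists the inbound cluster firewall rules with the profiles they apply to. The host names are placeholders, and selecting rules by a group name containing "Failover Cluster" is an assumption to confirm on your own system.

```powershell
# Added example. Host names are placeholders; replace with your own node and witness.
$Peers = @{
    'NODE2.example.internal'   = @(3343, 135, 445)  # cluster service, RPC endpoint mapper, SMB
    'WITNESS.example.internal' = @(445, 139)        # file share witness: SMB, NetBIOS session
}

function Test-ClusterTcpPort {
    # Probes TCP only. UDP 3343/137/138 and the dynamic RPC range
    # (49152-65535) cannot be verified with a single TCP connect.
    param([Parameter(Mandatory)][hashtable]$Targets)
    foreach ($name in $Targets.Keys) {
        foreach ($port in $Targets[$name]) {
            $r = Test-NetConnection -ComputerName $name -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target    = $name
                TcpPort   = $port
                Reachable = $r.TcpTestSucceeded
            }
        }
    }
}

function Get-ClusterRuleExposure {
    # Enabled inbound rules whose group name mentions Failover Cluster
    # (assumed group naming), with port, source address and profile scope.
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.DisplayGroup -like '*Failover Cluster*' } |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            $profileText = "$($_.Profile)"   # e.g. "Any", "Domain", "Domain, Private"
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $profileText
                Protocol      = $pf.Protocol
                LocalPort     = $pf.LocalPort -join ','
                RemoteAddress = $af.RemoteAddress -join ','
                BeyondDomain  = ($profileText -ne 'Domain')  # also active on Private/Public
            }
        }
}

Test-ClusterTcpPort -Targets $Peers | Format-Table -AutoSize
Get-ClusterRuleExposure | Sort-Object BeyondDomain -Descending | Format-Table -AutoSize
```

Rows with `BeyondDomain` set to True are the rules that also apply when a network interface is classified as Private or Public; the `RemoteAddress` column shows whether a rule is restricted to specific source addresses or accepts any.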