NetSUS + Firewall ports

New Contributor

Hi, I'm looking to set up a NetSUS server here, but would need to know in advance what ports need to be open for it to function and what addresses it would need to be able to contact, as by default everything would be closed. I'd be looking at both the software update server functionality as well as making it a netboot server, looking to replace DeployStudio (thinking to use Imagr for that).

Could anyone give me the lowdown on this, or point me to some documentation that would detail it? Thanks.


New Contributor

Same here. I could not find any info on ports after I imported the appliance. Could we get some help, please?

Contributor II

Off the top of my head, I think this is fairly complete (if it is, maybe worth submitting to as a pull request, perhaps):

For NetBoot:

DHCP/BOOTP (for discovery of NetBoot server and images) listens on UDP ports 67 and 68
TFTP (used to download the initial booter/kernel of the selected NetBoot set) listens on UDP port 69

NetBoot images themselves are served up via HTTP or NFS - I believe the current NetSUS supports both methods (I don't use NetSUS so can't comment further on that):

HTTP listens on TCP port 80
NFS listens on ports 111 and 2049 over TCP and UDP for both.

AFP (used as shadow storage for diskless NetBoot sets) listens on TCP port 548
SMB (used to provide a network share for you to upload your NetBoot sets) listens on TCP ports 139 and 445

Note that if you're wanting to NetBoot across different subnets on your network, you'll need to set up IP Helpers on your switches to pass the DHCP traffic around.

Software Update Server:
The SUS part is just a web server listening on TCP port 80.
It uses Reposado to sync content from Apple, so you'd want to make sure it can connect to Apple's software update services - some guidance here:

The admin web interface is available over HTTPS on TCP port 443
It runs an SSH server for console login on TCP port 22

As for the LDAP Proxy part, I'd guess the standard TCP ports 389 (unencrypted) and maybe 636 (for TLS) would be used, as well as outbound access to your LDAP server you're proxying to.
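
The port list from the answer above, turned into a default-drop inbound nftables ruleset by a small Python generator. This is an added example, not part of the original post or of the NetSUS project. The feature names, the table name `netsus`, the sample management subnet, and the choice to limit ports 22 and 443 to that subnet are assumptions.

```python
import ipaddress

# Ports as listed in the answer above; the feature names are assumptions of this example.
PORTS = {
    "netboot": [("udp", 67), ("udp", 68), ("udp", 69)],   # DHCP/BOOTP and TFTP
    "http":    [("tcp", 80)],                             # SUS and HTTP-served NetBoot images
    "nfs":     [("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049)],
    "afp":     [("tcp", 548)],                            # shadow storage for diskless sets
    "smb":     [("tcp", 139), ("tcp", 445)],              # share for uploading NetBoot sets
    "ldap":    [("tcp", 389), ("tcp", 636)],              # LDAP proxy (the answer's guess)
}
ADMIN = [("tcp", 22), ("tcp", 443)]  # SSH console and admin web interface


def port_set(pairs, proto):
    """Render the ports for one protocol as an nftables set, or None if empty."""
    ports = sorted({port for pr, port in pairs if pr == proto})
    return "{ " + ", ".join(map(str, ports)) + " }" if ports else None


def build_ruleset(features, mgmt_subnet):
    """Default-drop inbound ruleset: selected features are open to all clients,
    admin ports (22, 443) only to mgmt_subnet (an assumption, not from the thread)."""
    unknown = set(features) - set(PORTS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    net = ipaddress.ip_network(mgmt_subnet)  # ValueError on a malformed subnet
    family = "ip" if net.version == 4 else "ip6"
    pairs = [pair for f in features for pair in PORTS[f]]
    rules = ["ct state established,related accept", 'iif "lo" accept']
    for proto in ("tcp", "udp"):
        s = port_set(pairs, proto)
        if s:
            rules.append(f"{proto} dport {s} accept")
    rules.append(f"{family} saddr {net} tcp dport {port_set(ADMIN, 'tcp')} accept")
    body = "\n".join(f"    {r}" for r in rules)
    return ("table inet netsus {\n  chain input {\n"
            "    type filter hook input priority 0; policy drop;\n"
            f"{body}\n  }}\n}}\n")


if __name__ == "__main__":
    # Constructed sample: NetBoot over HTTP plus the SMB upload share.
    print(build_ruleset(["netboot", "http", "smb"], "10.20.0.0/24"))
```

Only inbound rules are generated; the outbound access the answer mentions (Apple's software update services for Reposado, and the upstream LDAP server) has to be allowed separately.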

Release Candidate Programs Tester

@neil.martin83 Please add to the GitHub project :)