What firewall ports are necessary for JOC communication to controllers and agents?

Article ID:204177520
2 minute readKnowledge base

Issue

  • CloudBees Jenkins Operations Center negotiates a different port for controller and agent communication. Can you tell us what ports are involved?

  • We are trying to connect a client-controller outside of a firewall to the JOC which is inside the firewall. What firewall ports should be open.

Environment

CloudBees Jenkins Operations Center

Resolution

What you will need to ensure is the following:

  1. All potential users of a client controller can access the controller over HTTP(S)

  2. All JNLP agents that a client controller may be leased can access the controller over HTTP(S) and over that controller’s JNLP port

  3. All JNLP agents that OC will be leasing can access OC over HTTP(S) and over OC’s JNLP port

  4. All client controllers can access OC over HTTP(S) and over OC’s JNLP port

Each of those connections needs to be able to use the same hostname to resolve the connection. The hostname can resolve different IP addresses if you have different DNS servers for different subnets, but the DNS name needs to be the same for users, client controllers, shared agents, etc…​

Root Cause

Some operating systems do not install a firewall by default, and when using those operating systems it can be trivial to connect controllers to OC (or connect JNLP agents to either OC or a regular Jenkins) because the - by default - randomly selected JNLP port will be open.

In a production environment you will need to fix the JNLP port (i.e. the Figure 4.7) (or else you would need to have some trickery that auto-detected the random port and opened up the firewall for that port…​ given that such trickery would be hard to maintain, we recommend the simplest thing that can possibly work, i.e. a fixed port)

A common problem we have seen is where people are setting up HA and just forward the HTTP port and fail to forward the TCP/IP port for the JNLP connections (a more subtle problem being where they do forward the TCP/IP port but do not set up the correct port forwarding options).