Which ports are required to be open for a TeamForge site?

The components of a CollabNet TeamForge installation listen on a number of operating system ports.

A small subset must be exposed externally to enable users to access TeamForge services. Any port that is not absolutely needed must be closed.

You can select your open ports in one of these ways:

Ports open to the Internet

Open the following operating system level ports. All other ports must be firewalled off to maintain security.

Important: Do not open port 7080 or port 8080 to the Internet. These ports are only for communications between the TeamForge application and the source code integration service, when those two site components are running on separate boxes.
22 (SSH)
Port 22 is the default port for the secure shell (SSH). This is required for basic SSH administrative functionality and for CVS, as all CVS transactions occur over SSH. If all TeamForge repositories are in SVN (the default for TeamForge), then this port should be closed to the public and only accessible to the system administrators.

If you have to expose SSH to the Internet, the best way to protect it is to require SSH keys, disallow password authentication, and not permit root logins over SSH. If you must use local authentication for SSH, enforce regular password changes and password complexity.

Note: If you have to expose SSH internally, limit access to the port to a bastion host if you can; otherwise limit it to specific trusted hosts or subnets.
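
The SSH guidance above can be checked against a server's sshd_config. The following is an added example, not part of the TeamForge documentation or product; the function name and sample configurations are constructed for illustration, and it reads a single file only (it does not follow Include directives).

```python
import re

# Keyword -> (value the guidance above calls for, OpenSSH built-in default).
REQUIRED = {
    "passwordauthentication": ("no", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
    "pubkeyauthentication": ("yes", "yes"),
}

def audit_sshd_config(text):
    """Return findings for sshd_config text; an empty list means compliant."""
    global_vals, findings, match_ctx = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                  # keywords are case-insensitive
        rest = parts[1] if len(parts) > 1 else ""
        if key == "match":                      # later lines apply only conditionally
            match_ctx = rest.strip()
            continue
        if key not in REQUIRED:
            continue
        value = rest.split()[0].lower() if rest.split() else ""
        if match_ctx is None:
            global_vals.setdefault(key, value)  # sshd keeps the FIRST value it reads
        elif value != REQUIRED[key][0]:
            findings.append(f"Match {match_ctx}: {key} {value}")
    for key, (want, default) in REQUIRED.items():
        got = global_vals.get(key, default)     # unset keyword falls back to default
        if got != want:
            findings.append(f"global: {key} {got} (want {want})")
    return findings

# Constructed sample: the later "no" is ignored because "yes" was read first.
SAMPLE_WEAK = """\
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
Match User deploy
    PasswordAuthentication yes
"""
SAMPLE_HARDENED = "PasswordAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_WEAK):
        print(finding)
```

To see the values a running server actually applies, compare the result with the output of `sshd -T`.
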
25 (SMTP)
Port 25 is the default port for SMTP (email). CollabNet TeamForge discussion forums include mailing list functionality that allows users to send email to the TeamForge server. The James mail server included with TeamForge listens on port 25 to accept this mail for processing.
80 (HTTP)
Port 80 is the default port for Web data transfer. We strongly recommend that you set up SSL and use port 80 only to redirect to port 443.
443 (HTTPS)
Port 443 is the default port for encrypted Web data transfer (HTTPS). The Apache web server should be configured to encrypt all data so that it cannot be compromised by a third party with malicious intent. Apache can be configured to force all traffic to be sent over HTTPS, even when a request is sent via port 80 (HTTP).

TeamForge can help you take care of this, if you tell it to. See Set up SSL for your TeamForge site for details.

29418 (Gerrit SSH)
Port 29418 is the default port which should be open for Gerrit SSH.
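
To compare a host's actual listeners with the Internet-facing port list above, the output of `ss -tln` can be classified as follows. This is an added example, not part of the TeamForge documentation or product; the function names, verdict labels and sample lines are constructed for illustration. It reports what is listening, not what the firewall lets through.

```python
import ipaddress

INTERNET_OK = {22, 25, 80, 443, 29418}  # "Ports open to the Internet" above
NEVER_INTERNET = {7080, 8080}           # the Important note above

def is_loopback(addr):
    """True only when the bind address is provably loopback."""
    host = addr.split("%", 1)[0].strip("[]")   # drop %iface, then [ ] of IPv6
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                         # "*" or unparsable: assume reachable
        return False

def audit_listeners(ss_output):
    """Classify each LISTEN line of `ss -tln` as (port, bind address, verdict)."""
    results = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # skips the header line as well
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        if is_loopback(addr):
            verdict = "loopback-only"          # not reachable from other hosts
        elif port in INTERNET_OK:
            verdict = "may-be-exposed"         # 22 only if SSH access is needed
        elif port in NEVER_INTERNET:
            verdict = "never-expose"           # app <-> integration traffic only
        else:
            verdict = "firewall-off"           # internal service, restrict sources
        results.append((port, addr, verdict))
    return results

# Constructed sample of `ss -tln` output.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::]:29418 [::]:*
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 100 0.0.0.0:7080 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
"""

if __name__ == "__main__":
    for port, addr, verdict in audit_listeners(SAMPLE):
        print(f"{port:>5}  {addr:<12} {verdict}")
```
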

Ports for internal use only

Open the REPORTS_DATABASE_PORT if you are granting direct access to the datamart from specific IPs using the REPORTS_DB_ACCESS_HOSTS site-options.conf token.

Ports to be open in the firewall environment for TeamForge 17.4

| Name | Source Box | Target Box | Port | Notes |
|---|---|---|---|---|
| Apache | ALL | TeamForge App | 80 or 443 | 443 for SSL |
| TeamForge Database | TeamForge App | TeamForge Database | 5432 | |
| SVN Integration | TeamForge App | SVN | 80 or 443 | 443 for SSL |
| GIT Integration | TeamForge App | GIT | 80 or 443 | 443 for SSL |
| GIT ssh | ALL | GIT | 29418 | |
| Search | TeamForge App | Search | 2099 | |
| Binaries | TeamForge App | Binaries | 8500 | |
| Reports DB | TeamForge App | Reports DB | 5432 or 5632 | 5432 is used by default as Reports DB is co-hosted with TeamForge database. 5632 can be used if you want Reports DB on a separate port. |
| Reports ETL | TeamForge App | Reports ETL | 7010 | |
| Code Search (Elasticsearch) | ALL | Code Search (Elasticsearch) | 9200 | |

Note: No manual port configuration is required for the following services if they are all installed on the TeamForge App server:
  • TeamForge Database
  • SVN Integration
  • Search
  • Binaries
  • Reports DB
  • Reports ETL

Ports used by TeamForge EventQ services

| Port | Service | Host |
|---|---|---|
| 8844 | HTTP / HTTPS | App server |
| 6379 | Redis | App server |
| 27017 | MongoDB | DB server |
| 28017 | MongoDB HTTP console | DB server |
| 5672 | RabbitMQ | MQ server |
| 15672 | RabbitMQ management console | MQ server |

Ports to be open in a firewall environment for EventQ

The following use cases detail TeamForge EventQ’s firewall/routing requirements. By default, end-user web access is proxied through the primary TeamForge web server. TeamForge EventQ adapters supply data using the MQ layer and therefore need access to the MQ server (default port 5672). There are also private access requirements between the various installed services as detailed below.

| Port | From | To | Description |
|---|---|---|---|
| 443/80 | App server | TeamForge server | App communication with TeamForge server |
| 8844 | TeamForge server | App server | TeamForge communication with App server |
| 5672 | TeamForge EventQ Adapters | MQ server | Message communication between Adapters and MQ server |
| 5672 | App server | MQ server | App communication with MQ server |
| 5672 | TeamForge server | MQ server | TeamForge communication with MQ server |
| 15672 | ALL | MQ server | App administration of MQ server |
| 27017 | App server | DB server | App server communication with DB server |
| 22 | App server | MQ server | App SSH to MQ server, installation only |
| 22 | App server | DB server | App SSH to DB server, installation only |

TeamForge DevOps Lifecycle Manager port requirements

ActionHub uses the following ports by default.
  • 5672: To communicate with RabbitMQ (required by both the Daemon and the Web Server)
  • 5432: To communicate with the PG Database (required by both the Daemon and the Web Server)
  • 8187: Port used by Tomcat for Web Server front end
  • 8191: Port used by the Daemon
ActionFlow uses the following ports by default.
  • 80: HTTP, not exposed
  • 443: HTTPS, needs to be exposed to the client
  • 5672: RabbitMQ, not exposed

ActionDesigner uses the following port by default: 8001.