Showing results for 
Search instead for 
Did you mean: 

TMS ports

Hi Everyone,

Hi have a TMS in a DMZ and a coupple of C20 in LAN;

I have open from DMZ to C20 the following port : 80,443 TCP and 161 UDP. But TMS can't reach the C20.

what are the correct ports to open in the firewall for add the C20 in the TMS?



12 Replies 12

Cisco Employee
Cisco Employee


You should refer to the Cisco TMS Admin Guide, in parituclar the section that discusses Support for Remote Systems/SoHo systems on what is required when adding a remote system to the Cisco TMS:

Hi, I have checked that the ports required in the Manual: tcp 80, 443 and UDP 161

are open in my Firewall.

any suggestions?

If possible, the easiest way to add a remote system to Cisco TMS is to first have the system registered in Cisco TMS before you bring it to the remote location. Before you unplug it, go to Edit Settings in the Settings tab for the system and click Enforce Management Settings. If the system will be behind a firewall that is not open or doesn’t have HTTP or HTTPS ports opened up, you also have to go to the Connection tab on that endpoint and change System Connectivity to Behind Firewall. Cisco TMS will then set the management address on that system to Cisco TMS external management address. When the system is plugged in from the remote location, the system will then send a boot event to Cisco TMS and from then on the system will be available from Cisco TMS, i.e. heartbeat.

If the above isn't possible, then you'll need to set the external management address of Cisco TMS on the endpoint. Note that this is the address that you've configured in TMS at Admin Tools > Configuration > Network Settings  > Advanced Network Settings for Systems on Public Internet/Behind Firewall.  When this has been set, the endpoint will send a register event to Cisco TMS, and when Cisco TMS receives this and notices that the system is not already in Cisco TMS, it will add it to a list. One must then add the system to Cisco TMS afterwards.

If your system is in public, not behind a firewall or behind a firewall that has opened up the HTTP or HTTPS ports, it is advised to change the system connectivity on the system to Reachable on Public Internet. This way it will also be possible for Cisco TMS to set up calls where the endpoint is calling out, and not only being called to.

Hi Dale!

Btw, what is the difference in between the communication of "on public internet" vs. "on lan"?

Does public internet skip snmp traps and use https preferred or what happens there?


Please remember to rate helpful responses and identify

The two Reachable On connectivities are pretty much the same, except for the management URL they get when you enforce management settings, they both pick a different address from the ones configured in the Network Settings. In both cases systems can be reached directly and the same protocol will be used for both.

Behind FW is different because TMS cannot reach these systems, they will communicate with TMS using the SOHO heartbeat mechanism as described in the Admin guide.

ok, sure, the FQN under "Advanced Network Settings for Systems on Public Internet/Behind Firewall".

Anyhow, it might be handy if that config would extended to have a:

* on external communication allow only secure communication

which also should disallow unencrypted http, snmp, ftp, ... from and to the endpoint

Please remember to rate helpful responses and identify

It may be that you endpoint is configured for the DNS name of TMS and does not have DNS configured or a proxy sits between your C20 and TMS that requires authentication.

Can you browse to the feedback URL ( can get it from and xstatus feed command) from a PC that is on the same subnet as the C20

Martin Koch

Hi Carlo!

I would assume you have done something not 100% correct.

You said DMZ, do you have any kind of NAT in between?

How does it look when you try to add a system, some screenshots would be handy.

I would do a tcpdump/wireshark on the endpoint/on the TMS and compare what is send/received.

A look inside the logfiles has also never harmed :-)

Did you try to access the http and https interface of the endpoint from the TMS?

Btw, for sysadmin reasons I would also open ssh from the TMS to the endpoints.

Please vote the answers!

Please remember to rate helpful responses and identify

Hi ,

thanks to all.

I resolved this issue by open udp 161. The firewall  wasn't  configure  ok.

the last question:  if the port 161 udp  was blocked  by firewall, why  when I add the the c20 in tms with

"Discover Non-SNMP Systems" checked,  the TMS  response is : system no found?

Good to hear that you resolved it Carlo and thanks for the feedback As far as your question, could be the IP address, DNS name or IP Range you entered and TMS simply couldn't resolve it because of the FW. At any rate, case resolved. Happy trails with the Cisco TMS

This should work without SNMP for the SOHO featue. I have C20 working to TMS server with only port 80/443 open to the TMS server. 

The max. you can do if behind firewall is to more or less "pre register" the endpoint in TMS.

If he added the system in TMS it might not work as it failed and so it might not have set up the TMS parameters on the

endpoint. In this case he would have had to set the parameters on the endpoint so the system tries to connect to

the TMS, then it should have shown up as "behind firewall".

But this would be a bad workaround as we already know the issue here, wrong firewall settings.

So if it is expected to work then the network is most likely a good way to start to look into.

Besides that the recomandation to check the DNS entries is also valid and should be done anyhow.

Also to check on the TMS network settings page that the FQDN are properly set.


Please remember to rate helpful responses and identify

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers