
COMInf Network

PERFORMANCE DESCR.

6/1555-APR 901 0124 Uen D9


Copyright

© Copyright Ericsson (LMI) 2011. All rights reserved.

Disclaimer

No part of this document may be reproduced in any form without the written
permission of the copyright owner.

The contents of this document are subject to revision without notice due to
continued progress in methodology, design, and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use
of this document.

6/1555-APR 901 0124 Uen D9 | 2011-04-12


Contents

1 Introduction 1
1.1 Purpose 2
1.2 Scope 3
1.3 Typographic Conventions 3

2 COMInf O&M Network 5

3 COMInf Network IP Architecture 7

3.1 Deployment Example 7
3.2 High Availability (HA) 14
3.3 Network Switch 15
3.4 Firewall Router 16
3.5 O&M Router 82
3.6 COMInf Services and Redundancy 83
3.7 IP Multipath Facility 83

4 COMInf X.25 Network Architecture 85

5 Interfacing to the Managed Networks 87

5.1 Interfacing to WCDMA RAN 87
5.2 IP Interfacing to GSM RAN 88
5.3 IP Interfacing to LTE RAN 88
5.4 X.25 Interfacing to GSM RAN 89
5.5 Interfacing to the Core Network 91
5.6 Interfacing the Service Network 92

6 Upgrade 93

Glossary 115

Reference List 117


1 Introduction

This document provides information for the following activities:

• Integration of equipment required to create a Common Operation &
Maintenance Infrastructure (COMInf) network. COMInf is Ericsson's
product solution for the Operation & Maintenance (O&M) network and
comprises the following:

- COMInf servers providing a variety of different services for OSS end
users and for network elements such as DNS, LDAP, DHCP, NTP and
licensing services.

- COMInf Network enabling the OSS to communicate with the network
elements it manages and with other systems such as Network
Management Systems (NMS).

• Connection of nodes and networks necessary to create an Operations
Support System (OSS).

• Connection to managed networks and required open firewall ports.

For an overview of COMInf and the environment it is used in, see Figure 1.
For a more detailed description of COMInf, refer to the COMInf Description,
Reference [3].

[Figure 1 shows the OSS network overview: operator clients and an external
NMS system, the OSS Master Server and the COMInf server nodes attached to
the COMInf Network, the COMInf O&M Network Infrastructure, and the
Access/Core Network(s) containing the managed network elements.]

Figure 1 OSS Network Overview

Communication with the network elements in the network is performed using the
Internet Protocol (IP) and its companion protocols, and/or the X.25 protocol.

In the COMInf network, IP traffic is carried over Ethernet. In the Access and
Core networks, IP traffic may be carried over Asynchronous Transfer Mode
(ATM) and/or Ethernet.

For the GSM RAN and Core Network, the OSS Master Server sometimes
communicates with network elements using the X.25 protocol. The X.25 protocol
is used for communicating with AXE based nodes using the IOG11 or IOG20
frontend processors.

1.1 Purpose
The purpose of this document is to aid network engineers in designing their
COMInf network. The document describes the components that comprise a COMInf
network, and how to configure and connect them. The COMInf Installation
Plan, Reference [5], describes the order in which COMInf network components
need to be installed.


1.2 Scope
This document describes how to integrate COMInf and connect it to the
following systems:

• WCDMA Radio Access Network (WCDMA RAN)

• GSM Radio Access Network (GSM RAN)

• Core Network

• Service Network

• External NMS system

• Client hardware for operator access

• LTE Radio Access Network (LTE RAN)

This document only covers O&M of the RANs, the Core Network, the Service
Network and the Network deployment for both Blade and Non-Blade OSS
installations. A Non-Blade deployment has rack mounted servers with a
SPARC OSS Master Server and a mixture of SPARC and x86 for all other
server types. A Blade deployment has x86 Blade servers only, with no rack
based servers apart from the Solaris Management Workstation (MWS). In an
x86 Blade deployment the MWS must be an x86 rack mounted server. O&M of
the COMInf network and payload traffic are outside the scope of this document.

This integration is on the link layer (IP and X.25 layers) and does not relate to
the application layer.

This document does not describe dimensioning information. This is explained
in COMInf Dimensioning and Deployment Guidelines, Reference [4].

1.3 Typographic Conventions

The typographic conventions for all CPI in OSS-RC are found in Operations
Support System (OSS) Glossary, Reference [2].


2 COMInf O&M Network

The COMInf network comprises the COMInf IP Network (see Section 3 on page
7) and the COMInf X.25 Network (see Section 4 on page 85).

Note: X.25 traffic can be carried over IP, in which case, the COMInf IP
network and the COMInf X.25 Network are connected together.


3 COMInf Network IP Architecture

3.1 Deployment Example

COMInf services are deployed in different ways depending on the RANs and
NEs to be supported. Several factors limit how services can be deployed
on physical servers. One limiting factor is the firewall security policy, which
is designed to reflect specific firewall security domains. For a given
installation, customisation may be required to allocate the different services
amongst the physical servers.

The OSS-RC is deployed in one of two ways:

• Non-Blade deployment, see Page 9.

• x86 Blade deployment, see OSS-RC Blade Deployment Diagram
Description, Reference [11].

Note: Both Page 9 and OSS-RC Blade Deployment Diagram Description,
Reference [11], provide simplified overviews of these deployments. Both
contain a single LAN interface (used for O&M Traffic). In reality most
servers employ three LAN interfaces: one for O&M Traffic, one for
remote management, and one for backup.

All servers requiring backup use a second LAN interface that is dedicated for
backup. All LAN interfaces used for backup are connected to a dedicated VLAN
for backup and the Backup server (BS) itself. The firewall is not connected to
the backup VLAN, so the backup traffic cannot be routed to any other VLAN.

All machines are equipped with a dedicated LAN interface for remote
management. All LAN interfaces for remote management are connected to a
dedicated remote management VLAN and the MWS. This makes it possible
to attach to the Integrated Lights Out Manager (ILOM) console and perform
remote maintenance from the MWS. The firewall is not connected to the remote
management VLAN, so the remote management traffic cannot be routed to
any other VLAN.

In deployments where a SAN (Storage Area Network) is in use, the Unix
Application Server, OSS Admin1, OSS Admin2, MWS and ENIQ servers must
be attached to the OSS Storage VLAN.

The main components of the COMInf network are as follows:

• A Network Switch connecting the IP nodes together. The switch employs
Virtual Local Area Networks (VLANs) for all services offered by COMInf.
Several VLANs are defined within COMInf, see Page 9 and OSS-RC
Blade Deployment Diagram Description, Reference [11]. The remote
management VLAN is connected to the dedicated Ethernet port on all
Solaris machines for remote management and also the MWS. This makes it
possible to attach to the Sun Integrated Lights Out Manager (ILOM) console
and perform remote maintenance from the MWS. It is worth noting that the
MWS is a normal installation of Solaris. The other extra VLAN is used for
backup. The backup VLAN is not shown in the figure but is connected to
every node via a second LAN interface. So most COMInf nodes use three
Ethernet ports: one for normal traffic, one for backup and one for service.
Traffic within a VLAN is handled solely by the switch.

• An IP firewall/router supervises IP traffic traversing the different O&M
traffic VLANs. The IP traffic between VLANs is controlled by the firewall
policy. All VLANs except the backup and remote management VLANs are
connected to the firewall/router.

• Managed networks like LRAN, WRAN, GRAN, Service and CORE.

• The O&M Router, an IP router that interfaces between COMInf and
ATM/Ethernet based WCDMA networks.

• The O&M X.25 Router making the conversion between X.25 over Ethernet
(also called XOE) and X.25 over TCP/IP (also called XOT).

• OSS Client hardware where users can access the OSS-RC applications
from their Solaris WS or Windows PC via the ICA protocol.

• Several Solaris and Windows based machines running different services
that together make it possible to manage Radio Access Networks and
Core Networks.
Figure 2 OSS-RC Non-Blade Deployment

The OSS-RC Blade deployment diagram can be found in OSS-RC Blade
Deployment Diagram Description, Reference [11].

The following sections give a short description of the different VLANs and the
servers and appliances attached to those VLANs.

3.1.1 VLAN OSS Services

The VLAN OSS Services connects several important OSS servers.

• OSS Master Server (MS) (Non-Blade only)

• Cluster Mate (CM) (Non-Blade only)

• Event Based Application Server (EBAS)

• Service Network Management System (SNMS) (Non-Blade only)

• Management Workstation (MWS)

• Admin1 and Admin2 (x86 Blade only)

A separate Management Workstation is used to install the servers through a
GUI. The MWS is connected through a LAN interface and possesses an extra
LAN interface connected to the remote management VLAN for use with Sun's
Lights Out Manager (LOM). None of those servers belong to COMInf itself but
are attached to COMInf. In the x86 Blade deployments, O&M Services Primary
and Secondary, UAS, OMSAS, and NEDSS are installed by Solaris Jumpstart
from MWS (using the dedicated DHCP service on MWS).

The O&M X.25 Router is a network appliance for interfacing between
X.25/Ethernet (also called XOE, X.25 Over Ethernet) and X.25/TCP-IP (also
called XOT, X.25 Over TCP). A similar router is connected at the other end to
an X.25 aware NE. This makes it possible to use IP transport for X.25 data.

3.1.2 VLAN PM Services

This VLAN connects two servers that are part of the Ericsson Network IQ
product:

• Ericsson Network IQ Server (ENIQS).

• Business Intelligence Server (BIS).

None of those servers belong to COMInf itself but are attached to COMInf. The
ENIQ product collects performance management data for several OSS-RC
systems so this VLAN is shared among several OSS-RC systems (in contrast
to the other VLANs that only belong to one single OSS-RC system).

3.1.3 VLAN OCS Services

The VLAN OCS Services connects the application servers where Solaris and
Windows OSS applications are executing. The following COMInf servers are
attached to this VLAN:

• UNIX Application Server (UAS). This machine (or machines) hosts native
Solaris applications such as most OSS-RC applications.

• OCS Infrastructure Server/Windows Application Server (OIS/WAS).
This machine hosts the Windows Active Directory service, native Windows
applications such as software from Business Objects and both Microsoft
and Citrix license services. The Citrix license service is mandatory also in a
configuration with only UAS machines.

• OCS Infrastructure Server (OIS). This machine hosts the Windows Active
Directory service and both Microsoft and Citrix licence services.

• Windows Application Server (WAS). This machine (or machines) hosts
native Windows applications such as software from Business Objects and
Ericsson WinFIOL.

3.1.4 VLAN OCS Access

The VLAN OCS Access connects a single server type, the OCS Access Portal.
The following COMInf server type is attached to this VLAN:

• OCS Access Portal (OAP). This machine (or machines) hosts services from
Citrix such as Web Interface and ICA over SSL, which is also known as
Citrix Secure Gateway. OSS users access this machine through a standard
web browser to run OSS applications.

3.1.5 VLAN INF Services

The VLAN INF Services connects servers that host several basic IP
infrastructure services. The following COMInf servers are attached to this
VLAN:

• NTP clock. A network appliance that provides an accurate time to other
nodes.

• Operation and Maintenance Infrastructure Server (O&M INF). This is
deployed on Non-Blade systems. It is strongly recommended to have two
separate machines and deploy DNS, DHCP and NTP on both machines.
This provides redundancy for these services. These servers host the
following services:

- BIND Domain Name Server (DNS)

- Sun Dynamic Host Control Protocol (DHCP)

- Network Time Protocol (NTP)

- Unidirectional SMRS

- Single Logon Server (SLS)

- LDAP Server

- CPP Authentication And Authorization Service (CAAS) with CAAS
servlet

• O&M Services Server. This is deployed on x86 Blades. These servers
host the following services:

- BIND Domain Name Server (DNS)

- Sun Dynamic Host Control Protocol (DHCP)

- Network Time Protocol (NTP)

- Citrix license service

- SMRS Master service

Note: In an x86 Blade based deployment the Bi-directional SMRS
master (NESS) and the Uni-directional SMRS master service,
previously running on the O&M Infrastructure Server, have been
replaced by the SMRS service located on the O&M Services
primary server. To use this service you must also have the
NEDSS servers. The distributed Uni-SMRS slaves have also
been replaced by the NEDSS servers.

- Single Logon Server (SLS)

- LDAP Server

- CPP Authentication And Authorization Service (CAAS) with CAAS
servlet

• Network Element Support Server (NESS). This is deployed on Non-Blade
systems. This machine hosts the Bidirectional SMRS Master service used
in GRAN, WRAN, LRAN and CORE.

3.1.6 VLAN SAS Service

The VLAN SAS Service connects the server used for CPP NE Identity
Management. The following COMInf server is attached to this VLAN:

• Operation and Maintenance Security Administration Server (OMSAS). This
machine hosts several CPP NE Identity Management services like CAAS
Admin and CAAS Authorization Database. Certificate Signing Authority
(CSA) can be deployed on OMSAS and performs the Certificate Authority
(CA) function.

3.1.7 VLAN M@H Services

This VLAN connects the Clavister In Control Server to the SEGW which is
part of the M@H RAN.

3.1.8 VLAN Backup

The backup VLAN is mandatory for x86 Blade deployments but not for SPARC
deployments. It is used to access the MWS during the split cluster upgrade
mechanism in x86 deployments. The backup server hosts the backup service
and is connected via the switch to the backup VLAN. Machines that
require backing up are connected to the VLAN Backup using a dedicated
Ethernet interface.

In an x86 Blade deployment all servers within the OSS LAN must be connected
to the backup VLAN.


3.1.9 VLAN OSS Storage

The backup VLAN is mandatory for x86 Blade deployments but not for
SPARC deployments. It is recommended that an RFC 1918 compliant private
address range is used for this VLAN. This allows communication from other
domains using SSH and HTTPS. The storage VLAN is both switched and routed:

• VLAN OSS Storage connects to servers within the OSS service domain.

• VLAN OSS Storage is used for OSS support and infrastructure services and
UAS server in an OSS-RC deployments. The UAS requires a dedicated
network interface on this VLAN.

• VLAN OSS Storage for ENIQ connectivity. This VLAN is used only for
communication between ENIQ and the storage devices.

• The NAS is attached to the OSS Storage VLAN.

3.1.10 VLAN Remote Management

The dedicated management LAN interface of every machine is used and
connected to a dedicated LAN interface at the MWS. This makes it possible
for the MWS to reach every node and use the Integrated Lights Out Manager
(ILOM) console for remote management without having to go through the
firewall.

3.1.11 Upgrade VLANS

The upgrade VLANs are deployed on the x86 Blade environment. The VLANs
are as follows:

• OSS Services upgrade.

• OCS Services upgrade.

• INF Services upgrade.

Note: During normal operation no Blade servers are connected to these
upgrade VLANs.

The upgrade VLANs are used during upgrade testing on the Blade environment.

The upgrade VLANs should have the same characteristics as the standard
VLANs for OSS Services, OCS Services and INF Services. The upgrade
VLANs should have different VLAN IDs so that packets with the same IP
address but with different VLAN tags can be routed correctly in the switch. This
means that the switch has to provide layer 3 capable switching in order to
perform pre-cutover testing.


3.2 High Availability (HA)

This section describes how the High Availability (HA) version of the OSS Master
Server is connected to the network.

[Figure 3 shows the Network Infrastructure (Network Switch, Firewall/Router,
O&M Router and the Managed Networks) with Master Server 1 and Master
Server 2 attached to the VLANs for OSS Services and OSS Backup Services.]

Figure 3 Connecting the High Availability Master Servers to COMInf

3.2.1 HA-CS
This section describes how the High Availability Cluster Solution (HA-CS)
version of the OSS Master Server is connected to the COMInf network. The
HA-CS Master Server consists of two Master Servers working in a High
Availability configuration. Both are connected to the COMInf network in the
same way as a single Master Server is. In addition, they are interconnected
with a number of directly connected crossed Ethernet cables. The HA-CS
solution is described in High Availability Cluster Solution OSS-RC Function
Description, Reference [8]. The diagram in Figure 3 shows how the HA-CS
Master Servers are connected to COMInf.

Note: During jumpstart of the OSS RC Application Servers towards the MWS,
the firewall must be transparent in both directions OCS-OSS and
OSS-OCS. This means that the settings according to Table 1 shall be
applied after the jumpstart is completed.

3.2.2 HA-RS
This section describes how the High Availability Replication Solution (HA-RS)
version of the OSS Master Server is connected to COMInf. The HA-RS Master
Server consists of two Master Servers, Primary and Secondary, located at two
geographically separated sites. Only one server (the active server) is running
OSS-RC application software at any point in time; this server replicates data
at volume level to the secondary server, see Function Description for High
Availability Replication Solution (HA-RS) for OSS-RC, Reference [9] for more
details. Each site requires its own installation of the COMInf network and both
sites are connected to the COMInf network in the same way as a single Master
Server. NE traffic has to be switched from the primary to the secondary site at
failover.

3.3 Network Switch

The Network Switch is a layer 2 (Ethernet) switch. It is partitioned in a number
of VLANs that are used for the OSS-RC infrastructure. These VLANs (except
the VLAN backup and VLAN remote management) correspond to the Security
Domains, as described in Section 3.4 on page 16. The OSS-RC traffic VLANs
are:

• VLAN OSS Services contains the OSS-RC Master Server (MS), Event
Based Application Server (EBAS), Service Network Master Server (SNMS)
and the Management Work Station (MWS).

• VLAN PM Services contains the Ericsson Network IQ Server (ENIQS) and
Business Intelligence Server (BIS) (optional).

• VLAN OCS Services contains the OCS Infrastructure Server (OIS)/Windows
Application Servers (WAS) and the UNIX Application Servers (UAS).

• VLAN OCS Access Services contains the OCS Access Portal in case ICA
over SSL is used or Citrix Web Interface (optional).

• VLAN Infra contains the COMInf Infrastructure servers (O&M INF), O&M
Services server and the Network Element Support Server (NESS).

• VLAN SAS Service contains the Operation and Maintenance Security
Administration Server (OMSAS) (optional)

• VLAN M@H Service contains the Clavister InControl Server (optional)

The backup VLAN is connected to the Backup Server for the OSS nodes it
backs up. This VLAN is only used for backup traffic. It is not routed to other
VLANs or nodes.

The remote management VLAN is connected to all nodes for remote
management and the MWS machine. This VLAN is only used for remote
management traffic. It is not routed to other VLANs or nodes.

The traffic VLANs are connected to the Firewall Router using either a physical
network cable for each VLAN, or using VLAN trunking (802.1q). With VLAN
trunking, several or all VLANs are connected to the Firewall Router using one
single physical network cable. When VLAN trunking is used the bandwidth will
be shared among the participating VLANs. As a general rule use all available
physical ports at the Firewall Router before employing VLAN trunking. This will
ease troubleshooting when looking at LAN traffic for a specific port.

In x86 Blade deployments the following VLANs have to be created:

• Private VLAN (Used for HA).

• Heartbeat VLAN (Used for HA).

• Upgrade VLAN (Used for Upgrade).

Private and Heartbeat are connected through the switch but as pass through.

3.4 Firewall Router

The COMInf network is divided into security domains (sometimes called security
zones or enclaves). The Firewall Router connects to all security domains
and analyses traffic between them. Traffic between two security domains is
scrutinized by the Firewall Router, but traffic within each domain flows freely.

The Firewall Router also acts as a layer 3 IP router. It routes IP packets
between the networks that make up the security domains. The routing function
in the Firewall Router also implements the VLAN tagging that is used on the
link to the Network Switch.

In a Blade deployment, firewall rules should not be applied before the SFS/NAS
installation is done. For further information on configuring SFS/NAS, refer to
Installation and Commissioning Guide for Symantec FileStore for OSS-RC
EMC Installation Documentation, Reference [10].

Currently there are four basic security domains. They are independent of the
network type managed by the OSS and of any additional customer specific
products:

• OSS Services Security Domain

• Infrastructure Security Domain

• OCS Services Security Domain

• OSS Client Security Domain

The following domains are optional. For example, the Core Network Security
Domain is only required if the OSS manages a core network, the NMS Security
Domain is only required if an NMS is used, and so on. The optional domains
are:

• OCS Access Security Domain

• PM Services Security Domain

• M@H Services Security Domain

• O&M Security Administration Security Domain

• SMRS Slave Security Domain


• WCDMA RAN Security Domain

• GSM RAN Security Domain

• Core Network Security Domain

• Service Network Security Domain

• NMS Security Domain

• LTE RAN Security Domain

• M@H RAN Security Domain

The security domains are illustrated in Figure 4.

Figure 4 Security Domains

The OSS Services Security Domain contains the nodes that connect to the
VLAN OSS Services. The OSS Master Server, CM (Cluster Mate) and EBAS
(Event Based Application Server) are located in this domain. A separate MWS
makes it possible to install the servers via a GUI, as several servers lack a
graphical display card and have to be connected to via the LAN interface.
The MWS also has a second Ethernet interface connected to the remote
management port on all COMInf machines.

The PM Services Security Domain contains the nodes Ericsson Network IQ
Server (ENIQ) and the Business Intelligence Server (BIS).

In the Non-Blade deployments, the Infrastructure Security Domain consists of
the nodes carrying the DNS, DHCP, NTP, LDAP, UNI-SMRS, BI-SMRS and
SLS. This corresponds to VLAN Infra Services. It also hosts some of the CAAS
components.

In the Blade deployments, the Infrastructure Security Domain consists of the
nodes carrying the DNS, DHCP, NTP, LDAP, SMRS Master, Citrix License
service and SLS. This corresponds to VLAN Infra Services. It also hosts some
of the CAAS components.

The OCS Services Security Domain consists of the nodes connected to the
OCS Services VLAN. The Application Server or Servers are located here. Also
the OCS Infrastructure Server (OIS) is located here.

Note: On the x86 Blade deployments, OIS is located on WAS.

The Security Administration Security domain consists of the O&M Security
Administration Server (OMSAS) which hosts some of the components in the
CAAS application.

The SMRS Slave Security Domain consists of the BI-SMRS slave machine.

The OCS Access Security Domain consists of the node OCS Access Portal
Server. This node is necessary if the functions ICA over SSL or Citrix Web
Interface is needed.

The WCDMA RAN Security Domain consists of nodes in the WCDMA RAN,
that is, RBS, RNC, RANAG and Site LAN nodes.

The LTE RAN Security Domain consists of nodes in the LTE RAN.

The GSM RAN Security Domain consists of the nodes in the GSM RAN. These
nodes are the various IP interfaces of the BSCs and also the SMPC.

The Core Network Security Domain consists of the nodes in the Core Network.

The Service Network Security Domain consists of the nodes in the Service
Network.

The OSS Client Security Domain consists of clients of the OCS Servers. This
domain is special in that it may be part of the customer's corporate network. In
this case, the OSS Clients domain will be part of a much larger network. This
has to be considered in the security design of your corporate network. For
example, routing must work between the OSS Client Security Domain and your
corporate network. There are security aspects to cater for as well. You may want
to connect COMInf to your corporate network through its Firewall Router, in
order to protect your corporate network from attacks originating in COMInf.
Also, you may want to implement a policy that allows only a limited part of your
corporate network to access COMInf.

The NMS Security Domain contains external NMS systems.

M@H RAN functionality is distributed on 5 nodes, Home BSC (HBSC), HSN,
SEGW and HSS.

In Section 3.1.8 VLAN Backup on page 12 and Section 3.1.10 VLAN Remote
Management on page 13, two other VLANs are defined. These VLANs are not
included in the Security Domains figure, Figure 4. The reason is that these
VLANs are not routed to any other network. They are not connected to the
Firewall Router, and nodes connected to the backup VLAN or remote
management VLAN do not have routing enabled. Therefore, these VLANs are
omitted from the firewall configuration.

3.4.1 General Firewall Configuration

The connectivity matrix in Table 1 shows which communication is allowed
through the Firewall Router. The connectivity matrix only considers
communication between the domains. Communication within a domain is not
scrutinized.

The information in the connectivity matrix is not based on a specific firewall
from a specific vendor, but the following should be noted:

• NAT (Network Address Translation) is only used between the OSS Client
Security Domain and the OCS Services/Access Security Domain. Between
all other domains NAT must not be used. The reason is that between all
other domains CORBA is used, which does not work if NAT is enabled.

• A firewall that supports stateful inspection of the following services/protocols
is recommended: NTP, DNS, FTP, NFS, LDAP, DHCP and Sun-RPC. If
this is met, it significantly reduces the number of ports that explicitly need to
be opened.

• The NFS service makes use of Sun Remote Procedure Call (RPC) services.
The RPC service itself executes at the well known port 111 but dynamically
assigns and opens other TCP/UDP ports for other services defined by
Sun program numbers. The NFS service is composed of nfsprog/100003
and mountd/100005. Without a firewall that is RPC aware you need to
run the Solaris command rpcinfo -p on the NFS server, check the
actual allocated port numbers and open the corresponding ports in the
firewall. With an RPC aware firewall, the firewall itself will open the NFS
ports dynamically.
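The rpcinfo -p step above, as an added example that is not part of this document: a small Python parser for the command's output that derives the TCP/UDP ports an RPC-unaware Firewall Router has to open for the portmapper (111), nfs (100003) and mountd (100005), and compares two snapshots, since the dynamically assigned mountd ports can change after a restart. The rpcinfo output and every port number in it are constructed samples, not captures from a COMInf installation.

```python
"""Derive the ports an RPC-unaware Firewall Router must open for NFS from
'rpcinfo -p' output (Section 3.4.1).

Added example, not part of the COMInf document. The rpcinfo output below is
a constructed sample (port numbers invented for the example) in the format
printed by the Solaris command 'rpcinfo -p' on the NFS server."""

# RPC programs named in the document: the portmapper on well-known port 111,
# nfs (nfsprog/100003) and mountd (100005). Other programs (for example
# nlockmgr/100021) are deliberately left out so the parser's filtering shows.
RPC_PROGRAMS = {100000: "rpcbind", 100003: "nfs", 100005: "mountd"}

# Constructed snapshot taken before a restart of the NFS server.
SAMPLE_BEFORE = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32780  mountd
    100005    1   tcp  32771  mountd
    100021    4   tcp   4045  nlockmgr
"""

# Constructed snapshot after the restart: mountd was handed new dynamic ports.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("32780", "32782").replace("32771", "32773")


def parse_rpcinfo(text):
    """Parse 'rpcinfo -p' output into (program, version, proto, port, service)
    tuples. The header and blank lines are skipped; a line that does not fit
    the format raises instead of being silently dropped, so a truncated capture
    cannot produce an incomplete rule set."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] == "program":
            continue
        if len(fields) < 4 or not (fields[0].isdigit() and fields[1].isdigit()
                                   and fields[3].isdigit()):
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        service = fields[4] if len(fields) > 4 else ""
        entries.append((int(fields[0]), int(fields[1]), fields[2].lower(),
                        int(fields[3]), service))
    return entries


def nfs_ports(text, programs=RPC_PROGRAMS):
    """Return the sorted list of (proto, port) pairs the firewall has to permit
    towards the NFS server for the selected RPC programs."""
    wanted = {(proto, port) for prog, _, proto, port, _ in parse_rpcinfo(text)
              if prog in programs}
    return sorted(wanted)


def port_drift(old_text, new_text, programs=RPC_PROGRAMS):
    """Compare two snapshots. Ports assigned dynamically by RPC (mountd here)
    can change after a restart, so rules derived from an older rpcinfo run go
    stale. Returns (ports to add, ports to remove)."""
    old = set(nfs_ports(old_text, programs))
    new = set(nfs_ports(new_text, programs))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for proto, port in nfs_ports(SAMPLE_BEFORE):
        print(f"permit {proto}/{port} -> NFS server")
    added, removed = port_drift(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("after restart, add:", added, "remove:", removed)
```

Re-run the snapshot comparison after every NFS server restart or Jumpstart; only an RPC aware firewall removes this maintenance step.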


Note: During jumpstart of the OSS RC Application Servers towards the MWS,
the firewall must be transparent in both directions OCS-OSS and
OSS-OCS. This means that the settings according to Table 1 shall be
applied after the jumpstart is completed.

3.4.1.1 Optional Firewall Configuration

ICA over SSL/TLS introduces a new firewall security domain called OCS Access
containing an OAP (OCS Access Portal) machine. The OAP runs Citrix Web
Interface secured by Citrix Secure Gateway (CSG). This arrangement requires
only a single secure port (443) to be opened between the user's OC machine
and the CSG. The OC web browser uses HTTPS and the Citrix ICA client uses
ICA over SSL/TLS to reach both UNIX and Windows Application servers.

The following figures show the three configurations that Ericsson supports when
connecting the clients in the customers' VLAN:

Figure 5 Standard OCS Deployment Non-Blade Systems

Figure 6 Standard OCS Deployment x86 Blade Systems

Figure 7 Enhanced OCS Deployment Non-Blade Systems

Figure 8 Enhanced OCS Deployment x86 Blade Systems

The Enhanced deployment uses the OAP with both the Web Interface and
the Citrix Secure Gateway. The ICA user uses HTTPS to attach to the Web
Interface with all Citrix published applications from OIS/WAS, WAS and UAS.
The Citrix ICA client attaches indirectly via CSG to the UAS or OIS/WAS or
WAS by using ICA over SSL.

In the figures above on the Standard and Enhanced deployment, a number of
different protocols are mentioned: ICA uses port 1494, HTTP uses port
80 and ICA/SSL uses port 443. The communication paths differ in the two
deployments and that impacts the firewall configuration. Follow the procedure
below, which outlines how to change the basic firewall matrix to support the
introduction of the OCS Access in the Standard or the Enhanced configuration.

• Table 14 needs to be changed. Port 80 (ICA browsing) and port 1494 (Citrix
ICA protocol) should be closed.

• Table 12 needs to be changed. Port 80 (ICA browsing) and port 1494
(Citrix ICA protocol) should be closed in the Enhanced configuration and
port 80 shall be closed in the Standard configuration.

• A new table with connections from the OSS Client domain to the OCS Access
domain needs to be defined. See Table 30.

• A new table with connections from the WCDMA RAN Security domain to the
OCS Access domain needs to be defined. See Table 31.

• A new table with connections from the OCS Access domain to the OCS
Service domain needs to be defined. See Table 13.


3.4.1.2 Connectivity Matrix

The connectivity matrix, see Table 1, can be used as an aid for configuring the
Firewall Router. An X denotes traffic within a domain, which is not covered. "No"
means that no communication is allowed. "All" means that communication is
allowed on any port, without restriction.

Note: Rules for communication from anywhere on the LAN to the OSS Services,
OCS Services and INF Services VLANs apply both to the standard network VLANs
and to the upgrade VLANs, but the upgrade VLANs are not routable to the
RAN/LTE/Core network.

Table 1 Connectivity Matrix

From \ To | OSS Services | OCS Services | Infrastructure Services | Security Administration Domain | OSS Clients | SMRS Slave | OCS Access | WCDMA RAN | OSS Storage
OSS Services | Table 59 | Table 11 | Table 17 | Table 46 | No | No | No | Table 32 | Table 62
OCS Services | Table 3 | X | Table 18 | Table 19 | Table 20 | No | No | Table 33 | No
Infrastructure Services | Table 4 | No | X | Table 29 | No | Table 24 | No | Table 34 | No
Security Administration Domain | Table 5 | No | Table 21 | X | No | No | No | No | No
OSS Clients | No | Table 12 | Table 22 | No | X | No | Table 30 | No | No
SMRS Slave | No | No | Table 23 | No | No | X | No | No | No
OCS Access | No | Table 13 | No | No | No | No | X | No | No
WCDMA RAN | Table 6 | Table 14 | Table 25 | No | No | Table 60 | Table 31 | X | No
GSM RAN | Table 7 | Table 15 | Table 26 | No | No | Table 27 | No | No | No
Core Network | Table 8 | Table 16 | Table 28 | No | No | Table 61 | No | No | No
Service Network | Table 9 | No | No | No | No | No | No | No | No
NMS | Table 10 | No | No | No | No | No | No | No | No
PM Services | Table 43 | No | Table 44 | No | No | No | No | No | Table 63
LTE RAN | Table 47 | Table 51 | Table 52 | No | No | Table 54 | Table 53 | X | No
M@H Services | No | Table 56 | No | No | No | No | No | No | No
M@H RAN | No | No | No | No | No | No | No | No | No
OSS Storage | No | No | Table 64 | No | No | No | No | No | No

Table 2 Connectivity Matrix (continued)

From \ To | GSM RAN | Core Network | Service Network | NMS (1) | PM Services | LTE RAN | M@H Services | M@H RAN
OSS Services | Table 35 | Table 37 | Table 40 | All | Table 41 | Table 48 | No | No
OCS Services | Table 36 | Table 38 | No | No | Table 42 | Table 49 | Table 55 | No
Infrastructure Services | No | Table 39 | No | No | No | Table 50 | No | No
Security Administration Domain | No | No | No | No | No | No | No | No
OSS Clients | No | No | No | No | No | No | No | No
SMRS Slave | No | No | No | No | No | No | No | No
OCS Access | No | No | No | No | No | No | No | No
WCDMA RAN | No | No | No | No | No | No | No | No
GSM RAN | X | No | No | No | No | No | No | No
Core Network | No | X | No | No | No | No | No | No
Service Network | No | No | X | No | No | No | No | No
NMS | No | No | No | X | Table 45 | No | No | No
PM Services | No | No | No | No | X | No | No | No
LTE RAN | No | No | No | No | No | No | No | No
M@H Services | No | No | No | No | No | No | No | Table 57
M@H RAN | No | No | No | No | No | No | Table 58 | No

(1) NMS ports are unknown for Ericsson

During jumpstart of all servers from the MWS, the firewall must be transparent
in both directions between the OCS Services VLAN and the OSS Services VLAN.
The settings in the following table are therefore applied only after the
jumpstart is completed.

Table 3 OCS Services Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
FTP | TCP | 21 | PM: REI Recording File Viewer; SMO and NIO: Product inventory
SSH | TCP | 22 | SSH and SFTP to MS.
Telnet | TCP | 23 | GUI -> FHA Server
TFTP | UDP | 69 | Needs to be open only during jump-start of UNIX Workstation or UNIX Application Server.
HTTP | TCP | 80 | ALEX and WebI
rpcbind | TCP, UDP | 111 | Sun rpcbind
SNMP | UDP | 162 | System Monitoring Application, Server layer, Trap Handler component
SNMP | UDP | 163 | System Monitoring Application, Server layer, Event manager component
SNMP | UDP | 164 | System Monitoring Application, Server layer, Topology manager component
SNMP | UDP | 165 | System Monitoring Application, Server layer, Configuration manager component
SNMP | UDP | 166 | System Monitoring Application, Server layer, Platform component
SNMP | UDP | 167 | System Monitoring Application, Advanced System Monitoring Add-on layer, System event and configuration tracking component (cstservice)
SNMP | UDP | 168 | System Monitoring Application, Server layer, Agent information caching component (Metadata)
LDAP | TCP | 389 | Solaris Authentication Service
RMI over IIOP | TCP | 1099 | Internal RMI Registry
- | TCP | 1724 | Audit Trail daemon port.
NFS | TCP, UDP | 2049 | Sun Network File System. Read the Firewall Configuration chapter, Section 3.4.1 on page 19, about NFS services using RPC and how different firewalls treat this dynamic service.
RMI | TCP | 2099 | SunMC console service on MWS.
nlockmgr | TCP, UDP | 4045 | Sun nlockmgr
SQL | TCP | 5025 | SQL queries from Business Objects towards the databases.
Encrypted license requests | UDP | 5093 | Sentinel license server RMS
HP Proprietary | TCP | 7510 | HP Web Interface
HP Proprietary | TCP | 7777 | HP Remote Console
HTTP | TCP | 7778 | Oracle Web Server
HTTP | TCP | 8020 | Novell iManager internal Apache server port
HTTPS | TCP | 8043 | SunMC console service on MWS
HTTP | TCP | 8080 | Formula Server access; SunMC console service on MWS
Veritas Cluster Proprietary | TCP | 32817 | Needed if OSS-RC HA solution is used
Veritas Cluster Proprietary | TCP | 32843 | Needed if OSS-RC HA solution is used
RMI | TCP | 49188 | IRATHOM Audit Service
RMI/SSL | TCP | 49189 | IRATHOM Audit Service
RMI | TCP | 49190 | OSS Connection Service
RMI/SSL | TCP | 49191 | OSS Connection Service
RMI | TCP | 49194 | SMX
RMI | TCP | 49195 | SMX - secure
RMI | TCP | 49196 | Cell PCI Service
RMI/SSL | TCP | 49197 | Cell PCI Service
Ericsson proprietary | TCP | 49200 | AipCM GUI to AipCM server
RMI | TCP | 49201 | Real Time Performance Service
RMI/SSL | TCP | 49202 | Real Time Performance Service
RMI | TCP | 49203 | GSM Topology Service
RMI/SSL | TCP | 49204 | GSM Topology Service
Ericsson proprietary | TCP | 49210 | ICS Server
Ericsson proprietary | TCP | 49240 | IMS-CM GUI to IMS-CM server
Ericsson proprietary | TCP | 49252 | GSN-CM GUI to GSN-CM server
SSLIOP | TCP | 2007 | SNMS Managed Object Server Port
HTTPS | TCP | 8444 | SNMS Managed Object Web Server Port
IIOP | TCP | 11000 | CORBA Naming Service.
IIOP | TCP | 11001 | CORBA Event Service.
IIOP | TCP | 49253 | OSS CIF: Used by Log Viewer
IIOP | TCP | 49255 | IMM Client to IMM Server.
IIOP | TCP | 49256 | GUI -> OPS Server. Both OPS GUI and Server use Visibroker and CSU.
SSLIOP | TCP | 49257 | OPS GUI to OPS server
SSLIOP | TCP | 49258 | GUI -> SMO Server. SMO/NIO uses Visibroker and CSU.
Ericsson proprietary | TCP | 49259 | GUI -> SMO Server. Used for import & export file function. The static port is hard coded.
SSLIOP | TCP | 49261 | GUI -> SMO AXE module. Both GUI and module use Visibroker and CSU.
SSLIOP | TCP | 49262 | GUI -> SMO GSN module. Both GUI and module use Visibroker and CSU.
SSLIOP | TCP | 49263 | GUI -> SMO RBS module. Both GUI and module use Visibroker and CSU.
IIOP | TCP | 49267 | OSS RNO RecordingDb server
IIOP | TCP | 49268 | OSS RNO FasResultDb server
IIOP | TCP | 49269 | OSS RNO NcsResultDb server
IIOP | TCP | 49270 | OSS RNO MrrResultDb server
IIOP | TCP | 49271 | OSS RNO TetResultDb server
IIOP | TCP | 49272 | OSS RNO FoxResultDb server
IIOP | TCP | 49273 | OSS RNO NoxResultDb server
IIOP | TCP | 49274 | OSS RNO Pdb server
IIOP | TCP | 49275 | OSS RNO MibServer server
IIOP | TCP | 49276 | OSS RNO BrfJavaUtilServer server
IIOP | TCP | 49277 | OSS RNO BrfEventServer server
IIOP | TCP | 49278 | OSS RNO SyroxServer server
Ericsson proprietary | TCP | 49292 | OSS NWS PMT Collector Server
IIOP | TCP | 49293 | OSS NWS SMIA SMCA Server
IIOP | TCP | 49294 | OSS NWS SMIA SMAD Server
IIOP | TCP | 49295 | OSS NWS SMIA NIM Server
IIOP | TCP | 49296 | OSS NWS SMIA TBS Server
SSLIOP | TCP | 49302 | NWS SMIA SMCA Server
SSLIOP | TCP | 49304 | NWS SMIA SMAD Server
SSLIOP | TCP | 49306 | NWS SMIA NIM Server
SSLIOP | TCP | 49308 | NWS SMIA TBS Server
IIOP | TCP | 49550 | PDM server
SSLIOP | TCP | 49551 | PDM server
IIOP | TCP | 49600 | IRATHOM server
SSLIOP | TCP | 49601 | IRATHOM server
SSLIOP | TCP | 49650 | OSS CN-CM NAM Client to NAM Repository Server.
SSLIOP | TCP | 49660 | OSS CN-CM NAM Client to NAM Repository Server.
SSLIOP | TCP | 49671 | OSS RNO NcsResultDb server
SSLIOP | TCP | 49673 | OSS RNO MrrResultDb server
SSLIOP | TCP | 49675 | OSS RNO TetResultDb server
SSLIOP | TCP | 49677 | OSS RNO FoxResultDb server
SSLIOP | TCP | 49679 | OSS RNO NoxResultDb server
SSLIOP | TCP | 49681 | OSS RNO Pdb server
SSLIOP | TCP | 49683 | OSS RNO MibServer server
SSLIOP | TCP | 49685 | OSS RNO BrfJavaUtilServer server
SSLIOP | TCP | 49687 | OSS RNO SyroxServer server
SSLIOP | TCP | 49689 | OSS RNO MIB_CS server
SSLIOP | TCP | 49691 | OSS RNO BrfResult server
SSLIOP | TCP | 49693 | OSS RNO RnoSets server
IIOP | TCP | 49700 | Object Explorer (unsecure)
SSLIOP | TCP | 49702 | Object Explorer (secure)
Ericsson Proprietary | TCP | 49705 | CNAM
SSLIOP | TCP | 49709 | OSS CIF Internal Notification Agent (secure)
SSLIOP | TCP | 49711 | nms_cif_sm_server
SSLIOP | TCP | 49716 | OSS CIF: Used by SM GUI
SSLIOP | TCP | 49722 | Secure ParameterServer SSL calls
SSLIOP | TCP | 49724 | Secure StartStopRestart SSL calls
SSLIOP | TCP | 49726 | OSS NCM PROP Server
SSLIOP | TCP | 49728 | NCMS
IIOP | TCP | 49729 | NCMS
SSLIOP | TCP | 49730–49739 | OSS NCM gcc servers (secure)
RMI | TCP | 49750 | Topology Composite Service
RMI/SSL | TCP | 49751 | Topology Composite Service
RMI | TCP | 49752 | CM Composite Service
RMI/SSL | TCP | 49753 | CM Composite Service
RMI | TCP | 49754 | LTE CM Service
RMI/SSL | TCP | 49755 | LTE CM Service
RMI | TCP | 49758 | Cell Service
RMI/SSL | TCP | 49759 | Cell Service
IIOP | TCP | 49761–49770 | OSS NCM gcc servers (unsecure)
IIOP | TCP | 49771 | OSS RNO RnoSets server
Ericsson proprietary | TCP | 49774 | OSS RPMO Agent
Ericsson proprietary | TCP | 49775 | OSS RPMO Stream Interface used for event dumper
IIOP | TCP | 49776 | OSS RPMO Agent Corba Port
IIOP | TCP | 49779 | RPMO Weba-Agent
IIOP | TCP | 49780 | RPMO Webs-Server
IIOP | TCP | 49784 | OSS CIF Internal Notification Service
IIOP | TCP | 49786 | OSS CIF Internal Notification Agent
IIOP | TCP | 49790 | ONE Client GUI to Server
SSLIOP | TCP | 49791 | ONE Client GUI to Server
IIOP | TCP | 49792 | OSS NCM PROP Server
IIOP | TCP | 49794 | OSS RPMO Rebs
Proprietary | TCP | 49796 | Core CM MMCM GUI to server
IIOP | TCP | 49801 | OSS WRAN CM Core explorer server ORB listener port
IIOP | TCP | 49802 | CM Plan Administration Service
IIOP | TCP | 49803 | CM Bulk Service
IIOP | TCP | 49804 | CM Consistency Check Service
IIOP | TCP | 49808 | CM Bulk Service
IIOP | TCP | 49811 | OSS WRAN CM RADIO: CM server ORB listener port
IIOP | TCP | 49812 | OSS WRAN CM RADIO: Radio network topology server ORB listener port
SSLIOP | TCP | 49814 | OSS WRAN CM RADIO: CM server (secure) rnh_config_reg_managed
SSLIOP | TCP | 49816 | OSS WRAN CM RADIO: Radio network topology server (secure) rnh_topology_reg_managed
Disabled-IIOP | TCP | 49817 | CM Consistency Check Service
SSLIOP | TCP | 49818 | CM Consistency Check Service
IIOP | TCP | 49821 | OSS WRAN CM TRANSPORT: Telis server ORB listener port
IIOP | TCP | 49822 | OSS WRAN CM TRANSPORT: Add RBS Wizard server ORB listener port
SSLIOP | TCP | 49823 | OSS WRAN CM TRANSPORT: Telis server (secure)
SSLIOP | TCP | 49826 | OSS WRAN CM TRANSPORT: Add RBS Wizard server (secure)
IIOP | TCP | 49831 | SMO and NIO: region server ORB listener port
Disabled-IIOP | TCP | 49836 | CM Plan Administration Service
SSLIOP | TCP | 49837 | CM Plan Administration Service
IIOP | TCP | 49841 | PM: PMS region server ORB listener port
SSLIOP | TCP | 49848 | OSS WRAN-CM PMS
IIOP | TCP | 49854 | OSS WRAN-CM CMS: SNAD
SSLIOP | TCP | 49856 | OSS WRAN-CM CMS: SNAD (secure)
IIOP | TCP | 49861 | PM: RED region server ORB listener port
IIOP | TCP | 49870 | FWK: region server ORB listener port
RMI | TCP | 49880 | LTE Cell Service
RMI/SSL | TCP | 49881 | LTE Cell Service
SSLIOP | TCP | 49892 | NSA server
IIOP | TCP | 49893 | NSA server
SSLIOP | TCP | 49899 | WRAN CM wran_bcg_managed (secure)
IIOP | TCP | 49901 | OSS FM: Resource Information Adapter
IIOP | TCP | 49902 | OSS FM Distribution Server
IIOP | TCP | 49903 | OSS FM: Information Model Synchronizer
IIOP | TCP | 49905 | OSS FM: Alarm Status Viewer
IMHCom | TCP | 49909 | FM: IMH_nm_server
IMHCom | TCP | 49910 | FM: IMH_action_server
IMHCom | TCP | 49911 | FM: IMH_alarm_server
IMHCom | TCP | 49912 | FM: IMH_FMAI_server
IMHCom | TCP | 49913 | OSS FM: IMH Alarm Text Routing server
SSLIOP | TCP | 49919 | OSS FM Distribution Server
IIOP | TCP | 49980 | AC connection to ARNE Server
SSLIOP | TCP | 49986 | ARNE server
SSLIOP | TCP | 49989 | FWK region server
IIOP | TCP | 49990 | Job Manager GUIs
SSLIOP | TCP | 49995 | Job Manager GUIs (secure)
Ericsson proprietary | TCP | 50003 | OSS AXM EAM: Command and Response Initiator for IOG20 MTP
Ericsson proprietary | TCP | 50004 | OSS AXM EAM: Command and Response Initiator for IOG20 X.29
Ericsson proprietary | TCP | 50006 | OSS AXM EAM: Subscription server
Ericsson proprietary | TCP | 50007 | OSS AXM EAM: External Session Management Server
Ericsson proprietary | TCP | 50008 | OSS AXM EAM: Protocol Initiator for EAM File Store
Ericsson proprietary | TCP | 50009 | OSS AXM EAM: File Protocol Initiator for IOG20
Sun RPC | TCP | 50015 | OSS CIF TBS: Cap_pdb_nfh Server
Sun RPC | TCP | 50016 | OSS CIF TBS: PMS Error Server
Sun RPC | TCP | 50017 | OSS CIF TBS: Ipcdir Server
IIOP | TCP | 50018 | OSS CIF GUIbound Naming Service
IIOP | TCP | 50020 | OSS CIF: Used by SM GUI
IIOP | TCP | 50021 | CM Consistency Check Service
IIOP | TCP | 50023 | CIF AM GUI communication
SSLIOP | TCP | 50024 | CIF AM GUI comm (secure)
IIOP | TCP | 50026 | CIF LS communication
SSLIOP | TCP | 50027 | CIF LS comm (secure)
HTTP | TCP | 50029 | OSS CIF Tomcat
IIOP | TCP | 50030 | TSS Password Server
IIOP | TCP | 50031 | TSS Authority Server
IIOP | TCP | 50032 | TSS Basic Server
SSLIOP | TCP | 50033 | TSS Password Server
SSLIOP | TCP | 50034 | TSS Authority Server
SSLIOP | TCP | 50035 | TSS Basic Server
IIOP | TCP | 50040 | CIF StartStopRestart IIOP calls (SSR)
IIOP | TCP | 50041 | OSS CIF ParameterService IIOP calls (PAS)
RMI | TCP | 50042 | GB RMI Registry
RMI | TCP | 50043 | WCDMA Topology Service
RMI/SSL | TCP | 50044 | WCDMA Topology Service
RMI | TCP | 50045 | Status Service
RMI/SSL | TCP | 50046 | Status Service
RMI | TCP | 50047 | FM Alarm Service
RMI/SSL | TCP | 50048 | FM Alarm Service
RMI | TCP | 50049 | PM KPI Service
RMI/SSL | TCP | 50050 | PM KPI Service
RMI | TCP | 50051 | PM Traffic Recordings Service
RMI/SSL | TCP | 50052 | PM Traffic Recordings Service
RMI | TCP | 50053 | NE Log Service
RMI/SSL | TCP | 50054 | NE Log Service
RMI | TCP | 50055 | Management Service
RMI/SSL | TCP | 50056 | Management Service
RMI | TCP | 50057 | Java Message Service
RMI/SSL | TCP | 50058 | Java Message Service
RMI | TCP | 50059 | JMX Service
RMI/SSL | TCP | 50060 | JMX Service
RMI | TCP | 50061 | CM Bulk Export Service
RMI/SSL | TCP | 50062 | CM Bulk Export Service
RMI | TCP | 50063 | CM Bulk Import Service
RMI/SSL | TCP | 50064 | CM Bulk Import Service
IIOP | TCP | 50073 | OSS CIF SouthBound Naming Service
SSLIOP | TCP | 50076 | IMM Clients (IMM GUI & IMM CLI) to IMM Server
IIOP | TCP | 50090 | OSS RNO MIB_CS server
IIOP | TCP | 50091 | OSS RNO BrfResult server
SSLIOP | TCP | 50094 | OSS RNO RecordingDb server
SSLIOP | TCP | 50096 | OSS RNO FasResultDb server
SSLIOP | TCP | 50098 | OSS RNO BrfEventServer server
IIOP | TCP | 50100–50119 | 20 ports used jointly by OSS AXM EMT: CLS GUI, SRM GUI and EMAM GUI
IIOP | TCP | 50120 | OSS RNR PMR Server
SSLIOP | TCP | 50123 | OSS smo_cpp
IIOP | TCP | 50127 | OSS smo_csm
IIOP | TCP | 50128 | OSS smo_axe
IIOP | TCP | 50129 | OSS smo_gsn
IIOP | TCP | 50130 | OSS smo_rbs
IIOP | TCP | 50131 | OSS smo_srv
IIOP | TCP | 50132 | OSS smo_script
SSLIOP | TCP | 50133 | OSS smo_script
IIOP | TCP | 50135 | OSS smo_j20
SSLIOP | TCP | 50136 | OSS smo_j20
Ericsson proprietary | TCP | 50140 | OSS AXM EAM: Command and Response Initiator for APG40
Ericsson proprietary | TCP | 50141 | OSS AXM EAM: Command and Response Initiator for APG30
IIOP | TCP | 50143 | OSS CIF Visibroker OAD
IIOP | TCP | 50144 | OSS CIF OpenFusion LogService
SSLIOP | TCP | 50150 | RNR PMR Server
IIOP | TCP | 50160 | Realtime Trace
SSLIOP | TCP | 50161 | Realtime Trace
Ericsson Proprietary CAP-IPC | TCP | 50163–50170 | AXM/EAM
IIOP | TCP | 50171 | EBA SEBS
SSLIOP | TCP | 50173 | EBA SEBS
IIOP | TCP | 50174 | EBA EBSS
SSLIOP | TCP | 50176 | EBA EBSS
IIOP | TCP | 50177 | WRAN CM: RNR
SSLIOP | TCP | 50179 | WRAN CM: RNR
Ericsson Proprietary | TCP | 50180 | OSS AXM EAM: Command and Response Initiator for MSC-S BC (APG43) nodes
Ericsson Proprietary | TCP | 50181 | OSS AXM EAM: Protocol Initiator for EAM File Store
Ericsson Proprietary | TCP | 50182 | OSS AXM EAM: External Session Management Server
Ericsson Proprietary | TCP | 50183 | OSS AXM EAM: Subscription Server
SSLIOP | TCP | 50220–50239 | 20 ports used jointly by OSS AXM EMT: CLS GUI, SRM GUI and EMAM GUI
CAP IPC | TCP | 50600–51599 | TBS
Gensym GSI | TCP | 52130 | OSS FM Fault Manager eXpert (FMX), G2
Gensym Javalink | TCP | 52131–52190 | OSS FM Fault Manager eXpert (FMX), Gensym Javalink
SSLIOP | TCP | 52192 | OSS FM: Resource Information Adapter
SSLIOP | TCP | 52194 | OSS FM: Information Model Synchronizer
SSLIOP | TCP | 52196 | OSS FM Alarm Status Viewer
IIOP | TCP | 52199 | CIF Trace Server
Telnet | TCP | 52200 | Telnet access for WinFIOL to AXE from AS via telnet gateway on MS.
SSLIOP | TCP | 55500 | RPMO Rebs server
SSLIOP | TCP | 55501 | RPMO agent
SSLIOP | TCP | 55502 | RPMO WebsServer
SSLIOP | TCP | 55503 | RPMO WebaAgent
RPC | UDP | 32768–65535 | Not needed if the following services are enabled: LDAP, NFS
SSLIOP | TCP | 50337 | OSS LTE RAN-CM: CV
RMI | TCP | 50496 | RBS Power Save Service
RMI/SSL | TCP | 50497 | RBS Power Save Service
RMI | TCP | 50300 | Planned Configuration Management Service
RMI/SSL | TCP | 50301 | Planned Configuration Management Service
RMI | TCP | 50302 | Planned Configuration Activation Service
RMI/SSL | TCP | 50303 | Planned Configuration Activation Service
RMI | TCP | 50304 | Planned Configuration Operations Service
RMI/SSL | TCP | 50305 | Planned Configuration Operations Service
RMI | TCP | 50309 | WCDMA CM Service
RMI/SSL | TCP | 50310 | WCDMA CM Service
RMI | TCP | 50311 | WCDMA Cell Service
RMI/SSL | TCP | 50312 | WCDMA Cell Service
RMI | TCP | 50313 | Rules Service
RMI/SSL | TCP | 50314 | Rules Service
RMI | TCP | 50315 | Profiles Service
RMI/SSL | TCP | 50316 | Profiles Service
RMI | TCP | 50317 | Templates Service
RMI/SSL | TCP | 50318 | Templates Service
RMI | TCP | 50319 | Grouping Service
RMI/SSL | TCP | 50320 | Grouping Service
RMI | TCP | 50321 | Access Control Service
RMI/SSL | TCP | 50322 | Access Control Service
RMI | TCP | 50323 | License Service
RMI/SSL | TCP | 50324 | License Service
RMI | TCP | 50327 | ConfigAdmin
RMI/SSL | TCP | 50328 | ConfigAdmin
RMI | TCP | 50329 | Logging Service
RMI/SSL | TCP | 50330 | Logging Service
RMI | TCP | 50333 | AIF Service
RMI/SSL | TCP | 50334 | AIF Service
RMI | TCP | 50346 | Scheduling Service
RMI/SSL | TCP | 50347 | Scheduling Service
RMI | TCP | 50344 | BSIM Service
RMI/SSL | TCP | 50345 | BSIM Service
SNMP | UDP | 50600–50719 | Agent Layer of the System Monitoring application initiates session towards the Server Layer of the System Monitoring application.
IIOP | TCP | 63000 | CORBA listening port (BASE Topology Manager)
IIOP | TCP | 63001 | CORBA listening port (BASE Topology Poll Scheduler)
IIOP | TCP | 63004 | CORBA listening port (ACT server listening port)
IIOP | TCP | 63005 | CORBA listening port (Performance Monitor)
RMI | TCP | 49152 | NSD for EPC Topology Service
RMI | TCP | 49153 | NSD for EPC Alarms Service
RMI | TCP | 49154 | NSD for EPC Performance Service
RMI | TCP | 49155 | NSD for EPC Status Service
RMI | TCP | 49156 | NSD for EPC Logs Service
RMI | TCP | 49157 | NSD for EPC Traffic Recording Service
RMI | TCP | 49158 | NSD for EPC Configuration Management Service
Ericsson Proprietary CAP-IPC or IIOP | TCP | 49159–49183 | OSS AXM EAM C++ and Java client applications access EAM Initiator (server) processes via CAP-IPC and CORBA IDL respectively
RMI | TCP | 65534 | MME Pool and EPC Provisioning - EPC UCS Service
RMI | TCP | 65535 | Utility Services - DNS Service
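The RPC row of Table 3 (UDP 32768–65535, "not needed if LDAP and NFS are enabled" as firewall services) is by far the widest opening in the table. Where the Firewall Router cannot track RPC portmapper assignments, the alternative to opening the whole dynamic range is to find the ports the RPC services actually registered and open only those. The following is an added example, not taken from the document: it parses `rpcinfo -p` output (the sample is constructed, not captured from an OSS server) and reports which services sit in the dynamic range outside the ports Table 3 already opens statically (rpcbind 111, NFS 2049, nlockmgr 4045).

```python
"""Find RPC services that would need the dynamic port range opened
(added example; the rpcinfo output below is constructed, not real)."""
import re
from typing import Dict, List, Tuple

# Ports Table 3 already opens for the RPC/NFS family: rpcbind, NFS, nlockmgr.
STATIC_RPC_PORTS = {111, 2049, 4045}

# Constructed sample of `rpcinfo -p` output from a Solaris-style NFS server (assumption).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100005    3   tcp  32772  mountd
    100005    3   udp  32771  mountd
    100024    1   udp  32773  status
"""

# program  version  proto  port  service
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, service) triples; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rows.append((m.group(3), int(m.group(4)), m.group(5)))
    return rows


def dynamic_rpc_services(text: str, low: int = 32768,
                         high: int = 65535) -> Dict[str, List[Tuple[str, int]]]:
    """Services registered inside [low, high] that the static table rows do not cover."""
    found: Dict[str, List[Tuple[str, int]]] = {}
    for proto, port, svc in parse_rpcinfo(text):
        if port in STATIC_RPC_PORTS:
            continue                      # already opened by a static row
        if low <= port <= high:
            found.setdefault(svc, []).append((proto, port))
    return found


def pinned_rules(text: str) -> List[str]:
    """Per-port openings ('proto port service') to use instead of the whole range."""
    return [f"{proto} {port} {svc}"
            for svc, binds in sorted(dynamic_rpc_services(text).items())
            for proto, port in sorted(binds)]


if __name__ == "__main__":
    for rule in pinned_rules(SAMPLE_RPCINFO):
        print(rule)
```

On the sample this yields three openings (mountd on tcp/32772 and udp/32771, status on udp/32773) instead of 32768 UDP ports. The caveat is that ports of this kind are assigned when the service starts and can move after a reboot, so per-port rules are only safe where the RPC services are pinned to fixed ports on the server; otherwise the range opening in the table, or a firewall with an NFS/RPC service definition that follows the portmapper, remains the supported approach.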

Table 4 Infrastructure Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
SNMP | UDP | 162 | System Monitoring Application, Server layer, Trap Handler component
SNMP | UDP | 163 | System Monitoring Application, Server layer, Event manager component
SNMP | UDP | 164 | System Monitoring Application, Server layer, Topology manager component
SNMP | UDP | 165 | System Monitoring Application, Server layer, Configuration manager component
SNMP | UDP | 166 | System Monitoring Application, Server layer, Platform component
SNMP | UDP | 167 | System Monitoring Application, Advanced System Monitoring Add-on layer, System event and configuration tracking component (cstservice)
SNMP | UDP | 168 | System Monitoring Application, Server layer, Agent information caching component (Metadata)
SSH | TCP | 22 | BI-SMRS to Master Server
IIOP | TCP | 50018 | Name Service
SNMP | UDP | 50600–50719 | Agent Layer of the System Monitoring application initiates session towards the Server Layer of the System Monitoring application.

Table 5 Security Administration Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
SSH | TCP | 22 | OMSAS to OSS Master Server
SNMP | UDP | 162 | Sun Management Centre Trap Handler
SSLIOP | TCP | 49630 | NE Data Proxy
IIOP | TCP | 49632 | NE Data Proxy
SSLIOP | TCP | 49634 | OSS-Handler <--> SCS Communication
IIOP | TCP | 50018 | Name Service

Table 6 WCDMA RAN Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
IIOP | TCP | 50338 | RNC, RBS, RXI | WMA Node Discovery (unsecure)
SSLIOP | TCP | 50339 | RNC, RBS, RXI | WMA Node Discovery (secure)
IIOP | TCP | 49300 | RNC, RBS, RXI | Telisoi server
IIOP | TCP | 49640 | RNC, RBS, RXI | Security activation
IIOP | TCP | 49641 | RNC, RBS, RXI | Security activation
IIOP | TCP | 49833 | RNC, RBS, RXI | NE to SMO and NIO callbacks (unsecure) (1)
SSLIOP | TCP | 49835 | RNC, RBS, RXI | NE to SMO and NIO callbacks (secure) (1)
IIOP | TCP | 49851 | RNC, RBS, RXI | NE to CMS callbacks (unsecure) (1)
SSLIOP | TCP | 49853 | RNC, RBS, RXI | NE to CMS callbacks (secure) (1)
IIOP | TCP | 49894 | RNC, RBS, RXI | NE to NSA callbacks (unsecure)
SSLIOP | TCP | 49896 | RNC, RBS, RXI | NE to NSA callbacks (secure)
SNMP | TCP | 161 | AST-CM | Site Management
SSH | TCP | 22 | AST-CM | Site Management
IIOP | TCP | 49920, 49923, 49926, 49929, 49932, 49935, 49938, 49941, 49944, 49947, 49950, 49953, 49956, 49959, 49962, 49965, 49968, 49971, 49974, 49977 | RNC, RBS, RXI | NE to FM/CIRPMAN callbacks (unsecure) (1)
SSLIOP | TCP | 49922, 49925, 49928, 49931, 49934, 49937, 49940, 49943, 49946, 49949, 49952, 49955, 49958, 49961, 49964, 49967, 49970, 49973, 49976, 49979 | RNC, RBS, RXI | NE to FM/CIRPMAN callbacks (secure) (1)

Table 7 GSM RAN Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Originating Node | Comment
FTP | TCP | 21 | SMPC | FTP
SSH-FTP | TCP | 22 | SMPC | Alarms from SMPC to OSS Master Server. Secure FTP
SNMP | UDP | 162 | BSC LAN Switch (Extreme Summit) | SNMP traps
Ericsson proprietary | TCP | 50000 | APG40 | OSS receives spontaneous reports from APG40
Ericsson proprietary | TCP | 50005 | APG30 | OSS AXM EAM: OSS receives spontaneous reports from APG30
Ericsson proprietary | TCP | 50009 | IOG20 | OSS AXM EAM: File Protocol Initiator for IOG20
Ericsson proprietary | TCP | 50010–50014 | APG40 | OSS receives file notifications from APG40
Ericsson Proprietary | TCP | 50184 | APG43 | OSS receives spontaneous reports from APG43
Ericsson Proprietary | TCP | 50185–50189 | APG43 | OSS AXM EAM: OSS receives file notifications from APG43

Table 8 Core Network Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
SNMP | TCP | 162 | SGSN, CGSN, GGSN | SNMP traps
SNMP | UDP | 162 | SGSN, CGSN, GGSN, IMT | SNMP traps
SNMP | UDP | 163 | IMT | SNMP events
IIOP | TCP | 49260 | MGw | NE to SMO callbacks (unsecure)
SSLIOP | TCP | 49265 | MGw | NE to SMO callbacks (secure)
IIOP | TCP | 49640 | RNC, RBS, RXI | Security activation
IIOP | TCP | 49641 | RNC, RBS, RXI | Security activation
IIOP | TCP | 49920, 49923, 49926, 49929, 49932, 49935, 49938, 49941, 49944, 49947, 49950, 49953, 49956, 49959, 49962, 49965, 49968, 49971, 49974, 49977 | MGw | NE to FM/CIRPMAN callbacks (unsecure)
SSLIOP | TCP | 49922, 49925, 49928, 49931, 49934, 49937, 49940, 49943, 49946, 49949, 49952, 49955, 49958, 49961, 49964, 49967, 49970, 49973, 49976, 49979 | MGw | NE to FM/CIRPMAN callbacks (secure)
Ericsson proprietary | TCP | 50000 | APG40 | OSS receives spontaneous reports from APG40
Ericsson proprietary | TCP | 50005 | APG30 | OSS AXM EAM: OSS receives spontaneous reports from APG30
Ericsson proprietary | TCP | 50009 | IOG20 | OSS AXM EAM: File Protocol Initiator for IOG20
Ericsson proprietary | TCP | 50010–50014 | APG40 | OSS receives file notifications from APG40
Ericsson proprietary | TCP | 50184 | APG43 | OSS receives spontaneous reports from APG43
Ericsson Proprietary | TCP | 50185–50189 | APG43 | OSS AXM EAM: OSS receives file notifications from APG43
RPC | TCP | 52120 | DXX | Sending of alarms on the DAI interface

Table 9 SN Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
SNMP | UDP | 162 | Reception of SNMP traps and notifications

Table 10 NMS Security Domain to OSS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
FTP | TCP | 21 | WRAN-CM
SSH | TCP | 22 | SSH and SFTP
SNMP | UDP | 161 | Simple Network Management Protocol
rexec | TCP | 512 | OSS FM: BNSI Agent
rsh | TCP | 514 | OSS FM: BNSI Agent
SQL | TCP | 5025 | Sybase SQL.
IIOP | TCP | 49254 | CIF NB Naming Service
IIOP | TCP | 49760 | OSS NCM northbound Bulk CM IRP
IIOP | TCP | 49785 | OSS CIF External Notification Service
IIOP | TCP | 49787 | OSS CIF External Notification Agent
IIOP | TCP | 49805 | CM Bulk Service
IIOP | TCP | 49832 | SMO and NIO: Region server ORB listener port
IIOP | TCP | 49842 | PM: PMS Region server ORB listener port
SSLIOP | TCP | 49849 | WRAN CM PMS
IIOP | TCP | 49904 | OSS FM: Alarm IRP Agent, Corba Solution Set
IIOP | TCP | 49981 | NMS connection to BCMIRP
SSLIOP | TCP | 52197 | OSS FM: Alarm IRP Agent, Corba Solution Set

Table 11 OSS Services Security Domain to OCS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
DHCP | UDP | 67 | Not needed if the following services in the firewall are enabled: DHCP
Veritas Cluster Proprietary | UDP | 1–1024 | Only needed if Veritas Cluster is used in an OSS-RC HA deployment
SNMP | UDP | 1165 | Simple Network Management Protocol for Sun Management Centre
RPC | UDP | 32768–65535 | Not needed if the following services in the firewall are enabled: NFS
IIOP | TCP | 53248–55295 | Port pool controlled by port daemon for Corba callbacks to GUIs.
RMI | TCP | 50329 | SM Logs Service
RMI | TCP | 50330 | SM Logs Service
JMS | TCP | 50331 | SM Java Message Service
JMS | TCP | 50332 | SM Java Message Service
JMS | TCP | 6161 | Apache ActiveMQ message broker
RMI | TCP | 49718 | SM server
SNMP | UDP | 50720–50739 | Server Layer of the System Monitoring application initiates session towards the Agent Layer of the System Monitoring application.
SNMP | UDP | 50740 | Default System Monitoring Application Agent port 161 shall be reconfigured to this higher port. Server Layer initiates session towards the Agent Layer.

Table 12 OSS Clients Security Domain to OCS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
HTTP | TCP | 80 | ICA browsing (1)
ICA | TCP | 1494 | Citrix ICA protocol. (2)
(1) Shall be closed in Standard and Enhanced deployment.
(2) Shall be closed in Enhanced deployment.

Table 13 OCS Access to OCS Service

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
HTTP | TCP | 80 | ICA browsing and STA traffic
ICA | TCP | 1494 | Citrix ICA protocol

Table 14 WCDMA RAN Security Domain to OCS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
HTTP | TCP | 80 | | ICA browsing (1)
ICA | TCP | 1494 | | Citrix ICA protocol
IIOP | TCP | 53248–55295 | RNC, RBS, RXI | EMAS notifications (2)
SSLIOP | TCP | 53248–55295 | RNC, RBS, RXI | EMAS notifications
(1) Only from Site LANs in WCDMA RAN
(2) Only from Network Elements in WCDMA RAN, not from Site LANs


Table 15 GSM RAN Security Domain to OCS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Originating Node | Comment
SNMP | UDP | 162 | SMPC | Alarm traps

Table 16 Core Network Security Domain to OCS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
HTTP | TCP | 80 | MGw | ICA browsing. Only from site LAN in Core
SNMP | TCP | 162 | GGSN (J20) |
SNMP | UDP | 162 | GGSN (J20) |
ICA | TCP | 1494 | MGw | Citrix ICA protocol. Only from site LAN in Core
IIOP | TCP | 53248–55295 | MGw | EMAS notifications (1)
SSLIOP | TCP | 53248–55295 | MGw | EMAS notifications (1)
SNMP | TCP | 162 | TSP based nodes | EM: NM toolbox SNMP traps (messages) from TSP to SNMP Manager. Port number is configurable in TSP
(1) Only from MGw Network Elements in Core Network, not from Site LANs

Table 17 OSS Services Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
FTP | TCP | 21 | SMO to get and send information from/to SMRS
SSH | TCP | 22 | SSH and SFTP
DNS | UDP | 53 | Domain Name System
DHCP | UDP | 67 | DHCP
NTP | UDP | 123 | Network Time Protocol
SNMP | UDP | 1165 | Simple Network Management Protocol for Sun Management Centre
NFS | TCP, UDP | 2049 | Sun Network File System. Read Section 3.4.1 on page 19 about NFS services using RPC and how different firewalls treat this dynamic service.
LDAP | TCP | 389 | Unsecure Solaris Authentication Service
TLS/SSL | TCP | 636 | Secure Solaris Authentication Service
SNMP | UDP | 50720–50739 | Server Layer of the System Monitoring application initiates session towards the Agent Layer of the System Monitoring application.
SNMP | UDP | 50740 | Default System Monitoring Agent port 161 shall be reconfigured to this higher port. Server Layer initiates session towards the Agent Layer.

Table 18 OCS Services Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
SSH | TCP | 22 | SSH and SFTP
DNS | UDP | 53 | Domain Name System
DHCP | UDP | 67 | DHCP
RPC | TCP, UDP | 111 | RPC bind to portmapper
HTTP | TCP | 80 | For obtaining SLS standalone mode credential
NTP | UDP | 123 | Network Time Protocol
HTTPS | TCP | 8443 | For obtaining SLS Network mode credential
LDAP | TCP | 389 | Unsecure Solaris Authentication Service
TLS/SSL | TCP | 636 | Secure Solaris Authentication Service


Table 19 OCS Services Security Domain to Security Administration Security


Domain
Appl. Transp. Dst Port no Comment
Protocol Protocol
SSH TCP 22 SSH access to run CAAS Admin

Table 20 OCS Services Security Domain to OSS Client Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
LPR | TCP | 515 | Print function from FM application if printer is in corporate LAN

Table 21 Security Administration Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SSH | TCP | 22 | SSH/SFTP during CAAS replication
DNS | UDP | 53 | DNS traffic
NTP | UDP | 123 | NTP traffic
NCP | TCP | 524 | Replication
SSL | TCP | 50200 | MySQL communication between DB master and DB slave
SSLIOP | TCP | 50300 | CAAS Admin to CAAS Distributor communication
LDAP | TCP | 389 | Unsecure Solaris Authentication Service
TLS/SSL | TCP | 636 | Secure Solaris Authentication Service

Table 22 OSS Client Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
HTTPS | TCP | 8443 | Allowing Browser based clients to download Stand-Alone Credentials

Table 23 SMRS Slave Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SSH | TCP | 22 | BI-SMRS slave to BI-SMRS Master
NTP | UDP | 123 | BI-SMRS slave to BI-SMRS Master

Table 24 Infrastructure Security Domain to SMRS Slave Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SSH | TCP | 22 |

Table 25 WCDMA RAN Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | RNC, RBS, RXI |
SSH | TCP | 22 | RNC, RBS, RXI, Distributed UNI-SMRS Slave | SSH and SFTP.
DNS | UDP | 53 | RNC, RBS, RXI | DNS traffic
DHCP (1) | UDP | 67 | RNC, RBS, RXI |
TFTP | UDP | 69 | RNC, RBS, RXI | Traffic to UNI-SMRS Master or UNI-SMRS Slave machine.
NTP | UDP | 123 | RNC, RBS, RXI | NTP traffic
syslog | UDP | 514 | RNC, RBS, RXI | Traffic to UNI-SMRS Master or UNI-SMRS Slave machine.
HTTPS | TCP | 8443 | RNC, RBS, RXI | SLS
HTTP/SSL | TCP | 50142 | RNC, RBS, RXI | AAQ (Authorization and authentication)
IIOP | TCP | 50210, 50213, 50216, 50219, 50222 | RNC, RBS, RXI | Callbacks to LAAD distributor
SSLIOP | TCP | 49724 | Node WCDMA RAN | Secure SSL calls to Infra

(1) DHCP requests from devices on Site LANs relayed by the WCDMA RAN NEs.

Table 26 GSM RAN Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
DNS (1) | UDP | 53 |
TFTP (2) | UDP | 69 | BSC LAN switch unsecure upgrade
NTP (1)(2) | UDP | 123 |
syslog (2) | UDP | 514 | Syslog entries

(1) Optional
(2) Only applicable if the SMRS slave domain does not exist

Table 27 GRAN Security Domain to SMRS Slave Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
FTP | TCP | 21 |
SFTP | TCP | 22 | Communication with the SMRS slave
TFTP | UDP | 69 | BSC LAN switch unsecure upgrade
NTP | UDP | 123 | GSM NE time sync towards NEDSS
syslog | UDP | 514 | Syslog entries

Table 28 Core Network Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | MGw | FTP from SMRS
SSH/SFTP | TCP | 22 | MGw | SMRS file transfer in secure mode
DNS | UDP | 53 | MGw | DNS traffic
DHCP | UDP | 67 | MGw | Site LAN DHCP traffic
NTP | UDP | 123 | | NTP traffic
HTTPS | TCP | 8443 | MGw | SLS log-in
HTTP/SSL | TCP | 50142 | MGw | AAQ (Authorization and authentication)
IIOP | TCP | 50210, 50213, 50216, 50219, 50222 | MGw | Callbacks to LAAD distributor

Table 29 Infrastructure Security Domain to Security Administration Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SSH | TCP | 22 | SSH/SFTP during CAAS replication
NCP | TCP | 524 | Replication
SSL | TCP | 50200 | MySQL communication between DB master and DB slave
LDAP | TCP | 389 | Unsecure Solaris Authentication Service
TLS/SSL | TCP | 636 | Secure Solaris Authentication Service

Table 30 OSS Client to OCS Access

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
ICA over SSL/TLS and HTTPS (1) | TCP | 443 | Both ICA and HTTP are carried within SSL/TLS.

(1) This port shall be open only in the Enhanced deployment; otherwise it is closed.

Table 31 WCDMA RAN Security to OCS Access

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
ICA over SSL/TLS and HTTPS | TCP | 443 | Both ICA and HTTP are carried within SSL/TLS

Table 32 OSS Services Security Domain to WCDMA RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | RNC, RBS, RXI | PMS and SMO/NIO
SSH/SFTP | TCP | 22 | RNC, RBS, RXI, AST-CM | Secure file transfer, secure CLI
Telnet | TCP | 23 | RNC, RBS, RXI | COLI access in case SSH is not activated
HTTP | TCP | 80 | RNC, RBS, RXI | Fetching CORBA Naming Service IOR
IIOP | TCP | 56834 | RNC, RBS, RXI | CORBA Services
SNMP | TCP | 161 | AST-CM | Site Management
RMI | TCP | 50333 | RBS | AIF Service
IIOP | TCP | 56835 | RNC, RBS, RXI | CORBA Naming Service
SSLIOP | TCP | 56836 | RNC, RBS, RXI | Secure CORBA Services

Table 33 OCS Services Security Domain to WCDMA RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | RNC, RBS, RXI | If FTP from OCS to WCDMA RAN is needed
SSH/SFTP | TCP | 22 | RNC, RBS, RXI | Secure shell/Secure file transfer. Opened in case COLI access and File transfer from AS shall be allowed.
Telnet | TCP | 23 | RNC, RBS, RXI | COLI access in case SSH is not activated. Opened in case COLI access and File transfer from AS shall be allowed
HTTP | TCP | 80 | RNC, RBS, RXI | Launching EM/Name service
IIOP | TCP | 56834 | RNC, RBS, RXI | CORBA Services
IIOP | TCP | 56835 | RNC, RBS, RXI | CORBA Naming Service
SSLIOP | TCP | 56836 | RNC, RBS, RXI | Secure CORBA Services

Table 34 Infrastructure Security Domain to WCDMA RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
SSH/SFTP | TCP | 22 | RNC, RBS, RXI | Secure shell/Secure file transfer. SMRS master server file transfer towards the Distributed SMRS.
HTTP | TCP | 80 | RNC, RBS, RXI | Fetching IOR
NTP | UDP | 123 | RNC, RBS, RXI | Not needed if the following services in the firewall are enabled: NTP
IIOP | TCP | 56834 | RNC, RBS, RXI | CORBA Services
SSLIOP | TCP | 56836 | RNC, RBS, RXI | Secure CORBA Services

Table 35 OSS Services Security Domain to GSM RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | All APG40 based nodes | FTP commands
SSH/SFTP | TCP | 22 | All APG40 based nodes, BSC LAN Switch | Secure CLI, secure file transfer
Telnet | TCP | 23 | All APG40 based nodes | CLI
SNMP | UDP | 161 | BSC LAN Switch | SNMP traps
Telnet/CP | TCP | 5000, 5001, 5010, 5100, 5101, 5111 | All APG40 based nodes | CLI for MML command session
ADH | TCP | 63001, 63002 | All APG40 based nodes | MML-interface for OSS
R-PMO | TCP | See comment | BSC | Port defined with command RRAPI and is dependent on each BSC installation.
GMLOG | TCP | See comment | BSC | Port defined with command RRAPI and is dependent on each BSC installation.
OEN | TCP | See comment | BSC | Port defined with command RRAPI and is dependent on each BSC installation.
SE Proxy | TCP | 830 | SB | Internal communication.

Table 36 OCS Services Security Domain to GSM RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | All APG40 based nodes + SMPC | FTP commands
SSH/SFTP | TCP | 22 | All APG40 based nodes + SMPC | Secure file transfer, secure CLI
Telnet | TCP | 23 | All APG40 based nodes + SMPC | CLI
SNMP | UDP | 161 | SMPC |
Telnet/CP | TCP | 5000, 5001, 5010, 5011, 5100, 5101, 5110, 5111 | All APG40 based nodes | CLI for MML command session
pcAnywhere | TCP | 5631, 5632 | All APG40 based nodes | Optional component, not delivered in OSS-RC. Used for APG system administration.
pcAnywhere | UDP | 5632 | All APG40 based nodes | Optional component, not delivered in OSS-RC. Used for APG system administration.
HTTP | TCP | 10000 | SMPC | SMPC tool
HTTPS | TCP | 10443 | SMPC | SMPC tool, secure mode
ROMT over IP | TCP | 12000-12110 | RBS |
SSH/CP | TCP | 52000, 52001, 52010, 52011, 52100, 52101, 52110, 52111 | All APG40 based nodes | Secure CLI for MML command session and secure file transfer

Table 37 OSS Services Security Domain to Core Network Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | APG40 based nodes + CGSN, SGSN, GGSN + MGw | FTP commands
SSH/SFTP | TCP | 22 | APG40 based nodes + CGSN, SGSN, GGSN + MGw | Secure CLI, secure file transfer
Telnet | TCP | 23 | APG40 based nodes + CGSN, SGSN, GGSN + MGw | CLI
HTTP | TCP | 80 | MGw | Fetching CORBA Naming Service IOR
SNMP | TCP | 161 | CGSN, SGSN (WPP based), GGSN (J20 based) |
SNMP | UDP | 161 | CGSN, SGSN (WPP based), GGSN (J20 based), NMW, IMT |
IIOP | TCP | 4001 | CGSN, SGSN (WPP based) | CORBA Services
SNMP | UDP | 4362 | AXD | SNMP port for Get and Set operations
Telnet/CP | TCP | 5000, 5001, 5010, 5100, 5101, 5111 | APG40 based nodes | CLI for MML command session
IIOP | TCP | 56834 | MGw | CORBA Services
IIOP | TCP | 56835 | MGw | CORBA Naming Services
SSLIOP | TCP | 56836 | MGw | Secure CORBA Services
ADH | TCP | 63001, 63002 | APG40 based nodes | MML-interface for OSS
Secure LDAP | TCP | 7423 | TSP based nodes | EM: NM toolbox (Provisioning)
MySQL | TCP | 3306 | TSP based nodes | EM: NM toolbox (Logging) when applicable
HTTPS | TCP | 443 | TSP based nodes | EM: NM toolbox (web server)
IIOP | TCP | 7111 | TSP based nodes | EM: NM toolbox COSNaming service
IIOP | TCP | 30360 | TSP based nodes | EM: NM toolbox CORBA Gateway (slave)
SNMP | UDP | 161 | TSP based nodes | EM: NM toolbox SNMP requests to TSP (Fault Management)
SS7/DCM | TCP | 8600 | TSP based nodes | EM: NM toolbox SS7/DCM CP Manager
SS7/DCM | TCP | 8601 | TSP based nodes | EM: NM toolbox SS7/DCM OAM
SS7/DCM | TCP | 8602 | TSP based nodes | EM: NM toolbox SS7/DCM reserved (CP Manager)
SS7/DCM | TCP | 8603 | TSP based nodes | EM: NM toolbox SS7/DCM reserved (OAM)
Diameter | TCP | 3868 | TSP based nodes | EM: NM toolbox Diameter Base Protocol. Well known port. Configurable in TSP
Diameter | TCP | 8700-8732 | TSP based nodes | EM: NM toolbox Diameter Base Protocol reserved for future use

Table 38 OCS Services Security Domain to Core Network Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | APG40 based nodes + MGw + CGSN, SGSN, GGSN | File transfer
SSH/SFTP | TCP | 22 | APG40 based nodes + MGw + CGSN, SGSN, GGSN | Secure file transfer, secure CLI
Telnet | TCP | 23 | APG40 based nodes + MGw + CGSN, SGSN, GGSN | CLI
HTTP | TCP | 80 | MGw | Launching EM
SNMP | TCP | 161 | GGSN (J20 based) |
SNMP | UDP | 161 | GGSN (J20 based) |
IIOP | TCP | 4001 | SGSN, CGSN (WPP based) | CORBA Services
Telnet/CP | TCP | 5000, 5001, 5010, 5011, 5100, 5101, 5110, 5111 | APG40 based nodes | CLI for MML command session
pcAnywhere | TCP | 5631, 5632 | APG40 based nodes | Used for APG system administration.
pcAnywhere | UDP | 5632 | APG40 based nodes | Used for APG system administration.
HTTP | TCP | 8888 | SGSN, CGSN (WPP based) | Applet launch
SSH/CP | TCP | 52000, 52001, 52010, 52011, 52100, 52101, 52110, 52111 | APG40 based nodes | Secure CLI for MML command session and secure file transfer
IIOP | TCP | 56834 | MGw | CORBA Services
IIOP | TCP | 56835 | MGw | CORBA Naming Services
SSLIOP | TCP | 56836 | MGw | Secure CORBA Services
IIOP | TCP | 53248-55295 | MGw | Port pool controlled by port daemon for CORBA callbacks to GUIs

Table 39 Infrastructure Security Domain to CORE Network Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
HTTP | TCP | 80 | RNC, RBS, RXI | Fetching IOR
IIOP | TCP | 56834 | RNC, RBS, RXI | CORBA Services
SSLIOP | TCP | 56836 | RNC, RBS, RXI | Secure CORBA Services

Table 40 OSS Service to Service Network

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
SNMP | TCP | 161 | | Alarm queries

Table 41 OSS Services to PM Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SNMP | UDP | 162 | Sun Management Centre Trap Handler
SQL | TCP | 2640 | Database access from MS
NFS | TCP, UDP | 2049 | Sun Network File System. Read Section 3.4.1 on page 19 about NFS services using RPC and how different firewalls treat this dynamic service.
SNMP | UDP | 50720-50739 | Server Layer of the System Monitoring application initiates session towards the Agent Layer of the System Monitoring application.
SNMP | UDP | 50740 | Default System Monitoring Application Agent port 161 shall be reconfigured to this higher port. Server Layer initiates session towards the Agent Layer.

Table 42 OCS Services to PM Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SSH | TCP | 22 | Admin of server ENIQS
HTTP | TCP | 80 | ENIQ web portal at server BIS
SQL | TCP | 2640, 2641 | Admin of ENIQ database and BO administration
HTTPS | TCP | 8080 | Admin of server ENIQS and ENIQ web portal at server BIS. Tomcat Connect
Proprietary | TCP | 6400 | BO - CMS Name Server Port
Proprietary | TCP | 6401 | BO - Adaptive Processing Server
Proprietary | TCP | 6402 | BO - Central Management Server
Proprietary | TCP | 6403 | BO - Input File Repository
Proprietary | TCP | 6404 | BO - Multi Dimensional Analysis Services Server
Proprietary | TCP | 6405 | BO - Output File Repository
Proprietary | TCP | 6406 | BO - Web Intelligence Processing Server
Proprietary | TCP | 6410 | BO - Server Intelligence Agent (SIA)
Proprietary | TCP | 6420 | BO - client auditing Port
Proprietary | TCP | 8443 | Tomcat Redirect
HTTPS | TCP | 443 | Secure Web Client access from WAS to the BIS

Table 43 PM Services to OSS Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SNMP | UDP | 162 | System Monitoring Application, Server layer, Trap Handler
SNMP | UDP | 163 | System Monitoring Application, Server layer, Event manager component
SNMP | UDP | 164 | System Monitoring Application, Server layer, Topology manager component
SNMP | UDP | 165 | System Monitoring Application, Server layer, Configuration manager component
SNMP | UDP | 166 | System Monitoring Application, Server layer, Platform component
SNMP | UDP | 167 | System Monitoring Application, Advanced System Monitoring Add-on layer, System event and configuration tracking component (cstservice)
SNMP | UDP | 168 | System Monitoring Application, Server layer, Agent information caching component (Metadata)
SSH/NFS | TCP | 22 | NFS through SSH
SQL | TCP | 5025 | Access of PM data at MS
NFS | TCP, UDP | 2049 | Sun Network File System. Read Section 3.4.1 on page 19 about NFS services using RPC and how different firewalls treat this dynamic service.
SNMP | UDP | 50600-50719 | Agent Layer of the System Monitoring application initiates session towards the Server Layer of the System Monitoring application.

Table 44 PM Services to INF

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
DNS | UDP | 53 | DNS requests
NTP | UDP | 123 | NTP requests

Table 45 NMS to PM Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SQL | TCP | 2640 | ENIQ external SQL interface

Table 46 OSS to Security Administration

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SNMP | UDP | 1165 | Simple Network Management Protocol for Sun Management Centre
SSLIOP | TCP | 50250-50251 | CAAS and NEDP CORBA Callbacks

Table 47 LTE RAN to OSS Services

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
IIOP | TCP | 49260 | eNodeB (1) | Cello NE to SMO callbacks.
SSLIOP | TCP | 49265 | eNodeB (1) | Secure Cello NE -> SMO callbacks.
SSLIOP | TCP | 50335 | eNodeB | NE to Cabinet Viewer Callbacks (secure)
IIOP | TCP | 50336 | eNodeB | NE to Cabinet Viewer callbacks (unsecure)
IIOP | TCP | 50340 | eNodeB | LTE RAN Node Discovery (unsecure)
SSLIOP | TCP | 50341 | eNodeB | LTE RAN Node Discovery (secure)
IIOP | TCP | 49851 | RBS | NE to CMS callbacks (unsecure)
SSLIOP | TCP | 49853 | RBS | NE to CMS callbacks (secure)
IIOP | TCP | 49920, 49923, 49926, 49929, 49932, 49935, 49938, 49941, 49944, 49947, 49950, 49953, 49956, 49959, 49962, 49965, 49968, 49971, 49974, 49977 | RBS | NE to FM/CIRPMAN callbacks (unsecure)
SSLIOP | TCP | 49922, 49925, 49928, 49931, 49934, 49937, 49940, 49943, 49946, 49949, 49952, 49955, 49958, 49961, 49964, 49967, 49970, 49973, 49976, 49979 | RBS | NE to FM/CIRPMAN callbacks (secure)
IIOP | TCP | 50073 | eRBS | CORBA South Bound Naming Service
SSLIOP | TCP | 50349, 50353, 50357, 50361, 50365, 50369, 50373, 50377, 50381, 50385, 50389, 50393, 50397, 50401, 50405 | eRBS | Secure NE callbacks from LRAN RBS (ssliop)
Disabled-IIOP | TCP | 50350, 50354, 50358, 50362, 50366, 50370, 50374, 50378, 50382, 50386, 50390, 50394, 50398, 50402, 50406 | eRBS | Secure NE callbacks from LRAN RBS (disabled iiop)
IIOP | TCP | 50351, 50355, 50359, 50363, 50367, 50371, 50375, 50379, 50383, 50387, 50391, 50395, 50399, 50403, 50407 | eRBS | Unsecure NE callbacks from LRAN RBS (iiop)

(1) Only from Network Elements in LTE RAN, not from Site LANs

Table 48 OSS Services Security Domain to LTE RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | LTE RBS | PMS and SMO/NIO
SSH/SFTP | TCP | 22 | LTE RBS | Secure file transfer, secure CLI
Telnet | TCP | 23 | LTE RBS | COLI access in case SSH is not activated
HTTP | TCP | 80 | LTE RBS | Fetching CORBA Naming Service IOR
IIOP | TCP | 56834 | LTE RBS | CORBA Services
SNMP | TCP | 161 | LTE RBS | Site Management
IIOP | TCP | 56835 | LTE RBS | CORBA Naming Service
SSLIOP | TCP | 56836 | LTE RBS | Secure CORBA Services

Table 49 OCS Services Security Domain to LTE RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | LTE RBS | If FTP from OCS to LTE RAN is needed
SSH/SFTP | TCP | 22 | LTE RBS | Secure shell/Secure file transfer. Opened in case COLI access and File transfer from AS shall be allowed.
Telnet | TCP | 23 | LTE RBS | COLI access in case SSH is not activated. Opened in case COLI access and File transfer from AS shall be allowed
HTTP | TCP | 80 | LTE RBS | Launching EM/Name service
IIOP | TCP | 56834 | LTE RBS | CORBA Services
IIOP | TCP | 56835 | LTE RBS | CORBA Naming Service
SSLIOP | TCP | 56836 | LTE RBS | Secure CORBA Services

Table 50 Infrastructure Security Domain to LTE RAN Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Destination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
SSH/SFTP | TCP | 22 | LTE RBS | Secure shell/Secure file transfer. SMRS master server file transfer towards the Distributed SMRS.
HTTP | TCP | 80 | LTE RBS | Fetching IOR
NTP | UDP | 123 | LTE RBS | Not needed if the following services in the firewall are enabled: NTP
IIOP | TCP | 56834 | LTE RBS | CORBA Services
SSLIOP | TCP | 56836 | LTE RBS | Secure CORBA Services

Table 51 LTE RAN Security Domain to OCS Services Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
HTTP (1) | TCP | 80 | | ICA browsing
ICA | TCP | 1494 | | Citrix ICA protocol
IIOP | TCP | 53248-55295 | LTE RBS | EMAS notifications
SSLIOP (2) | TCP | 53248-55295 | LTE RBS | EMAS notifications

(1) Only from Site LANs in LTE RAN
(2) Only from Network Elements in LTE RAN, not from Site LANs

Table 52 LTE RAN Security Domain to Infrastructure Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Origination Node | Comment
-------------- | ---------------- | ----------- | ---------------- | -------
FTP | TCP | 21 | LTE RBS |
SSH | TCP | 22 | LTE RBS | SSH and SFTP.
DNS | UDP | 53 | LTE RBS | DNS traffic
DHCP (1) | UDP | 67 | LTE RBS |
TFTP | UDP | 69 | LTE RBS | Traffic to UNI-SMRS Master or UNI-SMRS Slave machine.
NTP | UDP | 123 | LTE RBS | NTP traffic
syslog | UDP | 514 | LTE RBS | Traffic to UNI-SMRS Master or UNI-SMRS Slave machine.
HTTPS | TCP | 8443 | LTE RBS | SLS
HTTP/SSL | TCP | 50142 | LTE RBS | AAQ (Authorization and authentication)
IIOP | TCP | 50210, 50213, 50216, 50219, 50222 | LTE RBS | Callbacks to LAAD distributor
SSLIOP | TCP | 49724 | LTE RBS | Secure SSL calls
HTTP | TCP | 8081 | LTE RBS | SCEP over HTTP used for certificate enrollment

(1) DHCP requests from devices on Site LANs relayed by the LTE RAN NEs.

Table 53 LTE RAN Security to OCS Access

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
ICA over SSL/TLS and HTTPS | TCP | 443 | Both ICA and HTTP are carried within SSL/TLS

Table 54 LTE RAN Security Domain to SMRS Slave Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
FTP | TCP | 21 | Communication with the SMRS slave
SSH/SFTP | TCP | 22 | Communication with the SMRS slave
NTP | UDP | 123 | NE time sync towards NEDSS

Table 55 From OCS Services To M@H Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
Clavister proprietary | TCP | 9000 | InControl Client/Server communication

Table 56 From M@H Services To OCS Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
Clavister proprietary | TCP | 9000 | InControl Client/Server communication

Table 57 From M@H Services To M@H RAN

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
Clavister proprietary | TCP | 999 | InControl Server/SEGW communication

Table 58 From M@H RAN to M@H Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
Clavister proprietary | TCP | 999 | InControl Server/SEGW communication

Table 59 From OSS Services to OSS Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SNMP | UDP | 162 | System Monitoring Application, Server layer, Trap Handler
SNMP | UDP | 163 | System Monitoring Application, Server layer, Event manager component
SNMP | UDP | 164 | System Monitoring Application, Server layer, Topology manager component
SNMP | UDP | 165 | System Monitoring Application, Server layer, Configuration manager component
SNMP | UDP | 166 | System Monitoring Application, Server layer, Platform component
SNMP | UDP | 167 | System Monitoring Application, Advanced System Monitoring Add-on layer, System event and configuration tracking component (cstservice)
SNMP | UDP | 168 | System Monitoring Application, Server layer, Agent information caching component (Metadata)
HTTP | TCP | 50500 | Java App Server - Admin HTTP
HTTPS | TCP | 50501 | Java App Server - JMS Broker
HTTP | TCP | 50502 | Java App Server - JMX Interface
IIOP | TCP | 50503 | Java App Server - P2P HTTP
IIOP | TCP | 50504 | Java App Server - P2P HTTPS
IIOP | TCP | 50505 | Java App Server - IIOP (unsecure)
JMS | TCP | 50506 | Java App Server - IIOP (secure)
EJB RMI | TCP | 50507 | Java App Server - IIOP (mutual auth)
JMS | TCP | 50508 | Java App Server - JMS Service
SNMP | UDP | 50600-50719 | Agent Layer of the System Monitoring application initiates session towards the Server Layer of the System Monitoring application.
IIOP | TCP | 12468 | AC NameService Connection
IIOP | TCP | 50352, 50356, 50360, 50364, 50368, 50372, 50376, 50380, 50384, 50388, 50392, 50396, 50400, 50404, 50408 | MS internal CORBA traffic

Table 60 WCDMA RAN Security Domain to SMRS Slave Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
FTP | TCP | 21 | Communication with the SMRS slave
SSH/SFTP | TCP | 22 | Communication with the SMRS slave
NTP | UDP | 123 | NE time sync towards NEDSS

Table 61 Core Network Security Domain to SMRS Slave Security Domain

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
FTP | TCP | 21 |
SFTP | TCP | 22 | Communication with the SMRS slave
NTP | UDP | 123 | CORE NE time sync towards NEDSS

The following tables apply only to x86 Blade servers.

Table 62 From OSS Services to OSS Storage

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SSH/SFTP | TCP | 22 | Secure shell/Secure file transfer
NFS | TCP, UDP | 2049 | Sun Network File System. Read Section 3.4.1 on page 19 about NFS services using RPC and how different firewalls treat this dynamic service.

Table 63 From PM Services to OSS Storage

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
SSH/SFTP | TCP | 22 | Secure shell/Secure file transfer
NFS | TCP, UDP | 2049 | Sun Network File System. Read Section 3.4.1 on page 19 about NFS services using RPC and how different firewalls treat this dynamic service.

Table 64 From OSS Storage to Infra Services

Appl. Protocol | Transp. Protocol | Dst Port no | Comment
-------------- | ---------------- | ----------- | -------
NTP | UDP | 123 |
SNMP | UDP | 161 |
SNMP | UDP | 162 |

Note: The SNMP ports only need to be opened if a monitoring service is deployed on the network.
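The connectivity matrix above is a default-deny rule set keyed on source domain, destination domain, transport and destination port. The following is an added example, not part of the Ericsson document: it models a few rows transcribed from Tables 17, 18 and 51 and answers whether a given flow is permitted; the domain labels, the flow tuples and the list of cleartext management protocols are the example's own assumptions.

```python
"""Evaluate flows against a COMInf-style firewall connectivity matrix.

Added example, not from the Ericsson document. Rows are transcribed from
Tables 17, 18 and 51 above; the domain labels and sample flows are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def parse_ports(spec: str) -> FrozenSet[int]:
    """Expand a 'Dst Port no' cell: '22', '2640, 2641' or '50720-50739'."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        ports.update(range(int(lo), int(hi) + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class Rule:
    src: str                    # source security domain
    dst: str                    # destination security domain
    app: str                    # 'Appl. Protocol' column
    transports: FrozenSet[str]  # {'TCP'}, {'UDP'} or both
    ports: FrozenSet[int]       # expanded 'Dst Port no' column
    comment: str = ""


def rule(src: str, dst: str, app: str, transport: str, ports: str, comment: str = "") -> Rule:
    transports = frozenset(t.strip().upper() for t in transport.split(","))
    return Rule(src, dst, app, transports, parse_ports(ports), comment)


# Constructed matrix: a handful of rows from the tables above.
MATRIX: List[Rule] = [
    # Table 17: OSS Services -> Infrastructure
    rule("OSS Services", "Infrastructure", "SSH", "TCP", "22", "SSH and SFTP"),
    rule("OSS Services", "Infrastructure", "DNS", "UDP", "53", "Domain Name System"),
    rule("OSS Services", "Infrastructure", "NFS", "TCP,UDP", "2049"),
    rule("OSS Services", "Infrastructure", "LDAP", "TCP", "389", "Unsecure Solaris Authentication Service"),
    rule("OSS Services", "Infrastructure", "TLS/SSL", "TCP", "636", "Secure Solaris Authentication Service"),
    rule("OSS Services", "Infrastructure", "SNMP", "UDP", "50720-50739", "System Monitoring, server to agent"),
    # Table 18: OCS Services -> Infrastructure
    rule("OCS Services", "Infrastructure", "RPC", "TCP,UDP", "111", "RPC bind to portmapper"),
    rule("OCS Services", "Infrastructure", "HTTPS", "TCP", "8443", "SLS Network mode credential"),
    # Table 51: LTE RAN -> OCS Services
    rule("LTE RAN", "OCS Services", "IIOP", "TCP", "53248-55295", "EMAS notifications"),
]


def match(src: str, dst: str, transport: str, dport: int, matrix: List[Rule] = MATRIX) -> Optional[Rule]:
    """Return the first row permitting the flow, or None (default deny).

    Direction matters: a row for A -> B says nothing about B -> A, which is
    why the document carries separate tables for each direction.
    """
    t = transport.upper()
    for r in matrix:
        if r.src == src and r.dst == dst and t in r.transports and dport in r.ports:
            return r
    return None


# Management protocols without transport protection (assumed list). The
# tables mark LDAP/389 'Unsecure' beside its TLS/636 counterpart; the others
# are the well-known cleartext services that appear in the matrix.
CLEARTEXT_APPS = {"FTP", "TELNET", "TFTP", "HTTP", "LDAP", "SNMP", "SYSLOG"}


def cleartext_rows(matrix: List[Rule] = MATRIX) -> List[Rule]:
    """Rows an operator would review first when hardening the matrix."""
    flagged = []
    for r in matrix:
        name = r.app.upper()
        if name.split("/")[0] in CLEARTEXT_APPS and "SSL" not in name and "TLS" not in name:
            flagged.append(r)
    return flagged
```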

3.4.2 Ephemeral Ranges

Ephemeral ports, also called dynamic ports, are ports handed out by a computer's
Operating System to an application, client or server that needs a port but does
not care which port number it uses. An example is a callback port, where the
dynamic port number is sent to the peer over a previously established
connection. The ephemeral port range differs between machine types and
configurations.

3.4.2.1 OSS

The table below specifies the ephemeral port range for the different OSS
machines.

Table 65 Ephemeral Port Range for the Different OSS Machines

Domain | Machine | Ephemeral Port Range
------ | ------- | --------------------
OCS | UAS | TCP: 12470–49151 (1); UDP: OS default settings (1)
OCS | WAS, OIS/WAS | TCP: 12470–49151 (1); UDP: OS default settings (1)
OSS | Master Server | TCP: 12470–49151 (1); UDP: OS default settings (1)
OSS | Other OSS Servers | TCP: OS default settings (1); UDP: OS default settings (1)
COMInf | O&M Infra Servers | TCP: OS default settings (1); UDP: OS default settings (1)

(1) Default Solaris is 53248–65535

Changing dynamic ports in Windows 2008 computers is done manually. This is
described in OCS Windows Servers, Reference [7].

The implementation of changing dynamic port numbers in Solaris machines
is performed using the Solaris 10 Service Management Facility, SMF. The
SMF scripts are installed under /ericsson/dynport/. They are named
dynport.rc and dynport.xml.
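The callback pattern in Section 3.4.2 is why a machine's ephemeral range and the firewall rule that admits callbacks to it have to agree. The block below is an added example, not part of the Ericsson document: it simulates the in-band hand-off of a dynamic port and measures how many callbacks a rule sized for the configured 12470–49151 range would still admit if a machine were left at the Solaris default of Table 65; the firewall rule itself is constructed for the demonstration.

```python
"""Ephemeral range versus firewall callback rule (Section 3.4.2, Table 65).

Added example, not from the Ericsson document. The two ranges are taken
from Table 65 and its footnote; CALLBACK_RULE is a constructed firewall
rule, not one from the connectivity matrix.
"""
import random
from typing import Tuple

Range = Tuple[int, int]  # inclusive (low, high)

UAS_TCP_EPHEMERAL: Range = (12470, 49151)  # OCS UAS/WAS and OSS Master Server, Table 65
SOLARIS_DEFAULT: Range = (53248, 65535)    # footnote (1) of Table 65

# Constructed rule: the firewall admits callbacks only on the range the OSS
# machines are configured to hand out.
CALLBACK_RULE: Range = UAS_TCP_EPHEMERAL


def uncovered(ephemeral: Range, allowed: Range) -> int:
    """Number of ports the OS may hand out that the firewall rule does not permit."""
    lo, hi = ephemeral
    alo, ahi = allowed
    covered = max(0, min(hi, ahi) - max(lo, alo) + 1)
    return (hi - lo + 1) - covered


def callback_admitted(ephemeral: Range, allowed: Range, rng: random.Random) -> bool:
    """One callback round.

    The server's OS picks a dynamic port, the port number travels to the
    peer over the already-open control connection (for CORBA, inside the
    object reference), and the peer then opens a new connection to it. The
    firewall only sees that new connection's destination port.
    """
    port = rng.randint(*ephemeral)   # dynamic port chosen by the OS
    advertised = port                # sent in-band to the peer
    return allowed[0] <= advertised <= allowed[1]


def admission_rate(ephemeral: Range, allowed: Range, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of simulated callbacks that pass the firewall rule."""
    rng = random.Random(seed)
    admitted = sum(callback_admitted(ephemeral, allowed, rng) for _ in range(trials))
    return admitted / trials
```

A range left at the Solaris default is disjoint from the constructed rule, so every callback from such a machine is dropped silently; the SMF-based change described above is what keeps the two aligned.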

3.4.3 Additional Firewall Router Configuration


In addition to the configuration information supplied in the connectivity matrix
(see Table 1 and Table 2) the Firewall Router requires the following additional
configuration:

• DHCP Relay. The Solaris Application Servers are located in the OCS
Services Security domain and are installed using the Sun jump-start
procedure. This procedure requires the Solaris servers to use DHCP when
booting during installation. As a result, the Firewall Router needs to be
configured as a DHCP Relay, relaying DHCP messages from the OCS
Services Security domain. The DHCP server (for Solaris jump-starting)
is the Management Work Station (MWS) in the OSS Services Security
domain. The firewall configuration matrix also allows DHCP from the OCS
Services to the OSS Services Security domains. NEDSS, OMSAS and
O&M Services are installed on x86 hardware using the Sun jump-start
procedure. This procedure requires that DHCP relay be temporarily
allowed between OSS Security domain and SMRS Slave Security domain
(for NEDSS) or Security Administration domain (for OMSAS) or O&M
Infrastructure Security domain, as MWS has to be used as DHCP server
for this type of installation.


• TCP Connection Timeout. Set the TCP idle timeout parameter in the
firewall to 65 minutes.

Some of the TCP connections passing through the firewall are long-lived.
Without traffic, long delays may occur and as a result the firewall may
mistakenly consider these connections abandoned (for example, for
CORBA connections from the Master Server to the Network Elements).
The OSS is configured to have a maximum idle time for TCP connections
set to 60 minutes. The firewall must not drop idle connections that long.

3.5 O&M Router


The purpose of the O&M Router is to connect the managed network or networks
to the OSS. It is connected in two directions, towards the OSS and towards the
managed networks. Towards the OSS it is connected to the Firewall Router.
Towards the managed networks it can be connected through a variety of link
technologies.

The O&M Router is a general device for connecting managed networks to the
OSS. The router model Ericsson recommends can be equipped with a rich
selection of link layer interfaces. For GSM RAN and Core Network, the link
layer used is not defined. WCDMA RANs, on the other hand, have well-defined
transport networks. A WCDMA RAN is connected to OSS using an ATM or
Ethernet network.

3.5.1 Considerations for WCDMA RAN


Connecting a WCDMA RAN to the O&M Router requires special handling.
Security configuration in the Firewall Router needs to be complemented with
access restrictions in the O&M router. These access restrictions must allow
nodes on all WCDMA RAN site LANs to access the OCS Services VLAN
(through the Firewall Router). The access restrictions should also stop access
from any RBS, RNC, RANAG or site LAN to any other RBS, RNC, RANAG or
site LANs. This is important to stop an attacker at a WCDMA RAN site LAN
from attacking other nodes in the WCDMA RAN.

Note: These access restrictions cannot stop an attack mounted from an RBS
or RNC site LAN and targeting the local RBS or RNC.

3.5.2 Considerations for LTE RAN


Connecting an LTE RAN to the O&M Router requires special handling. Security
configuration in the Firewall Router needs to be complemented with access
restrictions in the O&M router. These access restrictions must allow nodes on
all LTE RAN site LANs to access the OCS Services VLAN (through the Firewall
Router). The access restrictions should also stop access from any RBS or site
LAN to any other RBS or site LANs. This is important to stop an attacker at a
LTE RAN site LAN from attacking other nodes in the LTE RAN.
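The access restrictions described in Section 3.5.1 and Section 3.5.2 are the same policy applied to two kinds of site LAN: every site LAN may reach the OCS Services VLAN, and no site LAN may reach another site LAN. The Python example below models that policy as an ordered access list and checks it. It is added here for illustration and is not part of the original document or of Ericsson's router configuration; the prefixes (10.0.10.0/24 for the OCS Services VLAN, 10.128.x.0/24 for the site LANs), first-match evaluation and the final default deny are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
Rule = Tuple[str, IPNet, IPNet]   # (action, source prefix, destination prefix)
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample addressing; not taken from the document.
OCS_SERVICES_VLAN: IPNet = ipaddress.ip_network("10.0.10.0/24")
SITE_LANS: List[IPNet] = [
    ipaddress.ip_network("10.128.1.0/24"),   # site A: RNC and RBS site LAN
    ipaddress.ip_network("10.128.2.0/24"),   # site B
    ipaddress.ip_network("10.128.3.0/24"),   # site C
]


def build_site_acl(sites: List[IPNet], ocs_vlan: IPNet) -> List[Rule]:
    """Build an ordered, first-match access list for the O&M Router:
    permit each site LAN to the OCS Services VLAN, deny every site LAN to
    every other site LAN, then (assumption) deny everything else."""
    acl: List[Rule] = []
    for site in sites:
        acl.append(("permit", site, ocs_vlan))
    for src in sites:
        for dst in sites:
            if src != dst:
                acl.append(("deny", src, dst))
    acl.append(("deny", ANY, ANY))
    return acl


def site_of(addr: ipaddress.IPv4Address, sites: List[IPNet]) -> Optional[IPNet]:
    for site in sites:
        if addr in site:
            return site
    return None


def evaluate(acl: List[Rule], sites: List[IPNet], src: str, dst: str) -> str:
    """Return 'permit', 'deny', or 'not-filtered'. Traffic that stays inside
    one site LAN never crosses the O&M Router, so the ACL cannot see it;
    this is the case the Note in Section 3.5.1 warns about."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    site = site_of(s, sites)
    if site is not None and d in site:
        return "not-filtered"
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def verify_policy(acl: List[Rule], sites: List[IPNet], ocs_vlan: IPNet) -> List[str]:
    """Sweep every site: it must reach the OCS Services VLAN and must not
    reach any other site. Returns a list of policy violations (empty = OK)."""
    problems: List[str] = []
    ocs_probe = str(ocs_vlan.network_address + 10)
    for src in sites:
        src_probe = str(src.network_address + 10)
        if evaluate(acl, sites, src_probe, ocs_probe) != "permit":
            problems.append(f"{src} cannot reach OCS Services VLAN {ocs_vlan}")
        for dst in sites:
            if dst != src and evaluate(acl, sites, src_probe, str(dst.network_address + 10)) != "deny":
                problems.append(f"{src} can reach site LAN {dst}")
    return problems


if __name__ == "__main__":
    acl = build_site_acl(SITE_LANS, OCS_SERVICES_VLAN)
    for action, a, b in acl:
        print(f"{action:6} {a} -> {b}")
    print("violations:", verify_policy(acl, SITE_LANS, OCS_SERVICES_VLAN))
```

verify_policy is the useful part: run it against the rule list actually loaded on the router (after translating it into the same tuple form) and a broad permit placed above the site-to-site denies shows up immediately as a list of site pairs that can reach each other.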


3.6 COMInf Services and Redundancy


COMInf provides redundancy for the following services: DNS, SLS and LDAP.
For AS and SMRS, redundancy is possible when installing more than one
server.

The Network Switch, Firewall Router and O&M Router are not redundant.

3.7 IP Multipath Facility


The IP Multipath (IPMP) facility provides failover for the IP interface on the
Master Server. To configure IPMP two network connections, from the switch
to the Master Server, and three IP addresses on the OSS Services VLAN
are required: the first on the primary interface, the second on the secondary
interface, and the third IP address as a virtual device on the primary interface.
All IP addresses have to be in the same subnet. An additional cable from the
COMInf network is required, because the second Network Interface Card (NIC)
needs a connection to the router/switch (second NIC is for IPMP).
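The three-address layout described above can be checked before the Master Server is configured. The Python example below is added for illustration and is not part of the original document or of the OSS installation procedure; it assumes the Solaris 10 legacy IPMP syntax for /etc/hostname.<interface> files, with the data address on the primary physical interface, a test address on each physical interface marked deprecated -failover, and the primary interface's test address as the virtual (addif) interface. The interface names bge0 and bge1, the group name ipmp0 and all addresses are constructed.

```python
import ipaddress
from typing import Dict


def plan_ipmp(primary_if: str, secondary_if: str, group: str,
              data_addr: str, test_addr_primary: str, test_addr_secondary: str,
              netmask: str) -> Dict[str, str]:
    """Validate the three IPMP addresses and return the contents of the two
    Solaris 10 /etc/hostname.<if> files (assumed legacy IPMP syntax).

    Checks enforced, matching the requirement that all addresses share one
    subnet on the OSS Services VLAN: three distinct addresses, all inside
    the subnet given by netmask, none equal to the network or broadcast
    address."""
    net = ipaddress.ip_network(f"{data_addr}/{netmask}", strict=False)
    addrs = {
        "data": ipaddress.ip_address(data_addr),
        "test-primary": ipaddress.ip_address(test_addr_primary),
        "test-secondary": ipaddress.ip_address(test_addr_secondary),
    }
    if len(set(addrs.values())) != 3:
        raise ValueError("the three IPMP addresses must be distinct")
    for name, addr in addrs.items():
        if addr not in net:
            raise ValueError(f"{name} address {addr} is outside subnet {net}")
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{name} address {addr} is the network or broadcast address")

    return {
        # Primary NIC: data address (fails over), plus the test address as a
        # logical interface that stays put and is not used for application traffic.
        f"/etc/hostname.{primary_if}": (
            f"{data_addr} netmask {netmask} broadcast + group {group} up "
            f"addif {test_addr_primary} netmask {netmask} broadcast + deprecated -failover up"
        ),
        # Secondary NIC (the extra cable to the switch): test address only.
        f"/etc/hostname.{secondary_if}": (
            f"{test_addr_secondary} netmask {netmask} broadcast + group {group} deprecated -failover up"
        ),
    }


def is_valid_ipmp_plan(*args: str) -> bool:
    """True if plan_ipmp accepts the addresses, False if it rejects them."""
    try:
        plan_ipmp(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values.
    for path, content in plan_ipmp("bge0", "bge1", "ipmp0",
                                   "10.0.1.10", "10.0.1.11", "10.0.1.12",
                                   "255.255.255.0").items():
        print(path)
        print("  " + content)
```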


4 COMInf X.25 Network Architecture

Traditionally, the communication between the OSS and the AXE Network
Elements is realized using X.25 instead of IP. In particular, the OSS Master
Server has an X.25 interface and communicates with the IOG11 or IOG20
frontend processors of the AXE nodes (AXE nodes are part of the GSM RAN
and Core Network).

Figure 9 shows two ways in which the OSS Master Server connects to X.25
devices:

• The first alternative is the traditional implementation of X.25, using a
native X.25 network, represented by the lower line in Figure 9.

• The second alternative is a modern method that tunnels X.25 over an IP
network. Using a router capable of tunneling X.25 over IP, the X.25 traffic is
encapsulated in TCP packets. These packets are routed in the IP network
to GSM RAN sites containing BSCs. Another router decapsulates the X.25
packets, sending them to the IOG interface of the AXE. This is represented
by the upper line in Figure 9.

[Figure: Network Infrastructure (Network Switch, Firewall/Router, O&M Router),
OSS Services (Master Server, X.25 O&M Router) and Managed Networks;
image COMInf_X25_Overview_B]

Figure 9 X.25 Network Infrastructure for COMInf

Both the native X.25 network transport and the X.25 over TCP/IP transport
methods are described in Section 5.4 on page 89.


5 Interfacing to the Managed Networks

This chapter describes how the COMInf network connects to the managed
networks. The four types of managed network (WCDMA RAN, GSM RAN,
Core Network, Service Network) connect using a variety of technologies.
Some managed networks, such as the WCDMA RAN or the Service Network,
employ well-defined connection methods. Others, such as GSM RAN or Core
Network, offer more flexibility in terms of connection methods.

5.1 Interfacing to WCDMA RAN


The COMInf IP network connects to the WCDMA RAN through the O&M Router.
This translates between the IP-over-Ethernet of COMInf and the IP-over-ATM
of the WCDMA RAN and also allows for IP over Ethernet in the WCDMA RAN
O&M transport network. This is shown in Figure 10. The O&M router also takes
part in the COMInf firewall function, see Section 3.5 on page 82.

[Figure: Network Infrastructure (Network Switch, Firewall/Router, O&M Router),
OSS and Services nodes connected by IP over Ethernet, O&M Router connected by
IP over ATM to the WCDMA Radio Access Network; image Connecting_to_WRAN_A]

Figure 10 Interfacing COMInf to WCDMA RAN

Despite belonging to COMInf, the O&M Router performs certain tasks that are
only relevant for the WCDMA RAN and not for COMInf. For example, the router
performs WCDMA RAN routing (when IP routing protocols are used in the
WCDMA RAN). Routing between the O&M Router and the RNCs is done using
the Open Shortest Path First (OSPF) routing protocol.


5.2 IP Interfacing to GSM RAN


The COMInf IP network does not employ a well-defined interface to the GSM
RAN. Typically, COMInf uses Ethernet or a Wide Area Network (WAN) link
technology, like Frame Relay or ATM, to connect to a transport network. The
transport network is then connected to the GSM RAN sites. When connecting
to WAN links, COMInf typically uses the O&M Router. If connecting to GSM
RAN using Ethernet, the O&M router may be bypassed and the Ethernet
connection is made directly to the Firewall Router. In Figure 11, two examples
are given. The uppermost uses some WAN link to connect to a transport
network, which in turn is connected to the GSM RAN sites. The lowermost
example uses Ethernet, directly connected to the Firewall Router. The Firewall
Router acts both as a firewall and as a router.

[Figure: Network Infrastructure (Network Switch, Firewall/Router, O&M Router)
and OSS and Services nodes; upper path: O&M Router, IP over WAN, Transport
Network, GSM RAN sites (...); lower path: IP over Ethernet from the Firewall/Router
directly to a GSM RAN site; image Connecting_to_GRAN_B]

Figure 11 IP Interfacing COMInf to GSM RAN

There are two types of IP nodes in GSM RAN. BSCs are AXE nodes and can
have several IP interfaces each. Most notably, the APG40 frontend processors
are connected to the OSS using IP.

The other type of node is the SMPC. It is based on Solaris and connects
to the OSS using IP.

5.3 IP Interfacing to LTE RAN


The COMInf IP Network uses Ethernet over IP (EoIP) as the interface to LTE
RAN, because Carrier Ethernet will be used as the LTE mobile backbone.


Figure 12 IP Interfacing COMInf to LTE RAN

LTE RAN has only one type of node: LTE RBSes.

5.4 X.25 Interfacing to GSM RAN


The COMInf X.25 network can be connected to the GSM RAN X.25 network in
several ways; two of these methods are described in this chapter.

5.4.1 Native X.25 Network Transport


The first connection method is shown in Figure 13. This method is used when
there is an existing X.25 network available, connecting the OSS to the AXE
Network Elements. IP communication between OSS and the AXE nodes
is not supported with this configuration. Using a native X.25 network is not
recommended for new installations.


[Figure: Network Infrastructure; OSS Services (Master Server) connected by
X.25 over LAPB to the X.25 Network, which connects to the GSM RAN sites (...);
image X25_Connecting_to_GRAN_B]

Figure 13 X.25 Interfacing COMInf to GSM RAN

The OSS Master Server is equipped with an X.25 interface card. This interface
is connected to an X.25 network, to which the AXE IOGs are connected.

5.4.2 X.25 over IP Transport

The second connection method is shown in Figure 14. This method is
recommended for new installations. Using this method, no dedicated X.25
network needs to be built. Instead, X.25 is tunneled over TCP/IP.


[Figure: Network Infrastructure (Network Switch, Firewall/Router, O&M Router,
Transport Network); OSS Services VLAN with the Master Server connected to the
X.25 O&M Router by X.25 over LAPB or X.25 over Ethernet; X.25 over TCP (XOT)
from the X.25 O&M Router through the Firewall/Router and the Transport Network
to the GSM RAN sites (...); at each site a site X.25 O&M Router connected by
X.25 over LAPB to the BSC with IOG; image XOT_Connecting_to_GRAN_B]

Figure 14 X.25 over TCP Connecting to GSM RAN

The OSS Master Server is connected to an X.25 O&M Router, either through
a LAPB link or using X.25 over Ethernet. The X.25 O&M Router converts the
data stream to X.25 over TCP (XOT), that is, X.25 is tunneled over TCP. The
X.25 data is carried through the Firewall Router to the IP transport network.
The traffic goes through the transport network until it enters a GSM RAN site,
where it contacts a site X.25 O&M Router. Here the X.25 traffic exits the tunnel
and is carried over a LAPB link to the AXE's IOG.
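The tunnel described above carries whole X.25 packets inside a TCP byte stream, so the receiving router has to recover packet boundaries itself. The Python example below shows that framing and the parsing of a stream that arrives in arbitrary TCP chunks. It is added for illustration and is not part of the original document or of the X.25 O&M Router software; it assumes the XOT framing of RFC 1613 (a 4-octet header with a version field of 0 and the X.25 packet length, carried over TCP port 1998), which the document does not name, and the X.25 packets are constructed samples.

```python
import struct
from typing import List, Tuple

# XOT (RFC 1613) framing, assumed here since the document names no RFC:
# each X.25 packet is preceded by a 4-octet header of two 16-bit fields,
# version (always 0) and the length of the X.25 packet that follows.
XOT_TCP_PORT = 1998
XOT_VERSION = 0
XOT_HEADER = struct.Struct("!HH")


def xot_encapsulate(x25_packet: bytes) -> bytes:
    """Wrap one X.25 packet for transmission over the TCP tunnel."""
    if not 1 <= len(x25_packet) <= 0xFFFF:
        raise ValueError("X.25 packet length must fit the 16-bit XOT length field")
    return XOT_HEADER.pack(XOT_VERSION, len(x25_packet)) + x25_packet


def xot_decapsulate(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Extract every complete X.25 packet from a TCP byte stream.

    TCP has no record boundaries, so a packet may be split across reads or
    several packets may arrive in one read. The unconsumed tail is returned
    so the caller can prepend it to the next read."""
    packets: List[bytes] = []
    while len(stream) >= XOT_HEADER.size:
        version, length = XOT_HEADER.unpack_from(stream)
        if version != XOT_VERSION:
            raise ValueError(f"unexpected XOT version {version}")
        if length == 0:
            raise ValueError("zero-length XOT frame")
        end = XOT_HEADER.size + length
        if len(stream) < end:
            break                      # wait for the rest of this packet
        packets.append(stream[XOT_HEADER.size:end])
        stream = stream[end:]
    return packets, stream


def x25_packet_kind(pkt: bytes) -> str:
    """Classify an X.25 packet from its packet type identifier (third octet).
    Data packets have bit 0 of that octet clear; control packets have it set."""
    if len(pkt) < 3:
        return "short"
    if pkt[2] & 0x01 == 0:
        return "data"
    return {0x0B: "call-request", 0x0F: "call-accepted",
            0x13: "clear-request", 0x17: "clear-confirmation"}.get(pkt[2], "other")


# Constructed sample packets: GFI for modulo-8 sequencing (0x10), logical channel 1.
CALL_REQUEST = bytes([0x10, 0x01, 0x0B, 0x00, 0x00])      # no addresses, no facilities
DATA_PACKET = bytes([0x10, 0x01, 0x00]) + b"AXE-IOG-COMMAND"  # P(S)=0, P(R)=0


def demo_stream() -> bytes:
    """Two packets as the X.25 O&M Router would place them on the TCP connection."""
    return xot_encapsulate(CALL_REQUEST) + xot_encapsulate(DATA_PACKET)


if __name__ == "__main__":
    stream = demo_stream()
    pending = b""
    # Feed the stream in 7-byte chunks to show reassembly across reads.
    for i in range(0, len(stream), 7):
        pending += stream[i:i + 7]
        packets, pending = xot_decapsulate(pending)
        for p in packets:
            print(x25_packet_kind(p), p.hex())
```

The firewall rule for this transport is a plain TCP rule between the X.25 O&M Router and the site X.25 O&M Routers; nothing inside the tunnel is visible to the Firewall Router, which is why the access restrictions of Section 3.5 still have to be applied at the site routers.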

5.5 Interfacing to the Core Network


The COMInf IP network does not employ a well-defined method of connecting to
the Core Network. Typically, COMInf uses Ethernet or a WAN link technology,
like Frame Relay or ATM, to connect to a transport network. The transport
network is then connected to the Core Network sites. When connecting to
WAN links, COMInf typically uses the O&M Router. If connecting to GSM RAN
using Ethernet, the O&M router may be bypassed and the Ethernet connection
is made directly to the Firewall Router. In Figure 15, two examples are given.
The uppermost uses a WAN link to connect to a transport network, which in
turn is connected to the Core Network sites. The lowermost example uses
Ethernet, directly connected to the Firewall Router. The Firewall Router acts
both as a firewall and as a router.


[Figure: Network Infrastructure (Network Switch, Firewall/Router, O&M Router)
and OSS and Services nodes; upper path: O&M Router, IP over WAN, Transport
Network, Core Network sites (...); lower path: IP over Ethernet from the
Firewall/Router directly to a Core Network site; image Connecting_to_CN_B]

Figure 15 Connecting to the Core Network

The figure only shows connecting to IP nodes. Some Core Network nodes are
AXE based and may need an X.25 connection. In this case, use the same
method as when connecting to X.25 GSM RAN, see Section 5.4 on page 89.

5.6 Interfacing the Service Network


The COMInf IP network uses Ethernet to the transport network. The transport
network is then connected to the Service Network sites. There is no O&M
Router involved, so Figure 15 applies, except for the O&M Router.


6 Upgrade

The table below shows the ports that have been added or deleted between
deliveries. This is helpful when configuring the firewall after the system has
been upgraded.
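One practical use of these tables is to compute the rule set that should exist after the upgrade, rather than editing firewall rules by hand from a printed list. The Python example below is added for illustration and is not part of the original document or of the OSS upgrade procedure: the baseline rule set is constructed, the delta rows are taken from Table 66 below, and the domain names are used as they appear in the tables. It expands port specifications such as 50308 - 50328 and 8700-8732, applies Added and Removed rows, leaves comment-only changes alone, and warns when a row does not match the baseline, which usually means an earlier delivery's change was never applied.

```python
import re
from typing import Dict, List, Set, Tuple

RuleKey = Tuple[str, str, str]             # (from domain, to domain, protocol)
RuleSet = Dict[RuleKey, Set[int]]          # allowed destination ports per domain pair
DeltaRow = Tuple[str, str, str, str, str]  # from, to, protocol, port spec, action


def parse_ports(spec: str) -> Set[int]:
    """Expand a 'Dst Port' cell such as '161, 443, 8700-8732' or '50308 - 50328'
    into a set of port numbers. Symbolic entries such as 'ephemeral' are
    rejected so that they are resolved by hand rather than silently dropped."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
        elif item.isdigit():
            lo = hi = int(item)
        else:
            raise ValueError(f"port spec {item!r} must be resolved manually")
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def format_ports(ports: Set[int]) -> str:
    """Collapse a port set back into the 'a, b-c' notation used in the tables."""
    out: List[str] = []
    run: List[int] = []
    for p in sorted(ports) + [None]:
        if run and (p is None or p != run[-1] + 1):
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if p is not None:
            run.append(p)
    return ", ".join(out)


def apply_delta(rules: RuleSet, delta: List[DeltaRow]) -> Tuple[RuleSet, List[str]]:
    """Apply one delivery's rows to a copy of the current rule set.

    'Added' and 'Removed' change the port set; any other action (for example
    'Changed Comment' or 'Updated') leaves it unchanged. Returns the new rule
    set and warnings for rows that do not fit the baseline."""
    new: RuleSet = {key: set(ports) for key, ports in rules.items()}
    warnings: List[str] = []
    for src, dst, proto, spec, action in delta:
        key = (src, dst, proto)
        ports = parse_ports(spec)
        current = new.setdefault(key, set())
        if action == "Added":
            dup = ports & current
            if dup:
                warnings.append(f"{key}: already allowed {format_ports(dup)}")
            current |= ports
        elif action == "Removed":
            missing = ports - current
            if missing:
                warnings.append(f"{key}: not in baseline, cannot remove {format_ports(missing)}")
            current -= ports
        else:
            warnings.append(f"{key}: action {action!r} leaves ports unchanged")
        if not current:
            del new[key]          # a domain pair with no ports needs no rule
    return new, warnings


# Constructed baseline: what the firewall allows before the upgrade.
BASELINE: RuleSet = {
    ("OCS Services", "OSS Services", "TCP"): set(range(50300, 50330)),
    ("LTE RAN", "SMRS Slave", "TCP"): {21, 22},
}

# Delta rows taken from Table 66 (OSSRC R7.0 SH B).
TABLE_66: List[DeltaRow] = [
    ("OCS Services", "OSS Services", "TCP", "50308 - 50328", "Removed"),
    ("LTE RAN", "OSS Services", "TCP", "50336, 50340, 50341", "Added"),
    ("LTE RAN", "SMRS Slave", "TCP", "21, 22, 123", "Removed"),
]


def upgraded_rules() -> Tuple[RuleSet, List[str]]:
    return apply_delta(BASELINE, TABLE_66)


if __name__ == "__main__":
    rules, warnings = upgraded_rules()
    for key, ports in sorted(rules.items()):
        print(key, format_ports(ports))
    for w in warnings:
        print("WARNING:", w)
```

The warning on the LTE RAN to SMRS Slave row is the point of the exercise: port 123 was never in the constructed baseline, so either the earlier table that added it was skipped or the firewall was changed by hand. Either way the discrepancy is worth resolving before the post-upgrade rule set is loaded.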

Table 66 OSSRC R7.0 SH B

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 50308 - 50328 | Removed
17 | Core Network | OCS Services | TCP | 162 | Removed
33 | OSS Services | WCDMA RAN | TCP | 50333 | Removed
39 | OCS Services | Core Network | TCP | 161, 443, 3306, 3868, 7111, 7423, 8600, 8601, 8602, 8603, 8700-8732, 30360 | Removed
48 | LTE RAN | OSS Services | TCP | 50336, 50340, 50341 | Added
- | M@H RAN | SMRS Slave | TCP | 22, 123 | Removed
55 | LTE RAN | SMRS Slave | TCP | 21, 22, 123 | Removed

Table 67 OSSRC R7.0 C0.1

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 50346, 50347 | Added
17 | Core Network | OCS Services | TCP | 162 | Added
38 | OSS Services | Core Network | TCP | 443, 3306, 3868, 7111, 7423, 8600, 8601, 8602, 8603, 30360, 8700-8732 | Added
38 | OSS Services | Core Network | UDP | 161 | Added
56 | OCS Services | M@H Services | TCP | 9000 | Added
57 | M@H Services | OCS Services | TCP | 9000 | Added
58 | M@H Services | M@H RAN | TCP | 999 | Added
59 | M@H RAN | M@H Services | TCP | 999 | Added
60 | OSS Services | OSS Services | TCP | 50500, 50501, 50502, 50503, 50504, 50505, 50506, 50507, 50508 | Added
61 | TD-SCDMA RAN | OSS Services | TCP | 50345, 50409, 50410, 50411, 50413, 50414, 50415, 50417, 50418, 50419, 50421, 50422, 50423, 50425, 50426, 50427, 50429, 50430, 50431, 50433, 50434, 50435, 50437, 50438, 50439, 50441, 50442, 50443, 50446, 50447, 50449, 50450, 50451, 50453, 50454, 50455, 50457, 50458, 50459, 50461, 50462, 50463, 50465, 50466, 50467, 50469, 50470, 50471 | Added
62 | TD-SCDMA RAN | OCS Services | TCP | 80, 1494, ephemeral | Added
63 | TD-SCDMA RAN | OCS Access | TCP | 443 | Added
64 | TD-SCDMA RAN | Infrastructure | TCP | 22 | Added
65 | OSS Services | TD-SCDMA RAN | TCP | 21, 22, 23, 80, 161, 56834, 56835 | Added
66 | OCS Services | TD-SCDMA RAN | TCP | 21, 22, 23, 80, 56834, 56835, 56836 | Added
67 | Infrastructure | TD-SCDMA RAN | TCP | 22, 80, 123, 56834, 56836 | Added

Table 68 OSSRC R7.0.4

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 50306 - 50308 | Removed
4 | OCS Services | OSS Services | TCP | 50496 - 50497 | Added
43 | OCS Services | PM Service | TCP | 6410, 6420, 8443, 6400-6406 | Added

Table 69 OSSRC R7.0.9

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 50073 | Added
33 | OSS Services | WCDMA RAN | TCP | 50333 | Added
55 | LTE RAN | SMRS Slave | TCP | 21, 22, 123 | Added
43 | OCS Services | PM Service | TCP | 433 | Added
36 | OSS Services | GSM RAN | TCP | 830 | Removed

Table 70 OSSRC10.0 Ship F

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 50313, 50314, 50315, 50316, 50317, 50318, 50319, 50320, 50321, 50322, 50323, 50324, 50344, 50345, 50496, 50497 | Added
36 | OSS Services | GSM RAN | TCP | 830 | Added
55 | LTE RAN | SMRS Slave | TCP | 21, 22, 123 | Added
68 | WCDMA RAN | SMRS Slave | TCP | 21, 22, 123 | Added
69 | Core Network | SMRS Slave | TCP | 21, 22, 123 | Added

Table 71 OSSRC10.0 Ship G

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
12 | OSS Services | OCS Services | TCP | 6161 | Added
12 | OSS Services | OCS Services | TCP | 49718 | Added
38 | OSS Services | Core Network | UDP | 161 | Added
9 | Core Network | OSS Services | UDP | 4362 | Added
4 | OCS Services | OSS Services | TCP | 1724 | Added
4 | OCS Services | OSS Services | TCP | 11000 | Added
4 | OCS Services | OSS Services | TCP | 11001 | Added
4 | OCS Services | OSS Services | TCP | 63000 | Added
4 | OCS Services | OSS Services | TCP | 63001 | Added
4 | OCS Services | OSS Services | TCP | 63004 | Added
4 | OCS Services | OSS Services | TCP | 63005 | Added

Table 72 OSSRC10.1 Ship K

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed/Changed | Comment
4 | OCS Services | OSS Services | TCP | 50021 | Changed Comment | CM Consistency Check Service
4 | OCS Services | OSS Services | TCP | 49897 | Removed | OSS WRAN CM Core explorer server (secure)
4 | OCS Services | OSS Services | TCP | 49883 | Removed | LH: Log Handling region server (secure)
4 | OCS Services | OSS Services | TCP | 49881 | Removed | LH: Log Handling region server ORB listener port
4 | OCS Services | OSS Services | TCP | 49837 | Changed Comment | CM Plan Administration Service
4 | OCS Services | OSS Services | TCP | 49836 | Added | CM Plan Administration Service
4 | OCS Services | OSS Services | TCP | 49818 | Changed Comment | CM Consistency Check Service
4 | OCS Services | OSS Services | TCP | 49817 | Added | CM Consistency Check Service
4 | OCS Services | OSS Services | TCP | 49808 | Changed Comment | CM Bulk Service
11 | NMS | OSS Services | TCP | 49805 | Changed Comment | CM Bulk Service
4 | OCS Services | OSS Services | TCP | 49804 | Changed Comment | CM Consistency Check Service
4 | OCS Services | OSS Services | TCP | 49803 | Changed Comment | CM Bulk Service
4 | OCS Services | OSS Services | TCP | 49802 | Changed Comment | CM Plan Administration Service
4 | OCS Services | OSS Services | TCP | 1099 | Changed Comment | Internal RMI Registry
4 | OCS Services | OSS Services | TCP | 50042 | Changed Comment | GB RMI Registry
4 | OCS Services | OSS Services | TCP | 50043 | Changed Comment | WCDMA Topology Service
4 | OCS Services | OSS Services | TCP | 50044 | Changed Comment | WCDMA Topology Service
4 | OCS Services | OSS Services | TCP | 50045 | Changed Comment | Status Service
4 | OCS Services | OSS Services | TCP | 50046 | Changed Comment | Status Service
4 | OCS Services | OSS Services | TCP | 50047 | Changed Comment | FM Alarm Service
4 | OCS Services | OSS Services | TCP | 50048 | Changed Comment | FM Alarm Service
4 | OCS Services | OSS Services | TCP | 50049 | Changed Comment | PM KPI Service
4 | OCS Services | OSS Services | TCP | 50050 | Changed Comment | PM KPI Service
4 | OCS Services | OSS Services | TCP | 50051 | Changed Comment | PM Traffic Recordings Service
4 | OCS Services | OSS Services | TCP | 50052 | Changed Comment | PM Traffic Recordings Service
4 | OCS Services | OSS Services | TCP | 50053 | Changed Comment | NE Log Service
4 | OCS Services | OSS Services | TCP | 50054 | Changed Comment | NE Log Service
4 | OCS Services | OSS Services | TCP | 50055 | Changed Comment | Management Service
4 | OCS Services | OSS Services | TCP | 50056 | Changed Comment | Management Service
4 | OCS Services | OSS Services | TCP | 50057 | Changed Comment | Java Message Service
4 | OCS Services | OSS Services | TCP | 50058 | Changed Comment | Java Message Service
4 | OCS Services | OSS Services | TCP | 50059 | Changed Comment | JMX Service
4 | OCS Services | OSS Services | TCP | 50060 | Added | JMX Service
4 | OCS Services | OSS Services | TCP | 50061 | Added | CM Bulk Export Service
4 | OCS Services | OSS Services | TCP | 50062 | Added | CM Bulk Export Service
4 | OCS Services | OSS Services | TCP | 50063 | Added | CM Bulk Import Service
4 | OCS Services | OSS Services | TCP | 50064 | Added | CM Bulk Import Service
4 | OCS Services | OSS Services | TCP | 50300 | Added | Planned Configuration Management Service
4 | OCS Services | OSS Services | TCP | 50301 | Added | Planned Configuration Management Service
4 | OCS Services | OSS Services | TCP | 50302 | Added | Planned Configuration Activation Service
4 | OCS Services | OSS Services | TCP | 50303 | Added | Planned Configuration Activation Service
4 | OCS Services | OSS Services | TCP | 50304 | Added | Planned Configuration Operations Service
4 | OCS Services | OSS Services | TCP | 50305 | Added | Planned Configuration Operations Service
4 | OCS Services | OSS Services | TCP | 50309 | Added | WCDMA CM Service
4 | OCS Services | OSS Services | TCP | 50310 | Added | WCDMA CM Service
4 | OCS Services | OSS Services | TCP | 50311 | Added | WCDMA Cell Service
4 | OCS Services | OSS Services | TCP | 50312 | Added | WCDMA Cell Service
4 | OCS Services | OSS Services | TCP | 50313 | Changed Comment | Rules Services
4 | OCS Services | OSS Services | TCP | 50314 | Changed Comment | Rules Services
4 | OCS Services | OSS Services | TCP | 50315 | Changed Comment | Profiles Service
4 | OCS Services | OSS Services | TCP | 50316 | Changed Comment | Profiles Service
4 | OCS Services | OSS Services | TCP | 50317 | Changed Comment | Templates Service
4 | OCS Services | OSS Services | TCP | 50318 | Changed Comment | Templates Service
4 | OCS Services | OSS Services | TCP | 50319 | Changed Comment | Grouping Service
4 | OCS Services | OSS Services | TCP | 50320 | Changed Comment | Grouping Service
4 | OCS Services | OSS Services | TCP | 50321 | Changed Comment | Access Control Service
4 | OCS Services | OSS Services | TCP | 50322 | Changed Comment | Access Control Service
4 | OCS Services | OSS Services | TCP | 50323 | Changed Comment | License Service
4 | OCS Services | OSS Services | TCP | 50324 | Changed Comment | License Service
4 | OCS Services | OSS Services | TCP | 50327 | Changed Comment | Config Admin
4 | OCS Services | OSS Services | TCP | 50328 | Changed Comment | Config Admin
4 | OCS Services | OSS Services | TCP | 50329 | Added | Logging Service
4 | OCS Services | OSS Services | TCP | 50330 | Added | Logging Service
4 | OCS Services | OSS Services | TCP | 50333 | Added | AIF Service
4 | OCS Services | OSS Services | TCP | 50334 | Added | AIF Service
4 | OCS Services | OSS Services | TCP | 50346 | Changed Comment | Scheduling Service
4 | OCS Services | OSS Services | TCP | 50347 | Changed Comment | Scheduling Service
4 | OCS Services | OSS Services | TCP | 49750 | Added | Topology Composite Service
4 | OCS Services | OSS Services | TCP | 49751 | Added | Topology Composite Service
4 | OCS Services | OSS Services | TCP | 49752 | Added | CM Composite Service
4 | OCS Services | OSS Services | TCP | 49753 | Added | CM Composite Service
4 | OCS Services | OSS Services | TCP | 49754 | Added | LTE CM Service
4 | OCS Services | OSS Services | TCP | 49755 | Added | LTE CM Service
4 | OCS Services | OSS Services | TCP | 49756 | Added | TDSCDMA CM Service
4 | OCS Services | OSS Services | TCP | 49757 | Added | TDSCDMA CM Service
4 | OCS Services | OSS Services | TCP | 49758 | Added | Cell Service
4 | OCS Services | OSS Services | TCP | 49759 | Added | Cell Service
4 | OCS Services | OSS Services | TCP | 49880 | Added | LTE Cell Service
4 | OCS Services | OSS Services | TCP | 49881 | Added | LTE Cell Service
4 | OCS Services | OSS Services | TCP | 49882 | Added | TDSCDMA Cell Service
4 | OCS Services | OSS Services | TCP | 49883 | Added | TDSCDMA Cell Service
4 | OCS Services | OSS Services | TCP | 2099 | Added | SunMC console service on MWS
4 | OCS Services | OSS Services | TCP | 8043 | Added | SunMC console service on MWS
4 | OCS Services | OSS Services | TCP | 8080 | Updated | SunMC console service on MWS
38 | OSS Services | Core Network | UDP | 161 | Updated | IMT
9 | Core Network | OSS Services | UDP | 162 | Updated | IMT
9 | Core Network | OSS Services | UDP | 163 | Added | SNMP Events

Table 73 OSSRC10.2 GA

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed/Changed
4 | OCS Services | OSS Services | UDP | 163-168, 50600-50719 | Added
5 | Infrastructure Security | OSS Services | UDP | 163-168, 50600-50719 | Added
6 | Security Administration | OSS Services | UDP | 162 | Removed
12 | OSS Services | OCS Services | UDP | 50720-50739 | Added
18 | OSS Services | Infrastructure Security | UDP | 50720-50739 | Added
42 | OSS Services | PM Services | UDP | 50720-50739 | Added
44 | PM Services | OSS Services | UDP | 163-168, 50600-50719 | Added
60 | OSS Services | OSS Services | UDP | 163-168, 50600-50719 | Added

Table 74 OSSRC 10.3

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed/Changed
60 | OSS Services | OSS Services | TCP | 50352, 50356, 50360, 50364, 50368, 50372, 50376, 50380, 50384, 50388, 50392, 50396, 50400, 50404, 50408 | Added
48 | LTE RAN | OSS Services | TCP | 50073, 50349, 50350, 50351, 50353, 50354, 50355, 50357, 50358, 50359, 50361, 50362, 50363, 50365, 50366, 50367, 50369, 50370, 50371, 50373, 50374, 50375, 50377, 50378, 50379, 50381, 50382, 50383, 50385, 50386, 50387, 50389, 50390, 50391, 50393, 50394, 50395, 50397, 50398, 50399, 50401, 50402, 50403, 50405, 50406, 50407 | Added
4 | OCS Services | OSS Services | TCP | 50073 | Removed


Table 75 OSSRC R11.0.3

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 49159 - 49183 | Added
4 | OCS Services | OSS Services | TCP | 49152 - 49158 | Added
4 | OCS Services | OSS Services | TCP | 49290, 49291, 49297, 49299 | Removed

Table 76 OSSRC R11.2.6

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
70 | OCS Services | OSS Storage | TCP | 22, 2049 | Added
71 | PM Services | OSS Storage | TCP | 22, 2049 | Added
4 | OCS Services | OSS Services | TCP | 65534, 65535 |

Table 77 OSSRC R11.2.7

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 49188 | Added
4 | OCS Services | OSS Services | TCP | 49189 | Added
4 | OCS Services | OSS Services | TCP | 49190 | Added
4 | OCS Services | OSS Services | TCP | 49191 | Added
4 | OCS Services | OSS Services | TCP | 49194 | Added
4 | OCS Services | OSS Services | TCP | 49195 | Added
31 | OSS Client | OCS Access | TCP | 80 | Removed

Table 78 OSSRC R11.2.8

Table | From Domain | To Domain | Service/Protocol | Dst Port | Added/Removed
4 | OCS Services | OSS Services | TCP | 49756 | Removed
4 | OCS Services | OSS Services | TCP | 49757 | Removed
4 | OCS Services | OSS Services | TCP | 49882 | Removed
4 | OCS Services | OSS Services | TCP | 49883 | Removed
Previously Table 61 (TD-SCDMA RAN Security Domain to OSS Services Security Domain) - the whole table has been removed | TD-SCDMA RAN | OSS Services | TCP | 50409, 50413, 50417, 50421, 50425, 50429, 50433, 50437, 50441, 50445, 50449, 50453, 50457, 50461, 50465, 50410, 50414, 50418, 50422, 50426, 50430, 50434, 50438, 50442, 50446, 50450, 50454, 50458, 50462, 50466, 50411, 50415, 50419, 50423, 50427, 50431, 50435, 50439, 50443, 50447, 50451, 50455, 50459, 50463, 50467, 50469, 50470, 50471 | Removed
Previously Table 62 (TD-SCDMA RAN Security Domain to OCS Services Security Domain) - the whole table has been removed | TD-SCDMA RAN | OCS Services | TCP | 80, 1494, 53248-55295, 53248-55295 | Removed
Previously Table 63 (TD-SCDMA RAN Security Domain to OCS Access Security Domain) - the whole table has been removed | TD-SCDMA RAN | OCS Access | TCP | 443 | Removed
Previously Table 64 (TD-SCDMA RAN Security Domain to Infrastructure Security Domain) - the whole table has been removed | TD-SCDMA RAN | Infrastructure Security Domain | TCP | 22 | Removed
Previously Table 65 (OSS Services Security Domain to TD-SCDMA RAN Security Domain) - the whole table has been removed | OSS Services | TD-SCDMA RAN | TCP | 21, 22, 23, 80, 56834, 161, 56835, 56836 | Removed
Previously Table 66 (OCS Services Security Domain to TD-SCDMA RAN Security Domain) - the whole table has been removed | OCS Services | TD-SCDMA RAN | TCP | 21, 22, 23, 80, 56834, 56835, 56836 | Removed
Previously Table 67 (Infrastructure Security Domain to TD-SCDMA RAN Security Domain) - the whole table has been removed | Infrastructure Security Domain | TD-SCDMA RAN | TCP | 22, 80, 123, 56834, 56836 | Removed
4 | OCS Services | OSS Services | TCP | 49196, 49197, 49201, 49202, 49203, 49204 | Added
65 | OSS Storage | Infra Services | UDP | 127 | Added (new table)
65 | OSS Storage | Infra Services | UDP | 161 | Added (new table)
65 | OSS Storage | Infra Services | UDP | 162 | Added (new table)



Glossary

The OSS Glossary is included in Reference [1].


Reference List

[1] Operations Support System (OSS) Glossary

[2] OSS Library Typographic Conventions

[3] COMInf Description

[4] COMInf Dimensioning and Deployment Guidelines

[5] COMInf Installation Plan

[6] UNIX Application Server

[7] OCS Windows Servers

[8] High Availability Cluster Solution OSS-RC Function Description

[9] Function Description for High Availability Replication Solution (HA-RS)
for OSS-RC

[10] Installation and Commissioning Guide for Symantec FileStore for OSS-RC
EMC Installation Documentation

[11] OSS-RC Blade Deployment Diagram Description