The following ports are used by Prinergy, and need to be open for Prinergy to work:

Port

Protocol

Process

80

TCP

IIS Server, Setup, Track, *Automatic License Renewal

443*
HTTPS (*required for automatic license renewal functionality)

445

TCP

SMB

548

TCP

AFP (only required if clients use AFP to mount job volumes)

1024 - 9000

TCP

Daemons, JTPs, UADM, Workshop

1521, 2481

TCP

Oracle

30208, 30209

TCP

PrinterJTP to Veris

49100 - 49102

TCP

Orbacus connection for daemons

49108, 58888

TCP

Link

37000, 37001

TCP

DiagView daemon, DiagView

50010

UDP

Floating License Manager

56765

TCP

Floating License Manager

37100, 37101

TCP

Dashboard components

61233, 61234, 61235, 18804

TCP

RBA components

18005, 18080

TCP

Prinergy Layout Automation

37102, 37150 - 37250, 61237

TCP

Digital Print

52001

TCP

Colorflow

37002

UDP

Plocator

32000-32003, 31000-31003, 52002, 8082-8085, 8091

TCP

Help system

Note: AFP port information is given for informational purposes and legacy configurations only. AFP is not qualified with Prinergy Workflow 8.0.


The Built-in Windows Firewall is not supported

The software firewall that ships with Windows 2008 and Windows 2012 is not supported on a Prinergy Connect/Direct/Powerpack server.
Aside from the list of static ports listed above, Prinergy Connect/Direct/Powerpack uses many ephemeral (temporary) TCP/IP ports over a very wide range. Activating the built-in Windows firewall will cause unpredictable system behavior.
Any firewalling requirements must be met with an external device. Choices include a hardware firewall, software firewall running on another (non-Prinergy) server, or a firewall appliance in a virtual environment. Placement of the firewall in your network infrastructure is important, as Prinergy requires a large range of ports to be opened between primary and secondary servers and Workshop clients.
Information about the firewall requirements of InSite Prepress Portal, InSite Creative Workflow, and other Kodak portal products can be found in the respective products' documentation.

Additional Firewall considerations

If there is a firewall between the Prinergy servers and the Workshop clients, it is critical that the firewall does not close idle connections after some arbitrary time period.  If it does, this could result in lags or stalls in Workshop when it is forced to re-establish its connections to the server.  Instead, the firewall should be configured to only close the connection if it is determined to be dead by probing to the end hosts to determine the validity of the connection.  This feature is known as 'Dead Connection Detection' on Cisco firewalls.  If such a feature does not exist on your chosen firewall then the idle timeout should be set to a period equal to a typical production shift and operators should be warned that Workshop may stall for up to a couple of minutes when they return to it if it has been left running but idle for a longer period.

Local-Link IPv4

Subnet IP range 169.254.x.x is reserved within the IPv4 specification for Local-Link self-assigned IP addresses and is not operationally compatible with Prinergy Workflow server software. 
See IETF.org article rtfc3927 - https://tools.ietf.org/html/rfc3927