The following ports are used by Prinergy and must be open for Prinergy to work:
IIS Server, Setup, Track, *Automatic License Renewal
443* (TCP): HTTPS (*required for automatic license renewal functionality)
AFP (only required if clients use AFP to mount job volumes)
1024 - 9000
Daemons, JTPs, UADM, Workshop
PrinterJTP to Veris
49100 - 49102
Orbacus connection for daemons
DiagView daemon, DiagView
Floating License Manager
Floating License Manager
61233, 61234, 61235, 18804
Prinergy Layout Automation
37102, 37150 - 37250, 61237
32000-32003, 31000-31003, 52002, 8082-8085, 8091
Note: AFP port information is given for informational purposes and legacy configurations only. AFP is not qualified with Prinergy Workflow 8.0.
The Built-in Windows Firewall is not supported
The software firewall that ships with Windows 2008 and Windows 2012 is not supported on a Prinergy Connect/Direct/Powerpack server.
In addition to the static ports listed above, Prinergy Connect/Direct/Powerpack uses many ephemeral (temporary) TCP/IP ports over a very wide range. Activating the built-in Windows firewall will cause unpredictable system behavior.
Any firewalling requirements must be met with an external device. Choices include a hardware firewall, software firewall running on another (non-Prinergy) server, or a firewall appliance in a virtual environment. Placement of the firewall in your network infrastructure is important, as Prinergy requires a large range of ports to be opened between primary and secondary servers and Workshop clients.
Information about the firewall requirements of InSite Prepress Portal, InSite Creative Workflow, and other Kodak portal products can be found in the respective products' documentation.
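One way to check an external firewall's allow list against the static ports above, as an added example that is not Kodak code. It assumes every listed port is TCP (the page states the protocol only for 443); the function names and `SAMPLE_ALLOWED` are constructed for illustration, and the ephemeral ports Prinergy also uses are outside what this check covers.

```python
# Static port specs copied from the list above. Assumption: all TCP
# (the page states the protocol only for 443).
REQUIRED_SPECS = [
    "443", "1024 - 9000", "49100 - 49102", "61233, 61234, 61235, 18804",
    "37102, 37150 - 37250, 61237",
    "32000-32003, 31000-31003, 52002, 8082-8085, 8091",
]
# Constructed sample: TCP ranges an external firewall currently permits.
SAMPLE_ALLOWED = [(443, 443), (1024, 9000), (31000, 31003), (32000, 32003),
                  (37150, 37250), (49100, 49102), (52002, 52002), (61233, 61235)]

def parse_ports(spec):
    """'37102, 37150 - 37250' -> [(37102, 37102), (37150, 37250)]"""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi.strip() else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges

def merge(ranges):
    """Sort and coalesce overlapping or adjacent ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def uncovered(required, allowed):
    """Parts of the required ranges that no allow rule covers."""
    gaps, allowed = [], merge(allowed)
    for lo, hi in merge(required):
        cur = lo  # lowest required port not yet known to be allowed
        for a_lo, a_hi in allowed:
            if a_hi < cur or a_lo > hi:
                continue
            if a_lo > cur:
                gaps.append((cur, a_lo - 1))
            cur = a_hi + 1
        if cur <= hi:
            gaps.append((cur, hi))
    return gaps
```

Feed `uncovered` the ranges parsed from `REQUIRED_SPECS` and the ranges exported from your own firewall; any tuple it returns is a static port range that is still blocked.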
Additional Firewall considerations
If there is a firewall between the Prinergy servers and the Workshop clients, it is critical that the firewall does not close idle connections after some arbitrary time period. If it does, Workshop may lag or stall when it is forced to re-establish its connections to the server. Instead, configure the firewall to close a connection only after it has probed the end hosts and determined that the connection is dead. This feature is known as 'Dead Connection Detection' on Cisco firewalls. If your chosen firewall has no such feature, set the idle timeout to a period equal to a typical production shift, and warn operators that Workshop may stall for up to a couple of minutes when they return to it if it has been left running but idle for a longer period.
Subnet IP range 169.254.x.x is reserved within the IPv4 specification for link-local self-assigned IP addresses and is not operationally compatible with Prinergy Workflow server software.
See RFC 3927 on IETF.org: https://tools.ietf.org/html/rfc3927