2.6 Access and Communication Requirements across Your Migration Network

Ensure that your network environment meets the following requirements for access, discovery, and migration.

NOTE: Refer to the deployment diagrams based on your migration target to understand the ports and flow of information between the various migration components. See Section III, Preparing Your Migration Environment.

2.6.1 Requirements for Discovery

Table 2-18 lists software, network, and firewall requirements that systems in your environment must meet for the discovery and inventory process. For information about discovery procedures, see Section IV, Discovering and Preparing Workloads and Targets.

Table 2-18 Network Communication Prerequisites for Discovery Operations

System

Prerequisites

All workloads

Ping (ICMP echo request and response) support

All source workloads in AWS

  • PowerShell 2.0 or higher

All Windows sources and Hyper-V hosts

  • Microsoft .NET Framework version 2.0 SP2, 3.5 SP1, or 4.0

  • Credentials for the built-in Administrator account, a domain Administrator account with access to the Admin$ share, or a local Administrator account with administrator privileges.

    NOTE: To allow a local Administrator account that has administrator privileges to discover Windows workloads, you must enable remote access permissions for this account.

    • For a local Administrator account that is a member of a Windows domain account, do one of the following:

      • Create a Group Policy to enable remote access for the account.

      • Ensure that the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key has a value named LocalAccountTokenFilterPolicy of type DWORD set to 1.

    • For a local Administrator account that is not a member of a Windows domain account: Ensure that the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key has a value named LocalAccountTokenFilterPolicy of type DWORD set to 1.

    For more information about creating a Group Policy or using the registry settings to enforce remote access for the account, see Enforce local account restrictions for remote access in Microsoft Documentation.

  • The Windows Firewall configured to allow File and Printer Sharing. Use one of these options:

    • Option 1, using Windows Firewall: Use the basic Windows Firewall Control Panel item (firewall.cpl) and select File and Printer Sharing in the list of exceptions.

      - OR -

    • Option 2, using Windows Firewall with Advanced Security: Use the Windows Firewall with Advanced Security utility (wf.msc) with the following Inbound Rules enabled and set to Allow:

      • File and Printer Sharing (Echo Request - ICMPv4In)

      • File and Printer Sharing (Echo Request - ICMPv6In)

      • File and Printer Sharing (NB-Datagram-In)

      • File and Printer Sharing (NB-Name-In)

      • File and Printer Sharing (NB-Session-In)

      • File and Printer Sharing (SMB-In)

      • File and Printer Sharing (Spooler Service - RPC)

      • File and Printer Sharing (Spooler Service - RPC-EPMAP)

  • The Windows Firewall configured to allow Windows Management Instrumentation (WMI-In).

  • (Conditional) If the volumes are encrypted with the BitLocker disk encryption feature, they must be unlocked.

All Linux sources

Linux KVM servers

  • Secure Shell (SSH) server

  • Open port 22 (TCP)

  • Custom SSH ports are supported; specify the port number during discovery: <hostname | IP_address>:<port_number>.

  • Root-level access. For information on using an account other than root, see KB Article 7920711.

    NOTE: For source Linux workloads in Amazon Web Services, AMI templates automatically create a default non-root system user account that is enabled for sudo. The user name for this account varies by AMI provider. For Amazon Linux images, the non-root user name is ec2-user for most Linux distributions. It is centos for CentOS AMIs. For more information, refer to your AMI provider documentation.

    In AWS, a non-root user must run the sudo -i command to access the root shell and then run the Migrate Agent commands. Typing sudo in each Migrate Agent Utility command might result in a failure on some source workloads.

VMware ESX/ESXi Servers

  • VMware account with an Administrator role

  • VMware Web services API and file management API (HTTPS / port 443 TCP)

VMware vCenter Servers

The user with access must be assigned the appropriate roles and permissions. Refer to the pertinent release of VMware documentation for more information.

Cloud-based targets:

  • Amazon Web Services

  • Microsoft Azure

  • VMware vCloud

Open port 443 (TCP) for HTTPS communications with the target management portal.

2.6.2 Requirements for Workload Registration

You can use Migrate Agent to register and inventory workloads instead of using Migrate discovery. Table 2-19 lists software, network, and firewall requirements that systems in your environment must meet for the registration and inventory process using Migrate Agent. For information about registration procedures, see Registering Workloads and Discovering Details with Migrate Agent. See also Section F.0, Migrate Agent Utility.

Table 2-19 Network Communication Prerequisites for Migrate Agent Registration Operations

System

Prerequisites

PlateSpin Server hosts

  • Open port 443 (TCP) for HTTPS communications with source workloads.

  • Open port 22 (TCP) for SSH communications with Linux source workloads.

  • A public IP address is required for PlateSpin Server host.

  • In PlateSpin Configuration, set the AlternateServerAddress parameter to the Migrate server’s public IP address. The setting is configured automatically for Migrate servers available in Azure Marketplace and for Migrate servers deployed using the AWS Quick Start.

All source workloads

  • Open port 443 (TCP) for HTTPS communications with Migrate server.

  • A public IP address is required for source workloads.

All Windows source workloads

  • The user who executes Migrate Agent commands must have Administrator privileges.

  • For remote connections to the source workload, open port 3389 (TCP) for RDP access to the machine to install Migrate Agent.

All Linux source workloads

  • Root-level access. For information on using an account other than root, see KB Article 7920711.

    NOTE: For source Linux workloads in Amazon Web Services, AMI templates automatically create a default non-root system user account that is enabled for sudo. The user name for this account varies by AMI provider. For Amazon Linux images, the non-root user name is ec2-user for most Linux distributions. It is centos for CentOS AMIs. For more information, refer to your AMI provider documentation.

    In AWS, a non-root user must run the sudo -i command to access the root shell and then run the Migrate Agent commands. Typing sudo in each Migrate Agent Utility command might result in a failure on some source workloads.

  • For remote connections to the source Linux workload:

    • Secure Shell (SSH) server

    • Open port 22 (TCP)

    • Custom SSH ports are supported; specify the port number during discovery: <hostname | IP_address>:<port_number>.

2.6.3 Requirements for Migration

Table 2-20 lists software and firewall requirements that systems in your environment must meet for problem-free operation during workload migration jobs.

Table 2-20 Network Communication Prerequisites for Workload Migration

System

Open Port (Default)

Remarks

PlateSpin Server hosts

Either TCP 80 or TCP 443

  • Port 80 (TCP) is required for HTTP communication among the PlateSpin Server, sources, and targets.

  • Port 443 (TCP) is required for HTTPS communication (if SSL is used) between the PlateSpin Server and the source or target machines.

All source workloads

TCP 3725

Required for targets to initiate communication during file-level data transfer, except for I2X jobs, during which this port needs to be open on the migration target only. For Server Sync jobs, this port is required for both sources and targets.

The port number is configurable by setting the FileTransferPort parameter in the PlateSpin Configuration settings for the Migrate server.

When the PlateSpin Migrate server is installed on premises, by default the target workload connects to the source workload on port 3725 (TCP). This direction can be reversed (the source workload connects to the target workload) by changing the SourceListensForConnection parameter setting from True to False.

When the PlateSpin Migrate server is deployed in the cloud from the PlateSpin Migrate server image available in the Azure Marketplace or using the AWS Quick Start, the default direction of this connection is reversed automatically: the source workload will connect to the target workload in the cloud on port 3725 (TCP).

All targets

TCP 3725

Required for file-level Server Sync

All Windows sources and targets

NetBIOS 137 - 139

Required for NetBIOS communications.

All Windows Server Cluster workloads. See Clusters.

Ensure that the PlateSpin Server can resolve DNS forward lookup and reverse lookup for the IP addresses of the Windows Server Cluster and its cluster nodes. You can update the DNS server or update the local hosts file (%systemroot%\system32\drivers\etc\hosts) on the PlateSpin Server.

All Windows sources

SMB (TCP 139, 445 and UDP 137, 138)

 

All Linux sources

Linux KVM servers

TCP 22

 

PlateSpin Server hosts;

All Windows sources

TCP 135/445

For DCOM/RPC communication between PlateSpin Server and a source for taking control of and rebooting the workload through WMI.

NOTE: WMI (RPC/DCOM) can use TCP ports 135 and 445 as well as random/dynamically assigned ports above 1024.

PlateSpin Server hosts

Windows Cluster source and target workloads

TCP 5986, outbound for host; inbound for workloads

Required for HTTPS transport for PowerShell remoting commands to shut down the non-active nodes of a Windows Cluster as appropriate for migration of a Windows Cluster to VMware.

AWS requires a minimum of Microsoft .NET Framework 4.5 for migration of Windows workloads to Nitro System based VM instances

 

To use Nitro System based instances, ensure that Microsoft .NET Framework 4.5 or later is installed on the source Windows workload before Migrate discovery.

2.6.4 Requirements for Migration of Workloads Registered Using Migrate Agent

Table 2-21 lists firewall, network, and software requirements that systems in your environment must meet for problem-free operation during migration of workloads that have been registered with the PlateSpin Server host using Migrate Agent. See also Requirements for Migrate Agent Utility.

Table 2-21 Network Communication Prerequisites for Migration of Workloads Registered Using Migrate Agent

System

Open Port (Default)

Remarks

PlateSpin Server hosts

TCP 443

Required for HTTPS communications with source and target workloads.

A public IP address is required for PlateSpin Server host.

TCP 22

Required for SSH communications with Linux workloads.

PlateSpin Configuration settings

 

Configuration requirements in PlateSpin Configuration for the Migrate server:

  • Set the AlternateServerAddress parameter to the Migrate server’s public IP address. The setting is configured automatically for Migrate servers available in Azure Marketplace and for Migrate servers deployed using the AWS Quick Start. See Configuring Alternate IP Addresses for PlateSpin Server.

  • Set the SourceListensForConnection parameter to False. False is the default setting for Migrate servers available in Azure Marketplace and for Migrate servers deployed using the AWS Quick Start. See Configuring the Contact Direction for the Replication Port.

  • For cloud-based Migrate servers, the server is configured by default for migration to the target type that matches its parent cloud environment. If the source workloads are in the parent cloud environment for migration to a different target, you must remove the default value (leave the field blank) for the ServerIsHostedInCloud parameter to allow all target types to be available in the Add Target dialog.

PlateSpin replication network

 

When you configure the workload migration, ensure that you enable a public IP address for the PlateSpin replication network.

All source and target workloads

TCP 443

Required for HTTPS communications with PlateSpin server.

TCP 3725

Required for Migrate communications between the source and target machines and for data transfer from the source machine to the target machine.

The port number is configurable by setting the FileTransferPort parameter in the PlateSpin Configuration settings for the Migrate server.

When you use the Migrate Agent on the source workload, the source workload contacts the target workload for data transfers. The direction is controlled at the server level. You must configure the replication port direction on the Migrate Server (SourceListensForConnection=False). See Configuring the Contact Direction for the Replication Port. False is the default setting for Migrate servers available in a cloud marketplace.

All Linux target workloads

TCP 22

Required for SSH communications from the PlateSpin server in the PlateSpin Replication Environment.

All target workloads

Public IP addresses are required for target machines to enable source workloads to contact them over port 3725 to begin replications.

Migrate sets public IP addresses on target machines during migration.
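
The direction rules for the replication port in Tables 2-20 and 2-21, as an added example that is not part of the PlateSpin documentation or product: it derives which side must accept inbound TCP 3725 and scopes each allow rule to the single peer address instead of any source. The function names, the job labels (migration, server_sync, i2x) and the sample addresses are assumptions made for illustration.

```python
"""Added example (not PlateSpin code): derive peer-scoped inbound rules for the
replication port from the settings described in Tables 2-20 and 2-21."""
from ipaddress import ip_address


def replication_listeners(source_listens, job="migration"):
    """Return the roles that must accept inbound connections on the port.

    The job labels are hypothetical names chosen for this example.
    """
    if job == "server_sync":   # Table 2-20: required on both sources and targets
        return {"source", "target"}
    if job == "i2x":           # Table 2-20: open on the migration target only
        return {"target"}
    # SourceListensForConnection=True: target connects to source; False: reversed
    return {"source"} if source_listens else {"target"}


def firewall_plan(source_ip, target_ip, source_listens, job="migration",
                  agent_registered=False, file_transfer_port=3725):
    """Return inbound allow rules as (host, allow_from, proto, port) tuples."""
    if agent_registered and source_listens:
        # Table 2-21: Migrate Agent workloads need SourceListensForConnection=False
        raise ValueError("Migrate Agent requires SourceListensForConnection=False")
    if not 1 <= file_transfer_port <= 65535:
        raise ValueError("FileTransferPort out of range")
    peers = {"source": str(ip_address(source_ip)),
             "target": str(ip_address(target_ip))}
    other = {"source": "target", "target": "source"}
    return [(peers[role], peers[other[role]], "tcp", file_transfer_port)
            for role in sorted(replication_listeners(source_listens, job))]


# Constructed sample addresses (documentation ranges), not taken from the page.
SRC, DST = "192.0.2.10", "198.51.100.20"

if __name__ == "__main__":
    cases = [("on-premises default", dict(source_listens=True)),
             ("cloud image default", dict(source_listens=False)),
             ("Server Sync", dict(source_listens=True, job="server_sync"))]
    for label, kwargs in cases:
        for host, peer, proto, port in firewall_plan(SRC, DST, **kwargs):
            print(f"{label}: on {host} allow inbound {proto}/{port} from {peer} only")
```
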

2.6.5 Migrations Across Public and Private Networks through NAT

In some cases, a source, a target, or PlateSpin Migrate itself might be located in an internal (private) network behind a network address translator (NAT) device and be unable to communicate with its counterpart during migration.

PlateSpin Migrate enables you to address this issue, depending on which of the following hosts is located behind the NAT device:

  • PlateSpin Server: In your server’s PlateSpin Server Configuration tool, record the additional IP addresses assigned to that host:

    1. Log in as Administrator to the PlateSpin Migrate Web Interface, then open the PlateSpin Server Configuration page at:

      https://Your_PlateSpin_Server/PlateSpinConfiguration/

    2. Locate the AlternateServerAddresses server parameter, click Edit, then add additional IP addresses, delimited by a semicolon (;), for example:

      10.50.186.147;10.50.186.148

  • Source: As part of that specific migration job, record the additional IP addresses assigned to that workload. See Network Identification (Network Connections).

  • Target: When you are attempting to discover a target, such as VMware ESX, specify the public (or external) IP address in the discovery parameters.