What firewall ports are necessary for JOC communication to masters and agents?


  • CloudBees Jenkins Operations Center negotiates a different port for master and agent communication. Can you tell us what ports are involved?
  • We are trying to connect a client-master outside of a firewall to the JOC which is inside the firewall. What firewall ports should be open.


CloudBees Jenkins Operations Center


What you will need to ensure is the following:

  1. All potential users of a client master can access the master over HTTP(S)
  2. All JNLP agents that a client master may be leased can access the master over HTTP(S) and over that master’s JNLP port
  3. All JNLP agents that OC will be leasing can access OC over HTTP(S) and over OC’s JNLP port
  4. All client masters can access OC over HTTP(S) and over OC’s JNLP port

Each of those connections needs to be able to use the same hostname to resolve the connection. The hostname can resolve different IP addresses if you have different DNS servers for different subnets, but the DNS name needs to be the same for users, client masters, shared agents, etc…

Root Cause

Some operating systems do not install a firewall by default, and when using those operating systems it can be trivial to connect masters to OC (or connect JNLP agents to either OC or a regular Jenkins) because the - by default - randomly selected JNLP port will be open.

In a production environment you will need to fix the JNLP port (i.e. the Figure 4.7) (or else you would need to have some trickery that auto-detected the random port and opened up the firewall for that port… given that such trickery would be hard to maintain, we recommend the simplest thing that can possibly work, i.e. a fixed port)

A common problem we have seen is where people are setting up HA and just forward the HTTP port and fail to forward the TCP/IP port for the JNLP connections (a more subtle problem being where they do forward the TCP/IP port but do not set up the correct port forwarding options).

Have more questions?


Please sign in to leave a comment.