Page 1: Making Unicenter talk through a Firewall

Unicenter NSM, Revised August 11 2003 (PowerPoint presentation transcript)

Page 2

Agenda

• Introduction
• WorldView Discovery
• Destination Port Customization
• From Port Selection
• DSM Routing
• Scenarios
• Different Architecture Reviews
• Enterprise Management: CAM / CAFT, CCI, Event Management
• Unicenter Options
• ITRM covered separately

Page 3

Objectives

• How Unicenter is deployed through a firewall will vary from site to site
• The architecture is highly dependent on:
  • the level of risk accepted
  • the rules dictated by the firewall administration
  • the rules governing blocking and unblocking of ports
• This presentation walks through different scenarios; the scenarios selected cover most of the requirements dictated by different security administrations

Page 4

Firewall Requirements

• Considerations for the firewall:
  • Reduce the number of ports to be unblocked
  • Minimize port contention
  • Block UDP ports
  • Minimize the number of hosts that require ports to be unblocked
  • Block traffic initiated from outside the firewall

Page 5

Need for Firewalls

• Exponential growth in cyber crime
• Hackers, cyber criminals, e-terrorists
• Problems caused by recent denial of service attacks have highlighted the need for a resilient and secure DMZ environment
• Secure Internet environments require firewalls

Page 6

DoS

• Any software deployed in a DMZ requires protection against malicious access or denial of service attacks. This requires a review of security solutions to prevent these attacks, which is out of scope for this presentation

Page 7

What is a Firewall?

• In general terms a firewall stops a fire from spreading
• An Internet firewall acts more like a moat, preventing dangers from the Internet spreading to your internal network
• It serves multiple purposes:
  • It restricts people to entering at a carefully controlled point
  • It prevents attackers from getting close to other defenses
  • It restricts people to leaving at a carefully controlled point
• The firewall typically sees all data flowing into or out of your network and so has the opportunity to ensure the traffic is acceptable

Page 8

What can't a Firewall do?

• Firewalls are not invulnerable
• It does not protect against people already inside
• It does not protect against connections which do not go through it
• It cannot protect against unknown 'new' threats
• It cannot provide complete protection against viruses
• Even the best defenses may be breached
• It works best if combined with other internal defenses (e.g. TNG Security, SSO etc.)
• Considerably expensive (time and effort)
• Can cause considerable annoyance to authorized users

Page 9

What can a Firewall do?

• A firewall is a focus for security decisions
  • a single checkpoint for all access allows you to concentrate security measures at this point
  • more efficient than spreading security measures throughout the organization
  • secure (possibly more expensive) software and hardware at a single point will reduce overall costs
• A firewall can enforce security policy
  • most services across the Internet are insecure; firewalls can see all access and so can enforce the agreed policies
• A firewall can log Internet activity
  • internal misuse, unsuccessful access attempts, statistics etc.
• A firewall limits your exposure
  • firewalls can be used to reduce the impact of security breaches, and by installing firewalls between departments the security risks can be greatly reduced

Page 10

How do you configure a firewall?

• Firewalls can be configured in many different ways
• A firewall can be viewed as the collection of techniques (i.e. packet filtering, proxy services, physical architecture etc.) which are used to overcome different problems
• The problems the firewall needs to overcome depend on the services which must be supplied, the level of risk which is acceptable and ultimately how much money can be spent
• Firewall architectures:
  • Dual Homed Host Architecture
  • Screened Host Architecture
  • Screened Subnet Architecture
  • Combinations ...

Page 11

Standard Firewall Configuration

Diagram (screened subnet), from the outside in:
• External Network
• Exterior Router
• Perimeter Network (Not Secure): Bastion Host (with firewall software), External Server
• Interior Router
• Interior Network (Secure): NT Server, NT Workstations

Page 12

Testing Environment

Page 13

Typical Client Requirements

1. Minimize ports
2. Restrict the hosts for which ports are opened
3. Only allow initial access from inside the firewall to outside the firewall
4. Allow port access only after another communication has occurred
   – Can be used to work within restriction 3 (the reply path is opened only once the inside-initiated request has been seen)
   – Requires you to know more about how Unicenter works and makes you dependent on those details

Page 14

Standard TNG Operation

• Unicenter will operate out-of-the-box through a firewall
• Details of the actual ports required are available; most of these can be configured, and these ports must be opened through the firewall
• The standard "out-of-the-box" configuration does not aim to minimize the number of ports
• Components can be configured and deployed to minimize the ports used:
  • Browsers can be directed to use a minimum of ports
  • Options can be deployed to minimize the ports used
  • Use TCP/IP for SQL, not the default of named pipes

Page 15

Unicenter Component Placement

• Unicenter components can be placed anywhere
• Where is the firewall and what is it protecting? This is a client issue
• The following examples cover:
  • Agents only outside the firewall
  • Agents and DSM outside the firewall
  • Monitoring through the firewall: Discovery, EM and DSM

Page 16

Component Placement #1 - Agents outside FIREWALL

Diagram: Admin Host (abrowser) and CORE Host (DSM, WV Gateway, Common Services; TCP 1433 SQL to the CORE) inside the firewall; Host A (Common Services, agents) outside.

Flows crossing the firewall:
• UDP 6665 (aws_sadmin requests from the DSM or abrowser to the agent)
• UDP 161 and ICMP ping (discovery and classification)
• UDP 162 - traps from the agent back to the manager

C:\> abrowser -c browser.SysAgtNT -h HostA
C:\> abrowser -c browser.SysAgtNT -h HostA -@ dsmHost

3 ports open, but one is SNMP (UDP 162)

Page 17

Component Placement #2 - Agents & DSM outside FIREWALL

Diagram: Admin Host (abrowser) and CORE Host (Common Services) inside the firewall; DSM, WV Gateway and Host A (Common Services, agents) outside. UDP 161, ICMP ping, UDP 6665 and the UDP 162 traps all stay outside, between the remote DSM and its agents.

Flows crossing the firewall:
• TCP 7774 (orb, abrowser to the remote DSM)
• TCP 1433 (SQL, remote DSM to the CORE)

C:\> abrowser -r -c browser.SysAgtNT -h HostA -@ dsmHost

2 ports open ..... one is SQL

Page 18

Component Placement #3 - Monitoring Through a Firewall - Discovery, EM & DSM

Diagram: Admin Host (abrowser, Enterprise Management) and CORE Host (DSM, WV Gateway, Enterprise Management, Common Services) inside the firewall; Host A (Common Services, EM Agent) outside.

Flows crossing the firewall:
• UDP 161 and ICMP ping (classification)
• Auto-Discovery: ICMP, UDP, Telnet, FTP
• UDP 162 - traps
• TCP 7774 (orb)
• TCP 7001 (CCI, Event Management to the EM Agent)
• TCP 1433 (SQL)
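The three placements above, as an added example that is not code from the presentation or from CA: a small Python audit that models each slide's flows as initiator/responder pairs and reports what a firewall administrator applying the Page 13 requirements (minimize ports, block UDP, inside-initiated only) would object to. The zone labels, flow names and the placement lists are assumptions read off the diagrams, and the "permit ... keep-state" output is a constructed generic rule syntax, not any vendor's.

```python
"""Audit the firewall openings a Unicenter NSM component placement needs.

Added example; it is not code from the original presentation or from CA.
Each flow drawn on the component-placement slides becomes an (initiator,
responder, protocol, port) record, and the audit checks the set against the
"typical client requirements": minimize ports, block UDP, and allow only
traffic initiated from inside the firewall. The zone labels, flow names and
the three placements below are assumptions read off the slide diagrams.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

INSIDE, DMZ = "inside", "dmz"


@dataclass(frozen=True)
class Flow:
    name: str            # what the slide calls the traffic
    src_zone: str        # zone of the host that opens the conversation
    dst_zone: str        # zone of the host that answers
    proto: str           # "tcp", "udp" or "icmp"
    port: Optional[int]  # destination port; None for ICMP


def crossing(flows: Iterable[Flow]) -> list:
    """Only conversations whose two ends sit in different zones need a firewall rule."""
    return [f for f in flows if f.src_zone != f.dst_zone]


def openings(flows: Iterable[Flow]) -> list:
    """Distinct (proto, port) pairs to unblock; the slides count these as 'ports open'.
    ICMP has no port and is reported separately by audit()."""
    return sorted({(f.proto, f.port) for f in crossing(flows) if f.port is not None})


def audit(flows: Iterable[Flow]) -> dict:
    """Summarize what the firewall administrator will object to."""
    cross = crossing(flows)
    return {
        "ports_open": len(openings(flows)),
        "icmp": any(f.proto == "icmp" for f in cross),
        "udp": sorted({f.port for f in cross if f.proto == "udp"}),
        # Anything the DMZ side initiates breaks requirement 3 (inside-initiated only)
        "dmz_initiated": sorted(f"{f.proto}/{f.port}" for f in cross if f.src_zone == DMZ),
    }


def rules(flows: Iterable[Flow]) -> list:
    """Render stateful permit lines (a constructed generic syntax, not any vendor's).
    Replies ride the state entry, so the ephemeral/source-port side needs no rule
    of its own; that is what 'allow port access only after another communication
    has occurred' buys you."""
    lines = []
    for f in crossing(flows):
        svc = f.proto if f.port is None else f"{f.proto}/{f.port}"
        lines.append(f"permit {svc} from {f.src_zone} to {f.dst_zone} keep-state  # {f.name}")
    return lines


# Placement #1: agents outside, DSM and CORE inside (Page 16)
PLACEMENT_1_AGENTS_OUTSIDE = [
    Flow("aws_sadmin agent requests", INSIDE, DMZ, "udp", 6665),
    Flow("SNMP classification", INSIDE, DMZ, "udp", 161),
    Flow("discovery ping", INSIDE, DMZ, "icmp", None),
    Flow("SNMP traps", DMZ, INSIDE, "udp", 162),
    Flow("DSM to CORE (SQL)", INSIDE, INSIDE, "tcp", 1433),
]

# Placement #2: agents and remote DSM outside, CORE inside (Page 17)
PLACEMENT_2_DSM_OUTSIDE = [
    Flow("abrowser -r to remote DSM orb", INSIDE, DMZ, "tcp", 7774),
    Flow("remote DSM and aws_wvgate to CORE (SQL)", DMZ, INSIDE, "tcp", 1433),
    Flow("aws_sadmin agent requests", DMZ, DMZ, "udp", 6665),
    Flow("SNMP classification", DMZ, DMZ, "udp", 161),
    Flow("SNMP traps", DMZ, DMZ, "udp", 162),
]

# Scenario #3 variant: as placement #2, but the CORE is reached through wvdbt over the orb
SCENARIO_3_WVDBT = [
    f if f.port != 1433 else Flow("remote DSM and aws_wvgate to CORE via wvdbt", DMZ, INSIDE, "tcp", 7774)
    for f in PLACEMENT_2_DSM_OUTSIDE
]

if __name__ == "__main__":
    for label, flows in [("placement 1", PLACEMENT_1_AGENTS_OUTSIDE),
                         ("placement 2", PLACEMENT_2_DSM_OUTSIDE),
                         ("scenario 3", SCENARIO_3_WVDBT)]:
        print(label, audit(flows))
        for line in rules(flows):
            print("   ", line)
```

The audit makes the trade-off between the placements explicit: moving the DSM outside removes every UDP rule but leaves one DMZ-initiated TCP flow (SQL, or the orb when wvdbt is used), which is exactly the exception the single-directional scenario later has to negotiate.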

Page 19

World View Discovery

Page 20

WV Discovery

• Discovery considerations:
  • Initiate discovery from inside the firewall
  • Initiate discovery from outside the firewall, but with the CORE inside the firewall
  • Temporarily unblock ports for AutoDiscovery
  • NAT implications

Page 21

WV Discovery - Initiated within Firewall

Diagram: dscvrbe -r .. run from inside the firewall against the CORE

Page 22

WV Discovery - Initiated within Firewall

• Ping sweep

Page 23

WV Discovery - Ping Sweep

• Discovery initiated within the firewall
• Ping sweep

Page 24

WV Discovery - Classification

• SNMP (UDP 161) is required for classification

Page 25

WV Discovery - Classification

• Additional ports may be required if "Check Additional Ports" is selected

Page 26

WV Discovery - Unicenter NSM

Page 27

WV Discovery - Initiated Outside Firewall

Diagram: dscvrbe -r .. run outside the firewall; the only flow through the firewall is SQL (TCP 1433) back to the CORE, and no UDP passes through the firewall

Page 28

WV Discovery - Limited Unblocking

• During the auto-discovery process objects are classified using SNMP, therefore the SNMP port should be opened
• Once auto-discovery is complete the port can be closed again
• It is also possible to run discovery outside the firewall and then move the data inside the firewall via trix; this is not best practice and the customization is "more difficult than is apparent"

Page 29

Destination PORT Customization

Page 30

aws_orb Port Selection

• aws_orb binds to TCP 7774 for release 2.4 and above, and to 7770 for release 2.1

Page 31

aws_orb 2.1 System

• If 7774 is blocked, the connection is retried on 7770 in case the managed host is a 2.1 system (this is why a blocked orb shows up in the firewall log as denials on both 7774 and 7770, as on Page 88)

Page 32

orb to orb Connectivity

• Update quick.cfg to select the orb port: tng\services\config\aws_orb\quick.cfg
• Defaults to 7774
• No customization is available for the FROM (source) port; the first available TCP source port is selected

Page 33

Orb and Named Pipes

• By default the orb uses named pipes

Page 34

Named pipes

• To remove named pipe usage, comment out the line: plugin awm_qikpipe_dll aws_orb22

Page 35

orb to orb Connectivity

• abrowser -@ <remotedsm> -r -c browser.SysAgtNT -h DAWYA01 -s admin
• Connects to the remote orb

Page 36

orb to orb Connectivity

• Orb to orb introduces a heartbeat
• The heartbeat can be disabled if required
• Its frequency can be changed if required

Page 37

aws_sadmin Port Selection

Diagram: CORE (aws_dsm, aws_snmp) on one side of the firewall, managed host (aws_sadmin) on the other
• The manager issues SNMP requests to the managed host; aws_sadmin binds to UDP 6665 by default and can be configured to use a different port
• Traps from managed hosts default to port 162

Page 38

aws_sadmin Port Configuration

• Configure the port that aws_sadmin binds to for incoming SNMP requests
• Defaults to 6665
• To change the default port, update aws_sadmin.cfg and add the line

SNMP_PORT xxxx

where xxxx is the port aws_sadmin binds to

Page 39

aws_sadmin Port Configuration

Page 40

aws_sadmin.cfg

• If aws_sadmin is changed to bind to a different port, ensure the pollset reflects the correct port

Page 41

pollset

• The pollset port must match the aws_sadmin.cfg port

Page 42

abrowser

• If the aws_sadmin port is changed, Agent View needs to be customized to use the correct port

Page 43

From PORT Customization

Page 44

aws_snmp From Port Selection

• The SNMP gateway (aws_snmp) sends its request to port 6665 from a random (ephemeral) source port
• The agent then responds back to that random source port
• If a random source port is not acceptable to the firewall, customize aws_snmp.cfg
• Specify the from (source) port for aws_snmp; consider a range, to avoid port contention

Page 45

aws_snmp From Port Selection

%AgentWorks_Dir%\services\config\aws_snmp\aws_snmp.cfg

• aws_snmp defaults to a random source port

Page 46

aws_snmp From Port Selection

aws_snmp customized to use ports 8001-8002

Page 47

aws_snmp From Port Selection

• aws_snmp sends its request over UDP 6665
• The agent responds back on 8001

Page 48

Agentview (abrowser) From Port Selection

• Agentview sends its request to port 6665 from a random source port
• The agent then responds back to that random source port
• If a random source port is not acceptable, customize aws_snmp.cfg
• Specify the from (source) port for abrowser; consider a range, to avoid port contention

Page 49

abrowser From Port Selection

abrowser customized to use ports 8011-8020

Page 50

AgentView (abrowser) From Port Selection

• abrowser -c browser.SysAgtNT -h <agenthost> -s admin
• abrowser sends its request over UDP port 6665
• The agent responds back on 8011

Page 51

aws_sadmin From Port Selection

aws_sadmin from port set to port 8000

For aws_sadmin (SNMP Administrator) you specify a single "from" port, which is used when aws_sadmin sends traps to a manager

Page 52

DSM Routing

Page 53

DSM Routing -r

• abrowser sends its request on TCP port 7774 to the remote DSM on the managed system
• The remote DSM talks to the agent on UDP port 6665 (configurable in aws_sadmin.cfg)
• The agent replies back to the remote DSM on UDP port 8001 (configurable in aws_snmp.cfg):

SNMP_PORTS aws_sadmin 8000
SNMP_PORTS aws_snmp 8001-8002
SNMP_PORTS mibbrowse 8003-8010
SNMP_PORTS abrowser 8011-8020
SNMP_PORTS utilities 8021-8030

• The remote DSM on the managed system replies back to abrowser via TCP port 7774
• The customer only has to open TCP port 7774 (a Unicenter 3.0 fix is needed so that port 9990 is not also required)
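An added example, not code from the presentation or from CA, that parses the SNMP_PORTS layout shown above together with the aws_sadmin.cfg SNMP_PORT line from Page 38 and checks for the two mistakes the From Port slides warn about: overlapping source-port ranges (port contention) and a pollset still polling the old aws_sadmin port. The two config texts are constructed samples in the syntax the slides show; the pollset port is passed in as a plain number because the pollset file format is not shown on the page; the emitted reply rule uses a constructed generic syntax.

```python
"""Validate the from-port layout in aws_snmp.cfg against aws_sadmin.cfg and the pollset.

Added example; it is not code from the original presentation or from CA. The
SNMP_PORTS lines follow the DSM Routing slide and SNMP_PORT follows the
aws_sadmin.cfg syntax on Page 38. Both texts below are constructed samples.
"""
import re

AWS_SNMP_CFG = """\
# aws_snmp.cfg (constructed sample)
SNMP_PORTS aws_sadmin 8000
SNMP_PORTS aws_snmp 8001-8002
SNMP_PORTS mibbrowse 8003-8010
SNMP_PORTS abrowser 8011-8020
SNMP_PORTS utilities 8021-8030
"""

AWS_SADMIN_CFG = """\
# aws_sadmin.cfg (constructed sample): agent moved off the default 6665
SNMP_PORT 6670
"""

DEFAULT_SADMIN_PORT = 6665
_PORTS_RE = re.compile(r"^\s*SNMP_PORTS\s+(\S+)\s+(\d+)(?:-(\d+))?\s*$")
_PORT_RE = re.compile(r"^\s*SNMP_PORT\s+(\d+)\s*$")


def parse_snmp_ports(text):
    """Return {component: (low, high)} from SNMP_PORTS lines; a single port is (p, p)."""
    ranges = {}
    for line in text.splitlines():
        m = _PORTS_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        low = int(m.group(2))
        high = int(m.group(3) or low)
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"bad range for {m.group(1)}: {low}-{high}")
        ranges[m.group(1)] = (low, high)
    return ranges


def sadmin_port(text):
    """Port aws_sadmin binds to: the SNMP_PORT line if present, otherwise the default."""
    for line in text.splitlines():
        m = _PORT_RE.match(line.split("#", 1)[0])
        if m:
            return int(m.group(1))
    return DEFAULT_SADMIN_PORT


def overlaps(ranges):
    """Pairs of components whose source-port ranges collide (port contention).
    Sweep the ranges in ascending order and remember the highest port seen so far."""
    bad, top_name, top_hi = [], None, 0
    for name, (lo, hi) in sorted(ranges.items(), key=lambda kv: kv[1]):
        if top_name is not None and lo <= top_hi:
            bad.append((top_name, name))
        if hi > top_hi:
            top_name, top_hi = name, hi
    return bad


def check(snmp_cfg, sadmin_cfg, pollset_port):
    """Findings to clear before a firewall change request for these ports is filed."""
    ranges = parse_snmp_ports(snmp_cfg)
    dest = sadmin_port(sadmin_cfg)
    findings = [f"contention: {a} and {b} share source ports" for a, b in overlaps(ranges)]
    if pollset_port != dest:
        findings.append(f"pollset polls {pollset_port} but aws_sadmin binds {dest}")
    return {"destination_port": dest, "ranges": ranges, "findings": findings}


def reply_rule(ranges, component, dest_port):
    """Firewall rule for the agent's reply where no stateful tracking is available
    (constructed generic syntax): agent -> manager, from the agent port to the fixed range."""
    lo, hi = ranges[component]
    return f"permit udp from agent port {dest_port} to manager ports {lo}-{hi}  # {component} replies"


if __name__ == "__main__":
    result = check(AWS_SNMP_CFG, AWS_SADMIN_CFG, pollset_port=6665)
    print(result["findings"] or "no findings")
    print(reply_rule(result["ranges"], "aws_snmp", result["destination_port"]))
```

Running the block as-is reproduces the failure mode from Pages 40 and 41: aws_sadmin has been moved to 6670 but the pollset still says 6665, so the check reports the mismatch before anyone blames the firewall.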

Page 54

Agentview without DSM Routing

Diagram: Worldview / EM host (Obrowser, Abrowser, DSM, CORE) inside the firewall; managed systems (DSM, OS agents, orb on 7774) outside. abrowser sends UDP to port 6665 on the managed host, binding to the first available source port; the agent responds back to that source port.

Page 55

AgentView without DSM Routing

• UDP call from the abrowser machine directly to the managed host

Page 56

Agentview with DSM Routing

Diagram: Worldview / EM host (Obrowser, Abrowser, DSM, CORE) inside the firewall; managed systems (DSM, OS agents) outside. abrowser talks TCP 7774 to the remote DSM's orb; the remote DSM then sends UDP 6665 to the agent locally, binding to the first available source port, and the agent responds back to that source port.

Page 57

Nodeview / Agentview syntax for Remote DSM

abrowser -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public

abrowser -r -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public

-r selects DSM routing, e.g.

abrowser -r -@ RMTDSM -c browser.SysAgtNT -h ukslsag02 -s admin

where RMTDSM is the remote DSM, ukslsag02 is an agent managed by RMTDSM, and abrowser is issued from dawya01, which is inside the firewall

nodeview -@ Outside_DSM_host -target agenthost@dsmhost

Page 58

AgentView Menus

Update the policy to default to -r for DSM routing

Page 59

ViewAgent WorldView Menu

Add -r for DSM routing

Page 60

Architecture Reviews

Page 61

Scenario #1

The client has a requirement to deploy agent technology in a DMZ environment but wishes to customize the port numbers that are to be unblocked.

Page 62

Scenario #1 Solution

• Customize the ports by updating:
  • %agentworks_dir%\services\config\aws_snmp\aws_snmp.cfg
  • %agentworks_dir%\services\config\aws_sadmin\aws_sadmin.cfg
  • %agentworks_dir%\services\config\aws_orb\aws_orb.cfg (the orb listening port itself is selected in quick.cfg in the same directory, as on Page 32)

Page 63

Scenario #2

The client has a requirement to deploy agent technology in a DMZ environment but has concerns about opening UDP ports.

How can Agent Technology be deployed in a DMZ environment without the requirement to unblock UDP ports?

Page 64

Standard Deployment

• What are the UDP issues with the standard deployment?
• The DSM discovers agents by sending UDP requests to the SNMP port or port 6665
• Agents send their alerts (traps) over UDP
• Agentview (abrowser) sends its request to port 6665 from the pre-selected UDP source ports; the agent then responds back to that source port

Page 65

Standard Deployment

• Agents send traps over UDP port 162
• Requires 162 to be unblocked

Page 66

Standard Deployment

SNMP Trap

Page 67

Standard Deployment - AgentView

• abrowser -c browser.SysAgtNT -h <agenthost> -s admin
• Destination UDP port = 6665
• Source port = 8011

Page 68

Solution

• Set up a remote DSM to control the DMZ agents and funnel all of their UDP traffic through the DSM via TCP port 7774
• Devices in the DMZ are managed by the remote DSM
• Agents send their SNMP traps to the remote DSM
• All UDP traffic stays within the DMZ environment
• aws_dsm and aws_wvgate require access to the CORE, thus the SQL port must also be opened
• Benefits: 1 TCP port + the SQL port

Page 69

Solution #2

Diagram: Admin Host (abrowser) and CORE Host (Common Services) inside the firewall; DSM, WV Gateway and Host A (Common Services, agents) outside. UDP 161, ICMP ping and the UDP 162 traps stay outside, between the remote DSM and its agents.

Flows crossing the firewall:
• TCP 7774 (abrowser to the remote DSM)
• TCP 1433 (SQL, remote DSM and WV Gateway to the CORE)

C:\> abrowser -@ dsmHost -r -c browser.SysAgtNT -h HostA

2 ports open ..... one is SQL

Page 70

Diagram: Worldview / EM host (Obrowser, Abrowser, DSM) and the CORE on Server A inside the firewall; the remote DSM on Server B and the managed systems inside the DMZ.

• The remote DSM needs access to the CORE
• Running a remote aws_wvgate does not eliminate the need for the SQL port; the DSM still requires access to the CORE

Page 71

Scenario #3

The client has a requirement to deploy agent technology and a DSM outside the firewall but wants to use a central CORE which resides inside the firewall. The firewall administration has concerns about SQL intrusion and will not open the SQL port. How can aws_wvgate be configured to use a central CORE without opening the SQL port?

Page 72

Solution #3

• Install wvdbt where the CORE resides
• The remote aws_dsm accesses the CORE via the orb (port 7774)
• aws_wvgate accesses the CORE via the orb
• Check the "inform remote" option to optimize the heartbeat
• Benefit: no requirement to open the SQL port

Page 73

Diagram: two NT hosts, one either side of the firewall. Outside: aws_orb, aws_store, aws_snmp, aws_dsm, aws_wvgate. Inside: aws_orb, wvdbt and the Common Object Repository. The only flow through the firewall is TCP 7774.

Note: Multiple DSMs can connect to the same remote wvdbt instance running against a single CORE. aws_dsm uses wvplugin, which may take about 8 RCBs on the CORE server; this restricts the total to an approximate maximum of about 120 remote DSM connections.

Page 74

Scenario #4

The client is using DSM routing but does not wish to open port 7774 for all hosts that need to issue abrowser requests. How can this be minimized?

Page 75

Requirements

• Restrict 7774 so that it is unblocked just for the local DSM
• Pointing abrowser directly at the remote DSM requires 7774 to be opened for every host that issues abrowser requests

Page 76

Agentview - Remote DSM orb

Diagram: CORE, local DSM and the admin host (Obrowser, Abrowser) inside the firewall; the remote DSM (orb on 7774) and managed systems (OS agents, UDP 6665) outside. The remote DSM binds to the first available source port and the agent responds back on it.

abrowser -@ DAWYA01S -r -c browser.SysAgtNT -h RGT40.ca.com -s admin

7774 has to be opened for all hosts that issue abrowser (here the admin host; DAWYA01S is the remote DSM, EWB_NTS_03 the local DSM and RGT40 the managed agent host).

Page 77

Agentview from adminhost

Page 78

Windows Terminal Server - Streamline Requests from Terminal Server

Diagram: CORE, local DSM and a Windows Terminal Server (obrowser, Abrowser) inside the firewall; Terminal Clients connect to the terminal server; the remote DSM (orb 7774) and managed systems (UDP 6665) outside. The abrowser request goes from the terminal server to the local DSM's orb on 7774 and on to the remote DSM's orb on 7774.

abrowser -@ EWB_NTS_03 -r -c browser.SysAgtNT -h RGT40.ca.com@DAWYA01S -s admin

7774 has to be unblocked only for the local DSM and the Windows Terminal Server.

Page 79

Scenario #5

How do you walk through the firewall for a typical FM site? What are the considerations?

Page 80

Scenario #5

Diagram: Client site (CORE, behind the Client Firewall); DMZ site (Router, NAT, DSM, Windows Terminal Server, behind the FM Firewall); Service Center (CORE, Terminal Client). Critical objects are bridged from the client site CORE.

Page 81

Scenario #5

• A Windows Terminal Server eliminates the need to open visualization / browser ports for many hosts
• Nodeview / Agent View / 2D Maps are all accessed via the Terminal Server
• Requires the Terminal Services Client port, 3389, to be opened
• Critical objects are bridged from the client site to the DMZ environment

Page 82

Scenario #5

• Critical events are forwarded from the client site to the FM site; this requires the CCI port to be unblocked
• The Event Console is launched via the Terminal Services Client

Page 83

Scenario #5

• To avoid NAT issues, run WorldView discovery from the client site
• This will record the pre-NAT address and avoids a conflict with gwipflt.dat
• Use the name melding option to distinguish bridged objects

Page 84

Scenario #6

The firewall administrator insists on single-directional unblocking of ports: all outbound ports are open but all inbound ports are blocked. All network requests must be initiated from within the firewall zone; no network traffic may be initiated from the DMZ zone. How can this be accomplished?

Page 85

Single Directional Unblocking

Diagram: CORE and private DSM inside the firewall, DMZ DSM outside. The SQL port must be bi-directional, because the DMZ DSM initiates the SQL connection to the CORE.

Page 86

Single Directional Unblocking - Firewall Rules

Unblock SQL bi-directionally

Page 87

Obrowser / Abrowser - Private to DMZ zone

• Nodeview / Agentview work fine if initiated from inside the firewall

Page 88

Obrowser / Abrowser - DMZ to Private zone

• Nodeview / AgentView requests are denied if initiated from the DMZ zone
• 7774 and 7770 denied (the orb retries 7770 when 7774 is blocked, as on Page 31)

Page 89

Single Directional Unblocking

• If unblocking the SQL port is not accepted, review the "Bridge Through Firewall" presentation

Page 90

Scenario #7

The client wishes to minimize the number of ports to be unblocked to one. How can the VPN tunneling feature be used to accomplish this?

Page 91

VPN Tunnelling

• The main concept is to tunnel all DMZ requests via a VPN tunnel

Page 92

Scenario #7 - Working with VPN

Diagram: Unicenter Server inside the firewall; DMZ Server and Host A (Common Services) outside. DMZ server traffic is routed via the VPN tunnel: encrypted across the firewall on a single port (Port xxx), unencrypted on either side of the tunnel endpoints.

Page 93

Scenario #8

We wish to deploy a Windows Terminal Server outside the firewall and connect to it via the Terminal Services Client from inside the firewall, to reduce the number of different ports to be opened for visualization. How can we configure this?

Page 94

Scenario #8 - wvdbt

• The remote DSM and remote aws_wvgate connect to the central CORE using wvdbt
• Agent Views and NodeViews are issued from the Terminal Services Client
• TS Client traffic is encrypted and requires 3389 to be unblocked for all TS Clients
• wvdbt requires an orb connection and thus port 7774 to be opened for the server where the CORE resides

Page 95

Scenario #8 - wvdbt

Diagram: Terminal Services Client and the CORE (wvdbt, Central DSM) inside the firewall; WTS (abrowser, NodeView and Event Console issued via WTS), remote DSM and Host A (Common Services, 6665/7774) outside.

Flows crossing the firewall:
• TCP 3389 (Terminal Services Client to the WTS, encrypted)
• TCP 7774 (remote DSM accesses the CORE via wvdbt; to be opened for the Central DSM only)

2 ports open; the remote DSM accesses the CORE via wvdbt

Page 96

Encrypted Traffic - TS Client Port 3389

Encrypted traffic

Page 97

Scenario #8 - SQL

• The remote DSM and remote aws_wvgate connect to the central CORE using SQL
• Agent View and NodeView are issued from the Terminal Services Client
• TS Client traffic is encrypted and requires 3389 to be unblocked for all TS Clients
• SQL port 1433 needs to be unblocked for the remote DSM server

Page 98

Scenario #8 - SQL

Diagram: Windows Terminal Services Client and the CORE / Central DSM inside the firewall; WTS (abrowser and NodeView issued via WTS), DSM, WV Gateway and Host A (Common Services) outside. UDP 161, ICMP ping and the UDP 162 traps stay outside.

Flows crossing the firewall:
• TCP 3389 (Terminal Services Client to the WTS)
• TCP 1433 (SQL; to be opened for just the Central DSM)

2 ports open ..... SQL to be opened for just the Central DSM

Page 99

Solution #8 - TS Client Denials

The TS Client port 3389 must be unblocked

Page 100

Scenario #8 - Local Catalog

• The global catalog resides outside the firewall
• No CAM port is required unless a namespace inside the firewall is selected

Page 101

Solution #8 - Local Catalog

Diagram: TS Clients inside the firewall connect on 3389 to the WTS outside, which holds the Global Catalog and runs the Event Console, Agent View and qbrowser; DSM, WV Gateway and Host A (Common Services) are also outside.

Page 102

Scenario #8 - Global Catalog

• The Global Catalog resides inside the firewall
• When UE is launched from the WTS it syncs the catalog and requires the CAM port to be unblocked
• TNDREPUPLISH pings the Global Catalog server and may require ICMP to be opened
• CAM should be configured to connect via the TCP port

Page 103

Solution #8 - Global Catalog

Diagram: TS Clients and the CORE with the Global Catalog inside the firewall; WTS with a Local Catalog (Event Console, Agent View, qbrowser), DSM, WV Gateway and Host A (Common Services) outside. Flows through the firewall: 3389 (TS Clients to the WTS) and CAM 4105 (WTS to the Global Catalog).

Page 104

CAM Denial - UDP Port

CAM not configured to use TCP

Page 105

Solution #8 - cam.cfg

\TND\CA_APPSW\framework\cam.cfg

This forces the specified server to use the TCP port and not the default UDP

Page 106: Making Unicenter talk through a Firewall

Unicenter Architecture

Class

106

Scenario 8#Namespace inside Firewall

• Access to nodeview, agentview inside Firewall is required; Launched from UE

• Requires TCP 7774 orb port to be unblocked

• Requires UDP 6665 port to be unblocked for host inside firewall

Page 107: Making Unicenter talk through a Firewall

Unicenter Architecture

Class

107

Firewall

Solution #8 NameSpace inside Firewall

CORE

WTS LocalCatalog

DSMWV

Gateway

Common ServicesHost A

Common Services

Event Console, Agent View, qbrowser

CORE

GlobalCatalog4105

DSMWV

Gateway

Common Services

Host A

Common Services

6665

7774TS Clients

Page 108: Making Unicenter talk through a Firewall

Node View from UE

Requires orb port 7774

Page 109: Making Unicenter talk through a Firewall

Node View from UE

Requires orb port 7774

Page 110: Making Unicenter talk through a Firewall

Unblock Orb 7774

Page 111: Making Unicenter talk through a Firewall

Node View from UE, 7774 Unblocked

Page 112: Making Unicenter talk through a Firewall

Agent View from UE

Page 113: Making Unicenter talk through a Firewall

Agent View from UE

Agent Technology Service Control Port required. No DSM Routing

Page 114: Making Unicenter talk through a Firewall

Agent View from UE

UDP port to be opened

Page 115: Making Unicenter talk through a Firewall

Scenario #8 2dMap inside Firewall

• 2dMap launched from UE accesses the CORE inside the firewall

• The WV Plugin requires the CAM port to be unblocked

• No SQL port is required for 2dMap accessed via the WV Plugin

Page 116: Making Unicenter talk through a Firewall

[Diagram: Solution #8 2dMap inside Firewall. Labels: Firewall; TS Clients; CORE, WTS Local Catalog; CORE Global Catalog, 4105; 4105; CORE local Catalog; wvplugin; SQL Port Not Required (shown twice).]

Page 117: Making Unicenter talk through a Firewall

Architecture Reviews Recap

• Customize from-ports by updating aws_snmp.cfg

• If UDP traffic is to be blocked, install a remote DSM outside the firewall

• If the SQL port is to be blocked, then review the wvdbt implementation

• If bi-directional blocking is not accepted, then review Scenario #5

• If encryption with a minimal number of unblocked ports is required, then review Scenario #7

Page 118: Making Unicenter talk through a Firewall

Scenario #9

Our firewall administrator wishes to change the orb port to 8774 for the DMZ server. The orb port for other hosts will remain the default port 7774.

Is this possible?

Page 119: Making Unicenter talk through a Firewall

Multiple Orb Binds

• To support the TNG 2.1 release, the orb permits binding to multiple ports, 7774 and 7770.

• If it is unable to bind the first port, it then binds to the other port(s) specified.

• Do not use this option unless there is a show-stopper requirement: the feature was not intended to be used in this way, although it works.

Page 120: Making Unicenter talk through a Firewall

[Diagram: Solution #8 Multiple Orb Ports. Labels: Firewall; CORE Central Server, Aws_orb; CORE Aws_orb 8774; Managed Systems each running Aws_orb, 7774.]

Page 121: Making Unicenter talk through a Firewall

Multiple Orb Ports

The first PLUGIN statement must be the one for the widely used port. If the orb cannot bind the first port specified, it then attempts to bind to the second port.
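The fallback described on the two Multiple Orb slides above (try the first listed port, move on to the next only if that bind fails) is easy to reproduce with plain sockets. The block below is an added example, not code from the deck or from aws_orb: it occupies a port, then shows a second listener silently falling through to the alternate port. All port numbers are chosen at run time on the loopback interface, so nothing here assumes 7774 or 8774 is free. The defender's takeaway is that a firewall rule written only for the first PLUGIN port does not cover an orb instance that fell through to the second, which is why the deck calls this a show-stopper-only option.

```python
import socket
from typing import Dict, Sequence, Tuple


def bind_first_available(ports: Sequence[int], host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind the first candidate port that is free, in the order given.

    This mirrors the deck's description of multiple PLUGIN statements: the
    widely used port is listed first, and only when that bind fails is the
    next candidate tried. Raises OSError if no candidate can be bound.
    """
    last_error = None
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((host, port))
            sock.listen(1)
            return sock, sock.getsockname()[1]
        except OSError as exc:      # EADDRINUSE or similar: fall through
            last_error = exc
            sock.close()
    raise OSError(f"none of {list(ports)} could be bound: {last_error}")


def free_port(host: str = "127.0.0.1", avoid: Sequence[int] = ()) -> int:
    """Ask the OS for an unused ephemeral port (constructed test helper)."""
    while True:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((host, 0))
            port = s.getsockname()[1]
        if port not in avoid:
            return port


def demo_fallback() -> Dict[str, int]:
    """Occupy the preferred port, then watch a second bind fall through.

    Returns the preferred port, the alternate port, and the port actually
    bound; with the preferred port held, the bound port is the alternate.
    """
    preferred = free_port()
    alternate = free_port(avoid=(preferred,))
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    blocker.bind(("127.0.0.1", preferred))
    blocker.listen(1)
    try:
        sock, bound = bind_first_available([preferred, alternate])
        sock.close()
    finally:
        blocker.close()
    return {"preferred": preferred, "alternate": alternate, "bound": bound}


if __name__ == "__main__":
    print(demo_fallback())
```

Because the fallback is silent, an audit of a host using multiple PLUGIN ports should check which port the orb actually holds (for example with a listening-socket listing) rather than trusting the first statement, and the firewall rule set should then name every port in the list.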

Page 122: Making Unicenter talk through a Firewall


CAM/CAFT

Page 123: Making Unicenter talk through a Firewall

Cam/caft

• Default port assignments

• cam.cfg

udp_port = number
tcp_port = number
cas_port = number
spx_port = number

Page 124: Making Unicenter talk through a Firewall

Cam/caft

• On startup, checks etc/services for camudp and camtcp

• If not found, defaults to 4104 (UDP) and 4105 (TCP)

• Then checks cam.cfg for any override

• cas_port and spx_port are available on certain platforms

• Some APIs do not read the config file, so etc/services should be changed
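The startup order on the slide above (services file, then the 4104/4105 defaults, then cam.cfg overrides) and the warning that some APIs read only etc/services together define a consistency check worth running before a port change. The block below is an added example, not code from the deck or from CAM itself. It resolves the effective ports in the deck's order and then reports any port where cam.cfg disagrees with etc/services, since a component that ignores cam.cfg would be on the services-file port while everything else is on the override. The services-file and cam.cfg fragments are constructed; the cam.cfg line format (`key = value`, with the four keys the deck lists) is taken from the previous slide, and comment handling is an assumption.

```python
import re
from typing import Dict, Tuple

# Defaults the deck gives when etc/services has no camudp/camtcp entry.
DEFAULT_PORTS = {"udp_port": 4104, "tcp_port": 4105}

# etc/services names the deck says CAM looks for, mapped to cam.cfg keys.
SERVICE_NAMES = {"camudp": "udp_port", "camtcp": "tcp_port"}


def parse_services(text: str) -> Dict[str, int]:
    """Pick camudp/camtcp out of /etc/services-style text ("name port/proto")."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        name, portproto = parts[0], parts[1]
        m = re.fullmatch(r"(\d+)/(tcp|udp)", portproto)
        if name in SERVICE_NAMES and m:
            found[SERVICE_NAMES[name]] = int(m.group(1))
    return found


def parse_cam_cfg(text: str) -> Dict[str, int]:
    """Read the four port keys the deck lists; '#' comments are an assumption."""
    overrides = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"(udp_port|tcp_port|cas_port|spx_port)\s*=\s*(\d+)", line)
        if m:
            overrides[m.group(1)] = int(m.group(2))
    return overrides


def resolve_cam_ports(services_text: str, cam_cfg_text: str) -> Dict[str, int]:
    """Apply the deck's startup order: services file, then defaults, then cam.cfg."""
    ports = dict(DEFAULT_PORTS)
    ports.update(parse_services(services_text))
    ports.update(parse_cam_cfg(cam_cfg_text))
    return ports


def services_mismatches(services_text: str, cam_cfg_text: str) -> Dict[str, Tuple[int, int]]:
    """Ports where an API that reads only etc/services would disagree with cam.cfg.

    Returns {key: (services_or_default_port, effective_port)} for each
    differing entry; an empty dict means the two sources agree.
    """
    from_services = dict(DEFAULT_PORTS)
    from_services.update(parse_services(services_text))
    effective = resolve_cam_ports(services_text, cam_cfg_text)
    return {k: (from_services[k], effective[k])
            for k in ("udp_port", "tcp_port") if from_services[k] != effective[k]}


# Constructed sample inputs: the site moved the UDP port in both places but
# changed the TCP port only in cam.cfg.
SAMPLE_SERVICES = """
# constructed excerpt of /etc/services
ftp      21/tcp
camudp   4204/udp
"""

SAMPLE_CAM_CFG = """
# constructed cam.cfg fragment using the keys from the deck
udp_port = 4204
tcp_port = 4205
"""

if __name__ == "__main__":
    print(resolve_cam_ports(SAMPLE_SERVICES, SAMPLE_CAM_CFG))
    print(services_mismatches(SAMPLE_SERVICES, SAMPLE_CAM_CFG))
```

On the constructed input the effective ports are UDP 4204 and TCP 4205, and the check flags tcp_port as (4105, 4205): cam.cfg moved it but etc/services still implies the default, so a component that only reads etc/services would be on a port the firewall change did not cover. The deck's advice follows directly: change etc/services as well, not just cam.cfg.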

Page 125: Making Unicenter talk through a Firewall


CCI

Page 126: Making Unicenter talk through a Firewall

CCI

• Review the “CCI through Firewall” presentation for detailed information

Page 127: Making Unicenter talk through a Firewall


Event Management

Page 128: Making Unicenter talk through a Firewall

Event Agent

• Can be customized to use DSB without the need for a SQL database

• Agent Technology provides a function to send messages to remote Event Management

• This eliminates the need for Event Management to be running

• Not best practice, as it limits a lot of functionality

Page 129: Making Unicenter talk through a Firewall

DSM to Remote Event Management

• Update aws_nsm.cfg

• DSM messages are sent to the remote host via the orb

Page 130: Making Unicenter talk through a Firewall


Options

Page 131: Making Unicenter talk through a Firewall

Anti Virus Option - AVO

[Diagram: Virus Signature Downloads. Labels: AVO Signature Download; Ethernet; Workstation AVO Client; PC AVO Client; Firewall; NBSESSION / NBDATAGRAM; Workstation AVO Domain Server; NT Workstation AVO Master Download Server; Encryption; CA Web Site; FTP.]

Page 132: Making Unicenter talk through a Firewall

Advanced Storage Option - ASO

[Diagram: Unicenter TNG / ASO Manager; Unicenter TNG / ASO Replicator (NT); Unicenter TNG / ASO Backup Server; Central DB; Mainframe backup; Unicenter TNG / ASO Windows NT Backup Server; ASO Manager; Client Agents NT, Novell, OS/2; Client Agents UNIX; TCP 6050, TCP 6051 (shown twice).]

Page 133: Making Unicenter talk through a Firewall

Summary of Ports by Product

Product | Component | Port Used
Unicenter TNG | WV Tools to CORE | TCP 1433 (SQL)
Unicenter TNG | DSM to CORE | TCP 7774
Unicenter TNG | WV Tools to Agents | UDP 6665
Unicenter TNG | Auto-discovery | ICMP (Ping), UDP 161
Unicenter TNG | Enterprise Management | TCP 7001
Unicenter TNG | Agent to DSM | UDP 162
Remote Control Option | Manager to Agent | TCP 799
Software Delivery Option | Admin GUI to Enterprise Database | TCP 1433 (SQL)
Software Delivery Option | Admin GUI to Local Server | TCP 1433 (SQL)
Software Delivery Option | Enterprise Database to Local Server | DTO (TCP 4101)
Software Delivery Option | Local Server and Agent | Share: UDP 138 (nbsession), TCP 139 (nbdatagram)
Asset Management Option | Admin GUI to AMO Enterprise Database | TCP 1433 (SQL)
Asset Management Option | Engine to AMO Enterprise Database | TCP 1433 (SQL)
Asset Management Option | Sector to Engine | Share or RPC
Asset Management Option | Agent to Client | Share or RPC

Page 134: Making Unicenter talk through a Firewall

Summary of Ports by Product (continued)

Product | Component | Port Used
Advanced Help Desk | Server and Client | TCP 2100
Performance | Manager to Agent | TCP 4101, Share
Anti-Virus Option | Virus Signature Database Host to CA Virus Signature Web Server | TCP 21 (FTP)
Anti-Virus Option | Agent to Virus Signature Machine | FTP (for periodic signature download)
Anti-Virus Option | Agent Alerts to Alert Manager | NetBEUI (over TCP)
Advanced Storage Option | Admin to Backup Manager | TCP 6050, 6051
Advanced Storage Option | Agent (Client) to Backup Manager, NT, Novell, OS/2 | TCP 6050
Advanced Storage Option | Agent (Client) to Backup Manager, Unix | TCP 6051
Advanced Storage Option | Replicator NT | TCP 6060
Advanced Storage Option | Replicator to Backup Manager, NT | TCP 6050
Data Transport Option | Manager and Agent (CAM) | TCP 4104, 4105, 4905
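The two summary tables above list ports per product component, but a firewall administrator works from the other end: which distinct ports a chosen set of products needs, and which of those are UDP, which the deck's Firewall Requirements say to block. The block below is an added example, not code from the deck or from any Unicenter tool. It transcribes the table rows that name a numeric port (ICMP, share/RPC and bare FTP rows are left out because they have no single port to allow), collapses them into a deduplicated allow list per product set, separates the UDP ports so they can be handled the deck's way (a remote DSM outside the firewall), and renders iptables rules that admit only connections the management host initiates, matching the deck's "block traffic initiated from outside firewall" consideration. The manager address and the iptables rendering are assumptions for illustration; the table contents are from the slides.

```python
from collections import namedtuple
from typing import Iterable, List, Tuple

Entry = namedtuple("Entry", "product component proto port")

# Transcribed from the deck's "Summary of Ports by Product" slides (numeric
# port rows only).
PORT_TABLE = [
    Entry("Unicenter TNG", "WV Tools to CORE", "tcp", 1433),
    Entry("Unicenter TNG", "DSM to CORE", "tcp", 7774),
    Entry("Unicenter TNG", "WV Tools to Agents", "udp", 6665),
    Entry("Unicenter TNG", "Auto-discovery", "udp", 161),
    Entry("Unicenter TNG", "Enterprise Management", "tcp", 7001),
    Entry("Unicenter TNG", "Agent to DSM", "udp", 162),
    Entry("Remote Control Option", "Manager to Agent", "tcp", 799),
    Entry("Software Delivery Option", "Admin GUI to Enterprise Database", "tcp", 1433),
    Entry("Software Delivery Option", "Admin GUI to Local Server", "tcp", 1433),
    Entry("Software Delivery Option", "Enterprise Database to Local Server (DTO)", "tcp", 4101),
    Entry("Software Delivery Option", "Local Server and Agent share", "udp", 138),
    Entry("Software Delivery Option", "Local Server and Agent share", "tcp", 139),
    Entry("Asset Management Option", "Admin GUI to AMO Enterprise Database", "tcp", 1433),
    Entry("Asset Management Option", "Engine to AMO Enterprise Database", "tcp", 1433),
    Entry("Advanced Help Desk", "Server and Client", "tcp", 2100),
    Entry("Performance", "Manager to Agent", "tcp", 4101),
    Entry("Anti-Virus Option", "Signature Database Host to CA Web Server", "tcp", 21),
    Entry("Advanced Storage Option", "Admin to Backup Manager", "tcp", 6050),
    Entry("Advanced Storage Option", "Admin to Backup Manager", "tcp", 6051),
    Entry("Advanced Storage Option", "Replicator NT", "tcp", 6060),
    Entry("Data Transport Option", "Manager and Agent (CAM)", "tcp", 4104),
    Entry("Data Transport Option", "Manager and Agent (CAM)", "tcp", 4105),
    Entry("Data Transport Option", "Manager and Agent (CAM)", "tcp", 4905),
]


def allow_list(products: Iterable[str]) -> Tuple[List[int], List[int]]:
    """Collapse the table to the distinct (tcp_ports, udp_ports) the products need.

    UDP ports are returned separately so the caller can apply the deck's
    "Block UDP ports" requirement and place a remote DSM outside the firewall
    instead of opening them.
    """
    wanted = set(products)
    tcp, udp = set(), set()
    for e in PORT_TABLE:
        if e.product in wanted:
            (tcp if e.proto == "tcp" else udp).add(e.port)
    return sorted(tcp), sorted(udp)


def iptables_rules(manager_ip: str, tcp_ports: List[int],
                   udp_ports: List[int], block_udp: bool = True) -> List[str]:
    """Render FORWARD rules for sessions the management host initiates.

    Only NEW TCP connections from manager_ip are accepted, so nothing
    initiated from the far side of the firewall matches; reply traffic is
    expected to be admitted by a separate ESTABLISHED,RELATED rule (assumed).
    UDP rules are emitted only when the site accepts UDP through the firewall.
    """
    rules = [f"-A FORWARD -s {manager_ip} -p tcp --dport {p} "
             f"-m conntrack --ctstate NEW -j ACCEPT" for p in tcp_ports]
    if not block_udp:
        rules += [f"-A FORWARD -s {manager_ip} -p udp --dport {p} -j ACCEPT"
                  for p in udp_ports]
    return rules


if __name__ == "__main__":
    tcp, udp = allow_list(["Unicenter TNG", "Data Transport Option"])
    print("TCP to allow:", tcp)
    print("UDP deferred (deck: remote DSM outside firewall):", udp)
    for rule in iptables_rules("10.0.0.5", tcp, udp):   # constructed manager address
        print(rule)
```

For the core product plus the Data Transport Option the allow list comes down to six TCP ports (1433, 4104, 4105, 4905, 7001, 7774) with three UDP ports (161, 162, 6665) deferred, which is the "reduce the number of ports" and "block UDP" outcome the deck's requirements slide asks for; adding the Software Delivery Option adds only 139 and 4101 on the TCP side because 1433 is already present.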