1
Making Unicenter talk through a Firewall
Unicenter NSM, Revised August 11 2003
Unicenter Architecture
Class
Agenda
• Introduction
• WorldView Discovery
• Destination Port Customization
• From Port Selection
• DSM Routing
• Scenarios
• Different Architecture Reviews
• Enterprise Management
• CAM / CAFT, CCI, Event Management
• Unicenter Options
• ITRM covered separately
Objectives
• Deployment of working through a firewall will vary for different sites
• The architecture will be highly dependent on
  – Level of risk accepted
  – Rules dictated by the firewall administration
  – Rules governing blocking and unblocking of ports
• This presentation walks through different scenarios
• The scenarios selected cover most of the requirements dictated by different security administrations
Firewall Requirements
• Considerations for Firewall
  – Reduce the number of ports to be unblocked
  – Minimize port contention
  – Block UDP ports
  – Minimize the number of hosts that require ports to be unblocked
  – Block traffic initiated from outside the firewall
Need for Firewalls
• Exponential growth in cyber crime
• Hackers, cyber criminals, e-terrorists
• Problems caused by recent denial of service attacks highlighted the need for a resilient and secure DMZ environment
• Secure Internet environments require Firewalls
DoS
• Any software deployed in a DMZ requires protection against malicious access or denial of service attacks. This requires a review of security solutions to prevent these attacks, which is out of scope of this presentation
What is a Firewall?
• In general terms a Firewall stops a fire from spreading
• An internet Firewall acts more like a moat by preventing dangers from the internet spreading to your internal network
• It serves multiple purposes:
  – It restricts people to entering at a carefully controlled point
  – It prevents attackers from getting close to other defenses
  – It restricts people to leaving at a carefully controlled point
• The firewall typically sees all data flowing into or out of your network and so has the opportunity to ensure the traffic is acceptable
What can’t a Firewall do?
• Firewalls are not invulnerable
  – It does not protect against people already inside
  – It does not protect against connections which do not go through it
  – It cannot protect against unknown 'new' threats
  – Cannot provide complete protection against viruses
  – Even the best defenses may be breached
  – It works best if combined with other internal defenses (i.e. TNG Security, SSO etc)
• Considerably expensive (time and effort)
• Can cause considerable annoyance to authorized users
What can a Firewall do?
• A Firewall is a focus for security decisions
  – a single checkpoint for all access - allows you to concentrate security measures at this point
  – more efficient than spreading security measures throughout the organization
  – secure (possibly more expensive) software and hardware at a single point will reduce overall costs
• A Firewall can enforce security policy
  – Most services across the Internet are insecure - firewalls can see all access and so can enforce the agreed policies
• A Firewall can log internet activity
  – misuse internally, attempted unsuccessful accesses, statistics etc
• A Firewall limits your exposure
  – Firewalls can be used to reduce the impact of security breaches, and by installing firewalls between departments the security risks can be greatly reduced
How do you configure a firewall?
• Firewalls can be configured in many different ways
• Firewalls can be viewed as the collection of techniques (i.e. packet filtering, proxy services, physical architecture etc) which are used to overcome different problems
• The problems the firewall needs to overcome are dependent on the services which must be supplied, the level of risk which is acceptable and ultimately how much money can be spent
• Firewall Architectures
  – Dual Homed Host Architecture
  – Screened Host Architecture
  – Screened Subnet Architecture
  – Combinations ...
Standard Firewall Configuration
[Diagram: External Network - Exterior Router - Perimeter Network (Not Secure) containing the Bastion Host (with Firewall software) and an External Server - Interior Router - Interior Network (Secure) containing an NT Server and NT Workstations]
Testing Environment
Typical Client Requirements
1. Minimize ports
2. Restrict hosts for which ports are opened
3. Only allow initial access from within the firewall to outside the firewall
4. Allow port access only after another communication has occurred
   – Can overcome restriction number 3
   – Requires you to know more about how Unicenter works and makes you dependent upon details
Standard TNG Operation
• Unicenter will operate out-of-the-box through a firewall
• Details of the actual ports required are available - most of these can be configured - these ports must be opened through the firewall
• The standard "out-of-the-box" configuration does not aim to minimize the number of ports
• Components can be configured/deployed to minimize ports used
  – Browsers can be directed to use minimum ports
  – Options can be deployed to minimize ports used
  – Use TCP/IP for SQL, not the default of named pipes
Unicenter Component Placement
• Unicenter Components can be placed anywhere
• Where is the firewall and what is it protecting - client issue?
• Following examples
  – Agents only outside firewall
  – Agents and DSM outside Firewall
  – Monitor Through Firewall: Discovery, EM and DSM
Component Placement #1 - Agents outside FIREWALL
[Diagram: Admin Host (ABROWSER, Common Services) and CORE Host (DSM, WV Gateway, Common Services, TCP 1433 SQL) inside the FIREWALL; Host A (Common Services) outside. Crossing the firewall: UDP 6665, UDP 161 and ICMP Ping to Host A; UDP 162 Traps from Host A]
C:\> abrowser -c browser.SysAgtNT -h HostA
C:\> abrowser -c browser.SysAgtNT -h HostA -@ dsmHost
3 Ports Open, but one is SNMP (UDP 162)
Component Placement #2 - Agents & DSM outside FIREWALL
[Diagram: Admin Host (ABROWSER, Common Services) and CORE Host (Common Services) inside the FIREWALL; DSM with WV Gateway and Host A (Common Services) outside. Crossing the firewall: TCP 7774 and TCP 1433 (SQL). On the DSM side: UDP 161 and ICMP Ping to Host A, UDP 162 Traps from Host A]
C:\> abrowser -r -c browser.SysAgtNT -h HostA -@ dsmHost
2 Ports Open, one is SQL
Component Placement #3 - Monitoring Through a Firewall - Discovery, EM & DSM
[Diagram: Admin Host (ABROWSER, Enterprise Management, CCI, Common Services) and CORE Host (DSM, WV Gateway, Enterprise Management, CCI, Common Services, SQL 1433) inside the FIREWALL; Host A (Common Services, EM Agent, CCI) outside. Crossing the firewall: UDP 161 and ICMP Ping, TCP 7774, UDP 162 Traps, TCP 7001 (CCI), Auto-Discovery (ICMP, UDP, Telnet, FTP)]
World View Discovery
WV Discovery
• Discovery Considerations
  – Initiate discovery from inside the firewall
  – Initiate discovery from outside the firewall but with CORE inside the Firewall
  – Temporarily unblock ports for AutoDiscovery
  – NAT implication
WV Discovery - Initiated within Firewall
[Diagram: dscvrbe -r .. run from the CORE inside the firewall]
WV Discovery - Initiated within Firewall
• Ping Sweep
WV Discovery - Ping Sweep
• Discovery initiated within Firewall
• Pingsweep
WV Discovery - Classification
• SNMP (161) Required for Classification
WV Discovery - Classification
• Additional Ports may be required if "Check Additional Ports" is selected
WV Discovery - Unicenter NSM
WV Discovery - Initiated Outside Firewall
[Diagram: dscvrbe -r .. run from a host outside the Firewall, writing to the CORE inside over SQL 1433. No UDP through Firewall]
WV Discovery Limited Unblocking
• During the auto-discovery process objects are classified using SNMP, therefore the SNMP port should be opened
• Once auto-discovery is complete the port can be closed
• It is also possible to run discovery outside the firewall and then move the data inside the firewall via trix - this is not best practice and the customization is "more difficult than is apparent"
Destination PORT Customization
aws_orb Port Selection
aws_orb binds to 7774 for 2.4 and above, 7770 for release 2.1
aws_orb 2.1 System
• If 7774 is blocked, retries the connection with 7770 in case the managed host is a 2.1 system
orb to orb Connectivity
• Update quick.cfg to select the orb port
  – tng\services\config\aws_orb\quick.cfg
  – defaults to 7774
• No customization available for the FROM port
  – Selects the first available TCP source port
Orb and Named Pipes
• By Default orb uses named pipes
Named pipes
• Remove Named pipe usage
  – comment out the plugin awm_qikpipe_dll aws_orb22 line
orb to orb Connectivity
• abrowser -@ <remotedsm> -r -c browser.SysAgtNT -h DAWYA01 -s admin
  – Connects to the Remote Orb
orb to orb Connectivity
• Orb to Orb introduces Heartbeat
• Can disable Heartbeat if required
• Can change frequency if required
aws_sadmin Port Selection
[Diagram: CORE (aws_dsm, aws_snmp) - Firewall - Managed host (aws_sadmin); port 6665 from the manager to the managed host, port 162 from the managed host back to the manager]
• Manager issues SNMP requests to the managed host. aws_sadmin binds to 6665 by default and can be configured to use a different port
• Traps from managed hosts default to port 162
aws_sadmin Port Configuration
• Configure the port that aws_sadmin binds for incoming SNMP requests
  – Defaults to 6665
  – To change the default port, update aws_sadmin.cfg and add the line
    SNMP_PORT xxxx
    where xxxx is the port aws_sadmin binds
aws_sadmin Port Configuration
aws_sadmin.cfg
• If aws_sadmin is changed to bind to a different port, ensure pollset reflects correct port
pollset
• pollset port must match aws_sadmin.cfg port
abrowser
• If aws_sadmin port changed, Agent view needs to be customized to use correct port
From PORT Customization
aws_snmp From Port Selection
• The SNMP gateway sends its request to port 6665 and binds to a random source port
• The agent then responds back on the random source port
• If a random source port is not acceptable, then customize aws_snmp.cfg
• Specify the from (source) port for aws_snmp
  – Consider a range to avoid port contention
aws_snmp From Port Selection
%AgentWorks_Dir%\services\config\aws_snmp\aws_snmp.cfg
• aws_snmp defaults to a random source port
aws_snmp From Port Selection
aws_snmp customized to use ports 8001-8002
aws_snmp From Port Selection
• aws_snmp sends the request over 6665 (UDP)
• Agent responds back on 8001
Agentview (abrowser) From Port Selection
• Agentview sends its request to port 6665 and binds to a random source port
• The agent then responds back on the random source port
• If a random source port is not acceptable, then customize aws_snmp.cfg
• Specify the from (source) port for abrowser
  – Consider a range to avoid port contention
abrowser From Port Selection
abrowser customized to use ports 8011-8020
AgentView (abrowser) From Port Selection
• abrowser -c browser.SysAgtNT -h <agenthost> -s admin
• abrowser sends the request over UDP port 6665
• Agent responds back on 8011
aws_sadmin From Port Selection
aws_sadmin from port set to port 8000
For aws_sadmin (SNMP Administrator) you specify a single "from" port which is used when aws_sadmin sends traps to a manager
DSM Routing
DSM Routing -r
• abrowser sends the request on TCP port 7774 to the Remote DSM on the managed system
• Remote DSM talks to the agent on UDP Port 6665
  – Configurable port (aws_sadmin.cfg)
• Agent replies back to the Remote DSM on UDP port 8001
  – Configurable in aws_snmp.cfg:
    SNMP_PORTS aws_sadmin 8000
    SNMP_PORTS aws_snmp 8001-8002
    SNMP_PORTS mibbrowse 8003-8010
    SNMP_PORTS abrowser 8011-8020
    SNMP_PORTS utilities 8021-8030
• Remote DSM on the managed system replies back to abrowser via TCP port 7774
• Customer only has to open TCP port 7774 (Uni 3.0 fix needed to not require port 9990)
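The following script is an added example, not code from the deck or from CA: it reads the SNMP_PORTS lines shown above for aws_snmp.cfg and the SNMP_PORT line for aws_sadmin.cfg (both constructed inline with the deck's values), reports overlapping "from" port ranges (the port contention the from-port slides warn about), checks that a pollset port matches the aws_sadmin port, and lists the flows that cross the firewall for one agent view with and without DSM routing. The role names admin_host, remote_dsm and agent are assumptions.

```python
"""Sanity-check Unicenter Agent Technology port customization.

Added example, not CA code. Parses SNMP_PORTS (aws_snmp.cfg) and SNMP_PORT
(aws_sadmin.cfg) lines, finds source-port contention, verifies the pollset
port, and derives the firewall flows for an agent view with/without -r.
"""
import re

# Constructed sample of the relevant aws_snmp.cfg lines (values from the deck)
AWS_SNMP_CFG = """
# "from" (source) port ranges per tool
SNMP_PORTS aws_sadmin 8000
SNMP_PORTS aws_snmp 8001-8002
SNMP_PORTS mibbrowse 8003-8010
SNMP_PORTS abrowser 8011-8020
SNMP_PORTS utilities 8021-8030
"""

# Constructed sample of aws_sadmin.cfg (the port the agent listens on)
AWS_SADMIN_CFG = "SNMP_PORT 6665\n"


def parse_snmp_ports(text):
    """Return {tool: (low, high)} from SNMP_PORTS lines; a single port is (p, p)."""
    ranges = {}
    pattern = r"^\s*SNMP_PORTS\s+(\S+)\s+(\d+)(?:-(\d+))?\s*$"
    for m in re.finditer(pattern, text, re.M):
        tool = m.group(1)
        low = int(m.group(2))
        high = int(m.group(3) or m.group(2))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad SNMP_PORTS range for {tool}: {low}-{high}")
        ranges[tool] = (low, high)
    return ranges


def parse_sadmin_port(text, default=6665):
    """Port aws_sadmin binds: the SNMP_PORT line if present, else the 6665 default."""
    m = re.search(r"^\s*SNMP_PORT\s+(\d+)\s*$", text, re.M)
    return int(m.group(1)) if m else default


def find_contention(ranges):
    """Pairs of tools whose source-port ranges overlap (they would fight for ports)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    clashes = []
    for i, (tool_a, (low_a, high_a)) in enumerate(items):
        for tool_b, (low_b, high_b) in items[i + 1:]:
            if low_b <= high_a and low_a <= high_b:
                clashes.append((tool_a, tool_b))
    return clashes


def pollset_matches(pollset_port, sadmin_cfg_text):
    """The deck requires the pollset port to equal the aws_sadmin.cfg port."""
    return pollset_port == parse_sadmin_port(sadmin_cfg_text)


def firewall_flows(ranges, sadmin_port, dsm_routing):
    """Flows that cross the firewall for one abrowser request.

    Each flow is (proto, initiator, responder, low_port, high_port), the
    port range being the destination on the responder's side.
    Without -r: abrowser sends UDP to the agent's aws_sadmin port and the
    agent answers to abrowser's configured source range.
    With -r: only the TCP 7774 orb connection to the remote DSM crosses;
    the UDP exchange stays on the agent's side of the firewall.
    """
    if dsm_routing:
        return [("tcp", "admin_host", "remote_dsm", 7774, 7774)]
    low, high = ranges["abrowser"]
    return [
        ("udp", "admin_host", "agent", sadmin_port, sadmin_port),
        ("udp", "agent", "admin_host", low, high),  # reply to the source port
    ]


if __name__ == "__main__":
    ranges = parse_snmp_ports(AWS_SNMP_CFG)
    print("contention:", find_contention(ranges) or "none")
    print("pollset ok:", pollset_matches(6665, AWS_SADMIN_CFG))
    for routed in (False, True):
        label = "dsm routing" if routed else "direct"
        print(label, firewall_flows(ranges, parse_sadmin_port(AWS_SADMIN_CFG), routed))
```

Run it against the real config files by replacing the two constructed strings with the file contents; a non-empty contention list means two tools share source ports, and the direct-mode flow list shows why blocking UDP forces the DSM-routing layout.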
Agentview without DSM Routing
[Diagram: Worldview EM, Obrowser and Abrowser beside the CORE and DSM (OS, 7774) on one side of the Firewall; Managed System (DSM, OS, 7774) on the other. abrowser binds to the first available port and sends UDP 6665 to the managed system; the agent responds back on the source port]
AgentView without DSM Routing
UDP call from the abrowser machine to the managed Host
Agentview with DSM Routing
[Diagram: Worldview EM, Obrowser and Abrowser beside the CORE and DSM (OS, 7774) on one side of the Firewall; Managed System (DSM, OS, 7774) on the other. abrowser connects to the remote DSM over 7774; the remote DSM binds to the first available port and sends UDP 6665 to the agent, which responds back on the source port]
Nodeview / Agentview syntax for Remote DSM
abrowser -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public
abrowser -r -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public
  – -r for dsm routing, e.g.
abrowser -r -@ RMTDSM -c browser.SysAgtNT -h ukslsag02 -s admin
  – where RMTDSM is the remote dsm, ukslsag02 is the agent managed by RMTDSM, and abrowser is issued from dawya01, which is inside the firewall
nodeview -@ Outside_DSM_host -target agenthost@dsmhost
AgentView Menus
Update Policy to default -r for dsm routing
ViewAgent WorldView Menu
Add -r for dsm routing
Architecture Reviews
Scenario #1
Client has a requirement to deploy agent technology in a DMZ environment but wishes to customize the port numbers that are to be unblocked.
Scenario #1 Solution
• Customize ports by updating
  – %agentworks_dir%\services\config\aws_snmp\aws_snmp.cfg
  – %agentworks_dir%\services\config\aws_sadmin\aws_sadmin.cfg
  – %agentworks_dir%\services\config\aws_orb\aws_orb.cfg
Scenario #2
Client has a requirement to deploy agent technology in a DMZ environment but has concerns about opening UDP ports.
How can Agent Technology be deployed in a DMZ environment without the requirement to unblock UDP ports?
Standard Deployment
• What are the UDP issues with the standard deployment?
• DSM discovers Agents by sending UDP requests to the SNMP or 6665 port
• Agents send the alerts over a UDP port
• Agentview (abrowser) sends its request to port 6665 from the pre-selected source ports; the agent then responds back on the source port
Standard Deployment
• Standard Deployment
  – Agents send traps over UDP port 162
  – Requires 162 to be unblocked
Standard Deployment
SNMP Trap
Standard Deployment - AgentView
• abrowser -c browser.SysAgtNT -h <agenthost> -s admin
• Destination UDP port = 6665
• Source Port = 8011
Solution
• Set up a Remote DSM to control the DMZ Agents and funnel all of their UDP traffic through the DSM via TCP Port 7774
  – Devices in the DMZ are managed by the remote dsm
  – Agents send the SNMP traps to the remote dsm
  – All UDP traffic stays within the DMZ environment
  – aws_dsm and aws_wvgate require access to CORE, thus the SQL port must also be opened
• Benefits
  – 1 TCP Port
  – + SQL Port
Solution #2
[Diagram: Admin Host (ABROWSER, Common Services) and CORE Host (Common Services) inside the FIREWALL; DSM with WV Gateway and Host A (Common Services) outside. Crossing the firewall: TCP 7774 and TCP 1433 (SQL). On the DSM side: UDP 161 and ICMP Ping to Host A, UDP 162 Traps from Host A]
C:\> abrowser -@ dsmHost -r -c browser.SysAgtNT -h HostA
2 Ports Open, one is SQL
[Diagram: Worldview EM with Obrowser & Abrowser and the CORE (OS) inside the Firewall; Managed Systems inside the DMZ with a DSM on Server A and on Server B. Remote DSM needs access to CORE]
Running a remote aws_wvgate does not eliminate the need for the SQL port; the DSM still requires access to CORE
Scenario #3
Client has a requirement to deploy the agent technology DSM outside the firewall but wants to use a Central Core which resides inside the firewall. Firewall administration has concerns about SQL intrusion and will not open up the SQL port. How can aws_wvgate be configured to use a Central CORE without opening a SQL port?
Solution #3
• Install wvdbt where the CORE resides
• Remote aws_dsm accesses CORE via ORB (port 7774)
• aws_wvgate accesses CORE via ORB
• Check the inform remote option to optimize the heartbeat
• Benefit
  – No requirement to open up the SQL port
[Diagram: NT host inside the Firewall running the Common Object Repository with aws_orb and wvdbt; NT host outside running aws_orb, aws_store, aws_snmp, aws_dsm and aws_wvgate; the two aws_orb instances connect across the firewall on 7774]
Note: Multiple DSMs can connect to the same remote wvdbt instance running against a single CORE. aws_dsm uses wvplugin, which may take about 8 RCBs on the CORE server. This restricts the maximum to approximately 120 Remote DSM connections.
Scenario #4
Client is using DSM routing but does not wish to open port 7774 for all hosts that are required to respond to abrowser requests.
How can this be minimized?
Requirements
• To restrict 7774 to be unblocked just for the local DSM
• Placing abrowser directly on the remote DSM requires 7774 to be opened for the host that issues abrowser requests
Agentview - Remote DSM orb
[Diagram: CORE, localDSM (OS, 7774) and Obrowser / Abrowser on the adminhost side of the Firewall; Managed System remoteDSM (OS, 7774) on the other side managing agent RGT40. The remote DSM binds to the first available port and sends UDP 6665 to the agent, which responds back on the source port. Hosts shown: RGT40, EWB_NTS_03, dawya01s, adminhost]
abrowser -@ DAWYA01S -r -c browser.SysAgtNT -h RGT40.ca.com -s admin
7774 to be opened for all hosts that issue abrowser.
Agentview From adminhost
Windows Terminal Server - Streamline Requests from Terminal Server
[Diagram: Terminal Client connects to a Windows TERMINAL SERVER running obrowser / Abrowser; CORE and Managed System localDSM (OS, 7774) inside the Firewall, remoteDSM (OS, 7774) outside; UDP 6665 from the remote DSM to the agent; 7774 between the terminal server, the local DSM and the remote DSM]
abrowser -@ EWB_NTS_03 -r -c browser.SysAgtNT -h RGT40.ca.com@DAWYA01S -s admin
7774 to be unblocked for the local dsm and WTS
Scenario #5
How to walk through the Firewall for a typical FM site?
What are the considerations?
Scenario #5
[Diagram: Client site (CORE, Router, Client Firewall) - DMZ site (FM Firewall, NAT, Windows Terminal Server, DSM, Terminal Client) - Service Center (FM Firewall, CORE). Critical Objects are Bridged from the client site]
Scenario #5
• Windows Terminal Server eliminates the need to open Visualizing / browser ports for many hosts
• Nodeview / Agent View / 2d Maps all accessed via Terminal Server
• Requires the Terminal Services Client 3389 port to be opened
• Critical Objects Bridged from the Client site to the DMZ environment
Scenario #5
• Critical Events forwarded from the Client site to the FM site. Requires the CCI port to be unblocked
• Event Console launched via Terminal Services Client
Scenario #5
• To avoid NAT issues, run WorldView discovery from the client site
  – This will have the pre-NATted address
  – Avoids conflict with gwipflt.dat
• Use the name melding option to distinguish bridge objects
Scenario #6
Firewall Administrator insists on single directional unblocking of ports: all outbound ports opened but all inbound ports blocked. All network requests should be initiated from within the firewall zone.
No network traffic should be initiated from the DMZ zone.
How can this be accomplished?
Single Directional Unblocking
[Diagram: CORE and PRIVATE DSM inside the firewall, DMZ DSM outside]
SQL Port must be bi-directional
Single Directional Unblocking - Firewall Rules
Unblock SQL for bi-directional
Obrowser / Abrowser - Private to DMZ zone
• Nodeview / Agentview works fine if initiated from inside the firewall
Obrowser / Abrowser - DMZ to Private zone
Nodeview / AgentView requests denied if initiated from the DMZ zone.
7774 and 7770 Denied
Single Directional Unblocking
• If unblocking SQL port is not accepted then review “Bridge Through Firewall” presentation
Scenario #7
Client wishes to minimize the number of ports to be unblocked to 1.
How can the VPN tunneling feature be used to accomplish this?
VPN Tunnelling
• Main concept is to tunnel all DMZ requests via the VPN tunnel
Scenario #7 - Working with VPN
[Diagram: Host A (Common Services) and DMZ Server outside the Firewall; Unicenter Server inside. Traffic is unencrypted between Host A and the DMZ Server and encrypted through the VPN tunnel across the Firewall on Port xxx. Route DMZ Server traffic via the VPN tunnel]
Scenario #8
We wish to deploy Windows Terminal Server outside the firewall and connect via Terminal Services Client from inside the firewall, to reduce the number of different ports to be opened for visualization.
How can we configure this?
Scenario #8 - wvdbt
• Remote DSM and Remote aws_wvgate connect to the central core using wvdbt
• Agent Views and NodeViews issued from Terminal Services Client
• TS Client traffic is encrypted and requires 3389 to be unblocked for all TS Clients
• WVDBT requires an orb connection and thus the 7774 port to be opened for the server where the CORE resides
Scenario #8 - wvdbt
[Diagram: Terminal Services Client inside the Firewall connects over TCP 3389 to the WTS (encrypted) outside; Host A (Common Services) and Remote DSM outside (6665/7774 between them); the Remote DSM reaches the CORE / Central DSM inside through wvdbt over TCP 7774]
Abrowser, NodeView and Event Console issued via WTS
2 Ports Open: Remote DSM accesses CORE via wvdbt
Port 7774 to be opened for the Central DSM only
Encrypted Traffic - TS Client Port 3389
Scenario #8 - SQL
• Remote DSM and Remote aws_wvgate connect to the central core using SQL
• Agent View and NodeView issued from Terminal Services Client
• TS Client traffic is encrypted and requires 3389 to be unblocked for all TS Clients
• SQL port 1413 needs to be unblocked for the remote dsm server
Scenario #8 - SQL
[Diagram: Windows Terminal Services Client inside the FIREWALL connects over TCP 3389 to the WTS outside; DSM, WV Gateway and Host A (Common Services) outside, with UDP 161, ICMP Ping and UDP 162 Traps between them; the CORE DSM inside is reached over TCP 1433 (SQL). ABROWSER and NodeView run on the WTS]
abrowser and Nodeview issued via WTS
2 Ports Open: SQL to be opened for just the Central DSM
Solution #8 - TS Client Denials
TS Client port 3389 must be unblocked
Scenario #8 - Local Catalog
• The global catalog resides outside the firewall
• No CAM port required unless namespace inside firewall is selected
Solution #8 - Local Catalog
[Diagram: TS Clients inside the Firewall connect over 3389 to the WTS outside, which holds the Global Catalog; DSM, WV Gateway, Common Services and Host A outside. Event Console, Agent View and qbrowser run on the WTS]
Scenario #8 - Global Catalog
• The Global Catalog resides inside the firewall
• When UE is launched from the WTS, it syncs the catalog and requires the CAM port to be unblocked
• TNDREPUPLISH pings the Global Catalog server and may require ICMP to be opened
• CAM should be configured to connect via the TCP port
Solution #8 - Global Catalog
[Diagram: TS Clients and the CORE with the Global Catalog inside the Firewall; WTS with Local Catalog, DSM, WV Gateway, Common Services and Host A outside. TS Clients connect over 3389; the WTS reaches the Global Catalog over cam 4105. Event Console, Agent View and qbrowser run on the WTS]
CAM Denial - UDP Port
CAM not configured to use TCP
Solution #8 - cam.cfg
\TND\CA_APPSW\framework\cam.cfg
This forces the specified server to use the TCP port and not the default UDP
Scenario #8 - Namespace inside Firewall
• Access to nodeview and agentview inside the Firewall is required; launched from UE
• Requires the TCP 7774 orb port to be unblocked
• Requires the UDP 6665 port to be unblocked for the host inside the firewall
Solution #8 - NameSpace inside Firewall
[Diagram: TS Clients, the CORE with the Global Catalog (4105), and a DSM, WV Gateway, Common Services and Host A inside the Firewall; WTS with Local Catalog, DSM, WV Gateway, Common Services and Host A outside. From the WTS to the hosts inside: 6665 and 7774. Event Console, Agent View and qbrowser run on the WTS]
Node View from UE
Requires orb port 7774
Unblock Orb 7774
Node View from UE - 7774 Unblocked
Agent View from UE
Agent Technology Service Control Port required. No DSM Routing
UDP Port to be opened
Scenario #8 - 2dMap inside Firewall
• 2dMap launched from UE accesses the CORE inside the firewall
• WV Plugin requires the CAM port to be unblocked
• No SQL port required for 2dmap accessed via the wv plugin
Solution #8 - 2dMap inside Firewall
[Diagram: TS Clients and the CORE with the Global Catalog (4105) inside the Firewall; WTS with Local Catalog and a CORE with local Catalog outside, reaching the inside CORE through wvplugin over 4105. SQL Port Not Required]
Architecture Reviews - Recap
• Customize from ports by updating aws_snmp.cfg
• If UDP traffic is to be blocked, install a remote dsm outside the firewall
• If the SQL port is to be blocked, then review the wvdbt implementation
• If bi-directional blocking is not accepted then review Scenario #5
• If encryption with a minimal number of ports to be unblocked is required, then review Scenario #7
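As an added example (not code from the deck or from CA) that ties the recap to the placement diagrams, the script below encodes the component-to-component flows and port numbers the deck states, takes a placement (which components sit inside the firewall) plus the two design choices the scenarios turn on (DSM routing with -r, and CORE access over SQL or through wvdbt), and derives the openings the firewall needs. It then checks those openings against the policies of Scenario #2 (no UDP through the firewall) and Scenario #6 (outbound-initiated only). The component names, the core_access values and the inside/outbound vocabulary are assumptions made for the example.

```python
"""Derive the firewall openings a Unicenter NSM placement needs.

Added example, not CA code. Flows and ports are those stated in the deck;
component names and policy vocabulary are assumptions.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port note")

# Flows that are the same in every deployment (ports as stated in the deck).
COMMON_FLOWS = [
    Flow("dsm", "agent", "udp", 6665, "DSM polls agent (aws_sadmin port)"),
    Flow("dsm", "agent", "udp", 161, "discovery / classification (SNMP)"),
    Flow("agent", "dsm", "udp", 162, "SNMP traps from agent"),
]


def flows_for(dsm_routing, core_access):
    """All flows of a deployment; reply traffic rides the same opening."""
    flows = list(COMMON_FLOWS)
    if dsm_routing:   # abrowser -r: the request goes to the remote DSM over the orb
        flows.append(Flow("abrowser", "dsm", "tcp", 7774, "agent view via DSM routing"))
    else:             # direct agent view: UDP to the agent, reply to the source port
        flows.append(Flow("abrowser", "agent", "udp", 6665, "agent view without routing"))
    if core_access == "wvdbt":   # wvdbt installed beside the CORE, reached via the orb
        flows.append(Flow("dsm", "core", "tcp", 7774, "aws_dsm/aws_wvgate to CORE via wvdbt"))
    elif core_access == "sql":
        flows.append(Flow("dsm", "core", "tcp", 1433, "aws_dsm/aws_wvgate to CORE (SQL)"))
    else:
        raise ValueError("core_access must be 'sql' or 'wvdbt'")
    return flows


def crossings(flows, inside):
    """(flow, direction) for flows whose two ends sit on different sides.

    direction is 'outbound' when the initiator is inside the firewall and
    'inbound' when a host outside opens the connection.
    """
    result = []
    for f in flows:
        src_in, dst_in = f.src in inside, f.dst in inside
        if src_in != dst_in:
            result.append((f, "outbound" if src_in else "inbound"))
    return result


def required_ports(inside, dsm_routing, core_access):
    """Sorted (proto, port) pairs the firewall must open for this placement."""
    return sorted({(f.proto, f.port) for f, _ in
                   crossings(flows_for(dsm_routing, core_access), inside)})


def policy_violations(inside, dsm_routing, core_access,
                      no_udp=False, outbound_only=False):
    """Crossing flows that break the given firewall-administration rules."""
    bad = []
    for f, direction in crossings(flows_for(dsm_routing, core_access), inside):
        if no_udp and f.proto == "udp":
            bad.append((f.note, "udp through firewall"))
        if outbound_only and direction == "inbound":
            bad.append((f.note, "initiated from outside"))
    return bad


if __name__ == "__main__":
    # Component Placement #1: only the agents outside -> three UDP ports
    print(required_ports({"abrowser", "dsm", "core"}, False, "sql"))
    # Placement #2 / Scenario #2: agents and DSM outside -> TCP 7774 plus SQL
    print(required_ports({"abrowser", "core"}, True, "sql"))
    # Scenario #3: same placement, CORE reached through wvdbt -> orb port only
    print(required_ports({"abrowser", "core"}, True, "wvdbt"))
    # Scenario #6: an outbound-only policy flags the SQL link from the DMZ DSM
    print(policy_violations({"abrowser", "core"}, True, "sql", outbound_only=True))
```

The three placements reproduce the port counts on the placement slides (three UDP ports; TCP 7774 plus SQL; TCP 7774 alone), and the Scenario #6 check reports exactly the inbound SQL connection that the deck says must be opened bi-directionally.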
Scenario #9
Our Firewall Administrator wishes to change the orb port to 8774 for the DMZ server. The orb port for other hosts will remain the default port 7774.
Is this possible?
Multiple Orb Binds
• To support the TNG 2.1 release, it permits binding to multiple ports, 7774 and 7770
• If unable to bind the first port, it will then bind to the other ports specified
• Do not use this option unless there are show-stopper requirements, as the feature was not intended to be exploited in this manner, though it works
Solution #8 - Multiple Orb Ports
[Diagram: Central Server CORE (Aws_orb) inside the Firewall; a CORE (Aws_orb) outside bound on 8774 and several Managed Systems (Aws_orb) bound on 7774]
Multiple Orb Ports
The first PLUGIN statement must be the one for the widely used port. If it cannot bind the first port specified, it then attempts to bind to the second port
CAM/CAFT
Cam/caft
• Default port assignments
  – cam.cfg
    udp_port = number
    tcp_port = number
    cas_port = number
    spx_port = number
Cam/caft
• On startup, checks etc/services for camudp and camtcp
  – If not found, then defaults to 4104 (UDP) and 4105 (TCP)
  – Then checks cam.cfg for any override
• cas_port and spx_port available for certain platforms
• Some APIs do not read the config file, thus etc/services should be changed
CCI
CCI
• Review “CCI through Firewall” presentation for detailed information
Event Management
Event Agent
• Can be customized to use DSB without the need for a sql database
• Agent Technology provides a function to send messages to remote Event Management
  – This eliminates the need for Event Management running
  – Not best practice as it limits a lot of functionality
DSM to Remote Event Management
• Update aws_nsm.cfg
  – dsm messages sent over to the remote via orb
Options
Anti Virus Option - AVO
[Diagram: CA Web Site (Virus Signature Downloads) reached over FTP by the NT Workstation AVO Master Download Server (AVO Signature Download) through the FIREWALL, with Encryption; the Workstation AVO Domain Server distributes over Ethernet to Workstation and PC AVO Clients using NBSESSION / NBDATAGRAM]
Advanced Storage Option - ASO
[Diagram: Unicenter TNG / ASO Manager with a Central DB; Unicenter TNG / ASO Replicator (NT), Unicenter TNG / ASO Backup Server and Unicenter TNG / ASO Windows NT Backup Server; Mainframe backup; Client Agents NT, Novell, OS/2 and Client Agents UNIX connect to the ASO Manager over TCP 6050 / TCP 6051]
Summary of Ports by Product
Product / Component / Port Used
Unicenter TNG
  WV Tools to CORE: TCP 1433 (SQL)
  DSM to CORE: TCP 7774
  WV Tools to Agents: UDP 6665
  Auto-discovery: ICMP (Ping), UDP (161)
  Enterprise Management: TCP 7001
  Agent to DSM: UDP 162
Remote Control Option
  Manager to Agent: TCP 799
Software Delivery Option
  Admin GUI to Enterprise Database: TCP 1433 (SQL)
  Admin GUI to Local Server: TCP 1433 (SQL)
  Enterprise Database to Local Server: DTO (TCP 4101)
  Local Server and Agent: Share, UDP 138 (nbsession), TCP 139 (nbdatagram)
Asset Management Option
  Admin GUI to AMO Enterprise Database: TCP 1433 (SQL)
  Engine to AMO Enterprise Database: TCP 1433 (SQL)
  Sector to Engine: Share or RPC
  Agent to Client: Share or RPC
Summary of Ports by Product (continued)
Product / Component / Port Used
Advanced Help Desk
  Server and Client: TCP 2100
Performance
  Manager to Agent: TCP 4101, Share
Anti-Virus Option
  Virus Signature Database Host to CA Virus Signature Web Server: TCP 21 (FTP)
  Agent to Virus Signature Machine: FTP (for periodic signature download)
  Agent Alerts to Alert Manager: NetBEUI (over TCP)
Advanced Storage Option
  Admin to Backup Manager: TCP 6050, 6051
  Agent (Client) to Backup Manager: NT, Novell, OS/2 TCP 6050; Unix TCP 6051
  Replicator NT: TCP 6060
  Replicator to Backup Manager NT: TCP 6050
Data Transport Option
  Manager and Agent (CAM): TCP 4104, 4105, 4905