IBM Security
IBM Security SiteProtector System
Configuring Firewalls for SiteProtector Traffic
Version 2.9
Note
Before using this information and the product it supports, read the information in “Notices” on page 13.
This edition applies to Version 2.9 of the IBM Security SiteProtector System and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 1994, 2011.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
About this publication . . . . . v
    Technical support . . . . . v
Chapter 1. Firewall Port Information . . . . . 1
    Port information for SiteProtector traffic . . . . . 1
    Port information for Active Directory integration . . . . . 7
    Port information for Internet access . . . . . 7
    Local-only ports . . . . . 8
Chapter 2. Configuring Components for NAT Firewalls . . . . . 9
    Configuring the Application Server for communication with NAT firewalls . . . . . 9
    Restarting the Sensor Controller and Application Server services . . . . . 10
    Configuring the Agent Manager for communication through NAT firewalls . . . . . 10
Notices . . . . . 13
    Trademarks . . . . . 14
iv SiteProtector System: Configuring Firewalls for SiteProtector Traffic
About this publication
The IBM Security SiteProtector System cannot function properly if firewalls prevent components from communicating. This guide provides procedures for configuring network devices and SiteProtector components so that they can communicate through firewalls.
Intended audience
This document assumes that you are familiar with the following:
- Procedures for configuring firewalls
- Routers, or any other devices that you use to block traffic on your network
- Procedures for modifying system files such as Windows registries and properties files
Topics
Chapter 1, “Firewall Port Information,” on page 1
Chapter 2, “Configuring Components for NAT Firewalls,” on page 9
Technical support
IBM Security provides technical support to customers who are entitled to receive support.
The IBM Support Portal
Before you contact IBM Security about a problem, see the IBM Support Portal at http://www.ibm.com/software/support.
The IBM Software Support Guide
If you need to contact technical support, use the methods described in the IBM Software Support Guide at http://www14.software.ibm.com/webapp/set2/sas/f/handbook/home.html.
The guide provides the following information:
- Registration and eligibility requirements for receiving support
- Customer support telephone numbers for the country in which you are located
- Information you must gather before you call
Chapter 1. Firewall Port Information
If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewalls so that the components or modules can communicate with each other. This section includes background information and procedures for configuring firewall ports for different types of traffic.
TCP/IP ports
Firewalls commonly filter traffic by IP address and by TCP or UDP ports. Firewalls typically block these addresses and ports unless they are explicitly allowed.
Where firewalls are typically located
Firewalls can be placed anywhere on a network but are most commonly located between the following:
- Console and the Application Server
- Application Server and the agents
- Agent Manager and IBM Proventia® Desktop Endpoint Security agents
- Event Collector and agents
- Application Server and the Internet
- X-Press Update Server and the Internet (IBM Download Center)
Topics
“Port information for SiteProtector traffic”
Port information for Third Party Module traffic
“Port information for Active Directory integration” on page 7
“Port information for Internet access” on page 7
Port information for SiteProtector traffic
This topic provides information that can help you configure firewall rules that allow traffic between all SiteProtector System components.
Requirement
If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.
Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule.
Destination ports that must be open
Destination ports use the TCP protocol unless otherwise indicated. The following table lists the destination ports that must be open to allow communication between each pair of SiteProtector components.
Source Component | Destination Component | Wire Protocol | Encryption | Destination Ports
--- | --- | --- | --- | ---
SiteProtector Console | SP Server | HTTP / HTTPS / RMI / JRMP / JMS | Yes | 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093
SiteProtector Console | Event Viewer | N/A | Yes | 3993
SiteProtector Console | ADS Appliance | HTTPS | Yes | 443
SiteProtector Console | IBM Security website (http://www-03.ibm.com/security/) | HTTP | None | 80
SP Server | Databridges | L/S (1) | Yes | 2998
SP Server | Active Directory Server | LDAP | None | 389, 3268 (2)
SP Server | Event Collector | HTTPS / L/S | Yes | 2998, 8996
SP Server | SecurityFusion™ module | L/S | Yes | 2998
SP Server | Agent Manager | L/S / HTTPS | Yes | 2998, 3995
SP Server | Deployment Manager | L/S | Yes | 2998
SP Server | X-Press Update Server | HTTPS | Yes | 3994
SP Server | Event Archiver | HTTPS | Yes | 8998
SP Server | Site DB | JDBC / TDS / RPC / Named Pipe | Yes | 1433, 445, 135, 1434 (UDP port, not encrypted)
SP Server | IBM Proventia Network Multi-Function Security (MFS) Appliance | HTTPS | Yes | 443, 8001
SP Server | IBM Proventia Network Intrusion Detection System (IDS) prior to firmware release 1.0 | L/S | Yes | 2998
SP Server | IBM Proventia Network Intrusion Detection System (IDS) and IBM Security Network Intrusion Prevention System (IPS) with firmware release 1.0 or later | HTTPS | Yes | 443
SP Server | IBM Proventia Network Enterprise Scanner | HTTPS | Yes | 443
SP Server | External Ticketing Server | Vendor Proprietary (3) | Yes | 1058, 1069 (4)
SP Server | SNMP Server | SNMP | None | 162
SP Server | SMTP Server | SMTP | None | 25
SP Server | IBM Internet Scanner® | L/S | Yes | 2998
SP Server | RealSecure Network Sensor | L/S | Yes | 2998
SP Server | IBM Security Server Protection | L/S | Yes | 2998
SP Server | Remote Host | Windows RPC | None | 135
Deployment Manager | Site DB | JDBC / TDS / RPC / Named Pipe | Configurable | 1433, 135, 445, 1434
Desktop Agents (7.0 and earlier) | Agent Manager | HTTPS | Yes | 8082
Agent Manager | Desktop Agent | N/A | None | ICMP
Agent Manager | SP Server | HTTPS | Yes | 3994, 8093, 8443
Agent Manager | Site DB | OLE DB / RPC / Named Pipe | Configurable | 1433, 135, 445, 1434
Agent Manager | IBM Security Server Protection for Windows; Proventia Server for Linux; Event Archiver | N/A | None | ICMP
Agent Manager | IBM Security Network IPS appliances (G, GX, and GV); IBM Security Virtual Server Protection; IBM Proventia Network Enterprise Scanner | HTTPS | Yes | 443
Agent Manager | IBM Proventia Network Multi-Function Security (MFS) | HTTPS | Yes | 443, 8001
Agent Manager | SNMP Server | SNMP | None | 162
Agent Manager | SMTP Server | SMTP | None | 25
Agent Manager | X-Press Update Server | HTTPS | Yes | 3994
Event Collector | Databridge | L/S | Yes | 901-930
Event Collector | Agent Manager | L/S | Yes | 914
Event Collector | Event Archiver | HTTPS | Yes | 8997
Event Collector | Event Collector | L/S | Yes | 912
Event Collector | SP Server | HTTPS | Yes | 3994
Event Collector | IBM Internet Scanner | L/S | Yes | 60155
Event Collector | RealSecure Network Sensor | L/S | Yes | 901, 904, 907, 910
Event Collector | IBM Proventia Network Intrusion Detection System (IDS) | L/S | Yes | 901-930 (5)
Event Collector | SNMP Server | SNMP | None | 162
Event Collector | SMTP Server | SMTP | None | 25
Event Collector | RealSecure Server Sensor (IBM Security Server Protection) | L/S | Yes | 902
Event Collector | SecurityFusion module | L/S | Yes | 901
Event Collector | Site DB | ODBC / RPC / Named Pipe | Configurable | 1433, 135, 445, 1434
Event Archiver | SP Server | HTTPS | Yes | 3994
Event Archiver | Agent Manager | HTTPS | Yes | 3995
Event Archiver Importer | Agent Manager | HTTPS | Yes | 3995
Web Console | SP Server | HTTPS | Yes | 3994
Web Browser | Deployment Manager | HTTPS | Yes | 3994
Web Browser | Agent Manager | HTTP | Yes | 8085
IBM Proventia Network Enterprise Scanner | Agent Manager | HTTPS | Yes | 3995
IBM Proventia Network Intrusion Detection System (IDS); IBM Security Network Intrusion Prevention System (IPS); IBM Proventia Network Multi-Function Security (MFS); IBM Security Server Protection for Windows | Agent Manager (6) | HTTPS | Yes | 3995
IBM Security Network IPS appliances (G, GX, and GV); IBM Proventia Network Multi-Function Security (MFS); IBM Security Virtual Server Protection; IBM Proventia Network Enterprise Scanner; IBM Security Server Protection for Windows; Proventia Server for Linux; IBM Proventia Desktop Endpoint Security | X-Press Update Server (7) | HTTPS | Yes | 3994
SecurityFusion module | Event Collector | L/S | Yes | 950
SecurityFusion module | Site DB | ODBC / RPC / Named Pipe | Configurable | 1433, 135, 445, 1434
IBM Security Server Protection | Agent Manager | HTTPS | Yes | 3995
IBM Proventia Desktop Endpoint Security | Agent Manager | HTTPS | Yes | 3995
Event Viewer Service | SP Server | RMI / JRMP | Yes | 3989, 3988
X-Press Update Server | Agent Manager | HTTPS | Yes | 3995
X-Press Update Server | IBM Security web site (http://www-03.ibm.com/security/) | HTTP | Yes | 80, 443
X-Press Update Server | X-Press Update Server | HTTPS | Yes | 3994
X-Press Update Server | www.iss.net; xpu.iss.net; download.iss.net; download-1.sg.iss.net; update.iss.net | HTTPS | Yes | 443

Notes:
1. The Wire Protocol abbreviation L/S refers to Leap/Score.
2. Port 3268 is referenced from the Global Catalog.
3. Vendor Proprietary means this is specific only to the vendor.
4. Port 1069 is based upon the Remedy web site.
5. Proventia Network Intrusion Detection System firmware releases earlier than 1.0 use destination ports 901 through 903.
6. All Proventia Agents and Desktop Agent release 7 or earlier communicating with the Agent Manager have the Command & Control option.
7. Use these settings if you want all agents to download updates directly from the X-Press Update Server.
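The rule requirement above says to allow incoming traffic to the listed destination ports for each component pair. The following added example (not IBM's code) transcribes a subset of the table as data, expands port ranges and the UDP 1434 entry into per-port allow rules in a vendor-neutral form, lists the flows the table marks as unencrypted, and checks TCP reachability once a rule is in place. The component names and rule syntax are the example's own; the IP addresses are constructed.

```python
import socket

# Added example, not IBM's code. A subset of the page's "Destination ports that
# must be open" table, transcribed as data: (source, destination, wire protocol,
# encrypted, ports). Ports are TCP unless written "udp/NNNN" (the Site DB row
# marks 1434 as an unencrypted UDP port); "a-b" is an inclusive range.
PORT_TABLE = [
    ("SiteProtector Console", "SP Server", "HTTP / HTTPS / RMI / JRMP / JMS", True,
     "3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093"),
    ("SP Server", "Site DB", "JDBC / TDS / RPC / Named Pipe", True,
     "1433, 445, 135, udp/1434"),
    ("SP Server", "SNMP Server", "SNMP", False, "162"),
    ("SP Server", "Active Directory Server", "LDAP", False, "389, 3268"),
    ("Event Collector", "Databridge", "L/S", True, "901-930"),
    ("Agent Manager", "SP Server", "HTTPS", True, "3994, 8093, 8443"),
]


def expand_ports(spec):
    """Turn '1433, 445, 135, udp/1434' or '901-930' into [(proto, port), ...]."""
    out = []
    for item in spec.split(","):
        item = item.strip()
        proto = "tcp"
        if item.startswith("udp/"):
            proto, item = "udp", item[4:]
        if "-" in item:
            lo, hi = item.split("-")
            out.extend((proto, p) for p in range(int(lo), int(hi) + 1))
        else:
            out.append((proto, int(item)))
    return out


def rules_for(source, destination, src_ip, dst_ip):
    """Vendor-neutral allow rules for one source->destination pair, to be
    translated into the syntax of whatever firewall sits between them."""
    rules = []
    for src, dst, _wire, _enc, spec in PORT_TABLE:
        if src == source and dst == destination:
            for proto, port in expand_ports(spec):
                rules.append(f"allow {proto} {src_ip} -> {dst_ip}:{port}")
    return rules


def unencrypted_flows():
    """Flows the table marks Encryption None, plus the unencrypted UDP port:
    these cross the firewall in cleartext and deserve the tightest
    source/destination scoping."""
    flows = []
    for src, dst, _wire, enc, spec in PORT_TABLE:
        for proto, port in expand_ports(spec):
            if not enc or proto == "udp":
                flows.append((src, dst, proto, port))
    return flows


def tcp_reachable(host, port, timeout=2.0):
    """After the rule is in place, confirm the destination TCP port answers
    from the source host; the UDP port (1434) cannot be verified this way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```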
Port information for Active Directory integration
To integrate Active Directory with SiteProtector, the Sensor Controller must be able to communicate with Active Directory over certain ports.
Destination ports that must be open
The following table lists the destination ports that must be open to allow communication between SiteProtector components and Active Directory:
Protocol | TCP Port
--- | ---
Kerberos Secure Authentication | 88
Lightweight Directory Access Protocol (LDAP) | 389
Kerberos Passwords | 464
LDAP over SSL | 636
Microsoft Global Catalog | 3268
Microsoft Global Catalog with LDAP/SSL | 3269
Port information for Internet access
If you download SiteProtector System updates from the Internet, then you may need to reconfigure your firewall rules to allow this communication. This topic gives a procedure for configuring firewall rules for Internet access.
Reference: Refer to your firewall documentation for specific instructions.
Requirement
If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the specified destination ports.
Destination ports that must be open
The following table lists the destination ports that must be open to allow communication between SiteProtector components and the IBM Download Center.
Protocol | Destination Address | Destination Port
--- | --- | ---
SSL or HTTPS | xpu.iss.net | 443
SSL or HTTPS | www.iss.net | 443
SSL or HTTPS | download.iss.net | 443
SSL or HTTPS | update.iss.net | 443
Important: IBM Security recommends that you use secure protocols (SSL or HTTPS) to download updates from the Deployment Manager.
Local-only ports
Certain local-only ports must be open to allow communication between the Application Server and other SiteProtector components on the same machine.
Local-only ports are bound to the system's loopback adapter (127.0.0.1) and cannot be accessed remotely. Local-only ports are in a listening state because they only receive internal system communications and are not configured to make use of external calls.
Reference: Refer to your firewall documentation for specific instructions.
Static ports
The following static local-only ports are available for the Application Server:
- 1527
- 2001
- 4201
- 6882
- 8009
- 8080
- 9999
- 61050
- 61613
Dynamic ports
Local-only ports are also assigned dynamically depending on the port availability for that system. Dynamic local-only ports cannot be documented here because they change dynamically depending on circumstances.
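Because the static ports above are supposed to be bound only to 127.0.0.1, a useful check on the Application Server host is to confirm that none of them is listening on all interfaces. This added example (not IBM's code) parses listening sockets from text in the format of Windows "netstat -ano" output; the sample lines and PID are constructed.

```python
# Added example, not IBM's code. The static local-only ports come from the
# page; SAMPLE_NETSTAT is constructed in the layout of "netstat -ano" output.
LOCAL_ONLY_PORTS = {1527, 2001, 4201, 6882, 8009, 8080, 9999, 61050, 61613}

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1527         0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:61613        0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3994           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:9999         127.0.0.1:52100        ESTABLISHED     1204
"""


def listening_sockets(netstat_text):
    """Yield (local_ip, port, pid) for every TCP line in the LISTENING state;
    the header line and established connections are skipped."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ip, port = fields[1].rsplit(":", 1)
            yield ip, int(port), fields[4]


def exposed_local_only_ports(netstat_text):
    """Return (port, local_ip, pid) for local-only ports that listen on
    anything other than 127.0.0.1, i.e. are reachable from the network even
    though the page says they should not be. Port 3994 is a normal
    SiteProtector listener, so it is not reported."""
    return sorted(
        (port, ip, pid)
        for ip, port, pid in listening_sockets(netstat_text)
        if port in LOCAL_ONLY_PORTS and ip != "127.0.0.1"
    )
```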
Chapter 2. Configuring Components for NAT Firewalls
If your SiteProtector components are located behind firewalls that use NAT or other types of address translation, you may be required to perform additional configuration tasks so that SiteProtector components can communicate.
Problems with using NAT with SiteProtector
By default, some SiteProtector components are configured to use private IP addresses to communicate with other components. NAT firewalls typically block components that use private IP addresses.
How to enable NAT communication
To correct NAT communication problems, you must configure SiteProtector components to use either a public IP address or a fully qualified domain name.
Common NAT firewall locations
NAT is typically enabled on external firewalls and not on firewalls that are located on the intranet. You may experience communication problems if firewalls are located between the following:
- Remote consoles and the Application Server
- Remote IBM Proventia Desktop Endpoint Security agents and the Agent Manager
Topics
“Configuring the Application Server for communication with NAT firewalls”
“Restarting the Sensor Controller and Application Server services” on page 10
“Configuring the Agent Manager for communication through NAT firewalls” on page 10
Configuring the Application Server for communication with NAT firewalls
This topic explains how to configure the Application Server to communicate with NAT firewalls.
About this task
Important: Perform the procedure in this topic only if a NAT firewall is between the Application Server and the Console.
Reference: For more information on stopping and restarting the application services, see “Restarting the Sensor Controller and Application Server services” on page 10.
Procedure
1. Stop the Application Server service.
2. Click Start on the taskbar, and then select Run.
3. In the Open field, type regedit. The Registry Editor appears.
4. Navigate to the following path:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
5. Use the following table to configure the registry keys:
   Folder | Entry | Change the...
   --- | --- | ---
   issSPAppService\Parameters | JVM Option Number 6 | value data from the IP address to the DNS name
   issSPSenCtlService\Parameters | IPBind | value data from the IP address to the DNS name
   Example: -Djava.rmi.server.hostname=public_IP_or_FQDN
6. Restart the Sensor Controller and Application Server services.
Restarting the Sensor Controller and Application Server services
This topic explains how to stop or restart the Sensor Controller and the Application Server services.
About this task
After you have configured the Application Server to communicate with NAT, you must restart the Sensor Controller and Application Server services to put the changes into effect.
Procedure
1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings > Control Panel.
2. Open the Administrative Tools folder, and then double-click Services. The Services window appears.
3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it.
4. Do one of the following:
   - To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar.
   - To start the Sensor Controller service, click Start Service (the Play option) on the toolbar.
5. Repeat Steps 1 through 4 for the Application Server.
Configuring the Agent Manager for communication through NAT firewalls
Perform the procedure in this topic only if a NAT firewall is between the Agent Manager and IBM Proventia Desktop Endpoint Security agents. This procedure configures the Agent Manager so that it can communicate with NAT firewalls.
Before you begin
You must perform this procedure before you generate agent builds. Otherwise, agents cannot communicate with the Agent Manager, and you will be forced to regenerate agent builds.
Procedure
1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization file at the following path:
   \Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini
2. Open the file in a text editor.
3. Change the dcName to one of the following:
   - DNS name (the recommended option)
   - public IP address
   Note: If you select the DNS name option, ensure that it resolves to an IP address.
4. Save the file.
5. On the Console, right-click the Agent Manager icon, and then select Stop.
6. Right-click the Agent Manager icon, and then select Start.
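Both Chapter 2 procedures make the same change, replacing a private IP address with a public IP address or a DNS name that resolves, in the Application Server's registry values (step 5 of the first procedure) and in the Agent Manager's rsspdc.ini (step 3 above). This added example (not IBM's code) models those edits and the checks a practitioner would want before applying them: the value names JVM Option Number 6 and IPBind come from the page's table, while the ini line form "dcName=<value>" and the dicts standing in for the registry Parameters keys are assumptions; hosts and addresses are constructed.

```python
import ipaddress
import re
import socket

# Added example, not IBM's code. It models the two Chapter 2 edits: the
# Application Server's "-Djava.rmi.server.hostname=..." JVM option and IPBind
# (value names as in the page's table), and the Agent Manager's dcName in
# rsspdc.ini. The ini line form "dcName=<value>" is an assumption; the page
# names only the key. Plain dicts stand in for the registry Parameters keys.


def check_nat_endpoint(value, resolve=socket.gethostbyname):
    """Classify the address a component advertises to its peers. 'private-ip'
    is the case a NAT firewall breaks; a DNS name must resolve (the page's
    Note), otherwise agents built with it can never reach the Agent Manager."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        try:
            resolve(value)
            return "fqdn"
        except OSError:
            return "unresolvable"
    return "private-ip" if addr.is_private else "public-ip"


def _require_nat_safe(value, resolve):
    """Refuse values that would leave the component unreachable through NAT."""
    if check_nat_endpoint(value, resolve) in ("private-ip", "unresolvable"):
        raise ValueError(f"{value!r} is a private address or does not resolve")


def fix_app_server_values(app_params, senctl_params, new_host,
                          resolve=socket.gethostbyname):
    """Return updated copies of the issSPAppService\\Parameters and
    issSPSenCtlService\\Parameters values (step 5 of the Application Server
    procedure) with the IP address replaced by the public IP or DNS name."""
    _require_nat_safe(new_host, resolve)
    prefix = "-Djava.rmi.server.hostname="
    option = app_params["JVM Option Number 6"]
    if not option.startswith(prefix):
        raise ValueError(f"unexpected JVM option in slot 6: {option!r}")
    app = dict(app_params)
    app["JVM Option Number 6"] = prefix + new_host
    senctl = dict(senctl_params)
    senctl["IPBind"] = new_host
    return app, senctl


def rewrite_dcname(ini_text, new_host, resolve=socket.gethostbyname):
    """Replace the dcName value in rsspdc.ini text (step 3 of the Agent
    Manager procedure), leaving every other line untouched."""
    _require_nat_safe(new_host, resolve)
    pattern = re.compile(r"^(\s*dcName\s*=\s*)\S+", re.IGNORECASE | re.MULTILINE)
    new_text, count = pattern.subn(lambda m: m.group(1) + new_host, ini_text)
    if count != 1:
        raise ValueError(f"expected exactly one dcName line, found {count}")
    return new_text
```

The resolve parameter exists so the DNS check can be exercised offline; on the real host the default socket.gethostbyname performs the lookup the page's Note asks for.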
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
SiteProtector Project Management
C55A/74KB
6303 Barfield Rd.,
Atlanta, GA 30328
U.S.A
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Printed in USA