ManageEngine® Applications Manager, Chapter 16.5: Security/Firewall Requirements

This section explains how Applications Manager can be accessed across a firewall. Firewalls act as barriers that prevent unauthorized access to a network: they are the entrance through which authorized traffic may pass and other traffic may not.
You need to configure the firewall so that the host on which Applications Manager runs can reach each monitored system on the relevant port.
Ports to be opened when monitors are behind the firewall:

Monitors | Port Details
---|---
Windows (WMI mode) | Windows Management Instrumentation (WMI): port 445. Remote Procedure Call (RPC): port 135. In addition, the DCOM response port range described below the table.
Windows (SNMP mode) | SNMP agent port: 161
Linux / Solaris / AIX / HP Unix / Tru64 Unix | Telnet port: 23 (if mode of monitoring is Telnet). SSH port: 22 (if mode of monitoring is SSH). SNMP agent port: 161 (if mode of monitoring is SNMP).
JBoss | Port on which JBoss is running (e.g., 8080); the hostname must also be reachable. RMI object port (e.g., 4444).
WebLogic | HTTP port of WebLogic, e.g., 7001
Oracle Application Server | HTTP port of Oracle Application Server, e.g., 7200
Tomcat | HTTP port of Tomcat, e.g., 8080
WebSphere | HTTP port of WebSphere (default: 9080)
Oracle | Port on which Oracle listens (default: 1521)
DB2 | Port on which DB2 listens (default: 50000)
SQL Server | Port on which SQL Server listens (default: 1433)
MySQL | Port on which MySQL is running, e.g., 3306
Mail Server | SMTP server port: 25 (default), used to send mails from Applications Manager
Exchange Server | Port of Exchange Server (default: 25)
Web Server - Apache / IIS / PHP | HTTP port of the web server (default: 80)
JMX [MX4J / JDK 1.5] | Port of the JMX agent (default: 1099). To monitor JMX behind a firewall the following changes have to be done.
Service Monitoring | Port of the service (default: 9090)
SNMP | SNMP agent port (default: 161)
Telnet | Telnet port (default: 23)
Web Transaction | Port on which the agent is deployed (default: 55555)
Hyper-V | Ports 135, 443 and 1025

DCOM note for Windows (WMI mode): WMI uses DCOM for remote communication, and during DCOM communication the target server (the server to be monitored by Applications Manager) by default responds on any random port above 1024. You have to connect to the target server and configure it to use a port within a specified range of ports. Follow the steps in http://support.microsoft.com/kb/300083 to restrict the ports on the target server. Please note that you must specify at least 5 ports in this range for the target server (it is normally recommended to open at least 100 ports: http://support.microsoft.com/kb/217351/EN-US/). This same range of ports must also be opened in the firewall.
When there is two-way communication and the monitors need to access Applications Manager, the following ports also need to be opened.

Port | Description
---|---
WebServer Port: 9090 | Should be opened for accessing the Applications Manager WebClient and also for monitoring WebLogic and JBoss.
Trap Port: 1620 | If traps are configured to be received in Applications Manager, then you need to open Trap Port 1620.
Apart from this, Applications Manager makes sure that its data is secure: the internal MySQL database allows access only from localhost, through authenticated users. User names and passwords are stored in the MySQL database that is bundled with the product, and the passwords are stored encrypted.
Privileges required for different monitor types:

Monitors | Privileges
---|---
Windows | Administrator username/password [WMI mode]
Linux | Guest user privilege
Solaris | Guest user privilege
IBM AIX | Guest user privilege is sufficient, but collecting memory-related details requires a user with "root" privilege. Hence, it is preferable to use a "root" account to view all details.
HP Unix | Guest user privilege
MS SQL | System Administrator/Owner for the "master" database
MySQL | The user name specified should have access to the databases that are to be monitored. MySQL should also be configured to allow the host on which Applications Manager is running to access the MySQL database.
DB2 | Permission of the "sysproc procedure" user of the DB2 database
Oracle | Permission of the "system" user of the Oracle database
WebSphere | If Global Security is enabled, the username/password for the same. Otherwise no username/password is required.
WebLogic | If WebLogic is authenticated, the username/password for the same. Otherwise no username/password is required.
JBoss | If JBoss is authenticated, the username/password for the same. Otherwise no username/password is required.
Tomcat | For 5.x, you need a username and password to connect to the Tomcat Manager application, and the user specified should have the 'manager' role. Otherwise no username/password is required.
SNMP Agent | SNMP community string with read privileges
Hyper-V | Administrator privileges on the root OS (Windows 2008 R2 and other supported Hyper-V versions)
Enterprise Edition

Path | Ports
---|---
Managed Server to Admin | SSL port (default 8443)
Admin to Managed Server | SSL port (default 8443) for database syncing; Webserver port (default 9090)

Note: The Production Environment section gives the configuration details that you need to take care of when moving Applications Manager into production.