ManageEngine® Applications Manager


Chapter 16.5 Security/Firewall Requirements


Security/Firewall Requirements


This section explains how Applications Manager can be used across a firewall. Firewalls act as barriers that prevent unauthorized access to a network: they are an entrance through which authorized traffic may pass and other traffic may not.

You need to configure the firewall so that the host on which Applications Manager runs can reach each monitored system on the relevant port.

Ports to be opened when monitors are behind the firewall:

Monitors -- Port Details

Windows
  WMI mode of monitoring:
    Windows Management Instrumentation (WMI) -- Port: 445
    Remote Procedure Call (RPC) -- Port: 135
    WMI uses DCOM for remote communication, and when communicating through DCOM the target server (the server to be monitored by Applications Manager) by default responds on any random port above 1024. You have to connect to the target server and configure it to use a port within a specified range of ports. Follow the steps in http://support.microsoft.com/kb/300083 to restrict the ports on the target server. Note that you must specify at least 5 ports in this range on the target server (you are normally recommended to open at least 100 ports; see http://support.microsoft.com/kb/217351/EN-US/). The same port range must also be opened in the firewall.
  SNMP mode of monitoring:
    SNMP Agent Port: 161

Linux / Solaris / AIX / HP Unix / Tru64 Unix
  Telnet Port: 23 (if mode of monitoring is Telnet)
  SSH Port: 22 (if mode of monitoring is SSH)
  SNMP Agent Port: 161 (if mode of monitoring is SNMP)

JBoss
  Port on which JBoss is running (e.g., 8080); the hostname should also be accessible.
  RMI object port (e.g., 4444)

WebLogic
  HTTP port of WebLogic (e.g., 7001)

Oracle Application Server
  HTTP port of Oracle Application Server (e.g., 7200)

Tomcat
  HTTP port of Tomcat (e.g., 8080)

WebSphere
  HTTP port of WebSphere (default: 9080)

Oracle
  HTTP port of Oracle (default: 1521)

DB2
  HTTP port of DB2 (default: 50000)

SQL Server
  HTTP port of SQL Server (default: 1433)

MySQL
  Port on which MySQL is running (e.g., 3306)

Mail Server
  SMTP server port: 25 (default), to send mails from Applications Manager

Exchange Server
  HTTP port of Exchange Server (default: 25)

Web Server - Apache / IIS / PHP
  HTTP port of the web server (default: 80)

JMX [MX4J / JDK 1.5]
  HTTP port of the JMX agent (default: 1099)
  To monitor JMX behind a firewall, the following changes have to be made:
  • Edit the startApplicationsManager.bat/sh file and add
    -Dmonitor.jmx.rmi.port=<port number for RMI socket communication> to the Java runtime options.
  • Restart the Applications Manager server.
  • Ensure that the RMI socket port (step 1) and the JNDI port (step 4) are opened in the firewall.
  • Add the JMX Applications monitor after providing the relevant details.
  • The monitor should be added successfully.

Service Monitoring
  HTTP port of Services (default: 9090)

SNMP
  HTTP port of SNMP (default: 161)

Telnet
  HTTP port of Telnet (default: 23)

Web Transaction
  Port on which the agent is deployed (default: 55555)

Hyper-V
  Ports 135, 443 and 1025

When there is two-way communication and the monitored systems need to reach Applications Manager, the following ports also need to be opened.

Port -- Description

WebServer Port: 9090
  Should be opened for accessing the Applications Manager web client and also for monitoring WebLogic and JBoss.

Trap Port: 1620
  If traps are configured to be received in Applications Manager, then Trap Port 1620 needs to be opened.
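As an added example (not part of the product documentation), the Python script below encodes the port tables above, validates a restricted DCOM port range against the sizing rule given for WMI monitoring, and probes the listed ports from the Applications Manager host so a firewall rule set can be verified before a monitor is added. The monitor keys, function names and the throwaway local listener in the demo are my own choices, not product features.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Ports each monitor type needs on the monitored host, transcribed from the table
# above (application-server entries use the table's example values).
REQUIRED_PORTS: Dict[str, List[int]] = {
    "windows-wmi": [445, 135],     # plus the restricted DCOM range, checked below
    "windows-snmp": [161],
    "unix-telnet": [23], "unix-ssh": [22], "unix-snmp": [161],
    "jboss": [8080, 4444],         # HTTP port and RMI object port
    "weblogic": [7001], "oracle-as": [7200], "tomcat": [8080], "websphere": [9080],
    "oracle": [1521], "db2": [50000], "sqlserver": [1433], "mysql": [3306],
    "mail": [25], "exchange": [25], "web-server": [80], "jmx": [1099],
    "web-transaction": [55555], "hyper-v": [135, 443, 1025],
}
# Two-way case: ports the monitored hosts must reach on the Applications Manager host.
REVERSE_PORTS: Dict[str, int] = {"webserver": 9090, "trap": 1620}

def dcom_range_ok(first: int, last: int) -> Tuple[bool, str]:
    """Validate a restricted DCOM range (KB300083): above 1024, >= 5 ports, 100 recommended."""
    size = last - first + 1
    if first <= 1024 or size < 5:
        return False, f"range {first}-{last}: must lie above 1024 and contain at least 5 ports"
    if size < 100:
        return True, f"range {first}-{last}: usable, but below the recommended 100 ports"
    return True, f"range {first}-{last}: ok"

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds, i.e. the firewall lets it through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ports(host: str, ports: List[int],
                probe: Callable[[str, int], bool] = tcp_open) -> Dict[int, bool]:
    """Map each port to whether it is reachable on host; `probe` is injectable for tests."""
    return {p: probe(host, p) for p in ports}

def check_monitor(host: str, monitor: str,
                  probe: Callable[[str, int], bool] = tcp_open) -> Dict[int, bool]:
    return check_ports(host, REQUIRED_PORTS[monitor], probe)

if __name__ == "__main__":
    # Offline demo: a throwaway listener on localhost stands in for a monitored host.
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        print(check_ports("127.0.0.1", [port, 1]))   # listener reachable, port 1 closed
    print(dcom_range_ok(5000, 5004))
```

Run it against a real monitored host with `check_monitor("<host>", "windows-wmi")` before adding the monitor; a `False` entry points at the firewall rule that is still missing.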

Apart from this, Applications Manager makes sure that its data is secure: the bundled MySQL database accepts connections only from localhost and only from authenticated users. User names and passwords are stored in the MySQL database that is bundled with the product, and the passwords are stored encrypted.

Privileges required for different monitor types:

Monitors -- Privileges

Windows: Administrator username/password [WMI mode]
Linux: Guest user privilege
Solaris: Guest user privilege
IBM AIX: Guest user privilege is sufficient, but collecting memory-related details requires a user with "root" privilege. Hence, it is preferable to use a "root" account to view all details.
HP Unix: Guest user privilege
MS SQL: System Administrator/Owner for the "master" database
MySQL: The user name specified should have access to the databases that are to be monitored. MySQL should also be configured to allow the host on which Applications Manager is running to access the MySQL database.
DB2: Permission of the "sysproc procedure" user of the DB2 database
Oracle: Permission of the "system" user of the Oracle database
WebSphere: If Global Security is enabled, the username/password for it; otherwise no username/password is required.
WebLogic: If WebLogic is authenticated, the username/password for it; otherwise no username/password is required.
JBoss: If JBoss is authenticated, the username/password for it; otherwise no username/password is required.
Tomcat: For 5.x, you need a username and password to connect to the Tomcat Manager application; otherwise no username/password is required. The user specified should have the 'manager' role.
SNMP Agent: SNMP community string with read privileges
Hyper-V: Administrator privileges on the root OS (Windows 2008 R2 and other supported Hyper-V versions)

Enterprise Edition

Path -- Ports

Managed Server to Admin Server: SSL port (default 8443)
Admin Server to Managed Server: SSL port (default 8443), used for database syncing
Web server: port 9090 (default)

Note: The Production Environment section gives the configuration details you need to take care of when moving Applications Manager into production.
