Security/Firewall Requirements


This section explains how Applications Manager can monitor resources that are behind a firewall. A firewall acts as a barrier that blocks unauthorized access to a network: it lets authorized traffic through and rejects the rest. You need to configure the firewall so that the host on which Applications Manager runs can reach each monitored resource on the port listed for that monitor type below.

Note: The ports listed below must be open for bi-directional communication between the Applications Manager host and the monitored resource. Applications Manager initiates the connection, so the rule must allow the outbound request from the Applications Manager host and the response back. Open only the ports the monitor type actually needs, and where the firewall supports it restrict the rule to the Applications Manager host as the source.

Ports to be opened when Monitors are behind the firewall:

Monitors        Port Details
APPLICATION SERVERS
Glassfish Glassfish JMX port (default : 8686)
JBoss Two-way communication between the JBoss web server port (default : 8080) and the Applications Manager web server port (default : 9090). The Applications Manager hostname must resolve and be reachable from the JBoss server.
JBoss RMI object port (default : 4444).
Jetty Enable JMX for monitoring. The JMX Port for default installations of Jetty is 9999.
Microsoft .Net

Windows Management Instrumentation (WMI) -- Port: 445

Remote Procedure Call (RPC) (default : 135)

See the ports required for WMI mode of monitoring under Servers > Windows below.
Oracle Application Server Oracle Application Server port (default : 7200)
Tomcat Tomcat web server port (default : 8080)
VMware vFabric tc Server JMX port of VMware vFabric tc Server (default : 6969)
WebLogic Two-way communication between WebLogic listening port (default : 7001) and Applications Manager web server port (default : 9090)

WebSphere

WebSphere application port (default : 9080)

CUSTOM MONITORS
Database Query monitor Corresponding database server port
File/Directory, Script (Telnet/SSH mode)

Telnet Port: 23 (if mode of monitoring is Telnet)

SSH Port: 22 (if mode of monitoring is SSH)

File/Directory, WMI Performance counter (WMI mode)

Windows Management Instrumentation (WMI) -- Port: 445

Remote Procedure Call (RPC) -- Port: 135

See the ports required for WMI mode of monitoring under Servers > Windows below.
DATABASE SERVERS
DB2 The port on which DB2 is listening (default : 50000)
Memcached The port on which the Memcached server is listening (default : 11211)
MySQL The port on which MySQL is listening (default : 3306)
Oracle The port on which the Oracle listener is running (default : 1521)
PostgreSQL The port on which PostgreSQL is listening (default : 5432)
Microsoft SQL Server The port on which SQL Server is listening (default : 1433). UDP port 1434 may also be required for the SQL Server Browser Service when you monitor named instances.
Sybase The port on which Sybase is listening (default : 5000)
SAP HANA SAP HANA's IndexServer port (default : 30015)
Apache HBase The JMX port on which HBase is listening. For default installations of HBase, the JMX port is 10101 for the Master and 10102 for the RegionServer.
NoSQL
Cassandra Enable JMX for monitoring. The JMX Port for default installations of Cassandra is 7199.
ERP
Oracle EBS Oracle EBS webserver port (default:7200)
Microsoft Dynamic CRM/365 (On-Premise)

To monitor a Microsoft Dynamics CRM/365 application, use an Administrator account that has permission to execute WMI queries in the 'root\CIMV2' namespace of the Dynamics CRM/365 server.

Firewall access for monitoring:

Ports required for monitoring via WMI.

  • Windows Management Instrumentation (WMI) (default : TCP 445)
  • Remote Procedure Call (RPC) (default :TCP 135)
  • The target server responds over a DCOM dynamic port above 1024 by default. The range depends on the Windows version (see the dynamic port ranges under Servers > Windows below), and the same range must be opened in the firewall.

Powershell access for monitoring:

See the PowerShell prerequisites for the Dynamics CRM/365 monitor.

MAIL SERVERS
Exchange Server

The SMTP port on which Exchange Server is listening (default : 25)

Windows Management Instrumentation (WMI) (default : 445)
Remote Procedure Call (RPC) (default : 135)
See the ports required for WMI mode of monitoring under Servers > Windows below.

Mail Server SMTP server port (default : 25) to send mails from Applications Manager.
POP port (default : 110 ) to fetch mails using the POP server.
MIDDLEWARE/PORTAL
IBM WebSphere MQ The MQ Listener Port (default:1414)
Microsoft MSMQ/SharePoint Server

Windows Management Instrumentation (WMI) -- Port: 445

Remote Procedure Call (RPC) -- Port: 135

See the ports required for WMI mode of monitoring under Servers > Windows below.
VMware vFabric RabbitMQ Server The port on which the RabbitMQ management plugin is configured (default : 55672 on RabbitMQ 2.x; 15672 on RabbitMQ 3.0 and later)
WebLogic Integration Server WebLogic Integration port (default : 7001)
Oracle Tuxedo The SNMP port on which the Tuxedo SNMP agent is running (default : 161).
Apache ActiveMQ The port in which ActiveMQ is running.
Apache Kafka

The default JMX port is 9999.

If Kafka is running on JDK 7 Update 4 or later, fix the port to which the RMI connector binds with the system property "-Dcom.sun.management.jmxremote.rmi.port=9999" (the same value as the JMX port, so that one firewall rule covers both) in the Kafka JVM options. Otherwise the RMI connector binds a random port and Applications Manager cannot connect through the firewall.

If Kafka is running on an older JDK, refer to http://www.netcluesoft.com/rmi-through-a-firewall.html for fixing the RMI connector port.

SERVERS
AS400/iSeries

Applications Manager connects to AS400/iSeries servers using the JTOpen package, which uses the following non-SSL ports: 449, 446, 8470, 8471, 8472, 8473, 8474, 8475 and 8476. Ensure that the ports listed under the "Port Non-SSL" column in the IBM document linked below are not blocked by the firewall.

https://www-01.ibm.com/support/docview.wss?uid=nas8N1019667

Linux / Solaris / AIX / HPUnix /Tru64 Unix

Telnet Port (default : 23), if mode of monitoring is Telnet.

SSH Port (default : 22), if mode of monitoring is SSH

SNMP Agent Port (default : 161), if mode of monitoring is SNMP

Windows

For WMI Mode of Monitoring:

To monitor a Windows server in WMI mode, the monitoring account must have "Administrator" privileges on the target.

Ports required -

Windows Management Instrumentation (WMI) (default : 445)
Remote Procedure Call (RPC) (default : 135)
WMI uses DCOM for remote communication. By default, the server monitored by Applications Manager responds from a random port above 1024. Configure that target server to use a port range of your choosing, as described at https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls. The range must contain at least 5 ports (Microsoft recommends opening at least 100), and the same range must be opened in the firewall.

In Windows Server 2008 and later versions, and in Windows Vista and later versions,  use the following dynamic port range:

Start port: 49152

End port: 65535

If your computer network environment uses only Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista, you must enable connectivity over the high port range of 49152 through 65535.

Windows 2000, Windows XP, and Windows Server 2003 use the following dynamic port range:

Start port: 1025

End port: 5000

If your computer network environment uses Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges:

High port range 49152 through 65535

Low port range 1025 through 5000

SNMP Mode of monitoring:

Ports required - SNMP Agent Port: 161

SERVICES
Active Directory

Windows Management Instrumentation (WMI) -- Port: 445

Remote Procedure Call (RPC) -- Port: 135

Also refer to ports required for WMI Mode of monitoring under Servers
FTP/SFTP

Port in which FTP or SFTP is running (default:21 for FTP, 22 for SFTP)

JMX [ MX4J / JDK 1.5] Port of the JMX agent (default : 1099)

To monitor JMX behind a firewall, make the following changes:

  • Edit the startApplicationsManager.bat/sh file and add
    -Dmonitor.jmx.rmi.port=<port number for RMI socket communication> to the Java runtime options.
  • Restart the Applications Manager server.
  • Ensure that the RMI socket port (from step 1) and the JMX agent port (default : 1099, also used for the JNDI lookup) are both open in the firewall.
  • Add the JMX Applications monitor with the relevant details.
  • The monitor should be added successfully.
LDAP LDAP server port
Service Monitoring The service port that you need to monitor
SNMP SNMP Agent port (default:161)
Telnet Port which you need to telnet
Apache ZooKeeper

The default port of the JMX agent is 1099.

If ZooKeeper is running on JDK 7 Update 4 or later, fix the port to which the RMI connector binds with the system property "-Dcom.sun.management.jmxremote.rmi.port=1099" (the same value as the JMX port) in the ZooKeeper JVM options, so that Applications Manager can connect through the firewall.

If ZooKeeper is running on an older JDK, refer to http://www.netcluesoft.com/rmi-through-a-firewall.html for fixing the RMI connector port.

Oracle Coherence Enable JMX for monitoring. The JMX Port for default installations of Coherence is 1099.
Hadoop Enable JMX for monitoring. The JMX port of the NameNode.
TRANSACTION
APM Insight Applications Manager's Web Server port should be accessible from the APM Insight agent server (default:9090).
VIRTUALIZATION
Hyper-V

Windows Management Instrumentation (WMI) -- Port: 445

Remote Procedure Call (RPC) -- Port: 135

Also refer to the ports required for WMI Mode of monitoring under Servers
VMWare ESX/ESXi VMWare Web Service port (default:443)
Citrix Xenserver The https Port where the XenServer web service runs. The default port is 443.
Docker The Docker remote API port (default : 4243 in early Docker releases; current releases use 2375 for plain TCP and 2376 for TLS). The remote API gives root-equivalent control of the host, so expose it only with TLS and client certificate verification, and restrict the firewall rule to the Applications Manager host.
WEB SERVER/SERVICES
Real Browser Monitor (Qengine port) The qeport (default : 5001) defined in the <AppManager_Home>/working/conf/qeruntime.properties file should be accessible from the machine on which you record RBM web scripts.
SSL Certificate Monitor SSL port in which the web server is running (default:443).
Web Server - Apache / IIS / PHP HTTP Port of Web Server (default:80).
Elasticsearch The port on which Elasticsearch is listening (default : 9200).
Apache Solr The port on which Apache Solr is listening (default : 8983).
Miscellaneous
Trap Listeners The Trap Listener port (default : 1620) on the Applications Manager server should be accessible from the servers that send traps. See the documentation on receiving SNMP traps.
Web User Experience Monitoring Make sure the Applications Manager host is connected to the internet and can reach Site24x7.
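The table above is only useful once you have confirmed that each listed port is actually reachable from the Applications Manager host. The following Python script is an added example (it is not part of Applications Manager) that probes a constructed list of host/port requirements with a TCP connect and reports which ones a firewall is blocking. The hostnames in REQUIREMENTS and the serve_once helper used for the local demonstration are assumptions for illustration. UDP ports (SNMP 161, SQL Server Browser 1434) cannot be confirmed with a TCP connect and are reported as unverified rather than guessed.

```python
"""Probe the ports Applications Manager needs from the host it runs on.

Added example, not part of Applications Manager. The hosts in REQUIREMENTS
are constructed placeholders; replace them with your monitored servers.
"""
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    monitor: str
    host: str
    port: int
    proto: str = "tcp"      # "udp" entries are listed but not probed
    note: str = ""


# Constructed sample taken from the port table above (hostnames are assumed).
REQUIREMENTS = [
    Requirement("Tomcat", "tomcat.example.internal", 8080),
    Requirement("MySQL", "db.example.internal", 3306),
    Requirement("MS SQL Server", "sql.example.internal", 1433),
    Requirement("MS SQL Server", "sql.example.internal", 1434, "udp", "SQL Browser, named instances"),
    Requirement("Windows (WMI)", "win.example.internal", 135, note="RPC endpoint mapper"),
    Requirement("Windows (WMI)", "win.example.internal", 445, note="WMI over SMB"),
    Requirement("Linux (SSH)", "lnx.example.internal", 22),
]


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Any failure (refused, filtered, unresolvable name) counts as unreachable,
    which is exactly what a missing firewall rule looks like from this side.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check(requirements, probe=tcp_reachable):
    """Classify requirements into reachable, blocked and unverified (non-TCP)."""
    result = {"reachable": [], "blocked": [], "unverified": []}
    for req in requirements:
        if req.proto != "tcp":
            result["unverified"].append(req)
        elif probe(req.host, req.port):
            result["reachable"].append(req)
        else:
            result["blocked"].append(req)
    return result


def serve_once(host="127.0.0.1"):
    """Start a throwaway listener on an ephemeral port; return (port, thread).

    Used only to demonstrate the probe locally without a real monitored host.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_then_close():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    t = threading.Thread(target=accept_then_close, daemon=True)
    t.start()
    return port, t


def report(result):
    """Render the classification as one line per requirement."""
    lines = []
    for status in ("reachable", "blocked", "unverified"):
        for req in result[status]:
            line = f"{status:10s} {req.monitor:14s} {req.host}:{req.port}/{req.proto} {req.note}"
            lines.append(line.rstrip())
    return lines


if __name__ == "__main__":
    # Local demonstration: a listener we control must show up as reachable.
    port, thread = serve_once()
    print("\n".join(report(check([Requirement("demo listener", "127.0.0.1", port)]))))
    thread.join(timeout=2)
    # Real run against the monitored hosts (the placeholders above will show as blocked).
    print("\n".join(report(check(REQUIREMENTS))))
```

Run it from the Applications Manager host itself, since that is the source address the firewall rule must match; a probe from an administrator's workstation proves nothing about that path.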

Applications Manager protects the data it stores. The bundled PostgreSQL (PGSQL) database accepts connections only from localhost and only from authenticated users. User names and passwords are stored in that database, and the passwords are stored in encrypted form.

Privileges required for different monitor types:

Monitors        Privileges
Active Directory Administrator username/password [WMI mode]
Amazon
  • The AWS Access Key ID used to call the AWS API. The access key ID is 20 alphanumeric characters.
  • The AWS Secret Access Key. The secret key is 40 characters long.
Apache Server Credentials for accessing the server status url for Apache
AS400/iSeries
  • To retrieve data for all modules of the AS400/iSeries monitor except 'Disk', a user with the *USER user profile is required.
  • To retrieve 'Disk' data and to perform admin actions from Applications Manager, a user with the *SECOFR user profile is required.
  • If using the *SECOFR user profile is not possible, then retrieving disk data and performing admin actions such as viewing spooled files and job logs and acting on JOBS, SPOOL and SUBSYSTEM require a user profile with the special authorities *ALLOBJ, *SAVSYS, *JOBCTL and *SPLCTL.

  • The user should have permission to access QMPGDATA/QPFRDATA library because Applications Manager uses performance collection service for retrieving disk details from AS400/iSeries server. Note: If the performance data collection is not enabled in AS400/iSeries, you need to start it by using the command STRPFRCOL or GO PERFORM-->COLLECT PERFORMANCE DATA-->START PERFORMANCE COLLECTION. You will also be able to execute the STRPFRCOL command from AS400/iSeries server monitor page in Admin-->Non-Interactive command option.

Database Query Monitor User with privileges for accessing a particular database and execute the query
DB2 User with at least SYSMON instance-level authority
Exchange Server Administrator username/password [WMI mode]
File/Directory User with privileges for accessing the File or Directory to monitor
FTP/SFTP If Authentication is enabled, enter the Username and Password for connecting to the FTP/SFTP server & move to required directory
Glassfish Username and password for connecting to Glassfish Admin console
HP-UX Guest user privilege
HTTP URL If basic authentication is required enter the same in monitor
Hyper-V Administrator privileges to the root OS (Windows 2008 R2 and other supported Hyper-V versions)
IBM AIX Guest user privileges are sufficient but "root" privileges are required for collecting Memory related details. Hence, it is preferable to use a "root" account to view all the details
IBM WebSphere MQ A Channel name with type of "Server Connection Channel"
JBoss Use the JBoss username/password (if Jboss is authenticated). User should be able to access the JBoss JMX console. If not, no username/password is required
JMX/Java Runtime

If Authentication is enabled, enter the Username and password for connecting to the JMX agent.

If the Java application is running on JDK 7 Update 4 or later, fix the port to which the RMI connector binds with the system property "-Dcom.sun.management.jmxremote.rmi.port=1099" (the same value as the JMX port) in that application's JVM options, so that Applications Manager can connect through the firewall.

If the Java application is running on an older JDK, refer to http://www.netcluesoft.com/rmi-through-a-firewall.html for fixing the RMI connector port.
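The Kafka, ZooKeeper and JMX entries above all make the same point: a JVM that fixes only jmxremote.port still lets the RMI connector bind an ephemeral port, so a firewall that opens the registry port alone blocks the monitor. The Python script below is an added example (not from Applications Manager or from any of the projects named) that parses a JVM command line and reports the firewall-relevant and security-relevant JMX settings, including the ports that actually need opening. The two sample command lines are constructed; the IP address, paths and class names in them are placeholders.

```python
"""Audit the remote-JMX system properties on a JVM command line.

Added example, not part of Applications Manager. Both command lines below
are constructed; audit a real process with: ps -o args= -p <pid>.
"""
import shlex

JMX = "com.sun.management.jmxremote"

# Constructed: Kafka-style start line with only the registry port fixed,
# and authentication/SSL switched off.
WEAK_CMDLINE = (
    "java -Xmx1g -Dcom.sun.management.jmxremote "
    "-Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false kafka.Kafka config/server.properties"
)

# Constructed: registry and RMI connector pinned to the same port, hostname set,
# authentication left at its JDK default (enabled) with a password file.
HARDENED_CMDLINE = (
    "java -Xmx1g -Dcom.sun.management.jmxremote.port=1099 "
    "-Dcom.sun.management.jmxremote.rmi.port=1099 "
    "-Djava.rmi.server.hostname=10.0.0.5 "
    "-Dcom.sun.management.jmxremote.password.file=/etc/zookeeper/jmxremote.password "
    "org.apache.zookeeper.server.quorum.QuorumPeerMain /etc/zookeeper/zoo.cfg"
)


def parse_jvm_props(cmdline):
    """Return the -Dkey=value system properties of a JVM command line as a dict."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, _, val = tok[2:].partition("=")
            props[key] = val
    return props


def audit_jmx(cmdline):
    """Return a list of findings; an empty list means firewall-ready and authenticated.

    Defaults follow the JDK: authenticate and ssl are 'true' unless set to 'false'.
    """
    p = parse_jvm_props(cmdline)
    findings = []
    port = p.get(f"{JMX}.port")
    if port is None:
        return ["remote JMX is not enabled (no jmxremote.port); nothing to open"]
    rmi = p.get(f"{JMX}.rmi.port")
    if rmi is None:
        findings.append(
            f"rmi.port unset: registry on {port} but the RMI connector binds an "
            "ephemeral port (JDK 7u4+: set jmxremote.rmi.port, usually to the same value)"
        )
    elif rmi != port:
        findings.append(f"rmi.port {rmi} differs from jmxremote.port {port}: open both")
    if "java.rmi.server.hostname" not in p:
        findings.append("java.rmi.server.hostname unset: the RMI stub may advertise an "
                        "address the monitoring host cannot route to (NAT, multi-homed)")
    if p.get(f"{JMX}.authenticate", "true").lower() == "false":
        findings.append("authenticate=false: anyone who reaches the port gets full "
                        "read/write MBean access")
    if p.get(f"{JMX}.ssl", "true").lower() == "false":
        findings.append("ssl=false: JMX credentials and data cross the network in cleartext")
    return findings


def ports_to_open(cmdline):
    """Return the sorted TCP ports the firewall must allow for this JVM's JMX."""
    p = parse_jvm_props(cmdline)
    ports = {p[k] for k in (f"{JMX}.port", f"{JMX}.rmi.port") if k in p}
    return sorted(int(x) for x in ports)


if __name__ == "__main__":
    for name, line in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(f"[{name}] ports to open: {ports_to_open(line)}")
        for finding in audit_jmx(line) or ["no findings"]:
            print(f"  - {finding}")
```

Pinning both properties to one port is what lets the firewall rule stay a single entry; setting java.rmi.server.hostname matters whenever the monitored JVM sits behind NAT or has several interfaces, because the RMI stub returned on the registry port carries the address the client must connect back to.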

LDAP If Authentication is enabled, enter the Username and Password. If no username and password is provided, then it will connect to LDAP server as an anonymous login.
Linux Guest user privilege
Mail Server If Authentication is enabled, enter the Username and password for connecting to the SMTP and POP
Microsoft .Net Administrator username/password [WMI mode]
Microsoft Office SharePoint Server Administrator username/password [WMI mode]
MS SQL System Administrator, or owner of the "master" database
MSMQ Administrator username/password [WMI mode]
MySQL The user name specified should have access to the databases to be monitored. MySQL must also be configured to accept connections for that user from the host on which Applications Manager is running (the grant must cover that host, not only localhost).
Oracle User with CONNECT and SELECT_CATALOG_ROLE roles
SAP/SAP CCMS

You need a SAP user profile with the authorization objects S_RFC, S_XMI_LOG and S_XMI_PROD; these are the minimum prerequisites for adding a SAP monitor.

Applications Manager uses the SAP Java Connector (JCo) to connect to the SAP ABAP server. JCo communicates from Applications Manager to SAP through the SAP Dispatcher, whose port is 3200 plus the SAP system number (32NN, for example 3200 for system number 00).

Script monitor User with privileges for executing the script and accessing the output file.
Server with SNMP mode SNMP Community string with read privileges.
SNMP/Network device

For SNMP Version V1/V2c:

  • SNMP Community string with read only privileges.

For SNMP Version V3:

Select one of the three Security Levels in the drop-down list:

  • NoAuthNoPriv - Messages are sent unauthenticated and unencrypted. Enter a User Name and Context Name. This level offers no protection against spoofing or eavesdropping.
  • AuthNoPriv - Messages are authenticated but unencrypted. Enter a User Name, Context Name and an Authentication Password, and select an Authentication Protocol (MD5 or SHA) from the drop-down list.
  • AuthPriv - Messages are authenticated and encrypted. Enter a User Name, Context Name, an Authentication Password and a Privacy Password, and select an Authentication Protocol (MD5 or SHA) from the drop-down list. By default, DES encryption is used. Prefer SHA over MD5 and, where both the agent and Applications Manager support it, a stronger privacy protocol than DES.
Solaris Guest user privilege.
Sybase The user should have admin privileges or the DB owner for master database.
Tomcat
  • For 5.x and above, a username and password are required to connect to the Tomcat Manager application. If Tomcat Manager is not secured, no username/password is required.
  • For 5.x the user specified should have a 'manager' role.
  • For 6.x and above, the user specified should have "manager-gui", "manager-script", "manager-jmx" and "manager-status" roles.
VMWare ESX/ESXi

When adding VMWare ESX/ESXi servers for monitoring, we recommend that you use the root account. However, if you are unable to use the root account, you can use a 'view-only' profile to add the servers. This profile has all the privileges required for monitoring. The user you create must be:

  • a member of the group user.
  • based on the profile 'read only'.
VMware vFabric RabbitMQ Server User Name and Password of RabbitMQ server.
WebLogic Use the WebLogic username/password, if WebLogic is authenticated. The user should be an administrator. Otherwise, no username/password is required.
WebLogic Integration Server Use the WebLogic username/password, if WebLogic is authenticated. User should be an administrator. Else no username/password is required.
Webservices Give the User Name and Password, if it is required to invoke the webservice operation.
WebSphere If Global Security is enabled, use the same username/password . If not, no username/password is required.
Windows Administrator username/password [WMI mode].

Enterprise Edition

Path        Ports
Admin to Managed Server SSL Port (default 8443) - for database syncing
Webserver (default 9090).
Managed Server to Admin SSL Port (default 8443).

Note: Production Environment gives you the configuration details that you need to take care of, when moving Applications Manager into Production.