Making Unicenter talk through a Firewall - PowerPoint PPT Presentation

Provided by: yatindawad
1
Making Unicenter talk through a Firewall
  • Unicenter NSM
  • Revised August 11 2003

2
Agenda
  • Introduction
  • WorldView Discovery
  • Destination Port Customization
  • From Port Selection
  • DSM Routing
  • Scenarios
  • Different Architecture Reviews
  • Enterprise Management
  • CAM / CAFT , CCI , Event Management
  • Unicenter Options
  • ITRM covered separately

3
Objectives
  • Deployment of working through a firewall will
    vary for different sites
  • The architecture will be highly dependent on
  • Level of risk accepted
  • Rules dictated by the firewall administration.
  • Rules governing blocking and unblocking of ports.
  • This presentation walks through different
    scenarios.
  • The scenarios selected cover most of the
    requirements dictated by different security
    administrations

4
Firewall Requirements
  • Considerations for Firewall
  • Reduce the number of ports to be unblocked
  • Minimize port Contention
  • Block UDP ports
  • Minimize the number of hosts that requires ports
    to be unblocked
  • Block traffic initiated from outside firewall

5
Need for Firewalls
  • Exponential growth in cyber crime
  • Hackers, cyber criminals, e-terrorists
  • Problems caused by recent denial-of-service
    attacks highlighted the need for a resilient
    and secure DMZ environment.
  • Secure Internet environments require firewalls

6
DoS
  • Any software deployed in DMZ requires protection
    against malicious access or denial of service
    attacks. This requires review of security
    solutions to prevent these attacks which is out
    of scope of this presentation

7
What is a Firewall?
  • In general terms a Firewall stops a fire from
    spreading
  • An internet-Firewall acts more like a moat by
    preventing dangers from the internet spreading to
    your internal network
  • It serves multiple purposes-
  • It restricts people to entering at a carefully
    controlled point
  • It prevents attackers from getting close to other
    defenses
  • It restricts people to leaving at a carefully
    controlled point
  • The firewall typically sees all data flowing into
    or out of your network and so has the opportunity
    to ensure the traffic is acceptable

8
What can't a Firewall do?
  • Firewalls are not invulnerable
  • It does not protect against people already inside
  • It does not protect against connections which do
    not go through it
  • It cannot protect against unknown new threats
  • Cannot provide complete protection against
    viruses
  • Even the best defenses may be breached
  • It works best if combined with other internal
    defenses (i.e. TNG Security, SSO etc)
  • Considerably expensive (time and effort)
  • Can cause considerable annoyance to authorized
    users

9
What can a Firewall do?
  • A Firewall is a focus for security decisions
  • a single checkpoint for all access - allows you
    to concentrate security measures at this point
  • more efficient than spreading security measures
    through-out the organization
  • secure (possibly more expensive) software and
    hardware at a single point will reduce overall
    costs
  • A Firewall can enforce security policy
  • Most services across the Internet are insecure -
    firewalls can see all access and so can enforce
    the agreed policies
  • A Firewall can log internet activity
  • misuses internally, attempted unsuccessful
    accesses, statistics etc
  • A Firewall limits your exposure
  • Firewalls can be used to reduce the impact of
    security breaches and by installing firewalls
    between departments the security risks can be
    greatly reduced

10
How do you configure a firewall?
  • Firewalls can be configured in many different
    ways
  • Firewalls can be viewed as the collection of
    techniques (i.e. packet filtering, proxy
    services, physical architecture etc.) which are
    used to overcome different problems.
  • The problems the firewall needs to overcome are
    dependent on the services which must be supplied,
    the level of risk which is acceptable and
    ultimately how much money can be spent.
  • Firewall Architectures
  • Dual Homed Host Architecture
  • Screened Host Architecture
  • Screened Subnet Architecture
  • Combinations .

11
Standard Firewall Configuration
[Diagram labels: External Server; External Network; Bastion Host (with Firewall software); Exterior Router; Perimeter Network (Not Secure); Interior Router; Interior Network (Secure); NT Workstation; NT Server; Workstation]
12
Testing Environment
13
Typical Client Requirements
  • Minimize ports
  • Restrict hosts for which ports are opened
  • Only allow initial access from within firewall to
    outside firewall
  • Allow port access only after another
    communication has occurred
  • Can overcome restriction number 3
  • Requires you to know more about how Unicenter
    works and makes you dependent upon details

14
Standard TNG Operation
  • Unicenter will operate out-of-the-box through a
    firewall
  • Details of the actual ports required are
    available; most of these can be configured.
    These ports must be opened through the firewall
  • The standard out-of-the-box configuration does
    not aim to minimize the number of ports
  • Components can be configured/deployed to minimize
    ports used
  • Browsers can be directed to use minimum ports
  • Options can be deployed to minimize ports used
  • Use TCP/IP for SQL not default of named pipes

15
Unicenter Component Placement
  • Unicenter Components can be placed anywhere
  • Where is the firewall and what is it protecting -
    client issue?
  • Following examples
  • Agents only outside firewall
  • Agents and DSM outside Firewall
  • Monitor Through Firewall Discovery , EM and DSM

16
Component Placement 1 - Agents outside FIREWALL
CORE Host
Admin Host
TCP 1433 (SQL)
DSM
WV Gateway
3 Ports Open but one is SNMP (UDP 162)
Common Services
UDP 161, ICMP Ping
UDP 162 - Traps
UDP 6665
FIREWALL
Host A
Common Services
17
Component Placement 2 - Agents & DSM outside
FIREWALL
CORE Host
TCP 1433 (SQL)
TCP 7774
FIREWALL
DSM
WV Gateway
2 Ports Open .. one is SQL
Common Services
UDP 162 - Traps
UDP 161, ICMP Ping
18
Component Placement 3 - Monitoring Through a
Firewall - Discovery, EM & DSM
Auto- Discovery
ABROWSER
Enterprise Management
CORE Host
CCI
Common Services
SQL 1433
ICMP, UDP, Telnet, FTP
TCP 7774
FIREWALL
TCP 7001
Enterprise Management
DSM
WV Gateway
Common Services
CCI
UDP 162 - Traps
UDP 161, ICMP Ping
Host A
CCI
Common Services
EM Agent
19
World View Discovery
20
WV Discovery
  • Discovery Considerations
  • Initiate discovery from inside firewall
  • Initiate discovery from outside firewall but CORE
    inside Firewall
  • Temporary Unblock Ports for AutoDiscovery
  • NAT implication

21
WV Discovery - Initiated within Firewall
dscvrbe r ..
CORE
22
WV Discovery - Initiated within Firewall
  • Ping Sweep

23
WV Discovery - Ping Sweep
  • Discovery initiated within Firewall
  • Pingsweep

24
WV Discovery - Classification
  • SNMP (161) Required for Classification

25
WV Discovery - Classification
  • Additional Ports may be required if Check
    Additional Ports selected

26
WV Discovery - Unicenter NSM
27
WV Discovery - Initiated Outside Firewall
No UDP through Firewall
CORE
SQL 1433
dscvrbe r ..
28
WV Discovery Limited Unblocking
  • During the auto-discovery process objects are
    classified using SNMP therefore the SNMP port
    should be opened.
  • Once auto-discovery is complete the port can be
    closed.
  • It is also possible to run discovery outside the
    firewall then move the data via trix inside the
    firewall this is not best practice and the
    customization is more difficult than is apparent

29
Destination PORT Customization
30
aws_orb Port Selection
aws_orb binds to 7774 for 2.4 and above, and to 7770 for
release 2.1
31
aws_orb 2.1 System
  • If 7774 is blocked, retries the connection with
    7770 in case the managed host is a 2.1 system

32
orb to orb Connectivity
  • Update quick.cfg to select orb port
  • tng\services\config\aws_orb\quick.cfg
  • defaults to 7774
  • No customization available for FROM port
  • Selects first available TCP source port

33
Orb and Named Pipes
  • By Default orb uses named pipes

34
Named pipes
  • Remove Named pipe usage
  • comment plugin awm_qikpipe_dll aws_orb22

35
orb to orb Connectivity
  • abrowser -@ -r -c browser.SysAgtNT
    -h DAWYA01 -s admin

Connects to Remote Orb
36
orb to orb Connectivity
  • Orb to Orb introduces Heartbeat
  • Can disable Heartbeat if required
  • Can change frequency if required

37
aws_sadmin Port Selection
aws_dsm aws_snmp
6665
162
CORE
Manager issues SNMP requests to managed host.
aws_sadmin binds to 6665 by default. Can be
configured to use a different port
Traps from managed hosts default to port 162
38
Aws_sadmin - Port Configuration
  • Configure the port that aws_sadmin binds for
    incoming SNMP requests
  • Defaults to 6665
  • To change the default port, update aws_sadmin.cfg
    and add line
  • SNMP_PORT xxxx
  • where xxxx is the port aws_sadmin binds.

39
Aws_sadmin - Port Configuration
40
aws_sadmin.cfg
  • If aws_sadmin is changed to bind to a different
    port, ensure pollset reflects correct port

41
pollset
  • pollset port must match aws_sadmin.cfg port

42
abrowser
  • If aws_sadmin port changed, Agent view needs to
    be customized to use correct port

43
From PORT Customization
44
aws_snmp - From Port Selection
  • SNMP gateway sends its request to port 6665 and
    binds to a random source port.
  • The agent then responds back on the random source
    port
  • If random source port is not acceptable, then
    customize aws_snmp.cfg
  • Specify from source port for aws_snmp
  • Consider range to avoid port contention

45
aws_snmp - From Port Selection
  • AgentWorks_Dir\services\config\aws_snmp\aws_snmp.cfg
  • Aws_snmp defaults to random source port

46
aws_snmp From Port Selection
Aws_snmp customized to use port 8001-8002
47
aws_snmp - From Port Selection
  • aws_snmp sends request over 6665 (UDP)
  • Agent responds back on 8001

48
Agentview (abrowser) - From Port Selection
  • Agentview sends its request to port 6665 and
    binds to a random source port.
  • The agent then responds back on the random source
    port
  • If random source port is not acceptable, then
    customize aws_snmp.cfg
  • Specify from source port for abrowser
  • Consider range to avoid port contention

49
Abrowser From Port Selection
abrowser customized to use port 8011-8020
50
AgentView (abrowser) - From Port Selection
  • abrowser -c browser.SysAgtNT -h -s
    admin
  • abrowser sends request over UDP port 6665
  • Agent Responds back on 8011

51
aws_sadmin - From Port Selection
For aws_sadmin (SNMP Administrator) you specify a
single "from" port which is used when
aws_sadmin sends traps to a manager
aws_sadmin from port set to port 8000
52
DSM Routing
53
DSM Routing -r
  • Abrowser sends request on TCP port 7774 to Remote
    DSM on managed system
  • Remote DSM talks to agent on UDP Port 6665
  • Configurable port (aws_sadmin.cfg)
  • Agent replies back to Remote DSM on UDP port 8001
  • Configurable in aws_snmp.cfg
  • SNMP_PORTS aws_sadmin 8000
  • SNMP_PORTS aws_snmp 8001-8002
  • SNMP_PORTS mibbrowse 8003-8010
  • SNMP_PORTS abrowser 8011-8020
  • SNMP_PORTS utilities 8021-8030
  • Remote DSM on managed system replies back to
    abrowser via TCP port 7774
  • Customer only has to open TCP port 7774 (Uni 3.0
    fix needed to not require port 9990)
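
The SNMP_PORTS assignments above decide which UDP source ports a packet filter must pass for replies from port 6665 and for traps to port 162. The following Python code is an added example, not part of the original presentation: it parses only the SNMP_PORTS lines shown on the slide, reports overlapping ranges (port contention), and merges the ranges into the fewest spans to unblock. Function names are illustrative; treating the aws_sadmin port as the trap source follows the aws_sadmin From Port Selection slide.

```python
import re

# Constructed sample: the SNMP_PORTS lines from the DSM Routing slide.
SAMPLE_CFG = """\
SNMP_PORTS aws_sadmin 8000
SNMP_PORTS aws_snmp 8001-8002
SNMP_PORTS mibbrowse 8003-8010
SNMP_PORTS abrowser 8011-8020
SNMP_PORTS utilities 8021-8030
"""

_LINE = re.compile(r"^SNMP_PORTS\s+(\S+)\s+(\d+)(?:-(\d+))?$")


def parse_snmp_ports(text):
    """Return {component: (low, high)}; lines of any other form are skipped."""
    ranges = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = _LINE.match(raw.strip())
        if not m:
            continue
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"line {lineno}: invalid port range {low}-{high}")
        ranges[m.group(1)] = (low, high)
    return ranges


def find_contention(ranges):
    """Return (a, b) pairs of components whose from-port ranges overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    clashes = []
    for i, (a, (_, a_high)) in enumerate(items):
        for b, (b_low, _) in items[i + 1:]:
            if b_low > a_high:
                break  # sorted by low port: nothing later can overlap a
            clashes.append((a, b))
    return clashes


def merged_spans(ranges, skip=()):
    """Merge overlapping or adjacent ranges into the fewest spans to unblock."""
    spans = []
    for low, high in sorted(v for k, v in ranges.items() if k not in skip):
        if spans and low <= spans[-1][1] + 1:
            spans[-1][1] = max(spans[-1][1], high)
        else:
            spans.append([low, high])
    return [tuple(s) for s in spans]


def _span(low, high):
    return str(low) if low == high else f"{low}-{high}"


def udp_rules(ranges, agent_port=6665, trap_port=162):
    """Stateless-filter view: (direction, source ports, destination ports)."""
    rules = []
    for low, high in merged_spans(ranges, skip=("aws_sadmin",)):
        rules.append(("manager->agent", _span(low, high), str(agent_port)))
        rules.append(("agent->manager", str(agent_port), _span(low, high)))
    if "aws_sadmin" in ranges:  # single from port used when sending traps
        rules.append(("agent->manager", _span(*ranges["aws_sadmin"]), str(trap_port)))
    return rules


if __name__ == "__main__":
    cfg = parse_snmp_ports(SAMPLE_CFG)
    print("contention:", find_contention(cfg))
    for rule in udp_rules(cfg):
        print(rule)
```

With the slide's values the request-side ranges collapse to one span, 8001-8030, so a filter that cannot track UDP state needs a single return range instead of all ephemeral ports.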

54
Agentview - without DSM Routing
Worldview EM Obrowser Abrowser
Binds to first available port
7774
DSM
Responds back on source port
6665 UDP
Managed System
Managed System
Responds back on source port
55
AgentView - without DSM Routing
UDP call from abrowser machine to managed Host
56
Agentview - with DSM Routing
Worldview EM Obrowse Abrowse
Binds to first available port
Responds back on source port
DSM
7774
UDP
6665
Managed System
Managed System
57
Remote DSM
Nodeview / Agentview syntax for Remote DSM
abrowser -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public
abrowser -r -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public
-r for dsm routing
e.g. abrowser -r -@ RMTDSM -c browser.SysAgtNT -h ukslsag02 -s admin
where RMTDSM - remote dsm
ukslsag02 - Agent managed by RMTDSM
abrowser issued from dawya01 which is inside the firewall
nodeview -@ Outside_DSM_host -target agenthost@dsmhost
58
AgentView Menus
Update Policy to default -r for dsm routing
59
ViewAgent WorldView Menu
Add -r for dsm routing
60
Architecture Reviews
61

Scenario 1
Client has a requirement to deploy agent
technology in a DMZ environment but wishes to
customize the port numbers that are to be
unblocked.

62
Scenario 1 Solution
  • Customize ports by updating
  • agentworks_dir\services\config\aws_snmp\aws_snmp.cfg
  • agentworks_dir\services\config\aws_sadmin\aws_sadmin.cfg
  • agentworks_dir\services\config\aws_orb\aws_orb.cfg

63

Scenario 2
Client has a requirement to deploy agent
technology in a DMZ environment but has concerns
about opening UDP ports. How can Agent Technology
be deployed in a DMZ environment without the
requirement to unblock UDP ports?

64
Standard Deployment
  • What are the UDP issues with the standard
    deployment?
  • DSM discovers Agents by sending UDP requests to
    SNMP or 6665 port
  • Agents send the alerts over UDP port
  • Agentview (abrowser) will send its request on
    6665 port and with the pre selected TCP source
    ports. The agent then responds back on the source
    port

65
Standard Deployment
  • Standard Deployment
  • Agents send traps over UDP port 162
  • Requires 162 to be unblocked

66
Standard Deployment
SNMP Trap
67
Standard Deployment - AgentView
  • abrowser -c browser.SysAgtNT -h -s
    admin
  • Destination UDP port 6665
  • Source Port 8011

68
Solution
  • Set up a Remote DSM to control the DMZ Agents and
    funnel all of their UDP traffic through the DSM
    via TCP Port 7774.
  • Devices in the DMZ are managed by the remote DSM.
  • Agents send the SNMP traps to the remote DSM
  • All UDP traffic stays within the DMZ environment
  • aws_dsm and aws_wvgate require access to CORE
    thus SQL port must also be opened
  • Benefits
  • 1 TCP Port
  • SQL Port

69
Solution 2
CORE Host
TCP 1433 (SQL)
TCP 7774
FIREWALL
DSM
WV Gateway
2 Ports Open .. one is SQL
Common Services
UDP 162 - Traps
UDP 161, ICMP Ping
Host A
Common Services
70
CORE
Running remote aws_wvgate does not eliminate the
need for SQL Port. DSM still requires access to
CORE
Remote DSM need access to CORE
Server A
Server B
Worldview EM Obrowse Abrowse
COR
DSM
OS
DSM
Managed System
Inside
DMZ
71
Scenario 3
Client has a requirement to deploy agent
technology and DSM outside the firewall but wants to
use a Central Core which resides inside the
firewall. Firewall administration has concerns
about SQL intrusion and will not open up SQL
port. How can aws_wvgate be configured to use a
Central CORE without opening a SQL port?

72
Solution 3
  • Install wvdbt where the CORE resides
  • Remote aws_dsm accesses CORE via ORB (port 7774)
  • aws_wvgate accesses CORE via ORB
  • Check for inform remote option to optimize
    heartbeat
  • Benefit
  • No requirement to open up SQL port

73
Firewall
NT
NT
Aws_orb aws_store aws_snmp aws_dsm Aws_wvgate
Aws_orb wvdbt
7774

Note: Multiple DSMs can connect to the same
remote wvdbt instance running against a single
CORE. aws_dsm uses wvplugin, which may take about 8 RCBs
on the CORE server. This restricts the approximate maximum to
about 120 remote DSM connections.
74

Scenario 4
Client is using DSM routing but does not wish to
open port 7774 for all hosts that are required to
respond to abrowser requests? How can this be
minimized?

75
Requirements
  • To restrict 7774 to be unblocked just for local
    DSM
  • Placing abrowser directly on remote DSM requires
    7774 to be opened for the host that issues
    abrowser requests

76
Agentview RemoteDSM orb
abrowser -@ DAWYA01S -r -c browser.SysAgtNT -h
RGT40.ca.com -s admin
7774 to be opened for all hosts that issue
abrowser.
Obrowser Abrowser
Binds to first available port
adminhost
Responds back on source port
remoteDSM
7774
EWB_NTS_03
dawya01s
UDP
6665
Managed System
Managed System
RGT40
77
Agentview From adminhost
78
Windows Terminal Server - Streamline Requests from
Terminal Server
abrowser -@ EWB_NTS_03 -r -c browser.SysAgtNT
-h RGT40.ca.com@DAWYA01S -s admin
7774 to be unblocked for local dsm and WTS
Terminal Client
7774
7774
Windows TERMINAL SERVER obrowser Abrowser
remoteDSM
7774
UDP
6665
Managed System
79

Scenario 5
How to walk through Firewall for a typical FM
site? What are the considerations?

80
Scenario 5
Bridge Critical Objects
Client site
DMZ site
Service Center
DSM
Terminal Client
NAT
Windows Terminal Server
81
Scenario 5
  • Windows Terminal Server eliminates the need to
    open Visualizing / browser ports for many hosts
  • Nodeview / Agent View / 2d Maps all accessed via
    Terminal Server
  • Requires Terminal Services Client 3389 port to be
    opened
  • Critical Objects Bridged from Client site to DMZ
    environment

82
Scenario 5
  • Critical Events forwarded from Client site to FM
    site. Requires CCI port to be unblocked
  • Event Console launched via Terminal Services
    Client

83
Scenario 5
  • To avoid NAT issues, run world view discovery
    from client site.
  • This will have pre Natted address
  • Avoids conflict with gwipflt.dat
  • Use name melding option to distinguish bridge
    objects

84

Scenario 6
Firewall Administrator insists on single
directional unblocking of ports. All outbound
ports are opened but all inbound ports are blocked. All
network requests should be initiated from within
the firewall zone. No network traffic should be
initiated from the DMZ zone. How can this be
accomplished?

85
Single Directional Unblocking
PRIVATE DSM
DMZ DSM
SQL Port must be bi directional
86
Single Directional Unblocking - Firewall Rules
Unblock SQL for bi directional
87
Obrowser / Abrowser Private → DMZ zone
  • Nodeview / Agentview works fine if initiated from
    inside firewall

88
Obrowser / Abrowser DMZ → Private zone
Nodeview / AgentView requests denied if initiated
from DMZ zone.
7774 and 7770 Denied
89
Single Directional Unblocking
  • If unblocking SQL port is not accepted then
    review Bridge Through Firewall presentation

90

Scenario 7
The client wishes to reduce the number of ports to
be unblocked to 1. How can the VPN tunneling
feature be used to accomplish this?

91
VPN Tunnelling
  • The main concept is to route all DMZ requests via
    the VPN tunnel

92
Scenario 7 - Working with VPN
Unicenter Server
DMZ Server
encrypted
encrypted
Port xxx
unencrypted
Route DMZ Server traffic via VPN tunnel
93

Scenario 8
We wish to deploy Windows Terminal Server outside the
firewall and connect via Terminal
Services Client from inside the firewall. This
is to reduce the number of different ports to be opened for
visualization. How can we configure this?

94
Scenario 8 - wvdbt
  • Remote DSM and Remote aws_wvgate connect to
    central core using wvdbt
  • Agent Views and NodeViews issued from Terminal
    Services Client.
  • TS Client traffic encrypted and requires 3389 to
    be unblocked for all TS Clients
  • WVDBT requires orb connection and thus 7774 port
    to be opened for the server where CORE resides

95
Scenario 8 - wvdbt
Abrowser, NodeView and Event Console issued via
WTS
WTS
Terminal Services Client
encrypted
TCP 3389
Port 7774 to be opened for Central DSM only
wvdbt
TCP 7774
6665/7774
access core via wvdbt
2 Ports Open Remote DSM access CORE via wvdbt
96
Encrypted Traffic - TS Client Port 3389
Encrypted traffic
97
Scenario 8 - SQL
  • Remote DSM and Remote aws_wvgate connect to
    central core using SQL
  • Agent View and NodeView issued from Terminal
    Services Client.
  • TS Client traffic encrypted and requires 3389 to
    be unblocked for all TS Clients
  • SQL port 1433 needs to be unblocked for remote
    dsm server

98
Scenario 8 SQL
abrowser and Nodeview issued via WTS
CORE DSM
TCP 1433 (SQL)
FIREWALL
TCP 3389
2 Ports Open .. SQL to be opened for just
Central DSM
ABROWSER NodeView
UDP 162 - Traps
UDP 161, ICMP Ping
99
Solution 8 - TS Client Denials
TS Client port 3389 must be unblocked
100
Scenario 8 - Local Catalog
  • The global catalog resides outside the firewall.
  • No CAM port required unless namespace inside
    firewall is selected

101
Solution 8 - Local Catalog
3389
Event Console, Agent View, qbrowser
102
Scenario 8 - Global Catalog
  • The Global Catalog resides inside firewall.
  • When UE is launched from WTS, it syncs catalog
    and requires CAM port to be unblocked
  • TNDREPUPLISH pings the Global catalog server and
    may require ICMP to be opened
  • CAM should be configured to connect via TCP port

103
Solution 8 - Global Catalog
3389
cam 4105
Event Console, Agent View, qbrowser
104
CAM Denial - UDP Port
CAM not configured to use TCP
105
Solution 8 - cam.cfg
\TND\CA_APPSW\framework\cam.cfg
This forces specified server to use TCP port and
not default UDP
106
Scenario 8 - Namespace inside Firewall
  • Access to nodeview, agentview inside Firewall is
    required Launched from UE
  • Requires TCP 7774 orb port to be unblocked
  • Requires UDP 6665 port to be unblocked for host
    inside firewall

107
Solution 8 NameSpace inside Firewall
4105
7774
6665
Event Console, Agent View, qbrowser
108
Node View from UE
Requires orb port 7774
109
Node View from UE
Requires orb port 7774
110
Unblock Orb 7774
111
Node View from UE - 7774 Unblocked
112
Agent View from UE
113
Agent View from UE
Agent Technology Service Control Port required.
No DSM Routing
114
Agent View from UE
UDP Port to be opened
115
Scenario 8 - 2dMap inside Firewall
  • 2dMap launched from UE accesses CORE inside
    firewall
  • WV Plugin requires CAM port to be unblocked
  • No SQL port required for 2dmap accessed via wv
    plugin

116
Solution 8 - 2dMap inside Firewall
4105
wvplugin
4105
SQL Port Not Required
117
Architecture Reviews - Recap
  • Customize from ports by updating aws_snmp.cfg
  • If UDP traffic is to be blocked, install remote
    dsm outside the firewall
  • If SQL port is to be blocked, then review wvdbt
    implementation
  • If bi-directional blocking is not accepted then
    review Scenario 5
  • If encryption with minimal number of ports to be
    unblocked is required, then review Scenario 7

118

Scenario 9
Our Firewall Administrator wishes to change the orb
port to 8774 for the DMZ server. The orb port for other
hosts will remain the default port 7774. Is this
possible?

119
Multiple Orb Binds
  • To support the TNG 2.1 release, the orb permits binding to
    multiple ports, 7774 and 7770.
  • If unable to bind the first port, it will then bind
    to the other ports specified.
  • Do not use this option unless it is a show-stopper
    requirement, as the feature was not intended to
    be used in this manner, though it works

120
Solution 8 - Multiple Orb Ports
8774
7774
7774
Aws_orb
121
Multiple Orb Ports
The first PLUGIN statement must be the one for the
most widely used port. If the orb cannot bind the first
port specified, it then attempts to bind to the
second port
122
CAM/CAFT
123
Cam/caft
  • Default port assignments
  • cam.cfg
  • udp_port number
  • tcp_port number
  • cas_port number
  • spx_port number

124
Cam/caft
  • On startup, checks etc/services for camudp
    and camtcp
  • If not found, then defaults to 4104 (UDP) and
    4105 (TCP)
  • Then checks cam.cfg for any override
  • cas_port and spx_port available for certain
    platforms
  • Some APIs do not read the config file, thus
    etc/services should be changed
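
The start-up lookup order described above (etc/services, then the 4104/4105 defaults, then cam.cfg) can be checked before firewall rules are written. The following Python code is an added example, not part of the original presentation: it resolves the effective CAM ports and flags the case where cam.cfg overrides a port that etc/services does not reflect, which is the case the last bullet warns about. The `udp_port`/`tcp_port` line syntax parsed for cam.cfg is an assumption based on the directive names on the previous slide; function names and sample inputs are constructed.

```python
import re

DEFAULTS = {"udp": 4104, "tcp": 4105}            # defaults stated on the slide
SERVICE_NAMES = {"camudp": "udp", "camtcp": "tcp"}

# Constructed sample inputs (port 5104 is an arbitrary illustrative override).
SAMPLE_SERVICES = """\
ftp        21/tcp
camtcp     4105/tcp   # CAM over TCP
"""
SAMPLE_CAM_CFG = """\
udp_port 5104
"""

# Assumed cam.cfg syntax: "udp_port <number>" or "tcp_port <number>".
_CFG_LINE = re.compile(r"^(udp|tcp)_port\s*=?\s*(\d+)$")


def ports_from_services(text):
    """Return {proto: port} for camudp/camtcp entries in services-file text."""
    found = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SERVICE_NAMES:
            continue
        port, _, proto = fields[1].partition("/")
        if proto == SERVICE_NAMES[fields[0]] and port.isdigit():
            found[proto] = int(port)
    return found


def ports_from_cam_cfg(text):
    """Return {proto: port} for port overrides found in cam.cfg text."""
    found = {}
    for raw in text.splitlines():
        m = _CFG_LINE.match(raw.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def resolve_cam_ports(services_text, cam_cfg_text):
    """Apply the slide's order: services entry, else default, then cam.cfg."""
    svc = ports_from_services(services_text)
    cfg = ports_from_cam_cfg(cam_cfg_text)
    report = {}
    for proto, default in DEFAULTS.items():
        without_cfg = svc.get(proto, default)    # what code that skips cam.cfg uses
        effective = cfg.get(proto, without_cfg)  # cam.cfg override wins
        report[proto] = {
            "effective": effective,
            "without_cfg": without_cfg,
            "mismatch": effective != without_cfg,
        }
    return report


if __name__ == "__main__":
    for proto, info in resolve_cam_ports(SAMPLE_SERVICES, SAMPLE_CAM_CFG).items():
        print(proto, info)
```

A `mismatch` of True means two ports may be in use for the same protocol, so the firewall rule and etc/services should be brought in line with cam.cfg.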

125
CCI
126
CCI
  • Review CCI through Firewall presentation for
    detailed information

127
Event Management
128
Event Agent
  • Can be customized to use DSB without the need for
    a SQL database
  • Agent Technology provides a function to send
    messages to remote Event Management
  • This eliminates the need for Event Management
    running
  • Not best practice as it limits a lot of
    functionality

129
DSM to Remote Event Management
  • Update aws_nsm.cfg
  • dsm message sent over to remote via orb

130
Options
131
Anti Virus Option - AVO
[Diagram labels: CA Web Site; FTP; Virus Signature Downloads; Encryption; NT Workstation; AVO Master Download Server; NBSESSION; NBDATAGRAM; Signature Download; FIREWALL; AVO Domain Server; Ethernet; Workstation; PC; AVO Client]
132
Advanced Storage Option - ASO
ASO Manager
  • Unicenter TNG / ASO Manager

TCP 6051
TCP 6050
Unicenter TNG / ASO Backup Server Central DB
Unicenter TNG / ASO Windows NT Backup Server
TCP 6051
Unicenter TNG / ASO Replicator (NT)
Mainframe backup
133
Summary of Ports by Product
Product | Component | Port Used
Unicenter TNG | WV Tools to CORE | TCP 1433 (SQL)
Unicenter TNG | DSM to CORE | TCP 7774
Unicenter TNG | WV Tools to Agents | UDP 6665
Unicenter TNG | Auto-discovery | ICMP (Ping), UDP (161)
Unicenter TNG | Enterprise Management | TCP 7001
Unicenter TNG | Agent to DSM | UDP 162
Remote Control Option | Manager to Agent | TCP 799
Software Delivery Option | Admin GUI to Enterprise Database | TCP 1433 (SQL)
Software Delivery Option | Admin GUI to Local Server | TCP 1433 (SQL)
Software Delivery Option | Enterprise Database to Local Server | DTO (TCP 4101)
Software Delivery Option | Local Server and Agent | Share, UDP 138 (nbsession), TCP 139 (nbdatagram)
Asset Management Option | Admin GUI to AMO Enterprise Data | TCP 1433 (SQL)
Asset Management Option | Engine to AMO Enterprise Database | TCP 1433 (SQL)
Asset Management Option | Sector to Engine | Share or RPC
Asset Management Option | Agent to Client | Share or RPC
134
Summary of Ports by Product
continued
Product | Component | Port Used
Advanced Help Desk | Server and Client | TCP 2100
Performance | Manager to Agent | TCP 4101, Share
Anti-Virus Option | Virus Signature Database Host to CA Virus Signature Web Server | TCP 21 (FTP)
Anti-Virus Option | Agent to Virus Signature Machine | FTP (for periodic signature download)
Anti-Virus Option | Agent Alerts to Alert Manager | NetBUI (Over TCP)
Advanced Storage Option | Admin to Backup Manager | TCP 6050, 6051
Advanced Storage Option | Agent (Client) to Backup Manager | NT, Novell, OS/2: TCP 6050; Unix: TCP 6051
Advanced Storage Option | Replicator | NT: TCP 6060
Advanced Storage Option | Replicator to Backup Manager | NT: TCP 6050
Data Transport Option | Manager and Agent (CAM) | TCP 4104, 4105, 4905