What is the best Solution to install MID in the client network?

Sandeep _1
Tera Contributor

What is the best suggestion to install MID in the client network. Is it behind the firewall or outside the firewall? If there is a firewall between MID server and target host, what ports should be open for Discovery? 

2 ACCEPTED SOLUTIONS

AJ-TechTrek
Giga Sage

Hi @Sandeep _1 

(1) If the interfaced infrastructure is on-prem, place the MID Server on-prem, in the same closet or the same VLAN.

(2) If the interfaced infrastructure is in some cloud, place the MID Server in that same cloud, in the same closet or the same network.

The purpose here is to ensure fewer network hops for the packets, which will boost performance.

Details are below.

Best practice around MID Server host selection

The MID Server host is the foundation from which your discoveries are executed, and running it should be the only task this host provides within your environment or environments. As of the Istanbul release of ServiceNow

  1. Virtual Host
    1. 8 GB RAM
    2. 40 GB disk allocation
    3. Multi-core/CPU share
    4. Ensure that the virtual environment has the capacity to provide for the allocation
  2. Operating System
    1. Current Windows Server OS (64-bit)
    2. Provisioned according to the customer's local policies around patches and security
  3. Network
    1. 100 MB or greater connection
    2. External internet access on port 443 to your service-now instance
    3. All ports and protocol access to targets within your environment

It's all about location

MID Server host placement is key to any successful Discovery deployment. The best practice is summed up in a simple statement: place your MID Servers as close as possible to the targets, where the most bandwidth is available between the MID Server and what you are looking to discover. Deploying a MID Server in Kansas to discover your data center in Singapore is not the best idea. Keeping your MID Server close to its targets helps you get the most out of the local resources.

Items to consider around MID Server placement include

  1. Available bandwidth
  2. Geographic location
  3. IP access to targets (DMZs)

How many?

There are three simple rules for determining how many MID Servers you will need to deploy.

  1. The number of targets you are looking to discover and how often you want to discover them
  2. For a global deployment, you want to have MID Servers at least at the continent level
  3. Since the MID Server communicates outbound only, it is a best practice to place MID Servers inside secure zones rather than opening up many security rules to allow access.

Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users follow the correct solution in future.


Thanks

AJ


Rahul Priyadars
Tera Sage

Hi Sandeep


Long story short: since the MID Server needs internet access, I would place my MID Server in the DMZ of my network. Many times, when you place a MID Server with internet access enabled, the security team does not like it or approve it 😞.

From the DMZ to the actual infrastructure, ports need to be opened based on source IP (the MID Server here). Since Discovery touches many kinds of infrastructure, here is the comprehensive list from a Discovery standpoint.

This list is a superset, and you may need fewer ports opened based on your Discovery needs.

One special port requirement for Windows WMI Discovery: WMI discovery starts at port 135, but later communication happens on higher ports, and those also need to be opened:

49152-65535 for both TCP and UDP.


Regards

RP


Danish Bhairag2
Tera Sage

Hi @Sandeep _1 ,


The placement of the MID Server depends on your specific network and security requirements. However, a common practice is to install the MID Server within the client network, behind the firewall. This ensures secure communication between the MID Server and internal systems.


If there is a firewall between the MID Server and the target hosts, you'll need to open specific ports to allow communication. For ServiceNow Discovery, the following ports are typically used:


1. **SSH (Secure Shell):** Used for communication with UNIX-based servers. Port 22 is the default for SSH.


2. **WMI (Windows Management Instrumentation):** Used for communication with Windows servers. Port 135 is the default for WMI, and dynamic ports in the range 1024-65535 might also be used.


3. **WinRM (Windows Remote Management):** Used for communication with Windows servers. Port 5985 (HTTP) or 5986 (HTTPS) are common ports for WinRM.


Ensure that these ports are open in the firewall to allow the MID Server to communicate with the target hosts for Discovery. Always follow your organization's security policies and best practices to configure the firewall appropriately.


Thanks,

Danish
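A pre-deployment check for the port list in the answer above, written as an added example (not ServiceNow's own tooling, and not part of this thread): run on the machine that will host the MID Server, it confirms that the fixed TCP ports Discovery needs (SSH 22, WMI/RPC 135, WinRM 5985/5986) are reachable on each target and reports the firewall rules still missing. The target names, the `REQUIRED_PORTS` table and the function names are assumptions for this example.

```python
"""Reachability check from a MID Server host to Discovery targets.

Added example, not ServiceNow tooling.  It probes the fixed TCP ports listed
in the answer above and returns the firewall rules that are still missing,
so gaps are found before the first Discovery schedule runs.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Fixed Discovery ports per target class (from the answer above).  Only the
# Windows protocol actually used (WMI or WinRM) has to be open in practice.
REQUIRED_PORTS = {
    "unix": {22: "SSH"},
    "windows": {135: "WMI/RPC endpoint mapper", 5985: "WinRM HTTP", 5986: "WinRM HTTPS"},
}
# The WMI dynamic range cannot be validated with one connect() probe, so it
# is reported as a rule to verify rather than scanned.
WMI_DYNAMIC_RULE = "verify tcp MID->{host}:49152-65535 (WMI dynamic range) is allowed"

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unresolvable, ...
        return False

def check_target(host: str, ports: dict, timeout: float = 2.0) -> dict:
    """Probe every port in `ports` concurrently; return {port: reachable}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = pool.map(lambda p: tcp_reachable(host, p, timeout), ports)
        return dict(zip(ports, results))

def missing_rules(host: str, kind: str, timeout: float = 2.0, ports: dict = None) -> list:
    """Firewall rules to add or verify from the MID Server to `host`; [] means all open."""
    ports = REQUIRED_PORTS[kind] if ports is None else ports
    reach = check_target(host, ports, timeout)
    rules = [f"allow tcp MID->{host}:{p} ({ports[p]})" for p, ok in reach.items() if not ok]
    if kind == "windows":  # port 135 alone is never enough for WMI
        rules.append(WMI_DYNAMIC_RULE.format(host=host))
    return rules

if __name__ == "__main__":
    # Constructed sample inventory; replace with the targets of your Discovery schedule.
    inventory = {"linux-app-01.example.internal": "unix", "win-db-01.example.internal": "windows"}
    for target, kind in inventory.items():
        gaps = missing_rules(target, kind)
        print(f"{target}: " + ("OK" if not gaps else "; ".join(gaps)))
```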


Harish Bainsla
Kilo Patron

When deploying a Management, Instrumentation, and Discovery (MID) server in a client network, the decision to place it behind or outside the firewall depends on various factors, including security policies, network architecture, and specific use cases. Here are some considerations for both options:

Behind the Firewall:

  1. Security: Placing the MID server behind the firewall adds an extra layer of security as it is not directly exposed to the internet. This can be beneficial for protecting sensitive information and reducing the attack surface.

  2. Network Segmentation: If there are strict network segmentation requirements or the client network has multiple zones with different security levels, placing the MID server behind the firewall may align with those policies.

  3. Internal Resources: If the MID server needs to interact with internal resources that are not accessible from outside the firewall, placing it behind the firewall is necessary.

Outside the Firewall:

  1. Accessibility: Placing the MID server outside the firewall allows it to be more easily accessible by external systems and services. This can be advantageous for scenarios where the MID server needs to communicate with cloud services or external devices.

  2. Ease of Deployment: External deployment can simplify deployment and maintenance, as it eliminates the need to navigate complex internal network configurations.

  3. Scalability: If the MID server is part of a larger infrastructure that spans across multiple locations, placing it outside the firewall might be more scalable and aligned with a distributed architecture.

Firewall Ports for Discovery:

If there is a firewall between the MID server and the target host, you need to ensure that the required ports are open for Discovery. The specific ports may vary based on the tools and technologies you are using, but commonly used ports for Discovery include:

  • TCP Port 135: Microsoft RPC (Remote Procedure Call) port.
  • TCP Ports 139 and 445: NetBIOS and SMB ports used for Windows Management Instrumentation (WMI) and CIFS (Common Internet File System) communication.
  • UDP Port 161-162: SNMP (Simple Network Management Protocol) ports for network devices.

Please note that these are general recommendations, and you should refer to the documentation of the specific Discovery tools and systems you are using for accurate and up-to-date information on port requirements. Additionally, always follow best practices for security and consult with your organization's IT security team to ensure compliance with security policies.

The text looks like it was taken from ChatGPT. Do you want to see another ChatGPT answer? Here it is:

ServiceNow MID Servers play a crucial role in facilitating communication and data transfer between the ServiceNow instance in the cloud and on-premises systems. Installing a MID Server behind a firewall involves ensuring secure connectivity and proper configuration. Here are the general options for installing a ServiceNow MID Server, whether behind a firewall or not:


Installing a MID Server Behind a Firewall:

  1. Standard MID Server Installation:

    • Follow the standard MID Server installation process provided by ServiceNow.
    • Ensure that the MID Server is installed on a machine within the network behind the firewall.
    • Open the necessary inbound and outbound ports on the firewall to allow communication between the MID Server and the ServiceNow instance.
  2. Proxy Configuration:

    • If the MID Server needs to communicate with the ServiceNow instance over the internet, configure the MID Server to use a proxy server located behind the firewall.
    • This allows the MID Server to establish a secure connection to the ServiceNow instance without direct exposure to the internet.
  3. Firewall Configuration:

    • Adjust firewall rules to permit communication between the MID Server and the ServiceNow instance.
    • Typically, the MID Server communicates with the ServiceNow instance over HTTP/HTTPS (port 80/443). Ensure that these ports are open.
  4. Secure Socket Layer (SSL) Configuration:

    • For enhanced security, configure SSL between the MID Server and ServiceNow instance. This involves obtaining an SSL certificate for the MID Server and configuring SSL settings on both ends.

Installing a MID Server Without a Firewall:

  1. Direct Connection:

    • In scenarios where there is no firewall between the MID Server and the ServiceNow instance, the MID Server can be installed without specific considerations for firewall rules.
    • Directly install the MID Server on a machine with network access to the ServiceNow instance.
  2. Public IP Configuration:

    • If the MID Server is installed on a machine with a public IP address and there is no firewall, ensure that the ServiceNow instance is configured to allow communication from the public IP of the MID Server.
  3. Security Best Practices:

    • Even without a firewall, follow security best practices when installing a MID Server. This includes configuring secure communication protocols, such as SSL, and ensuring that the MID Server is up-to-date with the latest security patches.
  4. Network Configuration:

    • Verify that the network configuration allows the MID Server to establish a reliable connection with the ServiceNow instance without encountering network-related issues.

It's important to note that specific network and security policies may vary among organizations, and the installation steps may need to be adjusted accordingly. Always refer to the latest ServiceNow documentation for detailed and up-to-date instructions on MID Server installation and configuration.

Harish Bainsla
Kilo Patron

Hi, if you got your answer, please accept the solution.