- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-26-2017 09:48 AM
We are running istanbul patch 3; and are attempting to set up the firewalls to allow Windows, Linux and network Discovery. For garden variety discovery we thought that the following ports would be sufficient: UDP-161:162 TCP-21 TCP-22 TCP-80 TCP-135 TCP-139 TCP-443 TCP-1433 TCP-1521 TCP-5480 TCP-5989 UDP-137 TCP/UDP-53.
However a look at the Firerwall log indicates it is attempting 5985 and 5986 which are associated with the WinRM (https://docs.servicenow.com/bundle/istanbul-it-operations-management/page/product/mid-server/task/t_...). I don't know if this is a bug or desired behavior, but the
mid.windows.management_protocol parameter is not configured for the mid server so it shouldn't be using WinRM.
Another thing I stumbled across here is the DCOM behavior where it connects over port 135, and then gets told to go use some port in the TCP-49152:65535 range. I stumbled across some guidance (after the failure) about how this works.
So the real question here is: for those locations that are not going to open up the midserver to communicate over any ports when doing discovery; is there a concise bit of guidance on the ports and protocols actually used?
| UDP-161:162 | TCP-49152:65535 | TCP-21 | TCP-22 | TCP-80 | TCP-135 | TCP-139 | TCP-443 | TCP-1433 | TCP-1521 | TCP-5480 | TCP-5985 | TCP-5986 | TCP-5989 | UDP-137 | TCP/UDP-53 |
Solved! Go to Solution.
- Labels:
-
Discovery
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-26-2017 10:03 PM
Hi Duane,
In terms of the WinRM comment, it wouldn't surprise me if it tries it to see if it's available, especially if WMI fails for some reason. You might also want to check in case you have other mid servers that do have the parameter configured and it's using one of those unexpectedly.
I gather with DCOM you figured out what was going on there - essentially that after the initial connection it gets assigned a random port to communicate on, but generally as long as your firewall allows the return connection that should 'just work', will depend on your firewall config though for sure.
In terms of the ports/protocls that are used, this page might help:
That has a pretty good summary of all the ports etc.
Hope that helps,
Stephen
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-26-2017 10:03 PM
Hi Duane,
In terms of the WinRM comment, it wouldn't surprise me if it tries it to see if it's available, especially if WMI fails for some reason. You might also want to check in case you have other mid servers that do have the parameter configured and it's using one of those unexpectedly.
I gather with DCOM you figured out what was going on there - essentially that after the initial connection it gets assigned a random port to communicate on, but generally as long as your firewall allows the return connection that should 'just work', will depend on your firewall config though for sure.
In terms of the ports/protocls that are used, this page might help:
That has a pretty good summary of all the ports etc.
Hope that helps,
Stephen
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-27-2017 05:14 AM
Thanks, I had been using the ports and protocols page you provided the link to. Maybe the thread was a little bit of griping over the fact the WinRM thing was happening, and Microsoft DCE RPC negotiation and the impact on ports was not described.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-27-2017 05:47 AM
Fair enough, it's worth providing that feedback on the docs page then it should get improved with that info.
