Enabling OT Discovery device communications
This section describes how the OT Discovery components connect and communicate with each other.
Component communications
When determining the environment architecture for your OT Discovery deployment, consider the following communication requirements.
- MID Server-to-ServiceNow instance:
- The MID Server needs to communicate with the ServiceNow instance to push the information from Discovery Console for OT.
Note: If the Discovery Console for OT can reach the internet, the MID Server might not be needed in the configuration process.
- This configuration is the same configuration and deployment as with any other MID Server.
- The Service Graph Connector needs to communicate with the MID Server, the Console, and the ServiceNow instance.
Note: See Operational Technology Native Discovery components for further information.
- Console-to-MID Server communication:
- Deploy a separate OT MID Server for each network or network segment.
- Configure firewall rules to enable communication across networks or network segment boundaries.
- The Console needs to communicate with the Sensors, the Discovery OT Collectors, with the MID Server, the SGC, and your ServiceNow instance.
Figure 1. Network communication setup
- Sensor-to-Console communication:
- Deploy a separate Console for each network, network segment, or system.
- Configure firewall rules to enable communication across networks or network segment boundaries.
- The Discovery Sensor for OT needs to communicate with OT assets and with the Discovery Console for OT.
- Discovery Sensor for OT data is pushed to the ServiceNow instance by the Service Graph Connector.
- Sensor-to-asset communication:
- Deploy a separate Sensor for each network, network segment, or system.
- Configure firewall rules to enable communication across network, network segment, or system boundaries.
- Discovery OT Collector-to-Console communication:
- Discovery OT Collector needs to communicate with the Console.
- The Collector communicates with the Discovery Console for OT and with your system's assets.
Network port map
The following table lists the network ports to configure between the OT Discovery components.
| Source | Destination Port | Direction | Destination | Required/Optional | Description |
|---|---|---|---|---|---|
| Management Console | 8443 (HTTPS) inbound | Bi <-> | Workstation | Required | Console web interface |
| Management Console | 5671 (AMQP) inbound | Uni <- | Sensor | Required | Communications from Sensors to Console |
| Management Console | 123 (NTP) inbound | Uni <- | Time Server / ESXi Host | Optional | Clock synchronization. Not needed if the time server or hypervisor provides time. |
| Management Console | 8443 API | Uni <- | MID Server | Required | Import data from Management Console via the APIs. |
| Management Console | 22 (SSH) inbound | <- | Host Setup Computer | Optional (setup) | Additional support during deployment |
| Sensor | 5671 (AMQP) outbound | Uni <- | Management Console | Required | Communications from Sensors to Console |
| Sensor | 443 (HTTP) inbound | <- | Host Setup Computer | Required | Additional support during deployment |
| Sensor | 22 (SSH) inbound | <- | Host Setup Computer | Required | Additional support during deployment |
| MID Server | 443 | Bi <-> | NOW instance / Web | Required | Communications from the MID Server to the internet-facing NOW fabric. |
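As an added example that is not part of this documentation, the following Python script turns the port map above into a role-based allow-list and flags observed flows between deployment hosts that the map does not account for; the IP-to-role mapping and the flow records are constructed, and the key=value record format is an assumption.

```python
import re
from collections import Counter
# Allow-list derived from this page's port map: (source role, destination role, port, protocol).
ALLOWED_FLOWS = {
    ("workstation", "console", 8443, "tcp"),     # Console web interface
    ("sensor", "console", 5671, "tcp"),          # AMQP from Sensors to Console
    ("time_server", "console", 123, "udp"),      # NTP, optional
    ("mid_server", "console", 8443, "tcp"),      # MID Server imports data via the API
    ("setup_host", "console", 22, "tcp"),        # SSH during setup, optional
    ("setup_host", "sensor", 443, "tcp"),        # setup support
    ("setup_host", "sensor", 22, "tcp"),         # SSH during setup
    ("mid_server", "now_instance", 443, "tcp"),  # MID Server to ServiceNow instance
}
# Constructed, assumed address-to-role mapping for one network segment (not real hosts).
ROLE_BY_IP = {
    "10.10.1.10": "console", "10.10.1.20": "sensor", "10.10.1.30": "mid_server",
    "10.10.1.40": "workstation", "10.10.1.50": "setup_host",
    "10.10.1.1": "time_server", "203.0.113.7": "now_instance",
}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(tcp|udp)")

def classify(line):
    """Return 'allowed', 'unexpected', 'unknown-host' or 'unparsed' for one flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return "unparsed"
    src_role, dst_role = ROLE_BY_IP.get(m.group(1)), ROLE_BY_IP.get(m.group(2))
    if src_role is None or dst_role is None:
        return "unknown-host"   # a host that is not part of the documented deployment
    if (src_role, dst_role, int(m.group(3)), m.group(4)) in ALLOWED_FLOWS:
        return "allowed"
    return "unexpected"        # known hosts talking on a port the map does not list

def audit(lines):
    """Classify every record; return per-verdict counts and the non-allowed records."""
    counts, flagged = Counter(), []
    for line in lines:
        verdict = classify(line)
        counts[verdict] += 1
        if verdict != "allowed":
            flagged.append((verdict, line))
    return counts, flagged
# Constructed sample flow records in a simple key=value format (not captured traffic).
SAMPLE_FLOWS = [
    "src=10.10.1.20 dst=10.10.1.10 dport=5671 proto=tcp",  # Sensor to Console, AMQP
    "src=10.10.1.30 dst=10.10.1.10 dport=8443 proto=tcp",  # MID Server to Console API
    "src=10.10.1.40 dst=10.10.1.10 dport=22 proto=tcp",    # workstation SSH: not in the map
    "src=192.0.2.9 dst=10.10.1.20 dport=443 proto=tcp",    # undocumented host to Sensor
    "src=10.10.1.30 dst=203.0.113.7 dport=443 proto=tcp",  # MID Server to instance
]
```

Running `audit(SAMPLE_FLOWS)` reports three allowed flows and flags the workstation SSH attempt and the undocumented host, which is the shape of review a firewall rule set for each segment boundary should be checked against.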