Operational Technology Discovery components communications
Summary of Operational Technology Discovery components communications
This content outlines the communication requirements and architecture for Operational Technology (OT) Discovery components within a ServiceNow deployment. It explains how the various OT Discovery components (MID Server, Discovery Console for OT, Service Graph Connector (SGC), Sensors, and Collectors) must connect and communicate across networks to ensure effective data collection and integration with the ServiceNow instance.
Component Communications
- MID Server to ServiceNow instance: The MID Server pushes discovery data to the ServiceNow instance. If the Discovery Console for OT has direct internet access, the MID Server could be optional.
- Service Graph Connector (SGC): Communicates with the MID Server, Console, and ServiceNow instance to facilitate data flow.
- Console to MID Server: A dedicated MID Server should be deployed per network or segment, with appropriate firewall rules to allow communication across boundaries.
- Console to Sensors and Collectors: The Console communicates with Sensors, Collectors, MID Server, SGC, and the ServiceNow instance. Separate Consoles are deployed per network or segment, also requiring network boundary configurations.
- Sensor to Console and Assets: Sensors communicate with OT assets and the Console, with data pushed to ServiceNow by the SGC. Separate Sensors are deployed per network or segment.
- Collector to Console and Assets: The OT Collector communicates with both the Console and system assets, requiring network communication alignment.
Network Setup and Firewall Configuration
For deployments spanning multiple networks or segments, separate MID Servers, Consoles, and Sensors are recommended to maintain secure and reliable communication. Firewall rules must be configured to enable the necessary communication paths across network boundaries.
Network Port Requirements
The provided network port map details essential ports, directions, and their purposes to configure communication properly:
- Management Console: Uses ports like 8443 (HTTPS) for web interface, 5671 (AMQP) for Sensor communications, and others for optional time synchronization and setup support.
- Sensors: Use port 5671 (AMQP) to send data outbound to the Console and ports 443 and 22 for deployment support.
- MID Server: Communicates bi-directionally with the ServiceNow instance over port 443 (HTTPS) to push discovery data.
Properly configuring these ports ensures that OT Discovery components can communicate securely and efficiently, enabling successful discovery and integration of OT assets into your ServiceNow environment.
This section describes how the OT Discovery components should be connected so they can communicate with each other.
Component communications
- MID Server-to-ServiceNow instance communication:
  - The MID Server needs to communicate with the ServiceNow instance to push the information from Discovery Console for OT. Note: If the Discovery Console for OT can reach the internet, the MID Server might not be needed in your OT configuration.
  - This configuration and deployment is the same as with any other MID Server.
  - The Service Graph Connector (SGC) needs to communicate with the MID Server, the Console, and the ServiceNow instance.
- Console-to-MID Server communication:
  - Deploy a separate MID Server for each network or network segment.
  - Configure firewall rules to enable communication across networks or network segment boundaries.
  - The Console needs to communicate with the Sensors, the Collectors, the MID Server, the SGC, and your ServiceNow instance.

Figure 1. Network communication setup

- Sensor-to-Console communication:
  - Deploy a separate Console for each network, network segment, or system.
  - Configure firewall rules to enable communication across networks or network segment boundaries.
  - The Discovery Sensor for OT needs to communicate with OT assets and with the Discovery Console for OT.
  - Discovery Sensor for OT data is pushed to the ServiceNow instance by the Service Graph Connector.
- Sensor-to-asset communication:
  - Deploy a separate Sensor for each network, network segment, or system.
  - Configure firewall rules to enable communication across network, network segment, or system boundaries.
- Discovery OT Collector-to-Console communication:
  - The Discovery OT Collector needs to communicate with the Console.
  - The Collector communicates with the Console and with your system's assets.
Network port map
The following table describes how to set up network ports.
| Source | Destination Port | Direction | Destination | Required/Optional | Description |
|---|---|---|---|---|---|
| Management Console | 8443 (HTTPS) inbound | Bi <-> | Workstation | Required | Console web interface |
| Management Console | 5671 (AMQP) inbound | Uni <- | Sensor | Required | Communications from Sensors to Console |
| Management Console | 123 (NTP) inbound | Uni <- | Time Server / ESXi host | Optional | Clock synchronization. Not needed if a time server or the hypervisor provides the time. |
| Management Console | 8443 (HTTPS API) inbound | Uni <- | MID Server | Required | Import data from the Management Console via the APIs. |
| Management Console | 22 (SSH) inbound | Uni <- | Host Setup Computer | Optional (setup) | Additional support during deployment |
| Sensor | 5671 (AMQP) outbound | Uni -> | Management Console | Required | Communications from Sensors to Console |
| Sensor | 443 (HTTP) inbound | Uni <- | Host Setup Computer | Required | Additional support during deployment |
| Sensor | 22 (SSH) inbound | Uni <- | Host Setup Computer | Required | Additional support during deployment |
| MID Server | 443 (HTTPS) | Bi <-> | ServiceNow (NOW) instance / web | Required | Communications from the MID Server to the internet-facing ServiceNow instance. |
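As an added example that is not part of the ServiceNow documentation, the following Python script encodes the port map above together with the per-component communication paths from the component-communications section, derives each component's inbound and egress allowlists, and audits a host firewall's inbound rules against them. The `Flow` structure, the peer names, the UDP/TCP labels and the decision to model the bidirectional MID Server row as MID-Server-initiated (the MID Server pushes data to the instance) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One row of the port map: the initiating component, its peer, port and protocol."""
    src: str
    dst: str
    port: int
    proto: str
    required: bool


# Port map transcribed from the table above (assumed TCP except NTP). The
# MID Server <-> instance row is modelled as MID-Server-initiated (assumption).
PORT_MAP = (
    Flow("Workstation", "Management Console", 8443, "tcp", True),         # HTTPS web UI
    Flow("Sensor", "Management Console", 5671, "tcp", True),              # AMQP
    Flow("Time Server", "Management Console", 123, "udp", False),         # NTP (optional)
    Flow("MID Server", "Management Console", 8443, "tcp", True),          # API import
    Flow("Host Setup Computer", "Management Console", 22, "tcp", False),  # SSH (setup)
    Flow("Host Setup Computer", "Sensor", 443, "tcp", True),              # setup support
    Flow("Host Setup Computer", "Sensor", 22, "tcp", True),               # SSH (setup)
    Flow("MID Server", "ServiceNow instance", 443, "tcp", True),          # HTTPS push
)


def inbound_flows(component, required_only=False):
    """Peers and ports that must be allowed *into* `component` on its host firewall."""
    return {(f.src, f.port, f.proto) for f in PORT_MAP
            if f.dst == component and (f.required or not required_only)}


def outbound_flows(component):
    """Peers and ports that must be allowed *out of* `component` (egress allowlist)."""
    return {(f.dst, f.port, f.proto) for f in PORT_MAP if f.src == component}


def audit_inbound_policy(component, allowed):
    """Compare a host's inbound allow rules, as (peer, port, proto) tuples, with the
    port map. Returns (missing_required, not_in_port_map); both should be empty."""
    allowed = set(allowed)
    missing = inbound_flows(component, required_only=True) - allowed
    unexpected = allowed - inbound_flows(component)
    return missing, unexpected


if __name__ == "__main__":
    # Constructed Console policy: the MID Server API path was forgotten and a
    # remote-desktop rule from the workstation is not in the port map at all.
    policy = {("Workstation", 8443, "tcp"), ("Sensor", 5671, "tcp"), ("Workstation", 3389, "tcp")}
    missing, extra = audit_inbound_policy("Management Console", policy)
    print("missing required:", sorted(missing))
    print("not in port map:", sorted(extra))
```

Run the audit once per segment, since the page calls for a separate Console, Sensor and MID Server per network segment and each host carries its own firewall policy.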