Managing your HP servers through firewalls with HP SIM (481364-002, February 2008)
Which protocols must be allowed through the firewall depends on the types of system to be
managed. The issues associated with each protocol are discussed below. Ideally, WBEM will be used to
manage servers located behind a firewall.
SNMP
SNMP gives the broadest management coverage but carries the highest risk. Although asset
management requires no “set” operations, SNMP is UDP-based and is therefore not considered a
suitable protocol to pass through the firewall in many environments. SNMPv1 authenticates requests with
nothing more than a clear-text “community” string, so it provides a low level of security. SNMP may
still be acceptable in environments where the network containing the managed systems is relatively
controlled.
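The two weaknesses above can be seen on the wire. The following added example (not code from the HP paper) is a minimal BER decoder for the SNMPv1 message layout of RFC 1157; it extracts the clear-text community string from a datagram and flags SetRequest PDUs, which asset management never needs and which a firewall in front of managed systems can therefore drop. The sample datagrams are constructed inline by build_snmpv1(); the community strings, OIDs and value are illustrative.

```python
"""Decode SNMPv1 datagrams seen at the firewall and flag SetRequest PDUs.

Added example; this is not code from the HP paper. It implements the SNMPv1
message layout from RFC 1157 with a minimal BER decoder:
  SEQUENCE { version INTEGER, community OCTET STRING, PDU }
where the PDU is a context-specific constructed tag: 0xA0 GetRequest,
0xA1 GetNextRequest, 0xA2 GetResponse, 0xA3 SetRequest, 0xA4 Trap.
The sample datagrams are constructed inline by build_snmpv1().
"""
from __future__ import annotations

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    ln = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                               # base-128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _encode_tlv(0x06, bytes(out))


def _decode_oid(value: bytes) -> str:
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def build_snmpv1(community: str, pdu_tag: int, oid: str, value: str | None = None) -> bytes:
    """Construct an SNMPv1 message with one varbind (NULL value for Get*, OCTET STRING for Set)."""
    val = b"\x05\x00" if value is None else _encode_tlv(0x04, value.encode())
    varbinds = _encode_tlv(0x30, _encode_tlv(0x30, _encode_oid(oid) + val))
    pdu = (_encode_tlv(0x02, b"\x01")        # request-id
           + _encode_tlv(0x02, b"\x00")      # error-status
           + _encode_tlv(0x02, b"\x00")      # error-index
           + varbinds)
    return _encode_tlv(0x30, _encode_tlv(0x02, b"\x00")              # version 0 = SNMPv1
                       + _encode_tlv(0x04, community.encode())       # community, clear text
                       + _encode_tlv(pdu_tag, pdu))


def decode_snmpv1(datagram: bytes) -> dict:
    """Parse version, community, PDU type and the requested OIDs out of a datagram."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    pos = 0
    for _ in range(3):                       # skip request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "oids": oids}


def should_block(datagram: bytes) -> bool:
    """Asset management needs no 'set' operations, so SetRequests crossing the firewall are dropped."""
    return decode_snmpv1(datagram)["pdu"] == "SetRequest"


if __name__ == "__main__":
    # Constructed sample traffic: a sysDescr.0 read and a sysName.0 write.
    samples = [build_snmpv1("public", 0xA0, "1.3.6.1.2.1.1.1.0"),
               build_snmpv1("private", 0xA3, "1.3.6.1.2.1.1.5.0", "owned")]
    for dg in samples:
        print(decode_snmpv1(dg), "BLOCK" if should_block(dg) else "allow")
```

Running the block shows that the community string appears verbatim in the datagram, which is exactly what makes SNMPv1 unsuitable on an untrusted path: anyone who can observe one request can replay it. The should_block() check is the kind of rule a stateful firewall or an IDS in front of the managed network would apply when only read access is needed.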
DMI
DMI is a remote procedure call (RPC)-based protocol. To operate, DMI requires opening a number of
ports through a firewall. Therefore, DMI is not recommended for use through firewalls. It is largely
being replaced by WBEM.
Note
DMI is not supported on HP-UX systems running HP-UX 11.23 (11iv2) and
HP-UX 11.31 (11iv3). You must use WBEM for these operating systems.
WBEM
WBEM uses HTTPS to provide a secure TCP connection from the CMS to the managed system. WBEM
uses a dedicated port (TCP 5989 for SSL connections) and is supported through firewalls. The CMS can
use trusted certificates to authenticate the managed system, while the managed system uses user names
and passwords to authenticate the CMS.
Note
Firewalls should be configured to allow the CMS to communicate with
managed systems through the default port, 5989. If you have changed the
default port setting for your WBEM provider, you must configure your
firewall for the port number on which your WBEM provider is actually
configured.
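The WBEM exchange described above, as an added example that is not code from the HP paper or from HP SIM: the CMS side of a CIM-XML EnumerateInstances call over HTTPS on TCP 5989. The TLS context verifies the managed system's certificate against a CA the CMS trusts (the cafile argument is an assumption; the page does not name one), and the CMS's user name and password travel as HTTP Basic credentials inside the TLS session, which is how the managed system authenticates the CMS. The request body follows the DMTF CIM-XML encoding; the host, credentials, request path and the TLS 1.2 minimum are illustrative assumptions, not settings from the page.

```python
"""Issue a CIM-XML EnumerateInstances call to a WBEM provider over HTTPS (TCP 5989).

Added example; this is not code from the HP paper or HP SIM. It shows the two
authentication directions the paper describes: the CMS verifies the managed
system's certificate against a trusted CA (cafile), and the managed system
checks the CMS's user name and password (sent as HTTP Basic credentials inside
the TLS session). The request body follows the CIM-XML encoding (DMTF DSP0200/
DSP0201). Host, namespace, class, path and credentials are illustrative assumptions.
"""
from __future__ import annotations

import base64
import http.client
import ssl

WBEM_PORT = 5989        # default CIM-XML over HTTPS port; allow CMS -> managed system in the firewall
CIMOM_PATH = "/cimom"   # request path many CIM-XML servers use (assumption; some accept "/")


def make_tls_context(cafile: str | None = None) -> ssl.SSLContext:
    """TLS context that authenticates the managed system by its certificate.
    cafile is the CA bundle the CMS trusts; None falls back to the OS trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True                       # certificate must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED             # an unverifiable server certificate aborts the connection
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # hardening assumption beyond the 2008 "SSL" wording
    return ctx


def verifies_server_certificate(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an unverified or mis-named server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def cim_enumerate_instances(namespace: str, classname: str, msg_id: int = 1001) -> str:
    """CIM-XML body for the intrinsic method EnumerateInstances on classname in namespace."""
    ns_path = "".join(f'<NAMESPACE NAME="{part}"/>' for part in namespace.split("/"))
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<CIM CIMVERSION="2.0" DTDVERSION="2.0">'
        f'<MESSAGE ID="{msg_id}" PROTOCOLVERSION="1.0"><SIMPLEREQ>'
        '<IMETHODCALL NAME="EnumerateInstances">'
        f'<LOCALNAMESPACEPATH>{ns_path}</LOCALNAMESPACEPATH>'
        f'<IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="{classname}"/></IPARAMVALUE>'
        '</IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>'
    )


def cim_headers(namespace: str, username: str, password: str) -> dict:
    """HTTP headers for a CIM-XML method call, carrying the CMS credentials the managed system checks."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "Content-Type": 'application/xml; charset="utf-8"',
        "CIMOperation": "MethodCall",
        "CIMMethod": "EnumerateInstances",
        "CIMObject": namespace,
        "Authorization": f"Basic {token}",   # only acceptable because it rides inside verified TLS
    }


def enumerate_instances(host: str, username: str, password: str, cafile: str | None,
                        namespace: str = "root/cimv2", classname: str = "CIM_ComputerSystem",
                        port: int = WBEM_PORT) -> tuple[int, bytes]:
    """Run the call against a live provider (needs network access to port 5989; not exercised offline)."""
    conn = http.client.HTTPSConnection(host, port, context=make_tls_context(cafile), timeout=10)
    try:
        conn.request("POST", CIMOM_PATH,
                     body=cim_enumerate_instances(namespace, classname),
                     headers=cim_headers(namespace, username, password))
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration of what goes on the wire; the live call below is an assumption.
    print(cim_headers("root/cimv2", "cms_user", "secret"))
    print(cim_enumerate_instances("root/cimv2", "CIM_ComputerSystem"))
    # status, body = enumerate_instances("managed.example.net", "cms_user", "secret", "/etc/ssl/hp-ca.pem")
```

If the managed system's certificate is self-signed, put that certificate (or its issuing CA) in the cafile rather than lowering verify_mode; disabling verification would let any host on the path answer on port 5989 and collect the CMS credentials.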
WMI
WMI is Microsoft’s implementation of WBEM. WMI runs over DCOM, which in turn uses RPC.
The WMI Mapper is an application that provides translation from WMI (a DCOM-based interface) to
a standardized WBEM interface (CIM XML/HTTP). This is a two-way translation. The WMI Mapper is
required for HP SIM to manage Windows computers, including ProLiant servers running the Insight
Providers for Windows. The WMI Mapper service runs separately from the HP SIM service. For
Windows systems behind a firewall, HP recommends installing the WMI Mapper on a managed
system in the secure network (Figure 4) and disabling direct remote access to WMI. The mapper
accepts standard WBEM requests passed through the firewall and translates them into WMI requests on
the managed system, so only the single WBEM port needs to be opened.