White paper: Managing HP Servers through Firewalls with Insight Management 7.2
Table of Contents

Abstract ... 4
Acronyms ... 5
Introduction ... 7
HP management products
HP Insight Management Installer ports ... 22
HP Systems Insight Manager Dynamic Ports ... 27
HP Smart Update Manager ports ... 29
HP Insight Control for vCenter ports ... 32
HP Onboard Administrator ports
Abstract

This paper identifies possible ways of managing HP servers with HP Insight Management when the servers are deployed in an area of the network that is considered more secure than the standard production network. This is not a best practices document; it provides information that system administrators can use to build management solutions appropriate for their specific computing environments.
Introduction

Managing systems in a secure environment is a challenge that most system administrators face. It requires a careful balance between critical security requirements and the need to manage and maintain the systems effectively. Within an Internet-connected architecture there is typically a more tightly controlled zone, commonly referred to as the DMZ.
Case 1: Management protocols banned from the DMZ

In some computing environments, IT security policies restrict management protocols in the secure environment. Security policies may or may not permit other protocols (such as email or file sharing) in the DMZ. An acceptable management solution must conform to the security restrictions of the environment.
HP Insight Control

HP Insight Control gives you more for every dollar, hour, and watt invested in your ProLiant servers. With Insight Control and related services, you can deploy new ProLiant servers quickly and reliably, catalog your environment accurately, proactively monitor server health to pinpoint failures before they result in unplanned downtime, manage ProLiant servers remotely from any location, and optimize power usage confidently.
Case 2: Separate management network

In some computing environments, system administrators create a separate, secondary network parallel to the primary or production network (Figure 2). The chief benefit of this approach is that management traffic flows only through the secondary network, while the limited access from the production (primary) network maintains security. Configuring a separate management network using HP SIM allows secure access to the systems in the DMZ.
With HP SIM installed on the secondary management network, system asset information is collected from a ProLiant server on that management network through the iLO 2 or iLO 3 pass-through. As a second option, browse to the System Management Homepage (https://<hostname>:2381/) and view the asset information manually. Appendix A: Configuring a separate management network describes the procedure for configuring a separate management network.
Case 3: Managing through a firewall using a single network

In other computing environments, a firewall commonly separates the central management server (CMS) from the managed server. In such an environment (Figure 3), the two networks are given different levels of trust. For example, the managed server may be in a DMZ, while the CMS resides in a more trusted portion of the intranet. The firewall controls traffic between these two networks.
may be specified in a configuration file. The target system need not be actively listening on the chosen port, because a refused connection still shows that the host is reachable, but the firewall must be configured to allow these requests and their replies to pass. Next, the CMS attempts to identify a number of management protocols, such as SNMP, HTTP, and WBEM.
Using SNMPv3, you can collect management information from SNMP agents with authentication and integrity protection, so that tampered data is detected. Confidential information, such as SNMP set packets that change a device's configuration, can also be encrypted to prevent its contents from being exposed on the wire. Finally, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges.

DMI

DMI is similar in design to SNMP.
Figure 4: WMI Mapper on a managed Windows system behind a firewall

The WMI Mapper is included with the Windows version of HP SIM but can also be used with the other platform versions of HP SIM. It is available with the HP SIM software or from the HP website at http://www.hp.com/go/hpsim. The WMI Mapper can be installed on a Windows system to allow WBEM access to that system.
Port     Protocol(1)   Description
25       TCP           SMTP: used by the CMS to send email across Internet Protocol (IP) networks (CMS outbound)
50004    HTTPS/HTTP    WBEM event receiver on the CMS (configurable)

(1) All ports are for TCP and UDP. The CMS normally has all managed system ports open because the CMS is a managed system itself. Firewalls can be configured to block these ports if the CMS is not to be managed from another system.
Configuration management

First, configure the HP web agents on managed systems in the DMZ to trust the HP SIM server by certificate (trust-by-certificate, not trust-all). This authenticates all Version Control commands and all Replicate Agent Settings commands to the agent as coming from the specified CMS; these commands use HTTPS over port 2381. Systems must be discoverable by the CMS; see the Asset management section for more information.
SSH

SSH is used both locally on the HP SIM central management server and remotely, by various tools, to manage systems. Normally, SSH servers listen on TCP port 22. If this must be changed, the SSH port that HP SIM uses is configurable.

Best practices

Security of the systems can be enhanced by changing the default settings to the recommended Security Policy Baselines using the Microsoft Security Compliance Manager. Reference: http://www.microsoft.
• HP Matrix Infrastructure Orchestration ports
• HP Storage Provisioning Manager ports
• HP SPM Storage module

HP Insight Management Installer ports

Table 4: Ports for HP Insight Management Installer (In(2)/Out columns for the CMS and In/Out for the managed system; Y = traffic in that direction)

Port     Protocol(1)   CMS in/out   Managed system in/out   Description
7, 8     ICMP          Y / Y        Y / Y                   Ping. ICMP has no ports; an echo request is ICMP type 8 and the echo reply is type 0.

HP Systems Insight Manager

Port     Protocol(1)   CMS in/out   Managed system in/out   Description
22       TCP           Y / Y        Y / Y                   SSH: establishes a connection through SSH using the command line interface.
Port     Protocol(1)   Description
…                      database (row continued from the previous page)
5988     HTTP          WBEM service (cleartext)
5989     HTTPS         WBEM service
50000    HTTPS         HP SIM web server (configurable(6))
50001    HTTPS         HP SIM SOAP
50002    HTTPS         HP SIM SOAP with client certificate authentication
50003    HTTP          HP SIM SOAP (cleartext)
50004    HTTPS/HTTP    WBEM event receiver (configurable(7))
50005    WBEM          WBEM events
50006    PostgreSQL    PostgreSQL database. Note: block this port if Oracle DB is installed instead.

Where both a cleartext and an HTTPS variant are listed (5988/5989, 50003/50001), open only the HTTPS port through the firewall unless a managed system actually requires the HTTP variant; the HTTP ports carry management traffic unencrypted.
Port          Protocol(1)     Description
9143          TLS (OpenSSL)   Used by Application Discovery
9617, 9618    TCP             Used by Global Workload Manager on the CMS
280           HTTP            Web server for HP SIM; web agent auto-start port
50000         HTTPS           HP SIM web server
51001         HTTPS           LSA RMI port

Outbound (out): a request or response sent from a server.
Inbound (in): a request or response received by a server.

Axengine.
• Microsoft Windows 2003
• Microsoft Windows Vista, Microsoft Windows 2008 and later

Microsoft Windows 2003

Microsoft Windows 2003 uses a default port range of 1025 through 5000 as the dynamic client port range for outgoing connections. To avoid port conflicts, the HP SIM installer reserves the following ports as part of the installation process if it detects that it is being installed on Microsoft Windows 2003:
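The following script is an added example, not HP code, that turns the port tables above into something checkable: it lists which HP SIM listening ports collide with an operating system's dynamic port range (the conflict the installer avoids on Windows 2003), generates per-side iptables rules that admit only the peer across the firewall and leave the cleartext variants closed, and performs the same kind of TCP probe the CMS uses during discovery, distinguishing a refused connection (host reachable) from a silent drop (firewall). Assumptions not taken from the paper: port 161 as the SNMP agent port (the standard value), the CMS-or-managed direction assigned to each row from its description, iptables syntax as the example firewall (a Windows managed node would use its own firewall), and the 49152 to 65535 default dynamic range of Windows Vista/2008 and later, which is a documented Microsoft default but is not stated in this excerpt.

```python
"""Firewall planning helper for the HP SIM / iLO ports listed in this paper.

Added example, not HP code. PORTS is constructed from the paper's tables;
port 161 and the per-row direction are assumptions (see comments).
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtPort:
    port: int
    proto: str        # "tcp" or "udp"
    listens_on: str   # "cms" or "managed": the side that accepts the connection
    desc: str
    cleartext: bool = False   # HTTP variant of a service that also has an HTTPS port


# Constructed from the port tables in this paper. Direction is inferred from the
# row descriptions (event receiver and trap listener run on the CMS; agents, SMH
# and iLO listen on the managed system). 161 is the standard SNMP agent port and
# is assumed here; the excerpt itself only shows the trap port 162.
PORTS = [
    MgmtPort(22, "tcp", "managed", "SSH (CLI tools)"),
    MgmtPort(161, "udp", "managed", "SNMP agent (assumed standard port)"),
    MgmtPort(162, "udp", "cms", "SNMP trap listener"),
    MgmtPort(2381, "tcp", "managed", "System Management Homepage / web agents, HTTPS"),
    MgmtPort(5988, "tcp", "managed", "WBEM over HTTP", cleartext=True),
    MgmtPort(5989, "tcp", "managed", "WBEM over HTTPS"),
    MgmtPort(17988, "tcp", "managed", "iLO virtual media"),
    MgmtPort(17990, "tcp", "managed", "iLO remote console"),
    MgmtPort(50000, "tcp", "cms", "HP SIM web server"),
    MgmtPort(50001, "tcp", "cms", "HP SIM SOAP, HTTPS"),
    MgmtPort(50002, "tcp", "cms", "HP SIM SOAP, client certificate auth"),
    MgmtPort(50003, "tcp", "cms", "HP SIM SOAP, HTTP", cleartext=True),
    MgmtPort(50004, "tcp", "cms", "WBEM event receiver"),
]

# Default dynamic (ephemeral) client port ranges, inclusive.
EPHEMERAL = {
    "windows2003": (1025, 5000),     # stated in this paper
    "windows2008": (49152, 65535),   # Vista/2008 and later default; not from the paper
}


def ephemeral_collisions(ports, os_name):
    """Listening ports that fall inside the OS dynamic range.

    Such ports must be reserved (as the HP SIM installer does on Windows 2003),
    otherwise an outgoing connection may take the port before the service
    starts and the service then fails to bind.
    """
    low, high = EPHEMERAL[os_name]
    return sorted({p.port for p in ports if low <= p.port <= high})


def firewall_rules(side, peer_ip, ports=PORTS, allow_cleartext=False):
    """iptables INPUT rules protecting one side ("cms" or "managed").

    Only peer_ip may reach the management ports; replies to connections the host
    itself opened are allowed by the conntrack rule; everything else is dropped.
    Cleartext HTTP variants stay closed unless explicitly requested.
    """
    rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for p in ports:
        if p.listens_on != side or (p.cleartext and not allow_cleartext):
            continue
        rules.append(
            f"iptables -A INPUT -p {p.proto} -s {peer_ip} --dport {p.port} -j ACCEPT"
            f"  # {p.desc}"
        )
    rules.append("iptables -A INPUT -j DROP")
    return rules


def check_tcp(host, port, timeout=2.0):
    """Discovery-style probe: True if the port accepts, False if the host refused
    (reachable, nothing listening), None if the packet was dropped or the host
    is unreachable, which usually means the firewall is eating the probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return False
    except OSError:      # includes socket.timeout
        return None


if __name__ == "__main__":
    print("Windows 2003 range collisions:", ephemeral_collisions(PORTS, "windows2003"))
    print("Windows 2008+ range collisions:", ephemeral_collisions(PORTS, "windows2008"))
    for rule in firewall_rules("managed", "10.0.0.5"):   # 10.0.0.5 = example CMS address
        print(rule)
```

Running it shows that only port 2381 sits inside the Windows 2003 dynamic range, whereas all of HP SIM's own 50000 to 50004 ports sit inside the newer Windows default range, so on a Windows 2008 or later CMS the same reservation concern applies to the CMS services themselves.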
HP Smart Update Manager ports

Table 7: HP SUM ports for Windows CMS

Port                    Protocol(1)    Description
443, 63006              HTTPS          A secure data port used to transfer information. The alternate port is 63006.
445 and 137/138/139     TCP and UDP    Needed to connect to the remote ADMIN$ share on target servers (port 137 only if you are using the NetBIOS name service).
(row continued from the previous page) … one NIC, the lowest available one is used by HP Smart Update Manager to pass information between processes on the local workstation where HP Smart Update Manager is executed, and the next available one is used to receive messages from remote servers.
62000 and 62001                        These ports (or the first two ports available after 62000) are used for internal process communications on the system running HP SUM and on each target.
80, 63000–63005         HTTPS          Used for passing files to the target and retrieving the logs through an internal mini-HTTPS server. Port 80 is used if it is available, otherwise a random port between 63000 and 63005. Allows updates of the iLO firmware without the need to access the host server. Because the port is chosen at run time, a firewall between HP SUM and the target must pass the whole 63000–63005 range as well as port 80.
(row continued from the previous page) … target devices have successfully rebooted.

(1) All ports are for TCP and UDP. The CMS normally has all managed system ports open because the CMS is a managed system itself. Firewalls can be configured to block these ports if the CMS is not to be managed from another system.
(2) The CMS normally has all managed system ports open because the CMS is a managed system itself. Firewalls can be configured to block these ports if the CMS is not to be managed from another system.

HP Onboard Administrator ports

This section assumes that HP Onboard Administrator is behind the firewall with the CMS.
Port     Protocol(1)   Description
162      UDP           SNMP trap listener
69       UDP           TFTP: used for upload and configuration backup from the CLI
20, 21   TCP           FTP: used for upload and configuration backup from the CLI

TFTP has no authentication and FTP sends credentials and data in cleartext, so configuration backups travel unprotected over these ports; if they must cross the firewall, restrict them to the Onboard Administrator and the backup host.

(1) All ports are for TCP and UDP. The CMS normally has all managed system ports open because it is itself a managed system; configure the firewall to block them if the CMS is not to be managed from another system.
Port     Protocol(1)   Description
17990    TCP           Remote Console port

(1) All ports are for TCP and UDP. The CMS normally has all managed system ports open because it is itself a managed system; configure the firewall to block them if the CMS is not to be managed from another system.

HP Integrated Lights-Out 4 ports

This section assumes that HP Integrated Lights-Out 4 is behind the firewall with the CMS.
Port     Protocol(1)   Description
636      TCP           LDAPS (LDAP over SSL) authentication to the directory server (directory integration); iLO initiates this connection to the directory server
17988    TCP           Virtual Media port
17990    TCP           Remote Console port

(1) All ports are for TCP and UDP. The CMS normally has all managed system ports open because it is itself a managed system; configure the firewall to block them if the CMS is not to be managed from another system.
Port     Protocol(1)   Description
3001     TCP           SA agent communications
8017     TCP, UDP      Agent gateway
8081     TCP           Agent cache

HP Matrix KVM Private Cloud ports

This section assumes that HP Matrix KVM Private Cloud is behind the firewall.
Policies required for IM DVD installation

The following security policies must be enabled before proceeding with the DVD installation.
Additional policies required for proper system operation

Table 17 lists the additional policies that must be enabled for correct system functionality.
Conclusion

This paper identified various options available for managing HP systems in a secure environment. The solutions explained here are intended only as a framework for exploring the options. System administrators can and should tailor solutions for their networks based on these options.
Appendix A: Configuring a separate management network

To configure a separate management network using HP SIM, install HP SIM on the secondary network and complete the following steps:

1. Configure SNMP to accept packets only from the IP addresses used on the management network, or bind SNMP to the secondary network interface (if the operating system allows this):
   • On Windows systems:
     a. From the Control Panel, open the Services menu.
     b.
Appendix B: Modifying default ports

To change the default port 50000 used by HP SIM to a different port, install HP SIM and complete the following steps:

1. Change the default port value to the required port value in the following lines of the server.xml file under \jboss\server\hpsim\deploy\jboss-web.deployer:

Appendix C: Configuring Insight Control with minimal SQL user privileges post-installation

Note: Ensure that at least one user with the SYSADMIN (admin) server role is present in SQL Server; otherwise you will not be able to connect to SQL Server. If you have only one user with the SYSADMIN role, create another user (for example, myuser) with the SYSADMIN role before altering the current user (admin).
7. Under "Database role membership for", select db_datareader and db_datawriter. For gWLM, you must select db_owner membership.
8. Update the following database configuration files for each plug-in with the new user created with minimum privileges:
   • SIM: "\Systems Insight Manager\config"
   • RDP: "RDP\Deployment Server\default.
   • VMM: "\Insight Control virtual machine management\bin\hpvmmdb.conf"
   • gWLM: "\Virtual Server Environment\conf\gwlmdb"
   • HPIO: "\Insight Orchestration\conf\jdbc.props"
   Then enter the following commands at the command prompt:
   mxpassword -m -x MxDBUserPassword=
   mxpassword -m -x io.db.password=
   mxpassword -m -x oo.admin.password=
   vseinitconfig -a
9. Restart the plug-in services.
For more information

Resource                                              Webpage
ProLiant server management                            http://h18013.www1.hp.com/products/servers/management/index.html
HP Systems Insight Manager                            http://www.hp.com/go/hpsim
HP Systems Insight Manager User Guide                 http://h18004.www1.hp.com/products/servers/management/unified/infolibraryfm.html
Understanding HP Systems Insight Manager Security     http://www.hp.com/wwsolutions/misc/downloads/management/hpsim/HPSIM_Security_WP.
Call to action

To help us better understand and meet your needs for ISS technology information, send comments about this paper to TechCom@HP.com.

© Copyright 2010, 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.