Managing HP servers through firewalls with Insight Management 7.2
White paper | HP Insight Management 7.2 | March 2013
CMS / Managed System   Port         Protocol (1)   Description
Y Y                    9143         OpenSSL        Used by Application Discovery
Y                      9617, 9618   TCP            Global Workload Manager uses on CMS
Y Y Y                  280          HTTP           Web server for HP SIM; web agent auto-start port
Y                      50000        HTTPS          HPSIM webserver
Y                      51001        HTTPS          LSA RMI port
Outbound (out) – Request or response sent from a server is called outbound.
Inbound (in) – Request or response received by a server is called inbound.
Axengine.exe should be allowed in the firewall for Insight Control Server Deployment services.
(1) All ports are for TCP and UDP.
(2) The CMS normally has all managed system ports open because the CMS is a managed system
itself. Firewalls can be configured to block these ports if the CMS is not to be managed from
another system. Discovery protocol is configurable between ICMP or TCP and a configurable port;
the default is 80.
(3) Many CMS outgoing ports are used for discovery.
(4) RMI port is used within the CMS for inter-process communication. Connections from outside the
CMS are not accepted, and firewalls may block this port.
(5) 50000 port number is configurable in server.xml (see Appendix B: Modifying default ports).
(6) 50004 port number is configurable in globalsettings.props (see Appendix B: Modifying default
ports).
HP Systems Insight Manager Dynamic Ports
There are three main processes in SIM: mxdomainmgr, mxdtf, and mxinventory. These processes
communicate with each other using Secure RMI connections (TCP).
SIM doesn’t insist on any specific listener port. Instead, it uses anonymous ports, based on the
underlying Java RMI implementation, which uses the User ports (for example, 1024 – 49151 on
Microsoft Vista, Microsoft 2008 and later operating systems). Therefore, SIM processes listen on
different ports on every restart.
• Though Java RMI is used on various user ports, SIM listens only on “localhost” so that
these services are not exposed for use outside the system that is running SIM. Therefore,
these ranges could be safely blocked in a firewall configuration for incoming requests
from outside hosts.
• The “mxdtf” process listener port could be configured in the configuration file,
mx.properties, by setting MX_PORT to the appropriate value. However, if this value
is missing, SIM defaults to 2367.
• In addition to inter-process communication, these processes perform their regular
activities (for example, data collection using SNMP / WBEM / SSH and so on from a
managed node). In these situations, the processes use any of the dynamic ports (both
TCP and UDP) for outgoing connections.
HPSIM uses various user ports in the range of 1024 through 65535 (using TCP and/or UDP) for
inter-process communication among the processes that HPSIM manages. Therefore, this range of
ports could be safely blocked in a firewall configuration for incoming requests from outside hosts.
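
An added example (not from the HP white paper or from HP SIM): before blocking the dynamic range for inbound traffic, the statement that the SIM RMI listeners bind only to localhost can be checked on the CMS itself. The code assumes listener data has been normalized to hypothetical `process proto address:port` lines (for example from netstat or ss output) and that mx.properties uses `MX_PORT=value` syntax; the sample lines are constructed.

```python
import ipaddress
import re

DEFAULT_MX_PORT = 2367  # per the page: used when MX_PORT is missing
SIM_PROCESSES = {"mxdomainmgr", "mxdtf", "mxinventory"}  # per the page

# Constructed sample in an assumed "process proto address:port" format.
SAMPLE_LISTENERS = [
    "mxdomainmgr tcp 127.0.0.1:49210",
    "mxinventory tcp [::1]:49305",
    "mxdtf tcp 127.0.0.1:2367",
    "mxdtf tcp 0.0.0.0:51344",   # wildcard bind: reachable from other hosts
    "httpd tcp 0.0.0.0:280",     # not a SIM RMI process, ignored
]

def mx_port(properties_text):
    """Return MX_PORT from mx.properties text, or the documented default."""
    for line in properties_text.splitlines():
        m = re.match(r"\s*MX_PORT\s*[=:]\s*(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return DEFAULT_MX_PORT

def split_endpoint(endpoint):
    """Split '127.0.0.1:49210' or '[::1]:49210' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def audit_listeners(listener_lines, properties_text=""):
    """Sort SIM listeners into loopback-only and externally reachable."""
    configured = mx_port(properties_text)
    report = {"loopback": [], "exposed": [], "mx_port_listening": False}
    for line in listener_lines:
        fields = line.split()
        if len(fields) != 3 or fields[0] not in SIM_PROCESSES:
            continue
        proc, proto, endpoint = fields
        ip, port = split_endpoint(endpoint)
        if proc == "mxdtf" and port == configured:
            report["mx_port_listening"] = True
        key = "loopback" if ip.is_loopback else "exposed"
        report[key].append((proc, proto, str(ip), port))
    return report

if __name__ == "__main__":
    result = audit_listeners(SAMPLE_LISTENERS)
    for entry in result["exposed"]:
        print("not loopback-only, review before relying on the firewall:", entry)
    print("mxdtf on MX_PORT:", result["mx_port_listening"])
```

Any entry under `exposed` is a listener that the inbound block, rather than the bind address, is protecting. Because the ports change on every restart, the check is worth repeating after each SIM restart.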