Discovery communications
Base device discovery
For efficiency, the appliance will use ICMP ping to locate a device. It is possible to use other ping techniques if ICMP Echo is suppressed in your environment. To do so, on the Administration tab, scroll down to the Discovery section and click Options. Enable the Use TCP ACK "ping" before scanning and Use TCP SYN "ping" before scanning checkboxes, and enter the port numbers in the TCP ports to use for initial scan and UDP ports to use for initial scan fields.
If you do not allow ICMP pings through the firewall and do not enable TCP ACK and SYN pings, you may lose performance. This is because Discovery will do a full "Access Method" nmap port scan to determine whether the host is actually there, which causes delays as Discovery waits for requests to time out. You must alter the "Ping hosts before scanning" setting to "No" in this situation. If there is a limited range of IPs for which ICMP Echo is suppressed, you may disable the ping behavior for those IPs by using the Exclude ranges from ping setting. Further details are in Configuring Discovery.
If Discovery is unable to connect to an endpoint it will use heuristic techniques to offer an estimate of what sort of device is present. These are controlled by options in Configuring Discovery. The ports listed in the table below are used for this.
Port 4 using TCP and UDP is required if using IP Fingerprinting as Discovery needs to observe the response from a guaranteed closed port on the endpoint.
Port 4 must be closed on the discovery target, but must be open on any firewall between the appliance and discovery target, so that the response is from the target rather than the firewall. Where this is not the case, the heuristic would receive a response from two different TCP/IP stacks leading to unpredictable results including the endpoint being classified as a firewall, or an unrecognized device.
This can lead BMC Atrium Discovery to skip devices (see UnsupportedDevice in the DiscoveryAccess page).
| Port Number | Port assignment |
|---|---|
| 4 | Closed Port |
| 21 | FTP |
| 22 | SSH |
| 23 | telnet |
| 80 | HTTP |
| 135 | Windows RPC |
| 161 | SNMP |
| 513 | rlogin |
| 3940 | Discovery for z/OS Agent |
SNMP - Ports used for discovery
The only port required for SNMP discovery is 161 UDP.
UNIX - Ports used for discovery
The minimum ports required for successful UNIX discovery are simply the ports associated with the access methods that you are using. For example, if you are only using ssh this will be port 22. For telnet, port 23, and for rlogin, port 513.
| Port Number | Port assignment |
|---|---|
| 22 | SSH |
| 23 | telnet |
| 513 | rlogin |
Windows - Ports used for discovery
This section describes the ports that the Windows proxy uses when discovering remote Windows targets. If you intend to discover hosts behind a firewall then you will have to open these ports in the firewall. The ports given are outgoing (from the Windows proxy) TCP ports.
Windows Targets and Port 135
The appliance scans port 135 to determine whether the port is open and therefore the target is likely to be a Windows host. If the port is open then further discovery is undertaken using the Windows proxy.
You can disable this behavior: from the Discovery section of the Administration tab, click Discovery Configuration. Select the No radio button in the Check port 135 before using Windows access methods field. When you do this, Discovery does not need to see port 135 as open; it assumes that the target is a Windows host.
When you use this setting all hosts are assumed to be Windows. A UNIX host would be scanned unsuccessfully using a Windows proxy before any UNIX access methods are attempted.
WMI
The ports that are used by WMI discovery methods are described in the Table below. The port assignments are also noted.
| Port Number | Port assignment |
|---|---|
| 135 | DCE RPC Endpoint Manager |
| 1024-1030 | Restricted DCOM |
| 1024-65535 | Unrestricted DCOM |
| 139 | Netbios Session Service |
| 445 | Microsoft Directory Services SMB |
All WMI communication from BMC Atrium Discovery is sent with Packet Privacy enabled. If the host being discovered does not support Packet Privacy, for example if running a version older than Windows Server 2003 with Service Pack 1 (SP1), the flag is ignored and WMI returns the requested information.
By default, WMI (DCOM) uses a randomly selected TCP port between 1024 and 65535. This should ideally be restricted if scanning through firewalls in order to make firewall configuration simple. See Setting the DCOM Port Range below for more information.
Windows NT4 and NT4 Style Domains - WMI
TCP 139 is required instead of TCP 445 if discovering NT4 or authenticating on an NT4-style non-AD Domain, such as a domain run using Samba 3.x or below.
TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and above and Active Directory networks use SMB directly over TCP 445.
WMI queries from a Windows Server 2008 to a Windows NT4 host fail using the default security settings. On the Windows proxy host, turn off the requirement for 128 bit security in the "Network security: Minimum session security for NTLM SSP based (including RPC) clients" policy to permit this.
Setting the DCOM Port Range
WMI is based on the Distributed Component Object Model (DCOM), which by default uses a randomly selected TCP port between 1024 and 65535 for communications. To make this more 'firewall-friendly', the range can be restricted by following these steps on each target host.
These settings should be restricted on the target host, not the Windows proxy host.
- Using a registry editor, create the key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet.
- Within that key, create a REG_MULTI_SZ (Multi-String Value) called Ports. Enter the port(s) or port range you want to use. The Windows proxy will only use one port, but if the customer has other DCOM applications in use on that machine you may need to enable a larger range.
- Create a REG_SZ (String Value) called PortsInternetAvailable and give it the value Y.
- Create a REG_SZ (String Value) called UseInternetPorts and give it the value Y.
- Reboot the machine. This must be done for the changes to take effect.
You should also read the relevant Microsoft article about this issue: How to configure RPC dynamic port allocation to work with firewalls
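The registry procedure above, as a script added here (it is not BMC's own tooling), to be run in an elevated PowerShell session on each discovery target host. The port range 5000-5020 is a constructed example; size the range for every DCOM application on the host, and open the same range inbound on any firewall between the Windows proxy and the target.

```powershell
# Restrict the DCOM/RPC dynamic port range on a discovery TARGET host
# (not on the Windows proxy host). A reboot is still required afterwards.
param(
    # Constructed example range; one port or range per entry.
    [string[]]$Ports = @('5000-5020')
)

$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcInternetPorts {
    param([string[]]$PortRanges)
    # Reject anything that is not "port" or "low-high" before touching the registry.
    foreach ($r in $PortRanges) {
        if ($r -notmatch '^\d{1,5}(-\d{1,5})?$') { throw "Invalid port or range: $r" }
    }
    # Create HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet if it is missing.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Ports is REG_MULTI_SZ: the allowed port(s) or range(s).
    New-ItemProperty -Path $key -Name 'Ports' -Value $PortRanges `
        -PropertyType MultiString -Force | Out-Null
    # Both flags are REG_SZ with the value Y.
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -Value 'Y' `
        -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -Value 'Y' `
        -PropertyType String -Force | Out-Null
}

function Test-RpcInternetPorts {
    # Read the values back so the change can be audited before the reboot.
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Ports                  = $v.Ports
        PortsInternetAvailable = $v.PortsInternetAvailable
        UseInternetPorts       = $v.UseInternetPorts
        Consistent             = ($v.PortsInternetAvailable -eq 'Y' -and
                                  $v.UseInternetPorts -eq 'Y' -and
                                  @($v.Ports).Count -gt 0)
    }
}

Set-RpcInternetPorts -PortRanges $Ports
Test-RpcInternetPorts | Format-List
Write-Host 'Reboot the host for the new DCOM port range to take effect.'
```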
RemQuery
The ports that are used by RemQuery discovery are described in the Table below. The port assignments are also noted.
| Port Number | Port assignment |
|---|---|
| 139 | Netbios Session Service |
| 445 | Microsoft Directory Services SMB |
Windows NT4 and NT4 Style Domains - RemQuery
TCP 139 is required instead of TCP 445 if discovering NT4 or authenticating on an NT4-style non-AD Domain, such as a domain run using Samba 3.x or below.
TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and above and Active Directory networks use SMB directly over TCP 445.
Communication between Appliance and Windows proxies
The BMC Atrium Discovery appliance and the Windows proxies use CORBA to communicate. CORBA is used as a messaging system which enables the appliance to invoke methods on the Windows proxy. For example, the Discovery Engine finds a Windows host, or one that appears to be a Windows host after IP fingerprinting. The appliance makes a CORBA call passing information, say the IP address and an instruction to invoke the "Discover Windows host" method. The method is invoked on the Windows proxy, and the host is discovered. The discovered information is returned by another CORBA call.
You should be aware that communication takes place between the appliance and the Windows proxy, using the following TCP ports:
- 4321 - Active Directory Windows proxy.
- 4322 - Workgroup Windows proxy
- 4323 - Credential Windows proxy.
Proxy port changes in 8.3 SP2
In BMC Atrium Discovery 8.3 SP2, proxies are not limited to the default ports. It is also possible to install multiple proxies of each type on a single host. Consequently, in BMC Atrium Discovery 8.3 SP2 you must check the proxy manager to determine which ports the proxies are using. The defaults are the same as previous releases, but installations of additional proxies use incremental ports. You can also use the proxy manager to modify the port that each proxy uses.
Workgroup Windows proxy support is only for pre-8.2 Windows proxies, as they no longer exist in the current release. All of their functionality has been moved into Active Directory Windows proxies.
Mainframe - Ports used for discovery
The only port required for mainframe discovery is 3940 TCP by default, though this is configurable. See Discovery Configuration for more information.
Ports Used for Consolidation
Consolidated appliances use port 25032 to communicate. The scanning appliance must be able to connect to port 25032 on the consolidation appliance. You must configure any firewalls between scanning appliances and consolidation appliances to allow this traffic. The connection is always initiated from the scanning appliance as it is assumed to be on the secure side of the firewall.
Ports required for extended discovery
J2EE Discovery
The port information used for J2EE discovery is determined by the patterns used to discover the particular J2EE Application Server; if no port information is discovered, the default port is used. In addition, for full extended discovery, the port for the database that the J2EE Application Server is using is also required. This is dependent on the way that these servers are configured in your organization.
The default port is listed below.
| Port Number | Port Assignment | Use |
|---|---|---|
| 7001 | JMX | WebLogic |
SQL discovery
The port information used for SQL discovery is derived in the patterns used to discover the particular database. This is dependent on the way that databases are configured in your organization.
Default ports are listed below.
| Port Number | Port Assignment | Use |
|---|---|---|
| 1521 | SQL | Oracle |
| 1433 | SQL | MS SQL |
| 4100 | SQL | Sybase ASE |
| 3306 | SQL | MySQL |
VMware ESX/ESXi discovery using vCenter
The ports required for discovery of VMware ESX/ESXi hosts using vCenter are listed below:
| Port Number | Port Assignment | Use |
|---|---|---|
| 443 | HTTPS | VMware ESX/ESXi (also on vCenter host) |
| 902 | vSphere API | VMware ESX/ESXi |
Discovery of vCenter
Discovery of vCenter uses standard host discovery with the creation of a vCenter SI triggered on a discovered vCenter process.
VMware ESX/ESXi discovery using vSphere
The ports required for discovery of VMware ESX/ESXi hosts are listed below:
| Port Number | Port Assignment | Use |
|---|---|---|
| 443 | HTTPS | VMware ESX/ESXi |
| 902 | vSphere API | VMware ESX/ESXi |
Comments
How do you troubleshoot the "Windows Proxy is not active" condition in the ADDM Manage Windows Active Directory Proxy page? From the appliance side, our proxy status is "Unreachable", but the proxy itself reports online, and has network connectivity to the appliance.