Discovery communications

This section describes communication between the BMC Atrium Discovery appliance, Windows proxies, and discovery targets.

Base device discovery

For efficiency, the appliance uses ICMP ping to locate a device. If ICMP Echo is suppressed in your environment, you can use other ping techniques instead. To do so, on the Administration tab, scroll down to the Discovery section and click Discovery Configuration. In the Scanning section, select the Use TCP ACK 'ping' before scanning and Use TCP SYN 'ping' before scanning check boxes, and enter the port numbers in the TCP ports to use for initial scan and UDP ports to use for initial scan fields.

If you do not allow ICMP pings through the firewall and do not enable TCP ACK and SYN pings, discovery performance suffers. This is because Discovery then performs a full "Access Method" nmap port scan to determine whether the host is actually present, and waits for each request to time out. In this situation you must set "Ping hosts before scanning" to "No". If ICMP Echo is suppressed only for a limited range of IPs, you can disable the ping behavior for those IPs by using the Exclude ranges from ping setting. For more information, see Configuring discovery settings.

To scan networks that do not permit ICMP ping packets, set Use TCP ACK ping before scanning, Use TCP SYN ping before scanning, or both, to Yes in your discovery settings. Be aware that if BMC Atrium Discovery pings an IP address where there is no device and a firewall in your environment is configured to respond on behalf of that address, the result is a reported device that does not exist on the network rather than dark space (NoResponse). To avoid this, either change the configuration of such firewalls or do not enable TCP ACK ping or TCP SYN ping.

If Discovery cannot connect to an endpoint, it uses heuristic techniques to estimate what sort of device is present. These are controlled by options in Configuring discovery settings.

If IP fingerprinting is used, port 4 (TCP and UDP) is required, because Discovery must observe the response from a port that is guaranteed to be closed on the endpoint.

Port 4 must be closed on the discovery target, but must be open on any firewall between the appliance and the discovery target, so that the response comes from the target rather than the firewall. Where this is not the case, the heuristic receives responses from two different TCP/IP stacks, leading to unpredictable results, including the endpoint being classified as a firewall or an unrecognized device. This can cause BMC Atrium Discovery to skip devices (see UnsupportedDevice in the DiscoveryAccess page).
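The check a practitioner would want here, added as an example that is not part of the BMC documentation: from a host on the same path as the appliance, confirm that a TCP connection attempt to port 4 on a target is refused with a RST rather than silently dropped. A refusal means the target's own TCP/IP stack answered; a timeout means a firewall is filtering the probe and the fingerprinting heuristic cannot be trusted. The target name, the timeout value and the TCP-only scope are assumptions (the UDP side is not covered).

```powershell
# Added example, not from the BMC documentation. Checks whether the "guaranteed closed"
# port used by IP fingerprinting actually answers from the target's own TCP/IP stack.
# Assumed: the target is reachable by name/IP from where this runs; TCP only (no UDP check).
function Test-ClosedPortReachability {
    param(
        [Parameter(Mandatory)][string]$Target,  # discovery target (hostname or IP)
        [int]$Port = 4,                         # the closed port Discovery probes
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = [ordered]@{ Target = $Target; Port = $Port; State = ''; FingerprintingReliable = $false }
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Neither SYN/ACK nor RST arrived: something on the path is dropping the probe.
            $result.State = 'Filtered (no response; check firewalls between appliance and target)'
        } else {
            $client.EndConnect($async)
            # Handshake completed: a service is listening where Discovery expects a closed port.
            $result.State = 'Open (port 4 must be closed on the target)'
        }
    } catch {
        # .NET method errors arrive wrapped; unwrap to reach the SocketException.
        $ex = $_.Exception
        if ($ex -isnot [System.Net.Sockets.SocketException]) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # RST received: the target's stack itself rejected the connection, as required.
            $result.State = 'Closed (RST from target)'
            $result.FingerprintingReliable = $true
        } else {
            $result.State = "Error: $($_.Exception.Message)"
        }
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage (the target name is a placeholder):
Test-ClosedPortReachability -Target 'target-host.example.com' | Format-List
```

Only a Closed result satisfies the requirement above; a Filtered result points at a firewall rule to fix, and an Open result at a service that should not be listening on port 4.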

The ports listed in the following table are used to determine what device is present.

Port Number   Port assignment
4             Closed Port
21            FTP
22            SSH
23            telnet
80            HTTP
135           Windows RPC
161           SNMP
443           HTTPS
513           rlogin
902           VMware Authentication Daemon
3940          Discovery for z/OS Agent
5988          WBEM HTTP
5989          WBEM HTTPS

SNMP: Ports used for discovery

The only port required for SNMP discovery is 161 UDP.

UNIX: Ports used for discovery

The minimum set of ports required for successful UNIX discovery is just the port associated with each access method that you use. For example, if you use only SSH, this is port 22. The following table details the assignment for each port number.

Port Number   Port assignment
22            SSH
23            telnet
513           rlogin

Windows: Ports used for discovery

This section describes the ports that the Windows proxy uses when discovering remote Windows targets. If you intend to discover hosts behind a firewall, you must open these ports in the firewall. The ports given are outgoing (from the Windows proxy and the appliance) TCP ports.

Windows targets and port 135

The appliance scans port 135 to determine whether the port is open and therefore the target is likely to be a Windows host. If the port is open, further discovery is performed using the Windows proxy.

You can disable this behavior. To do so:

  1. Choose Administration > Discovery > Discovery Configuration.
  2. Select the No option button in the Check port 135 before using Windows access methods field.
    Discovery does not need to detect port 135 as open; it assumes that the target is a Windows host. When you use this setting, all hosts are assumed to be Windows. A UNIX host is scanned unsuccessfully using a Windows proxy before any UNIX access methods are attempted.

WMI

The ports that are used by WMI discovery methods and the corresponding assigned ports are described in the following table.

Port Number   Port assignment
135           DCE RPC Endpoint Manager; DCOM Service Control
1024-1030     Restricted DCOM (one of these ports is used after initial negotiation)
1024-65535    Unrestricted DCOM (one of these ports is used after initial negotiation)
139           NetBIOS Session Service
445           Microsoft Directory Services SMB

All WMI communication from BMC Atrium Discovery is sent with Packet Privacy enabled. If the host being discovered does not support Packet Privacy (for example, a version earlier than Windows Server 2003 with Service Pack 1 (SP1)), the flag is ignored and WMI still returns the requested information.

By default, WMI (DCOM) uses a randomly selected TCP port between 1024 and 65535. To simplify configuration of the firewall, you should restrict this usage if you scan through firewalls. See To set the DCOM Port Range for more information.

Windows NT4 and NT4 style domains (WMI)

TCP 139 is required instead of TCP 445 if you discover NT4 or you authenticate on an NT4-style non-AD Domain (such as a domain run using Samba 3.x or earlier).

TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and later and Active Directory networks use SMB directly over TCP 445.

WMI queries from a Windows Server 2008 host to a Windows NT4 host fail with the default security settings. On the Windows proxy host, turn off the requirement for 128-bit security in the Network security: Minimum session security for NTLM SSP based (including RPC) clients policy to permit this.

To set the DCOM port range

WMI is based on the Distributed Component Object Model (DCOM), which by default uses a randomly selected TCP port between 1024 and 65535 for communications. To make firewall configuration more efficient, the range can be restricted using the following procedure on each target host.

These settings should be restricted on the target host, not the Windows proxy host.

  1. Using a registry editor, create the key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
  2. Within that key create a REG_MULTI_SZ (Multi-String Value) called Ports.
  3. Enter in the port(s) or port range you want to use.
    The Windows proxy uses only one port; however, if the user has other DCOM applications in use on that machine, you might need to enable a larger range.
  4. Create a REG_SZ (String Value) called PortsInternetAvailable and give it the value Y.
  5. Create a REG_SZ (String Value) called UseInternetPorts and give it the value Y.
  6. Restart the computer.

You should also read the relevant Microsoft article about this issue: How to configure RPC dynamic port allocation to work with firewalls
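The same procedure as a script, added here as an example and not BMC's own tooling. It must run in an elevated PowerShell session on the target host (not the Windows proxy); the port range 5000-5020 is an assumed value to replace with the range you open on the firewall, and the restart from step 6 is still required afterwards.

```powershell
# Added example, not from the BMC documentation: applies the registry settings from the
# procedure above and reads them back for verification. Run elevated on the target host.
$rpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$portRange   = @('5000-5020')   # assumed range; widen it if other DCOM applications run here

function Set-DcomPortRange {
    param([string[]]$Ports = $portRange)
    # Step 1: create the Internet key if it does not exist yet.
    if (-not (Test-Path $rpcInternet)) {
        New-Item -Path $rpcInternet -Force | Out-Null
    }
    # Steps 2-3: REG_MULTI_SZ "Ports" holding the port(s) or range(s).
    New-ItemProperty -Path $rpcInternet -Name 'Ports' -PropertyType MultiString `
        -Value $Ports -Force | Out-Null
    # Steps 4-5: the two REG_SZ flags that make the RPC runtime honour the range.
    New-ItemProperty -Path $rpcInternet -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcInternet -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Test-DcomPortRange {
    # Read the values back so the change can be checked before the reboot (step 6).
    $item = Get-ItemProperty -Path $rpcInternet -ErrorAction Stop
    [pscustomobject]@{
        Ports                  = ($item.Ports -join ',')
        PortsInternetAvailable = $item.PortsInternetAvailable
        UseInternetPorts       = $item.UseInternetPorts
        Consistent             = ($item.PortsInternetAvailable -eq 'Y' -and
                                  $item.UseInternetPorts -eq 'Y' -and
                                  @($item.Ports).Count -gt 0)
    }
}

Set-DcomPortRange
Test-DcomPortRange
# Restart-Computer is still needed for the RPC runtime to pick up the new range.
```

The chosen range must also be permitted inbound on the target's own firewall and on any firewall between the Windows proxy and the target, otherwise the restriction only moves the failure.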

RemQuery

Although WMI is Microsoft's standard mechanism for remote system interrogation and management, some operations are not possible using WMI: primarily gathering netstat data in core discovery, and running additional commands or extracting file content via patterns. Without RemQuery, Discovery would be unable to determine network connection information for the discovery target, communication between that host and others, and application modeling based on network connections. Additional discovery operations using RemQuery are typically for deeper software discovery, modeling, and versioning.

RemQuery is a BMC Atrium Discovery utility that uses the same basic approach as the Microsoft PSExec tool. It operates in the following way. The proxy copies the RemQuery executable to the ADMIN$ share on the target. Windows Administrator access is required to write to the ADMIN$ share and start the RemQuery service. Once the service is started on the target, the proxy sends its public key to the RemQuery service, which generates an encryption key, encrypts it with the received public key, and sends it back. The proxy then recovers the encryption key using its private key. From that point, all proxy-to-RemQuery communication is secured using the encryption key and an appropriate algorithm, depending on the target system. RemQuery discovery uses AES encryption with a 256-bit key. Windows 2000 does not support AES, so RemQuery discovery falls back to DES encryption there. Windows NT supports neither AES nor DES, so RemQuery discovery to NT targets is unencrypted. The proxy communicates with the RemQuery service using a named pipe. This pipe is secured so that only an Administrator user can access it.

At the end of the scan, the service is stopped and uninstalled, but the executable is left in the ADMIN$ share. If a copy already exists, and is the same version, it is not copied again. If the copy is of an older version, it is updated.

The ports that are used by RemQuery discovery and the corresponding port assignments are described in the following table.

Port Number   Port assignment
139           NetBIOS Session Service
445           Microsoft Directory Services SMB

Windows NT4 and NT4 style domains (RemQuery)

TCP 139 is required instead of TCP 445 if you discover NT4 or if you authenticate on an NT4-style non-AD Domain, such as a domain run using Samba 3.x or earlier.

TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and later and Active Directory networks use SMB directly over TCP 445.

Mainframe: Ports used for discovery

The only port required for mainframe discovery is 3940 TCP by default. See Discovery Configuration for more information about how to configure this port.

WBEM: Ports used for discovery

The default ports used for WBEM discovery are:

  • HTTP port: 5988
  • HTTPS port: 5989

See Discovery Configuration for more information about how to configure these ports.

Ports required for extended discovery

The following sections detail port information for extended discovery types.

J2EE Discovery

The port information used for J2EE discovery is determined by the patterns used to discover the particular J2EE Application Server. If no port information is discovered, the default port is used. In addition, for full extended discovery, the port of the database that the J2EE Application Server uses is also required. This depends on how these servers are configured in your organization.

The following table details the default port.

Port Number   Port Assignment   Use
7001          JMX               WebLogic

SQL discovery

The port information used for SQL discovery is derived from the patterns used to discover the particular database. This depends on how databases are configured in your organization.

The following table details the default ports.

Port Number   Port Assignment   Use
1521          SQL               Oracle
1433          SQL               MS SQL
4100          SQL               Sybase ASE
3306          SQL               MySQL

VMware ESX/ESXi discovery using vCenter

The ports required for discovery of VMware ESX/ESXi hosts using vCenter are listed in the following table.

Port Number   Port Assignment   Use
443           HTTPS             VMware ESX/ESXi (also on vCenter host)
902           vSphere API       VMware ESX/ESXi

Discovery of vCenter

Discovery of vCenter uses standard host discovery with the creation of a vCenter SI triggered on a discovered vCenter process.

VMware ESX/ESXi discovery using vSphere

The ports required for discovery of VMware ESX/ESXi hosts are listed in the following table.

Port Number   Port Assignment   Use
443           HTTPS             VMware ESX/ESXi
902           vSphere API       VMware ESX/ESXi
