This section describes communication between the BMC Atrium Discovery appliance, Windows proxies, and discovery targets.

Base device discovery

For efficiency, the appliance uses ICMP ping to locate a device. It is possible to use other ping techniques if ICMP Echo is suppressed in your environment. To do so, on the Administration tab, scroll down to the Discovery section and click Options. Enable the Use TCP ACK "ping" before scanning and Use TCP SYN "ping" before scanning check boxes, and enter the port numbers in the TCP ports to use for initial scan and UDP ports to use for initial scan fields.

If you do not allow ICMP pings through the firewall and do not enable TCP ACK and SYN pings, you might lose performance. This is because Discovery performs a full "Access Method" nmap port scan to determine whether the host is actually present, which causes delays as Discovery waits for requests to time out. You must set the "Ping hosts before scanning" setting to "No" in this situation. If there is a limited range of IPs for which ICMP Echo is suppressed, you can disable the ping behavior for these IPs by using the Exclude ranges from ping setting. For more information, see Configuring discovery settings.

To scan networks that do not permit ICMP ping packets, you may set Use TCP ACK ping before scanning or Use TCP SYN ping before scanning (or both of these) in your discovery settings to Yes. If BMC Atrium Discovery pings an IP address where there is no device and some firewall in your environment is configured to respond for that IP address, it may result in reporting a device which does not exist on the network rather than dark space (NoResponse). To avoid this, it is recommended to either alter such firewall configurations or not to enable TCP ACK ping or TCP SYN ping.

If Discovery cannot connect to an endpoint, it uses heuristic techniques to estimate what sort of device is present. These are controlled by options in Configuring discovery settings.

TCP and UDP port 4 must be reachable if you use IP fingerprinting, because Discovery must observe the response from a port that is guaranteed to be closed on the endpoint.

Port 4 must be closed on the discovery target, but must be open on any firewall between the appliance and discovery target, so that the response is from the target rather than the firewall. Where this is not the case, the heuristic receives a response from two different TCP/IP stacks, leading to unpredictable results including the endpoint being classified as a firewall or an unrecognized device. This can lead BMC Atrium Discovery to skip devices (see UnsupportedDevice in the DiscoveryAccess page).
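The failure mode above (a firewall silently dropping port 4 so that no RST ever comes back, or something unexpectedly listening on it) can be checked before a scan. The following is an added example, not BMC's code; it connects once to TCP port 4 of each target from the appliance side of the firewall (the Windows proxy host is a convenient place to run it) and reports whether the port answered with an RST (Closed, which is what the heuristic needs), timed out (Filtered), or accepted (Open). The target addresses are constructed samples.

```powershell
function Test-DiscoveryClosedPort {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Port = 4,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Neither SYN/ACK nor RST arrived: packets are being dropped in transit.
            return 'Filtered'
        }
        $client.EndConnect($handle)   # throws a SocketException when an RST is received
        return 'Open'
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the SocketException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.Sockets.SocketException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'Closed'   # RST received: the response IP fingerprinting expects
        }
        return "Error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Constructed sample targets; replace with the hosts in your discovery range.
$targets = @('10.0.0.21', '10.0.0.22')
foreach ($t in $targets) {
    $state = Test-DiscoveryClosedPort -Target $t
    switch ($state) {
        'Closed'   { "$t : port 4 closed, IP fingerprinting will get its RST" }
        'Filtered' { "$t : port 4 filtered, allow TCP/UDP 4 through the firewall (target keeps it closed)" }
        'Open'     { "$t : port 4 is OPEN on the target, so it is not a guaranteed closed port" }
        default    { "$t : $state" }
    }
}
```

A firewall that sends the RST itself (the two-stack case described above) is indistinguishable from a genuinely closed target port from this vantage point, and the check covers TCP only; the UDP side of port 4 is not exercised.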

The ports listed in the following table are used to determine what device is present.

Port Number   Port assignment
4             Closed Port
21            FTP
22            SSH
23            telnet
80            HTTP
135           Windows RPC
161           SNMP
443           HTTPS
513           rlogin
902           VMware Authentication Daemon
3940          Discovery for z/OS Agent

SNMP: Ports used for discovery

The only port required for SNMP discovery is 161 UDP.

UNIX: Ports used for discovery

The minimum ports required for successful UNIX discovery are just those associated with the access methods that you use. For example, if you only use SSH, this is port 22. The following table details the assignment for each port number.

Port Number   Port assignment
22            SSH
23            telnet
513           rlogin

Windows: Ports used for discovery

This section describes the ports that the Windows proxy uses when discovering remote Windows targets. If you intend to discover hosts behind a firewall, you must open these ports in the firewall. The ports given are outgoing (from the Windows proxy) TCP ports.

Windows targets and port 135

The appliance scans port 135 to determine whether the port is open and therefore the target is likely to be a Windows host. If the port is open, further discovery is performed using the Windows proxy.

You can disable this behavior. To do so:

  1. Choose Administration > Discovery > Discovery Configuration.
  2. Select the No option button in the Check port 135 before using Windows access methods field.
    Discovery does not need to detect port 135 as open; it assumes that the target is a Windows host. When you use this setting, all hosts are assumed to be Windows. A UNIX host is scanned unsuccessfully using a Windows proxy before any UNIX access methods are attempted.

WMI

The ports that are used by WMI discovery methods and the corresponding assigned ports are described in the following table.

Port Number   Port assignment
135           DCE RPC Endpoint Manager, DCOM Service Control
1024-1030     Restricted DCOM (one of these ports is used after initial negotiation)
1024-65535    Unrestricted DCOM (one of these ports is used after initial negotiation)
139           NetBIOS Session Service
445           Microsoft Directory Services SMB

All WMI communication from BMC Atrium Discovery is sent with Packet Privacy enabled. If the host being discovered does not support Packet Privacy, the flag is ignored and WMI returns the requested information (for example, if you run a version earlier than Windows Server 2003 with Service Pack 1 (SP1)).

By default, WMI (DCOM) uses a randomly selected TCP port between 1024 and 65535. To simplify configuration of the firewall, you should restrict this usage if you scan through firewalls. See To set the DCOM Port Range for more information.

Windows NT4 and NT4 style domains (WMI)

TCP 139 is required instead of TCP 445 if you discover NT4 or you authenticate on an NT4-style non-AD Domain (such as a domain run using Samba 3.x or earlier).

TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and later and Active Directory networks use SMB directly over TCP 445.

WMI queries from a Windows Server 2008 host to a Windows NT4 host fail with the default security settings. To permit them, on the Windows proxy host turn off the requirement for 128-bit security in the Network security: Minimum session security for NTLM SSP based (including RPC) clients policy.

To set the DCOM port range

WMI is based on the Distributed Component Object Model (DCOM) which, by default, uses a randomly selected TCP port between 1024 and 65535 for communications. To make this more efficient for firewalls, the range can be restricted using the following procedure on each Target Host.

These settings should be restricted on the target host, not the Windows proxy host.

  1. Using a registry editor, create the key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
  2. Within that key create a REG_MULTI_SZ (Multi-String Value) called Ports.
  3. Enter in the port(s) or port range you want to use.
    The Windows proxy uses only one port; however, if the user has other DCOM applications in use on that machine, you might need to enable a larger range.
  4. Create a REG_SZ (String Value) called PortsInternetAvailable and give it the value Y.
  5. Create a REG_SZ (String Value) called UseInternetPorts and give it the value Y.
  6. Restart the computer.

You should also read the relevant Microsoft article about this issue: How to configure RPC dynamic port allocation to work with firewalls
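The six steps above as a script, added here as an example and not BMC's or Microsoft's code. It validates each port entry, creates the Rpc\Internet key and the three values the procedure names, and reads them back so the change can be verified before the reboot. Run it from an elevated PowerShell session on the discovery target, not on the Windows proxy host; the port range passed at the end is a constructed sample.

```powershell
function Set-DcomRpcPortRange {
    param(
        # One entry per port or range, for example '5000-5020' or '5000','5001'.
        [Parameter(Mandatory)][string[]]$Ports
    )
    foreach ($entry in $Ports) {
        if ($entry -notmatch '^(\d{1,5})(?:-(\d{1,5}))?$') {
            throw "Invalid Ports entry '$entry': use a single port or a low-high range"
        }
        $low  = [int]$Matches[1]
        $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
        # DCOM dynamic ports are allocated from 1024-65535; keep the restriction inside that range.
        if ($low -lt 1024 -or $high -gt 65535 -or $low -gt $high) {
            throw "Ports entry '$entry' is outside 1024-65535 or reversed"
        }
    }

    # Step 1: create the key if it does not already exist.
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Steps 2-3: Ports is a REG_MULTI_SZ holding the port(s) or range(s).
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value $Ports -Force | Out-Null
    # Steps 4-5: both flags are REG_SZ values set to Y.
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

    # Read back what was written so it can be checked before step 6 (restart).
    Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

# Constructed sample range; the Windows proxy needs only one port, other DCOM
# applications on the target may need more.
Set-DcomRpcPortRange -Ports '5000-5020'
Write-Warning 'Restart the target for the new DCOM port range to take effect.'
```

The same range must then be allowed through any firewall between the Windows proxy and the target, alongside TCP 135.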

RemQuery

The ports that are used by RemQuery discovery and the corresponding port assignments are described in the following table.

Port Number   Port assignment
139           NetBIOS Session Service
445           Microsoft Directory Services SMB

Communication between Windows proxy and RemQuery

In BMC Atrium Discovery 9.0 SP2, communication between the proxy and RemQuery on the discovery target is encrypted (where supported) using AES with a 256-bit key. If AES is not supported, RC2 encryption is attempted. If RC2 is not supported, communication is not encrypted.

Windows NT4 and NT4 style domains (RemQuery)

TCP 139 is required instead of TCP 445 if you discover NT4 or if you authenticate on an NT4-style non-AD Domain, such as a domain run using Samba 3.x or earlier.

TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and later and Active Directory networks use SMB directly over TCP 445.

Communication between Appliance and Windows proxies

The BMC Atrium Discovery appliance and the Windows proxies use CORBA to communicate. CORBA is used as a messaging system, which enables the appliance to invoke methods on the Windows proxy. For example, the Discovery Engine finds a Windows host, or one that appears to be a Windows host after IP fingerprinting. The appliance makes a CORBA call passing information, say the IP address and an instruction to invoke the "Discover Windows host" method. The method is invoked on the Windows proxy, and the host is discovered. The discovered information is returned by another CORBA call.

You should be aware that communication takes place between the appliance and the Windows proxy, using the following TCP ports:

  • 4321: Active Directory Windows proxy
  • 4322: Workgroup Windows proxy
  • 4323: Credential Windows proxy

Proxy port changes in 8.3 SP2

In BMC Atrium Discovery 8.3 SP2, proxies are not limited to the default ports. It is also possible to install multiple proxies of each type on a single host. Consequently, in BMC Atrium Discovery 8.3 SP2 you must check the proxy manager to determine which ports the proxies are using. The defaults are the same as previous releases, but installations of additional proxies use incremental ports. You can also use the proxy manager to modify the port that each proxy uses.

Workgroup Windows proxy support exists only for pre-8.2 Windows proxies; Workgroup proxies no longer exist in the current release, and all of their functionality has been moved into Active Directory Windows proxies.

Mainframe: Ports used for discovery

The only port required for mainframe discovery is 3940 TCP by default. See Discovery Configuration for more information on how to configure this port.

Ports used for consolidation

Consolidated appliances use port 25032 to communicate. The scanning appliance must be able to connect to port 25032 on the consolidation appliance. You must configure any firewalls between scanning appliances and consolidation appliances to allow this traffic. The connection is always initiated from the scanning appliance, because it is assumed to be on the secure side of the firewall.

Ports required for extended discovery

The following sections detail port information for extended discovery types.

J2EE Discovery

The port information used for J2EE discovery is determined in the patterns used to discover the particular J2EE Application Server. If no port information is discovered, then the default port is used. In addition, for full extended discovery, the port for the database that the J2EE Application Server is using is also required. This is dependent on the way that these servers are configured in your organization.

The following table details the default port.

Port Number   Port Assignment   Use
7001          JMX               WebLogic

SQL discovery

The port information used for SQL discovery is derived in the patterns used to discover the particular database. This is dependent on the way that databases are configured in your organization.

The following table details the default ports.

Port Number   Port Assignment   Use
1521          SQL               Oracle
1433          SQL               MS SQL
4100          SQL               Sybase ASE
3306          SQL               MySQL

VMware ESX/ESXi discovery using vCenter

The ports required for discovery of VMware ESX/ESXi hosts using vCenter are listed in the following table.

Port Number   Port Assignment   Use
443           HTTPS             VMware ESX/ESXi (also on vCenter host)
902           vSphere API       VMware ESX/ESXi

Discovery of vCenter

Discovery of vCenter uses standard host discovery with the creation of a vCenter SI triggered on a discovered vCenter process.

VMware ESX/ESXi discovery using vSphere

The ports required for discovery of VMware ESX/ESXi hosts are listed in the following table.

Port Number   Port Assignment   Use
443           HTTPS             VMware ESX/ESXi
902           vSphere API       VMware ESX/ESXi
