For efficiency, the appliance uses ICMP ping to locate a device. It is possible to use other ping techniques if ICMP Echo is suppressed in your environment. To do so, on the Administration tab, scroll down to the Discovery section and click Options. Enable the Use TCP ACK "ping" before scanning and Use TCP SYN "ping" before scanning check boxes, and enter the port numbers in the TCP ports to use for initial scan and UDP ports to use for initial scan fields.
If you do not allow ICMP pings through the firewall and do not enable TCP ACK and SYN pings, performance might suffer. This is because Discovery then performs a full "Access Method" nmap port scan to determine whether the host is actually present, which causes delays as Discovery waits for each request to time out. In this situation you must set "Ping hosts before scanning" to "No". If ICMP Echo is suppressed for only a limited range of IPs, you can disable the ping behavior for those IPs by using the Exclude ranges from ping setting. For more information, see Configuring discovery settings.
To scan networks that do not permit ICMP ping packets, you may set Use TCP ACK ping before scanning or Use TCP SYN ping before scanning (or both of these) in your discovery settings to Yes. If BMC Atrium Discovery pings an IP address where there is no device and some firewall in your environment is configured to respond for that IP address, it may result in reporting a device which does not exist on the network rather than dark space (NoResponse). To avoid this, it is recommended to either alter such firewall configurations or not to enable TCP ACK ping or TCP SYN ping.
If Discovery cannot connect to an endpoint, it uses heuristic techniques to estimate what sort of device is present. These are controlled by options in Configuring discovery settings.
Port 4 (TCP and UDP) is required if you use IP fingerprinting, because Discovery must observe the response from a guaranteed closed port on the endpoint.
Port 4 must be closed on the discovery target, but must be open on any firewall between the appliance and discovery target, so that the response is from the target rather than the firewall. Where this is not the case, the heuristic receives a response from two different TCP/IP stacks, leading to unpredictable results including the endpoint being classified as a firewall or an unrecognized device. This can lead BMC Atrium Discovery to skip devices (see UnsupportedDevice in the DiscoveryAccess page).
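A pre-scan check for the port 4 precondition, added here as an example that is not part of the BMC documentation: run from a host on the appliance's side of the firewall (the target address 192.0.2.10 is a placeholder), it reports whether TCP port 4 on the target answers with a RST (closed, as the heuristic expects), is silently dropped (filtered by something in the path), or unexpectedly has a listener. UDP port 4 is not probed.

```powershell
# Added example: classify the response to a TCP connect on port 4 of a discovery target.
# 'closed'   - RST received promptly: the "guaranteed closed port" assumption holds.
# 'filtered' - no SYN-ACK and no RST within the timeout: a firewall drops port 4.
# 'open'     - something accepted the connection: port 4 is not closed on this host.
function Test-ClosedPortResponse {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Port = 4,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'filtered'
        }
        $client.EndConnect($ar)
        return 'open'
    } catch {
        # .NET exceptions reach PowerShell wrapped; unwrap to the SocketException
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.Sockets.SocketException]) {
            $ex = $ex.InnerException
        }
        if ($ex -and $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'closed'
        }
        return "error:$($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Placeholder target; replace with a host you are about to scan.
$result = Test-ClosedPortResponse -Target '192.0.2.10'
switch ($result) {
    'closed'   { 'OK: port 4 is reachable and closed; fingerprinting can trust the RST' }
    'filtered' { 'WARN: port 4 is dropped in transit; allow it through the firewall' }
    'open'     { 'WARN: a service listens on port 4; the closed-port heuristic will misfire' }
    default    { "Probe did not complete: $result" }
}
```

A RST only proves that some TCP/IP stack answered; if a firewall answers on the target's behalf, the mixed-stack problem described above still applies, so compare the result with a host that is known to be directly reachable.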
The ports listed in the following table are used to determine what device is present.
Port Number | Port assignment |
---|---|
4 | Closed Port |
21 | FTP |
22 | SSH |
23 | telnet |
80 | HTTP |
135 | Windows RPC |
161 | SNMP |
443 | HTTPS |
513 | rlogin |
902 | VMware Authentication Daemon |
3940 | Discovery for z/OS Agent |
The only port required for SNMP discovery is 161 UDP.
The minimum port required for successful UNIX discovery is just the port associated with the access methods that you use. For example, if you only use ssh, this will be port 22. The following table details the assignment for each port number.
Port Number | Port assignment |
---|---|
22 | SSH |
23 | telnet |
513 | rlogin |
This section describes the ports that the Windows proxy uses when discovering remote Windows targets. If you intend to discover hosts behind a firewall, you must open these ports in the firewall. The ports given are outgoing (from the Windows proxy) TCP ports.
The appliance scans port 135 to determine whether the port is open and therefore the target is likely to be a Windows host. If the port is open, further discovery is performed using the Windows proxy.
You can disable this behavior. To do so:
The ports that are used by WMI discovery methods and the corresponding assigned ports are described in the following table.
Port Number | Port assignment |
---|---|
135 | DCE RPC Endpoint Manager |
1024-1030 | Restricted DCOM |
1024-65535 | Unrestricted DCOM |
139 | Netbios Session Service |
445 | Microsoft Directory Services SMB |
All WMI communication from BMC Atrium Discovery is sent with Packet Privacy enabled. If the host being discovered does not support Packet Privacy, the flag is ignored and WMI returns the requested information (for example, if you run a version earlier than Windows Server 2003 with Service Pack 1 (SP1)).
By default, WMI (DCOM) uses a randomly selected TCP port between 1024 and 65535. To simplify configuration of the firewall, you should restrict this usage if you scan through firewalls. See To set the DCOM Port Range for more information.
TCP 139 is required instead of TCP 445 if you discover NT4 or you authenticate on an NT4-style non-AD Domain (such as a domain run using Samba 3.x or earlier).
TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and later and Active Directory networks use SMB directly over TCP 445.
WMI queries from a Windows Server 2008 to a Windows NT4 host fail using the default security settings. On the Windows proxy host, turn off the requirement for 128 bit security in the Network security: Minimum session security for NTLM SSP based (including RPC) clients policy to permit this.
WMI is based on the Distributed Component Object Model (DCOM) which, by default, uses a randomly selected TCP port between 1024 and 65535 for communications. To make this more efficient for firewalls, the range can be restricted using the following procedure on each Target Host.
These settings should be restricted on the target host, not the Windows proxy host.
1. On the target host, open the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet.
2. Create a REG_MULTI_SZ (Multi-String Value) called Ports, containing the port range to use.
3. Create a REG_SZ (String Value) called PortsInternetAvailable and give it the value Y.
4. Create a REG_SZ (String Value) called UseInternetPorts and give it the value Y.
You should also read the relevant Microsoft article about this issue: How to configure RPC dynamic port allocation to work with firewalls.
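The same registry change as a script, added here as an example and not taken from the BMC documentation: it runs in an elevated PowerShell session on each discovery target (not on the Windows proxy), and the range 5000-5100 is an assumed placeholder that you should replace with a range that fits your firewall policy.

```powershell
# Added example: restrict the RPC/DCOM dynamic port range on a discovery TARGET host
# by writing the three values under HKLM\Software\Microsoft\Rpc\Internet.
# A reboot of the target is required before RPC uses the new range.
$rpcKey    = 'HKLM:\Software\Microsoft\Rpc\Internet'
$portRange = '5000-5100'   # assumed example range; choose your own

function Set-DcomPortRange {
    param(
        [Parameter(Mandatory)][string]$Range,
        [string]$Key = $rpcKey
    )
    # The Internet subkey does not exist by default; create it if needed.
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Ports: REG_MULTI_SZ, one port or "low-high" range per element
    New-ItemProperty -Path $Key -Name 'Ports' -PropertyType MultiString `
        -Value @($Range) -Force | Out-Null
    # PortsInternetAvailable: REG_SZ = Y (the listed ports are the usable ones)
    New-ItemProperty -Path $Key -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    # UseInternetPorts: REG_SZ = Y (RPC allocates from the Ports list)
    New-ItemProperty -Path $Key -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

# Read back the values so the change can be verified before rebooting.
function Get-DcomPortRange {
    param([string]$Key = $rpcKey)
    if (-not (Test-Path $Key)) { return $null }
    Get-ItemProperty -Path $Key |
        Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

Set-DcomPortRange -Range $portRange
Get-DcomPortRange
```

Any firewall between the Windows proxy and the target must then allow TCP 135 plus the chosen range.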
The ports that are used by RemQuery discovery and the corresponding port assignments are described in the following table.
Port Number | Port assignment |
---|---|
139 | Netbios Session Service |
445 | Microsoft Directory Services SMB |
In BMC Atrium Discovery 9.0 SP2, communication between the proxy and RemQuery on the discovery target is encrypted (where supported) using AES with a 256 bit key. If AES is not supported, RC2 encryption is attempted. If RC2 is not supported, then communication is not encrypted.
TCP 139 is required instead of TCP 445 if you discover NT4 or if you authenticate on an NT4-style non-AD Domain, such as a domain run using Samba 3.x or earlier.
TCP 139 is the NetBIOS Session Service. Some versions of Windows (particularly 9x/NT4) run SMB on NetBIOS over TCP using port 139. Newer versions default to running SMB directly over TCP on port 445. Windows XP/2003/Vista/2008 and later and Active Directory networks use SMB directly over TCP 445.
The BMC Atrium Discovery appliance and the Windows proxies use CORBA to communicate. CORBA is used as a messaging system, which enables the appliance to invoke methods on the Windows proxy. For example, the Discovery Engine finds a Windows host, or one that appears to be a Windows host after IP fingerprinting. The appliance makes a CORBA call passing information, say the IP address and an instruction to invoke the "Discover Windows host" method. The method is invoked on the Windows proxy, and the host is discovered. The discovered information is returned by another CORBA call.
You should be aware that communication takes place between the appliance and the Windows proxy, using the following TCP ports:
Proxy port changes in 8.3 SP2
In BMC Atrium Discovery 8.3 SP2, proxies are not limited to the default ports. It is also possible to install multiple proxies of each type on a single host. Consequently, in BMC Atrium Discovery 8.3 SP2 you must check the proxy manager to determine which ports the proxies are using. The defaults are the same as previous releases, but installations of additional proxies use incremental ports. You can also use the proxy manager to modify the port that each proxy uses.
Workgroup Windows proxy support is only for pre-8.2 Windows proxies, as they no longer exist in the current release. All of their functionality has been moved into Active Directory Windows proxies.
The only port required for mainframe discovery is 3940 TCP by default. See Discovery Configuration for more information on how to configure this port.
Consolidated appliances use port 25032 to communicate. The scanning appliance must be able to connect to port 25032 on the consolidation appliance. You must configure any firewalls between scanning appliances and consolidation appliances to allow this traffic. The connection is always initiated from the scanning appliance, because it is assumed to be on the secure side of the firewall.
The following sections detail port information for extended discovery types.
The port information used for J2EE discovery is determined in the patterns used to discover the particular J2EE Application Server. If no port information is discovered, then the default port is used. In addition, for full extended discovery, the port for the database that the J2EE Application Server is using is also required. This is dependent on the way that these servers are configured in your organization.
The following table details the default port.
Port Number | Port Assignment | Use |
---|---|---|
7001 | JMX | WebLogic |
The port information used for SQL discovery is derived in the patterns used to discover the particular database. This is dependent on the way that databases are configured in your organization.
The following table details the default ports.
Port Number | Port Assignment | Use |
---|---|---|
1521 | SQL | Oracle |
1433 | SQL | MS SQL |
4100 | SQL | Sybase ASE |
3306 | SQL | MySQL |
The ports required for discovery of VMware ESX/ESXi hosts using vCenter are listed in the following table.
Port Number | Port Assignment | Use |
---|---|---|
443 | HTTPS | VMware ESX/ESXi (also on vCenter host) |
902 | vSphere API | VMware ESX/ESXi |
Discovery of vCenter
Discovery of vCenter uses standard host discovery with the creation of a vCenter SI triggered on a discovered vCenter process.
The ports required for discovery of VMware ESX/ESXi hosts are listed in the following table.
Port Number | Port Assignment | Use |
---|---|---|
443 | HTTPS | VMware ESX/ESXi |
902 | vSphere API | VMware ESX/ESXi |