BMC PATROL for Amazon Web Services (BMC PATROL for AWS) connects directly to your production databases. BMC therefore recommends that communication between the tiers of a product, especially when any tier lies outside your internal network, be carried over virtual private network (VPN) connections for the strongest security. This section describes how to set up those communications in your environment, as discussed in the following topics.
A VPN connects two or more private networks (each protected by mechanisms such as encryption and authentication) over a publicly accessible network such as the Internet. A VPN can carry the same intranet and extranet services as a wide area network (WAN), and it can also provide secure remote access: employees working remotely connect to a local service provider and reach their company's internal intranet through the VPN.
BMC PATROL provides part of this protection within the product itself: connections between clients and servers can be configured to use the Secure Sockets Layer (SSL) protocol. SSL combines several network security techniques, including public/private key cryptography and certificates issued by a trusted certificate authority. Note that SSL protects only the PATROL client-to-server connection; it does not tunnel other traffic between tiers, so it is not a substitute for a VPN where that traffic also crosses an untrusted network. See the PATROL Security User Guide for a further discussion of the security techniques that BMC PATROL uses.
If your environment requires communication between product tiers through a firewall or port-forwarding device, the following list describes some basic considerations. If you require more detailed assistance, contact BMC Customer Support.
It is common to run both the PATROL Agent and the BMC PATROL for AWS components on the database server host, while the PATROL console runs on a client host used for system administration tasks. In that layout the PATROL console can sit outside the firewall (but protected by a firewall of its own) while the PATROL Agents sit behind it. Once the connection between the PATROL console and the PATROL Agent has been established, all port requirements have been met, unless you want to deploy the product to other servers.
To deploy Knowledge Modules (KMs), ensure that the following ports are open:
For details about configuring a firewall for communication between the PATROL Agents and the PATROL console, see the PATROL Installation Utility Reference Manual.
The following table lists the protocols, ports, and connection directions required for each major feature. Note that day-to-day operations involving only Distribution Manager and executing distributions require only one connection protocol and port: HTTP:80 or HTTPS:443, depending on the security level.
Feature | Protocol | Default port | Connection (initiator > listener) |
---|---|---|---|
Distribution Manager (web interface) | HTTP/HTTPS (TCP) | 80 / 443 | Web browser > Web Server |
Distribution Server command-line interface | COS (TCP, RT) | 2059 | CLI > Distribution Server |
Distribution Server command-line interface | PATROL (pexec) | 3181 | Distribution Server > target system |
Distribution Server command-line interface | WIN MAP (SMB) | 135 - 139 | Distribution Server > target system |
Distribution Server command-line interface | WIN Remote Reg | 135 - 139 | Distribution Server > target system |
Distribution Server command-line interface | FTP | 21 | Distribution Server > target system |
Distribution Server command-line interface | Telnet | 23 | Distribution Server > target system |
Distribution Server command-line interface | SFTP | 115 | Distribution Server > target system |
Distribution Server command-line interface | SSH | 22 | Distribution Server > target system |
Distribution (pull files) | HTTP / HTTPS | 80 / 443 | Distribution Client > Distribution Server |
Distribution (wake up) | TCP | 50005 | |
Port 115 is the IANA assignment for the Simple File Transfer Protocol; if file transfer is actually done over SSH (SFTP as the SSH subsystem), it uses the SSH port, 22, and no separate port needs to be opened. FTP, Telnet and HTTP carry credentials and payloads in cleartext, so prefer SSH, SFTP and HTTPS, particularly where the connection crosses the firewall boundary, and open only the transfer method you actually use rather than the whole list.
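The table above is the input a practitioner turns into firewall rules. The following added example (not code from BMC or from this page) derives a least-privilege inbound rule set for one tier from the table and emits it in the IpPermissions shape accepted by `aws ec2 authorize-security-group-ingress --ip-permissions`, so each host is opened only to its actual peer's address range, only HTTP or only HTTPS is opened depending on the security level, and only the chosen file-transfer method is allowed on a target host. The tier names (`web-server`, `distribution-server`, `distribution-client`, `target`, `browser`, `cli`), the method tags, and the assumed server-to-client direction of the wake-up connection are this example's own assumptions, not BMC terminology; the `probe` helper is the reachability check you would run from the initiating side once the rules are in place.

```python
"""Least-privilege security-group rules derived from the PATROL port table.

Added example, not BMC's code. Tier names, method tags and the wake-up
direction are assumptions made for the example.
"""
import json
import socket

# Rows transcribed from the page's port table (constructed data for this example).
# (protocol, port spec, listening tier, initiating tier, optional method, cleartext?)
# method=None means the row is always required between that pair of tiers.
PORT_TABLE = [
    ("tcp", "80",        "web-server",          "browser",             "http",   True),
    ("tcp", "443",       "web-server",          "browser",             "https",  False),
    ("tcp", "2059",      "distribution-server", "cli",                 None,     False),
    ("tcp", "3181",      "target",              "distribution-server", None,     False),
    ("tcp", "135 - 139", "target",              "distribution-server", "smb",    False),
    ("tcp", "135 - 139", "target",              "distribution-server", "winreg", False),
    ("tcp", "21",        "target",              "distribution-server", "ftp",    True),
    ("tcp", "23",        "target",              "distribution-server", "telnet", True),
    ("tcp", "115",       "target",              "distribution-server", "sftp",   False),
    ("tcp", "22",        "target",              "distribution-server", "ssh",    False),
    ("tcp", "80",        "distribution-server", "distribution-client", "http",   True),
    ("tcp", "443",       "distribution-server", "distribution-client", "https",  False),
    # The page does not state the wake-up direction; assumed server -> client here.
    ("tcp", "50005",     "distribution-client", "distribution-server", None,     False),
]


def parse_port_range(spec):
    """'80' -> (80, 80); '135 - 139' -> (135, 139). Rejects malformed specs."""
    parts = [int(p) for p in spec.replace(" ", "").split("-")]
    lo, hi = parts[0], parts[-1]
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


def inbound_rules(tier, peers, tls=True, methods=()):
    """Return IpPermissions entries for `tier`, opened only to the CIDRs in
    `peers` ({initiating tier: cidr}). tls=True keeps the HTTPS rows and drops
    HTTP (and vice versa); `methods` names the optional transfer mechanisms to
    allow on a target host, default none. Rows sharing a port range and source
    are merged into one entry."""
    wanted = set(methods) | ({"https"} if tls else {"http"})
    if {"http", "https"} <= wanted:
        raise ValueError("open either HTTP or HTTPS for the security level, not both")
    merged = {}
    for proto, spec, listener, initiator, method, cleartext in PORT_TABLE:
        if listener != tier or initiator not in peers:
            continue
        if method is not None and method not in wanted:
            continue
        lo, hi = parse_port_range(spec)
        cidr = peers[initiator]
        entry = merged.setdefault((proto, lo, hi, cidr), {
            "IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr, "Description": ""}],
        })
        label = f"{initiator} to {listener} {method or 'required'}"
        if cleartext:
            label += " CLEARTEXT"
        desc = entry["IpRanges"][0]["Description"]
        entry["IpRanges"][0]["Description"] = f"{desc}; {label}" if desc else label
    return sorted(merged.values(), key=lambda r: (r["FromPort"], r["ToPort"]))


def cleartext_rules(rules):
    """Entries that admit a cleartext protocol (FTP, Telnet, HTTP); review these."""
    return [r for r in rules if "CLEARTEXT" in r["IpRanges"][0]["Description"]]


def probe(host, port, timeout=3.0):
    """Run from the initiating tier after applying the rules: True if the TCP
    handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # A target host reachable from one Distribution Server, SSH as the only transfer method.
    rules = inbound_rules("target", {"distribution-server": "10.0.1.5/32"}, methods={"ssh"})
    print(json.dumps(rules, indent=2))
    for r in cleartext_rules(rules):
        print("WARNING cleartext:", r["IpRanges"][0]["Description"])
```

Pass the printed JSON as the `--ip-permissions` argument of `aws ec2 authorize-security-group-ingress` for the security group attached to that tier; the AWS group description field does not accept `>`, which is why the labels use "to". Selecting `methods={"ftp"}` or `tls=False` still works, but `cleartext_rules` flags the result so the exposure is a deliberate choice rather than an accident.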