If any component of Traverse is installed behind a firewall, the firewall rules may need to be changed to accommodate the requirements below, depending on the existing policies. In these requirements, a "remote" host is a host outside the firewall and a "local" host is a device on the secure side of the firewall. The requirements do not apply when the two hosts in question are on the same side of the firewall (i.e. the packets do not cross the firewall).
Requirements for the BVE Provisioning Database
The provisioning server stores all device, test, action, threshold, authentication and other provisioning information. Both the web servers and the DGEs retrieve this information on demand by opening connections to the database server on specific TCP ports on the provisioning host. The following firewall rules must be applied for a provisioning server that is behind a firewall. Although the table lists the remote host as "any" for the incoming rules, only the web servers and DGEs need to reach these ports, so restrict the permitted source addresses to those hosts wherever the firewall policy allows it.
Firewall Rules for a Provisioning Server that is Behind a Firewall

| Protocol | Direction | Local Port | Remote Host | Remote Port | Reason |
|---|---|---|---|---|---|
| tcp | incoming | 7651 | any | any | Traverse Provisioning Database |
| tcp | incoming | 7652 | any | any | Traverse Provisioning Database |
| tcp | incoming | 7653 | any | any | Traverse messaging protocol #1 |
| tcp | incoming | 7654 | any | any | Traverse messaging protocol #2 |
| tcp | incoming | 7661 | any | any | Traverse BVE (provisioning) API server |
| udp | incoming | 162 | any | any | SNMP traps |
| tcp | outgoing | any | any DGE | 7657 | external data feed API server |
| tcp | outgoing | any | any DGE | 7659 | input stream monitor |
| udp | outgoing | any | DNS servers | 53 | DNS queries for name resolution |
Requirements for Web Servers
The web servers provide the interface for displaying all collected information as well as the reports generated from that information. If a location is served by more than one web server, a load balancer is installed to distribute the load; the load balancer needs the same firewall rule changes as the web servers themselves and may have additional firewall-specific requirements of its own. You must apply the following firewall rules for web servers that are behind a firewall:
Firewall Rules for a Web Server that is Behind a Firewall

| Protocol | Direction | Local Port | Remote Host | Remote Port | Reason |
|---|---|---|---|---|---|
| tcp | incoming | 80 | any | any | any access to Web Application |
| tcp | incoming | 443 | any | any | any access to Web Application over SSL |
| udp | outgoing | any | DNS servers | 53 | DNS queries for name resolution |
Requirements for DGE (monitors)
The DGEs perform the actual monitoring of all provisioned devices and store the collected data in a local database. The web servers need on-demand access to this stored data for report generation, and the provisioning server needs access to it to fulfil requests made via the BVE socket API. Because the DGE performs the monitoring tasks, it needs outbound access over a multitude of ports and protocols, one per type of service test it runs. The following firewall rules must be applied for a DGE that is behind a firewall:
Firewall Rules for a DGE that is Behind a Firewall

| Protocol | Direction | Local Port | Remote Host | Remote Port | Reason |
|---|---|---|---|---|---|
| tcp | incoming | 7657 | any | any | external data feed API server |
| tcp | incoming | 7659 | any | any | input stream monitor |
| tcp | incoming | 7663 | web app | any | DGE database lookup |
| tcp | incoming | 7655 | any | any | DGE status server |
| tcp | incoming | 9443 | dge-extensions | any | from DGE-extension to upstream DGE |
| tcp | outgoing | any | WMI query server | 7667 | DGE connection to WMI query server |
| tcp | incoming | any | any | 20 | active-mode FTP data connection: the FTP server connects back from its port 20 in response to the control connection the DGE opens to port 21 (a stateful firewall with an FTP connection-tracking helper handles this as a RELATED connection) |
| icmp | outgoing | any | any | echo | packet loss, round trip time tests |
| udp | outgoing | any | any | 161 | SNMP queries |
| udp | outgoing | any | any | 53 | DNS queries, tests |
| udp | outgoing | any | any | 123 | NTP service tests |
| udp | outgoing | any | any | 1645 | RADIUS service tests (1645 is the legacy RADIUS authentication port; allow 1812 as well if the RADIUS server listens on the IANA-assigned port) |
| tcp | outgoing | any | any | 21 | FTP service tests |
| tcp | outgoing | any | any | 25 | SMTP service tests, alerts via email |
| tcp | outgoing | any | any | 80 | HTTP service tests |
| tcp | outgoing | any | any | 110 | POP3 service tests |
| tcp | outgoing | any | any | 143 | IMAP service tests |
| tcp | outgoing | any | any | 389 | LDAP service tests |
| tcp | outgoing | any | any | 443 | HTTP over SSL service tests |
| tcp | outgoing | any | any | 993 | IMAP over SSL service tests |
| tcp | outgoing | any | any | 995 | POP3 over SSL service tests |
| tcp | outgoing | any | windows | 135 | WMI queries over DCOM to the Windows hosts being monitored; after the initial connection to port 135, DCOM negotiates a dynamic RPC port on the Windows host, so that port range must also be allowed (or the Windows hosts configured with a fixed RPC port range). See Apache Web Monitor. |
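As an added example (not part of the Traverse documentation), the following Python script turns a rule table in the pipe-delimited format used in the provisioning, web server and DGE tables above into an iptables ruleset, so the tables can be applied mechanically rather than transcribed by hand. The sample rows, the address mapping for the table's symbolic remote hosts (such as "web app"), and the chain layout (loopback and established traffic accepted first, everything not listed dropped) are assumptions for illustration. The generator fails closed when a symbolic host has no address mapping, and it reports every incoming rule that is left open to "any" so those can be narrowed to the hosts that actually need access.

```python
"""Generate iptables rules from a Traverse-style firewall requirements table.

Added example, not part of the Traverse documentation. Assumes iptables with
the conntrack and comment match modules; output is in iptables-restore syntax.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# (protocol, direction, local port, remote host, remote port, reason)
Rule = Tuple[str, str, str, str, str, str]

# Constructed sample input: four rows copied from the DGE table above.
DGE_TABLE = """
| Protocol | Direction | Local Port | Remote Host | Remote Port | Reason |
|---|---|---|---|---|---|
| tcp | incoming | 7663 | web app | any | DGE database lookup |
| tcp | incoming | 7655 | any | any | DGE status server |
| udp | outgoing | any | any | 161 | SNMP queries |
| icmp | outgoing | any | any | echo | packet loss, round trip time tests |
"""

# Hypothetical per-deployment mapping of the table's symbolic hosts to CIDRs.
HOST_MAP: Dict[str, Sequence[str]] = {"web app": ["10.0.1.10/32", "10.0.1.11/32"]}


def parse_rule_table(text: str) -> List[Rule]:
    """Parse a pipe-delimited table (header, separator, data rows) into rules."""
    rows: List[Rule] = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6:
            continue
        if cells[0].lower() == "protocol" or set(cells[0]) <= set("-: "):
            continue  # header row or markdown separator row
        rows.append((cells[0], cells[1], cells[2], cells[3], cells[4], cells[5]))
    return rows


def to_iptables(rules: Sequence[Rule],
                host_map: Dict[str, Sequence[str]]) -> Tuple[List[str], List[Rule]]:
    """Return (iptables-restore lines, incoming rules still open to any host).

    Raises KeyError for a symbolic remote host with no address mapping, so a
    forgotten mapping never silently widens a rule to the whole network.
    """
    lines = [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    open_to_any: List[Rule] = []
    for rule in rules:
        proto, direction, lport, rhost, rport, reason = rule
        if direction not in ("incoming", "outgoing"):
            raise ValueError(f"unknown direction {direction!r}")
        inbound = direction == "incoming"
        chain = "INPUT" if inbound else "OUTPUT"
        peers: List[Optional[str]]
        if rhost.lower() == "any":
            peers = [None]
            if inbound:
                open_to_any.append(rule)  # flag for the operator to tighten
        else:
            if rhost not in host_map:
                raise KeyError(f"no address mapping for remote host {rhost!r}")
            peers = list(host_map[rhost])
        for peer in peers:
            parts = ["-A", chain, "-p", proto]
            if peer is not None:
                parts += ["-s" if inbound else "-d", peer]
            if proto == "icmp":
                parts += ["--icmp-type", "echo-request"]  # replies come back as ESTABLISHED
            else:
                # "Local Port" is --dport on INPUT and --sport on OUTPUT; "Remote Port" the reverse.
                if lport.lower() != "any":
                    parts += ["--dport" if inbound else "--sport", lport]
                if rport.lower() != "any":
                    parts += ["--sport" if inbound else "--dport", rport]
                parts += ["-m", "conntrack", "--ctstate", "NEW"]
            comment = reason.replace('"', "'")[:256]  # iptables comment limit
            parts += ["-m", "comment", "--comment", f'"{comment}"', "-j", "ACCEPT"]
            lines.append(" ".join(parts))
    lines += ["-A INPUT -j DROP", "-A OUTPUT -j DROP"]  # default deny
    return lines, open_to_any


if __name__ == "__main__":
    ruleset, loose = to_iptables(parse_rule_table(DGE_TABLE), HOST_MAP)
    print("*filter")
    print("\n".join(ruleset))
    print("COMMIT")
    for r in loose:
        print(f"# WARNING: incoming port {r[2]}/{r[0]} ({r[5]}) is open to any host")
```

The generated lines can be wrapped in a `*filter` ... `COMMIT` block and fed to `iptables-restore`; the warnings are the rows worth revisiting, since in practice only the web servers, DGEs and DGE-extensions need to reach the Traverse ports.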
Firewall ports for DGE-extensions
DGE-extensions make only outbound connections, to an upstream DGE and to the BVE; there are no incoming connections to a DGE-extension. The following TCP ports must be opened at the upstream DGE and BVE locations to allow the DGE-extensions to connect:
| Port | From | To |
|---|---|---|
| TCP/7651 | DGE-x | BVE |
| TCP/7652 | DGE-x | BVE |
| TCP/7653 | DGE-x | BVE |
| TCP/7654 | DGE-x | BVE |
| TCP/9443 | DGE-x | DGE |