To allow Sentinel Agent Manager to monitor computers in a firewall environment, open the ports that carry communication between Sentinel Agent Manager components and the monitored computers, between the Sentinel Agent Manager components themselves, and between those components and the Sentinel server.
The following sections provide information necessary for installing and configuring Sentinel Agent Manager to work properly with firewalls. For more information about configuring firewalls and Sentinel Agent Manager, contact NetIQ Technical Support.
NetIQ Corporation does not support managed agents separated from the central computer by a firewall or other device or configuration that can impede RPC or NetBIOS functionality.
When monitoring computers behind a firewall, NetIQ Corporation recommends manually installing unmanaged agents on your remote computers. For more information about manually installing unmanaged Windows agents, see Section 4.1, Understanding Unmanaged Windows Agent Installation.
To install Sentinel Agent Manager in a firewall environment, you must configure all firewalls to allow the domains in which you want to install Sentinel Agent Manager components to trust one another. For more information about configuring a firewall to allow trust, see the Microsoft Knowledge Base Article 179442.
The ports listed in the following sections are the default ports used for communication between Sentinel Agent Manager components. Ensure that these ports are open on the firewall.
NOTE:
All SQL ports listed are default ports. If you want to use named instances for any Sentinel Agent Manager SQL Server databases or services, configure named instances before installing Sentinel Agent Manager and specify the named instances during installation.
If you want to use a non-default port and have stopped the SQL Server Browser service, you must open the non-default port and create an alias for the port on all central computers and user interface computers.
Sentinel Agent Manager does not support using SQL aliases when installing the database server.
For more information about configuring Microsoft SQL Server ports on the firewall, see the Microsoft SQL Server documentation.
The central computer uses the following ports for communication with other Sentinel Agent Manager components.
| Port Number | To Component | Direction | Required/Optional | Purpose |
|---|---|---|---|---|
| TCP 1433 | Database server | Outbound | Required | By default, the central computer uses this port to connect to the OnePoint database on the database server. This port is the default port for Microsoft SQL Server. Instances use alternate ports configured during installation. |
| UDP 1434 | Database server | Outbound | Required | If using a SQL Server instance, the browser service uses UDP 1434 to identify the port for the named instance. |
| TCP 135 | Database server | Bidirectional | Required | The database server uses this port to discover the Microsoft Distributed Transaction Coordinator (MSDTC) listening port on the central computer. |
| TCP (random) | Database server | Inbound | Optional | MSDTC on the database server computer uses RPC dynamic port allocation to randomly select a port number ranging from 1024 to 65535 for communication with the central computer. If you use a firewall to separate the database server from the central computer, the database server cannot communicate with the central computer unless you restrict RPC port usage to a specific number of ports higher than 1024 and then open those ports. For more information about configuring MSDTC and RPC port usage, see Microsoft Knowledge Base Articles 250367, 300083, and 826852. |
| TCP 1590 | Agent Manager Connector | Outbound | Required | By default, the central computer uses this port to connect to the Agent Manager Connector on the Sentinel server. |
The Sentinel server uses the following ports for communication with other Sentinel Agent Manager components.
| Port Number | To Component | Direction | Required/Optional | Purpose |
|---|---|---|---|---|
| TCP 1433 | Database server | Outbound | Required | By default, the Sentinel server uses this port to connect to the database server. This port is the default port for Microsoft SQL Server. Instances use alternate ports configured during installation. |
| UDP 1434 | Database server | Outbound | Required | If using a SQL Server instance, the browser service uses UDP 1434 to identify the port for the named instance. |
Windows agents use the following ports for communication with other Sentinel Agent Manager components.
| Port Number | To Component | Direction | Required/Optional | Purpose |
|---|---|---|---|---|
| TCP 8270 | Central computer | Outbound | Required | Agents use this port to connect to the central computer. |
| TCP 445 (SMB over TCP) | Central computer | Inbound | Required | The central computer uses the Server Message Block protocol (SMB) over TCP port 445 to manage managed agents. |
Unmanaged Windows agents use the following port for communication with other Sentinel Agent Manager components.
| Port Number | To Component | Direction | Required/Optional | Purpose |
|---|---|---|---|---|
| TCP 8270 | Central computer | Outbound | Required | The new Windows agent, version 6.5 and later, uses this port to connect to the central computer. |
The Agent Manager console uses the following ports for communication with other Sentinel Agent Manager components.
| Port Number | To Component | Direction | Required/Optional | Purpose |
|---|---|---|---|---|
| TCP 135 | Central computer | Bidirectional | Required | The Agent Manager Console uses this port to discover the Windows Distributed Component Object Model (DCOM) listening port on the central computer. |
| TCP (random) | Central computer | Outbound | Optional | Windows DCOM on the Agent Manager Console computer uses RPC dynamic port allocation to randomly select a port number ranging from 1024 to 65535 for communication with the central computer. If you use a firewall to separate the Agent Manager Console from the central computer, the Agent Manager Console cannot communicate with the central computer unless you restrict RPC port usage to a specific number of ports higher than 1024 and then open those ports. For more information about configuring RPC port usage, see Microsoft Knowledge Base Articles 300083 and 826852. |
| TCP 1433 | Database server | Outbound | Required | By default, the Agent Manager Console uses this port to connect to the OnePoint database on the database server. This port is the default port for Microsoft SQL Server. Instances use alternate ports configured during installation. |
| UDP 1434 | Database server | Outbound | Required | If using a SQL Server instance, the browser service uses UDP 1434 to identify the port for the named instance. |
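The "TCP (random)" rows in the central computer table and in the Agent Manager console table describe the same obstacle: MSDTC and DCOM pick an RPC port at random between 1024 and 65535, which no static firewall rule can anticipate. The following PowerShell is an added example, not part of the NetIQ documentation, showing one way to pin RPC dynamic allocation to a fixed range above 1024 through the registry values Microsoft documents for this purpose and then open exactly that range plus the TCP 135 endpoint mapper on the Windows Firewall, scoped to the single peer that needs them. The range 5000-5100 and the peer address are assumptions; run it elevated on each computer whose RPC range must be reachable through the firewall (the database server in the first table, the Agent Manager console in the last) and reboot afterwards, since the RPC runtime reads these values only at start-up.

```powershell
# Added example, not from the NetIQ documentation. Run as Administrator, then reboot.
$RangeStart = 5000          # assumption: any contiguous range above 1024 works
$RangeEnd   = 5100
$Peer       = '10.0.0.10'   # assumption: address of the computer on the far side of the firewall

# 1. Pin RPC dynamic port allocation to the range. These are the documented
#    Microsoft values under HKLM\SOFTWARE\Microsoft\Rpc\Internet.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$RangeStart-$RangeEnd") -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# 2. Open TCP 135 (Bidirectional in the tables) and the pinned range, restricted
#    to the peer address rather than to any remote host. Inbound rules match on
#    the local port, outbound rules on the remote port.
$rules = @(
    @{ Name='SAM RPC endpoint mapper (in)';  Dir='Inbound';  Port='135' },
    @{ Name='SAM RPC endpoint mapper (out)'; Dir='Outbound'; Port='135' },
    @{ Name='SAM RPC dynamic range (in)';    Dir='Inbound';  Port="$RangeStart-$RangeEnd" },
    @{ Name='SAM RPC dynamic range (out)';   Dir='Outbound'; Port="$RangeStart-$RangeEnd" }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $p = @{ DisplayName=$r.Name; Direction=$r.Dir; Protocol='TCP';
            RemoteAddress=$Peer; Action='Allow'; Profile='Domain' }
    if ($r.Dir -eq 'Inbound') { $p.LocalPort = $r.Port } else { $p.RemotePort = $r.Port }
    New-NetFirewallRule @p | Out-Null
}

# 3. Print what is now configured so it can be compared against the tables.
Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Get-NetFirewallRule -DisplayName 'SAM RPC*' | Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

The firewall on the other side of the link needs the mirror-image rules (its own TCP 135 inbound, and outbound to this range), which this script does not create.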
If you encounter issues with Sentinel Agent Manager components communicating through a firewall, you may need to verify that you have configured Microsoft Distributed Transaction Coordinator (MSDTC) correctly on all central computers and database servers.
For more information about the MSDTC settings required to install database servers, see Section 2.7, Planning to Install Your Database Server. For more information about the MSDTC settings required to install central computers, see Section 2.8, Planning to Install Your Central Computers.
You can also use the DTCPing tool to verify connectivity between Sentinel Agent Manager computers. DTCPing tests name resolution, RPC communication, and MSDTC communication between two computers that have the tool installed and displays MSDTC settings.
For more information about troubleshooting MSDTC-related issues and using the DTCPing tool, see Microsoft Knowledge Base Articles 250367, 306843, and 918331.
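Before reaching for DTCPing, it helps to know whether the firewall passes the listed ports at all. The following PowerShell is an added example, not from the NetIQ documentation; the host names are placeholders, and the checks are the outbound rows from the port tables above, each run from the computer named in its Role column. TCP ports are probed with Test-NetConnection. UDP 1434 has no handshake to probe, so the script instead sends the SQL Server Browser (SSRP) instance-list request and parses the reply, which also reveals the TCP port a named instance is actually listening on, the information the tables say this port exists to provide.

```powershell
# Added example, not from the NetIQ documentation. Placeholders for your hosts:
$CentralComputer = 'central.example.local'
$DatabaseServer  = 'sql.example.local'
$SentinelServer  = 'sentinel.example.local'

# Outbound rows from the port tables; run each check from the computer in Role.
$Checks = @(
    @{ Role='Central computer';      Target=$DatabaseServer;  Proto='TCP'; Port=1433 },
    @{ Role='Central computer';      Target=$DatabaseServer;  Proto='UDP'; Port=1434 },
    @{ Role='Central computer';      Target=$DatabaseServer;  Proto='TCP'; Port=135  },
    @{ Role='Central computer';      Target=$SentinelServer;  Proto='TCP'; Port=1590 },
    @{ Role='Sentinel server';       Target=$DatabaseServer;  Proto='TCP'; Port=1433 },
    @{ Role='Windows agent';         Target=$CentralComputer; Proto='TCP'; Port=8270 },
    @{ Role='Agent Manager console'; Target=$CentralComputer; Proto='TCP'; Port=135  },
    @{ Role='Agent Manager console'; Target=$DatabaseServer;  Proto='TCP'; Port=1433 }
)

# UDP 1434: send an SSRP CLNT_UCAST_EX request (a single 0x03 byte) to the SQL
# Server Browser service. The reply is 0x05, a 2-byte length, then ';'-separated
# text listing each instance with the TCP port it listens on.
function Get-SqlBrowserInstances {
    param([string]$Server, [int]$TimeoutMs = 2000)
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 1434)
        [void]$udp.Send([byte[]]@(0x03), 1)
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
        if ($resp.Length -lt 3 -or $resp[0] -ne 0x05) { return $null }
        return [System.Text.Encoding]::ASCII.GetString($resp, 3, $resp.Length - 3)
    } catch { return $null } finally { $udp.Close() }
}

foreach ($c in $Checks) {
    $detail = ''
    if ($c.Proto -eq 'TCP') {
        $ok = Test-NetConnection -ComputerName $c.Target -Port $c.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    } else {
        $detail = Get-SqlBrowserInstances -Server $c.Target
        $ok = [bool]$detail   # a blocked or stopped Browser service yields no reply
    }
    $state = if ($ok) { 'open' } else { 'BLOCKED' }
    '{0,-22} {1}:{2}/{3}  {4} {5}' -f $c.Role, $c.Target, $c.Port, $c.Proto, $state, $detail
}
```

A BLOCKED result on UDP 1434 with an open TCP 1433 is the case described in the NOTE above: if the SQL Server Browser service is stopped, the non-default instance port must be opened and aliased on every central computer and console instead.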