Server Management (Insight Manager 7)

CIM Agent Behind Firewall

SOLVED
Ran Deri
Occasional Advisor

CIM Agent Behind Firewall

Hi!
Is there a way to activate a CIM agent (version 6.4) to work with CIM Centre version 5.5, while:
1. The agent is behind a firewall (DMZ), and
2. I want to open only outbound ports from the agent to the centre, and
3. I care only about error messages from the agent to the centre (I don't really care about seeing the server with a "green light". I want to see a "red light" when a problem occurs, with the appropriate message)?

Best regards,
Ran.
Jadrice Toussaint
Honored Contributor

Re: CIM Agent Behind Firewall

Ran -

I'm assuming that your IM server is in the trusted portion of your network. If that is the case, your trusted firewall interface should have full security access to your DMZ interface, since of course it is a trusted segment. What that translates into is that the IM server will be able to ping and gather data from your device on the DMZ segment. For you to receive SNMP traps from an agent on the DMZ segment to your internal IM server, open port 162 from the DMZ to your IM server IP address or host.

Keep in mind that you will only allow SNMP trap messages to be sent to just the IM server and not the whole internal segment.


To recap:

Open port 162 DMZ --> internal interface/IM server.
Jadrice Toussaint
Honored Contributor

Re: CIM Agent Behind Firewall

I forgot to mention that you will still have a functional setup where you will still be able to see device status and so on.
Ran Deri
Occasional Advisor

Re: CIM Agent Behind Firewall

Hi Jadrice!

First, thanks for the answer.
The problem is that the situation is exactly the opposite: the CIM Server is on the untrusted side of the network and the agent is in the internal network (maybe I didn't explain it very well).
Therefore, I can't open ports from the server to the agents, but only from the agent to the server (outbound).

What do you think?
Jadrice Toussaint
Honored Contributor
Solution

Re: CIM Agent Behind Firewall

OK, I understand now.

Open the following ports for only the IM server host located on your untrusted side to your internal side:

Ports 7 and 161.

The ports above are crucial, since IM will need them to perform the discovery of devices.

Depending on which firewall you are using, you should not need a rule to allow access from the trusted to the untrusted side.
David Claypool
Honored Contributor

Re: CIM Agent Behind Firewall

Please also note that the 6.4 agents contain a re-architected MIB for disk events that is not supported by Insight Manager (Win32) 5.5. That means that you will not be able to receive any disk-related traps from agents 6.4 or later.
Ran Deri
Occasional Advisor

Re: CIM Agent Behind Firewall

OK, I get the idea.
To make it clear:
If I open only port 162 from the agent to the CIM server (without ports 161 and 7 opened inbound), will the IM Server be able to get traps from the agent? (I care only about traps when a problem occurs.)

Thanks again,
Ran.
Jadrice Toussaint
Honored Contributor

Re: CIM Agent Behind Firewall

Ran -

There is no need to open port 162 from the client side since they are on the trusted network. They can send traps to the IM7 in the DMZ zone. Remember, the trusted side has the highest security priority. In my case I'm using a Cisco PIX, and I'm not denying any traffic on the DMZ. So my internal network can talk freely with the devices on the DMZ. First of all, for IM7 to be able to receive traps properly, the devices will need to be added or discovered. This is where port 7 and port 161 come into play. Port 7 allows the IM7 server to reach and add the devices into the database. Port 161 is used to collect device information. The least you would need to do is to definitely open port 7 from DMZ -> trusted for only one host, in that case the IM7 server.

My advice to you, security-wise, is that I would move the IM7 server internally instead of having it on the DMZ side. But the choice is yours.
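To make concrete what the replies above mean by traps needing only port 162 while discovery and status polling need 161 (and 7), here is an added example, not code from this thread, from Compaq/HP or from the Insight Manager product: it hand-encodes an SNMPv1 trap (RFC 1157) in BER, sends it as a single outbound UDP datagram, and decodes it the way a trap receiver would. The agent side never binds a socket, which is why an outbound-only rule towards the manager's UDP/162 is enough for trap delivery, whereas SNMP GET polling is initiated by the manager and would need an inbound rule to UDP/161. The community string, the enterprise OID `1.3.6.1.4.1.99999`, the addresses and the varbind text are constructed placeholders, not real CIM values.

```python
# Added example (not from the thread, Compaq/HP or Insight Manager): an SNMPv1
# trap (RFC 1157) built with hand-rolled BER, sent as one outbound UDP datagram
# and decoded as a manager would. Trap delivery needs only an outbound path to
# the manager's UDP/162; polling (GET on UDP/161) is manager-initiated instead.
import socket

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_IPADDRESS = 0x40   # [APPLICATION 0] IMPLICIT OCTET STRING (4 bytes)
TAG_TIMETICKS = 0x43   # [APPLICATION 3] IMPLICIT INTEGER
TAG_TRAP_PDU = 0xA4    # [4] IMPLICIT SEQUENCE: the SNMPv1 Trap-PDU

def ber_length(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content

def enc_int(value, tag=TAG_INTEGER):
    """Minimal big-endian two's complement; this example only needs value >= 0."""
    if value < 0:
        raise ValueError("negative values not handled here")
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def enc_oid(oid):
    """Dotted OID: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunks.append(arc & 0x7F)
        chunks.reverse()                            # most significant group first
        out.extend(c | 0x80 for c in chunks[:-1])   # continuation bit on all but last
        out.append(chunks[-1])
    return tlv(TAG_OID, bytes(out))

def build_trap(community, enterprise, agent_ip, generic, specific, uptime, varbinds):
    """Message ::= SEQUENCE { version 0, community, Trap-PDU }; string varbinds only."""
    vbs = b"".join(tlv(TAG_SEQUENCE, enc_oid(n) + tlv(TAG_OCTET_STRING, v.encode()))
                   for n, v in varbinds)
    pdu = tlv(TAG_TRAP_PDU, enc_oid(enterprise)
              + tlv(TAG_IPADDRESS, socket.inet_aton(agent_ip))
              + enc_int(generic) + enc_int(specific)
              + enc_int(uptime, TAG_TIMETICKS) + tlv(TAG_SEQUENCE, vbs))
    return tlv(TAG_SEQUENCE, enc_int(0) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_trap(msg):
    """Receiver side: decode a v1 trap into a dict; anything else raises ValueError."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if int.from_bytes(version, "big") != 0 or tag != TAG_TRAP_PDU:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, pos = [], 0
    while pos < len(pdu):                       # enterprise, agent-addr, generic,
        _, content, pos = read_tlv(pdu, pos)    # specific, time-stamp, varbinds
        fields.append(content)
    enterprise, addr, generic, specific, ticks, vbs = fields
    varbinds, pos = [], 0
    while pos < len(vbs):
        _, vb, pos = read_tlv(vbs, pos)
        _, name, q = read_tlv(vb, 0)
        _, value, _ = read_tlv(vb, q)
        varbinds.append((dec_oid(name), value.decode(errors="replace")))
    return {"community": community.decode(errors="replace"), "enterprise": dec_oid(enterprise),
            "agent": socket.inet_ntoa(addr), "generic": int.from_bytes(generic, "big"),
            "specific": int.from_bytes(specific, "big"),
            "uptime": int.from_bytes(ticks, "big"), "varbinds": varbinds}

if __name__ == "__main__":
    # Loopback demo on an unprivileged port (binding UDP/162 needs root). All values
    # are constructed placeholders, not real CIM enterprise OIDs, hosts or communities.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    trap = build_trap("cim-example", "1.3.6.1.4.1.99999", "10.0.0.5", 6, 1001, 123456,
                      [("1.3.6.1.4.1.99999.1.1", "drive in bay 3 failed")])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:   # agent: send only
        tx.sendto(trap, ("127.0.0.1", rx.getsockname()[1]))
    print(parse_trap(rx.recv(4096)))
```

The sending side is the whole point for the firewall question: the agent only calls `sendto`, so the trusted-side policy of "outbound only" already covers it, and the manager must simply be reachable on 162. Note that SNMPv1 traps are unacknowledged, so a trap dropped by the firewall or lost in transit is silently gone; that is the price of not allowing any inbound polling.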
Ran Deri
Occasional Advisor

Re: CIM Agent Behind Firewall

Is this the same if working with IM Server ver. 5.5 (ports 161 and 7)?
Again, thanks, you are helping me a lot.

Ran.
Jadrice Toussaint
Honored Contributor

Re: CIM Agent Behind Firewall

Port 7 was not needed in 5.5. This was implemented in IM7 to reduce unnecessary SNMP requests to devices that are considered unreachable.
Jadrice Toussaint
Honored Contributor

Re: CIM Agent Behind Firewall

Ran, let me ask you a question: do you have all of your servers in the IM database?

Are the servers already showing in IM?

The reason I ask is that you will need some way of discovering and identifying the devices for IM to work properly, or better, for you to receive SNMP traps from those devices.

At the least, I would suggest keeping ports 7 and 161 open. As I said before, the two ports are crucial for IM to work properly.
Ran Deri
Occasional Advisor

Re: CIM Agent Behind Firewall

Of course.
The network architecture I described to you is not the exact situation. What I called DMZ is actually our inside network (Intranet), and most of the servers and workstations are located within that network. We have another network, which is Top-secret. There is a firewall between the 2 networks, and the default policy is to enable outgoing traffic from the top-secret to the Intranet.
I don't like the idea of enabling inbound traffic from the Intranet to the top-secret with port 161, especially since it's SNMP.
But with port 162 I don't have any problem (since it's outbound).
So what I am actually trying to do is find a way of partially activating the IM without port 161 inbound...
Sorry if I'm confusing you :(
That's the situation.
Ran.
Jadrice Toussaint
Honored Contributor

Re: CIM Agent Behind Firewall

Ran -

OK, then there is nothing that you really need to set up on the firewall side.

What you will need to do in that case is to disable the SNMP status polls in IM under Tasks.
Jadrice Toussaint
Honored Contributor

Re: CIM Agent Behind Firewall

Oh, and I forgot to mention this: when you need to add a new device, you will need to add it manually, as IM will be unable to discover it.
Ran Deri
Occasional Advisor

Re: CIM Agent Behind Firewall

That sounds fair :)
I'll try to disable the status polling task.

Have a nice day!
Best regards,
Ran.