Mikael Rönnbäck
Super Advisor

Version Control through firewalls ?

I have been trying to set up Version Control through one of our internal firewalls.
The manual states:

"Version Control. This discussion is based on the assumption that the Version Control Repository (VCR) is behind the firewall with CMS, and likely on the CMS. Discovering the software available on the managed system requires SNMP over port 161. After receiving a command to update some component, the system must retrieve the component from the VCR, which it does using HTTPS over port 2381 to the VCR. To communicate its update status back to the CMS, the agent uses HTTP over port 80"

I have been allowed these ports opened between the specific nodes and the CMS with VC repository, and after that status works perfectly on the nodes, in addition SIM detects and displays status fine, except that you cannot click on its links to be taken to the server homepage. Seems natural in a secure environment.

However, from neither place can I get downloads to work, i.e. if a server status is that several components are outdated I am still unable to retrieve the update as the downloads don't seem to be permitted.

I have asked our firewall team for a trace of this, but I wanted to ask if anyone's done this setup yet and already knows what ports are missing from the documentation?

Mikael Rönnbäck
Super Advisor

Re: Version Control through firewalls ?

I think I have found out the problem, the documentation states that all communication takes place over https port 2381, while in fact only the initial communication goes that way, once connection is established (I assume user/password auth.) the agent switches over to http port 2301, i.e. the settings from the "old" vcagent, before it started to use https some versions ago... :)

I have requested our firewall team to approve opening this port for me for a test machine and if accepted I will then have confirmation of this. Just thought I'd make a note of it in case anyone else should be trying to do the same thing with firewalls.

James D. Young
Frequent Advisor

Re: Version Control through firewalls ?

This document is exactly what you need. It has all the issues with working thru firewalls with HP System Insight Manager.

http://h200001.www2.hp.com/bc/docs/support/SupportManual/c00210041/c00210041.pdf

Mikael Rönnbäck
Super Advisor

Re: Version Control through firewalls ?

Thanks, but that is actually the document I was referring to, in its previous version it stated (see page 9)

"Discovering the software available on the managed system requires SNMP over port 161. After receiving a command to update some component, the system must retrieve the component from the VCR, which it does using HTTPS over port 2381 to the VCR. To communicate its update status back to the CMS, the agent uses HTTP over port 80. Additionally, the CMS polls the system for its status every 15 minutes for up to 2 hours."

I.e. no mention of port 2301, only port 2381 and port 80 (incl. snmp port 161)
The version you point me to seems to be slightly updated, as it now says

"Discovering the software available on the managed system requires SNMP over port 161. After receiving a command to update some component, the system must retrieve the component from the VCR, which it does using HTTPS over port 2381 to the VCR. To communicate its update status back to the CMS, the agent uses HTTP over port 280. Additionally, the CMS polls the system for its status every 15 minutes for up to 2 hours."

I.e. the change is from port 80 to port 280, still no use of port 2301, which our firewall logs/traces show us the server is attempting to use.

Meaning that I'm now only more confused, since we do have traffic on port 2381, port 80 and port 2301, the old document could just have missed port 2301, but now the new one states another port which is not in use and still does not mention the one used.
I guess I'll just wait for our firewall logs for a conclusion instead, since I trust neither of the documented versions to be complete ;-)

James D. Young
Frequent Advisor

Re: Version Control through firewalls ?

Page 8 shows 2301 as being used for system identification for VC and RAS.

This is the document I used to communicate with my servers in the DMZ. I am able to do everything I need thru my firewall with the ports listed on page 8.

Mikael Rönnbäck
Super Advisor

Re: Version Control through firewalls ?

Yes, well what I fail to understand in this is that system identification and version control inventory/status seemingly works fine without port 2301, i.e. with only snmp/161 and https/2381, it is only for actual download of new drivers that I really need http/2301.

I may be interpreting this wrong, as English is not my native language (you'd never guess from the non-English characters in my name... ;-P) but the way I read the information on page 8 was that port 2301 was required for identification (especially since id. worked with just 2381), and version control used its own separate port, but I may be wrong there, and either way, since it now works in our test setup using snmp, http/80,2301 and https/2381, I'll just assume I have misinterpreted the manual's intentions.

David Claypool
Honored Contributor

Re: Version Control through firewalls ?

2301 is a valid discovery port; it was used by earlier agents for Windows that did not support SSL and current versions that also do not support SSL such as agents for NetWare, SCO, OpenVMS, etc.

Mikael Rönnbäck
Super Advisor

Re: Version Control through firewalls ?

Yes, I know that, but my point here is that I am using the newest agents, they are configured for trust by name or trust by cert, they contact HP SIM 4.1 (not 4.2 yet...) and they will only get status when using https/2381, they will NOT retrieve any updates, as this still runs on http/2301, and I can find no setting to reconfigure this to only use https/2381 for downloads as well as for status ?
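
Added example (not from any poster or from HP): the check the thread performs by hand, comparing the ports seen in firewall logs between a managed node and the CMS against the port lists in the two manual versions quoted above, and listing which observed ports carry HTTP rather than HTTPS. The log format, the addresses and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Port lists from the two manual versions quoted in the thread, as (proto, port).
DOC_OLD = {("udp", 161), ("tcp", 2381), ("tcp", 80)}
DOC_NEW = {("udp", 161), ("tcp", 2381), ("tcp", 280)}
# Ports the thread describes as plain HTTP rather than HTTPS.
HTTP_PORTS = {("tcp", 80), ("tcp", 280), ("tcp", 2301)}

CMS = "192.0.2.5"  # assumed CMS/VCR address (documentation range)

# Constructed sample in a made-up key=value format; adapt LINE to your firewall.
SAMPLE_LOG = """\
2005-03-01T10:15:01 action=allow proto=udp src=192.0.2.5 dst=198.51.100.20 dport=161
2005-03-01T10:15:02 action=allow proto=tcp src=198.51.100.20 dst=192.0.2.5 dport=2381
2005-03-01T10:15:03 action=deny proto=tcp src=198.51.100.20 dst=192.0.2.5 dport=2301
2005-03-01T10:15:04 action=deny proto=tcp src=198.51.100.20 dst=192.0.2.5 dport=2301
2005-03-01T10:15:09 action=allow proto=tcp src=198.51.100.20 dst=192.0.2.5 dport=80
2005-03-01T10:16:00 action=deny proto=tcp src=198.51.100.99 dst=203.0.113.9 dport=445
"""

LINE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def flows_with_cms(log_text, cms=CMS):
    """Count (proto, dport, action) for every logged flow to or from the CMS."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and cms in (m["src"], m["dst"]):
            flows[(m["proto"].lower(), int(m["dport"]), m["action"].lower())] += 1
    return flows

def compare(flows, documented):
    """Return (seen but not documented, documented but never seen)."""
    seen = {(proto, port) for proto, port, _ in flows}
    return sorted(seen - documented), sorted(documented - seen)

def denied(flows):
    """Denied (proto, port) pairs with hit counts: candidates for rule review."""
    return {(p, port): n for (p, port, a), n in flows.items() if a == "deny"}

def http_in_use(flows):
    """Observed ports that carry HTTP, so a rule for them passes unencrypted traffic."""
    return sorted({(p, port) for p, port, _ in flows} & HTTP_PORTS)

if __name__ == "__main__":
    f = flows_with_cms(SAMPLE_LOG)
    print(compare(f, DOC_OLD), compare(f, DOC_NEW), denied(f), http_in_use(f))
```
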