Communications

As you can see in Figure 3.4, MOM uses a variety of communications methods that are optimized for security and efficiency. Notice that the communications between the management server and the agent are different depending on the direction of the communication. This has important ramifications for firewall support and security, which we will discuss later in this section.

Figure 3.4 Component communications protocols and ports.

For the Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) protocols, RPC uses Transmission Control Protocol (TCP) port 135, and DCOM uses a nightmarish combination of TCP and User Datagram Protocol (UDP) ports and connections.

DCOM is particularly troublesome for firewall access because it dynamically assigns ports to processes. By default, it freely assigns TCP and UDP ports ranging from 1024 to 65535, which makes it difficult to operate securely across a firewall. In addition, new connections are established when responding to a client, meaning that the port the client used for the request is not the same as the port used for the response. Also, DCOM does not support Network Address Translation (NAT), which is among the more common ways of configuring a firewall. You can configure DCOM to use only TCP, restrict the ports the client and server use, and open up the firewall just enough to get the communications through. However, the bottom line is that these actions seriously compromise the security of your firewall and of the communications across it.

In keeping with its commitment to the Trustworthy Computing Initiative, Microsoft does not support communications requiring RPC/DCOM across a firewall. Communications that use a standard TCP port that can be secured properly across a firewall, such as the agent-to-management server communications, are supported. Table 3.1 lists the various connections, their communications method, and their firewall supportability.

Table 3.1. Communications and Firewall Compatibility

From                     To                       Firewall?  Port, Protocol, or Remark
Agent                    Management server        YES        TCP/UDP port 12701
Management server        Agent                    NO         RPC (TCP port 135) and DCOM ports (TCP/UDP 1024-65535)
Management server        Agentless                NO         RPC (TCP port 135) and DCOM ports (TCP/UDP 1024-65535)
Administrator console    Management server        NO         RPC (TCP port 135) and DCOM ports (TCP/UDP 1024-65535)
Operator console         Management server        NO         RPC (TCP port 135) and DCOM ports (TCP/UDP 1024-65535)
Reporting console        Reporting database       YES        HTTP port 80 or HTTPS port 443
Web console              Management server        YES        TCP port 1272
Management server        Operations database      YES        OLEDB tunneling, port 14332
MOM-to-MOM connector     MOM-to-MOM connector     YES        TCP port 1271
Connector                Third-party application  YES        TCP port 1271
Operations database      Reporting database       NO         DTS (TCP port 1433)

Notice that the agent-to-management server communication method is supported over a firewall, but the management server-to-agent communication method is not. The process of "push" installing agents on managed computers requires RPC and DCOM, whereas the monitoring and rules distribution use a secure TCP port. The downside of this is that if you want to manage an agent on the other side of a firewall, you will have to manually install the agent. Thereafter, the agent will securely initiate the communications. Also, note that managing agentless computers across a firewall is not supported, due to the RPC/DCOM requirements.

The port used by the management server for communicating with agents (12701 by default) is easily configurable on a per-management-server basis. This is also true for the connector port (1271) and the Web console port (1272). The other ports can be changed, with varying degrees of difficulty.
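As an added example (not code from the book), the following Python encodes the rows of Table 3.1 and derives the fixed inbound openings a firewall in front of a management server needs, while flagging any proposed rule that would open the RPC endpoint mapper or the DCOM dynamic range the chapter warns against. The component names, the `(protocol, port)` rule format and the sample rule set are this example's own assumptions.

```python
# Added example: model Table 3.1 and audit a proposed firewall rule set against it.
from dataclasses import dataclass

DCOM_RANGE = "1024-65535"                      # DCOM default dynamic port range
RPC_DCOM = (("tcp", 135), ("tcp", DCOM_RANGE), ("udp", DCOM_RANGE))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ports: tuple       # (protocol, port-or-range) pairs the flow needs
    firewall_ok: bool  # the "Firewall?" column of Table 3.1


# Rows of Table 3.1 (component names are this example's own spelling).
TABLE_3_1 = [
    Flow("agent", "management server", (("tcp", 12701), ("udp", 12701)), True),
    Flow("management server", "agent", RPC_DCOM, False),
    Flow("management server", "agentless", RPC_DCOM, False),
    Flow("administrator console", "management server", RPC_DCOM, False),
    Flow("operator console", "management server", RPC_DCOM, False),
    Flow("reporting console", "reporting database", (("tcp", 80), ("tcp", 443)), True),
    Flow("web console", "management server", (("tcp", 1272),), True),
    Flow("management server", "operations database", (("tcp", 14332),), True),
    Flow("mom-to-mom connector", "mom-to-mom connector", (("tcp", 1271),), True),
    Flow("connector", "third-party application", (("tcp", 1271),), True),
    Flow("operations database", "reporting database", (("tcp", 1433),), False),
]


def required_openings(dst, table=TABLE_3_1):
    """Fixed ports a firewall must allow inbound to `dst` for the supported flows."""
    return {p for f in table if f.dst == dst and f.firewall_ok for p in f.ports}


def unsupported_sources(dst, table=TABLE_3_1):
    """Components whose flow to `dst` the chapter says not to pass through a firewall."""
    return sorted(f.src for f in table if f.dst == dst and not f.firewall_ok)


def audit_rules(dst, proposed, table=TABLE_3_1):
    """Compare a proposed allow list for `dst` with Table 3.1.

    'missing'  - supported flows the rule set would still block
    'unneeded' - openings no supported flow uses
    'rpc_dcom' - rules that open port 135 or the DCOM dynamic range
    """
    needed, risky, given = required_openings(dst, table), set(RPC_DCOM), set(proposed)
    return {
        "missing": needed - given,
        "unneeded": given - needed - risky,
        "rpc_dcom": given & risky,
    }
```

A rule set that opens 12701 and 135 for a management server, for instance, comes back with 1272 missing for the Web console and 135 flagged, which is exactly the "install the agent manually rather than open DCOM" trade-off the text describes.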

As Table 3.1 attests, most of the key MOM 2005 communications such as agents and connectors are supported across a firewall, making MOM 2005 a flexible product that can centrally manage your entire enterprise.