Managing HP Servers through Firewalls with
Insight Management 7.0 White Paper
Table of Contents
Abstract .............................................................................................................................................. 3
Acronyms in text .................................................................................................................................. 3
Introduction ......................................................................................................................................... 5
HP management products ..................................................................................................................... 6
Case 1: Management protocols banned from DMZ ................................................................................. 6
Asset management ........................................................................................................................... 6
Fault management ............................................................................................................................ 7
Deployment and Migration ................................................................................................................ 7
Integrate ......................................................................................................................................... 7
Control ........................................................................................................................................... 7
Case 2: Separate management network ................................................................................................. 7
Asset Management........................................................................................................................... 9
Fault Management ........................................................................................................................... 9
Deployment and Migration ................................................................................................................ 9
Integrate ......................................................................................................................................... 9
Control ........................................................................................................................................... 9
Case 3: Managing through a firewall using a single network .................................................................. 10
Asset Management......................................................................................................................... 10
SNMP ....................................................................................................................................... 11
DMI .......................................................................................................................................... 12
WBEM ...................................................................................................................................... 12
WMI ......................................................................................................................................... 12
WS-MAN .................................................................................................................................. 13
SSH .......................................................................................................................................... 13
Fault management .......................................................................................................................... 13
Deployment and Migration .............................................................................................................. 14
Control ......................................................................................................................................... 14
Integrate ....................................................................................................................................... 14
Control ......................................................................................................................................... 14
Configuration Management............................................................................................................. 15
Version Control .......................................................................................................................... 17
Replicate Agent Settings .............................................................................................................. 17
SSH .......................................................................................................................................... 17
Best Practices ................................................................................................................................. 17
HP Insight Management Installer ...................................................................................................... 18
HP Systems Insight Manager ........................................................................................................ 18
HP Insight Control....................................................................................................................... 18
HP Matrix Operating Environment ................................................................................................ 18
HP Insight Management Installer Ports............................................................................................... 18
HP Smart Update Manager Ports ..................................................................................................... 21
HP Insight Control for VCenter Ports ................................................................................................. 23
HP Onboard Administrator Ports ...................................................................................................... 24
HP Virtual Connect Manager Ports ................................................................................................... 24
Policies required for IM DVD Installation ........................................................................................... 25
Additional policies required for proper operations of the system .......................................................... 25
Conclusion ........................................................................................................................................ 26
Appendix A: Configuring a separate management network .................................................................... 27
Appendix B: Modifying default ports .................................................................................................... 28
For more information .......................................................................................................................... 29
Call to action .................................................................................................................................... 29
Abstract
This paper identifies possible ways of managing HP servers with HP Insight Management deployed in
the area of the network that is considered more secure than the standard production network. This is
not a best practices document. This document provides information that can enable system
administrators to create management solutions appropriate for specific computing environments.
Insight Control is a product in the HP Insight Management family of products that can be downloaded
from the Internet. Insight Control is installed through the HP Insight Management Installer wizard,
which integrates the installation and upgrade of all Insight Management products.
Acronyms in text
The following acronyms are used in the text of this document.
Acronym
Acronym expansion
CLP
Command Line Protocol
CMS
Central Management Server
CIM
Common Information Model
DIMM
Dual inline memory module
DCOM
Distributed Component Object Model
DMTF
Distributed Management Task Force
HP SIM
HP Systems Insight Manager
HTTP
Hyper Text Transport Protocol
HTTPS
Hypertext Transfer Protocol over Secure Socket Layer
ICMP
Internet Control Message Protocol.
IETF
Internet Engineering Task Force
iLO 2
Integrated Lights-Out 2
IPMI
Intelligent Platform Management Interface
MIB
Management Information Base
OS
Operating System
RMCP
Remote Management Control Protocol
RPC
Remote procedure call
SSH
Secure Shell
SSL
Secure Socket Layer
SM CLP
Server Management Command Line Protocol
SMASH
Systems Management Architecture for Server Hardware
SMI-S
Server Management Initiative – Specification
SMTP
Simple Mail Transfer Protocol
3
SNMP
Simple Network Management Protocol
TCP/IP
Transmission Control Protocol / Internet Protocol
UDP
User Datagram Protocol
WBEM
Web-Based Enterprise Management
WMI
Windows Management Instrumentation
WS-Management
Web Services for Management
XML
Extensible Markup Language
4
Introduction
Managing systems in a secure environment is a challenge that most system administrators face. It
requires a careful balance between critical security requirements and the need to effectively manage
and maintain the systems.
Within Internet connected architecture, there is typically a more secure zone, commonly referred to as
the demilitarized zone (DMZ). This zone is positioned between the corporate servers and the Internet,
usually separated from both by firewalls that restrict traffic flow. With this architecture, servers that
provide publicly available Internet services can be accessed through a firewall, but these services are
inaccessible on the internal network. This more secure zone provides an area that is isolated from the
internal network and is hardened against external attack (Figure 1). The security challenges in the
DMZ are similar to those in other areas of a network that require special security attention.
Figure 1 Block diagram of a generic corporate computing environment
Through three sample case studies, this paper explores options for managing HP systems in the DMZ.
It explains the benefits and risks associated with each option. Information in this paper should allow
system administrators to tailor solutions for their own computing environments, based on the levels of
management they need and the security risk level they are willing to take.
In Case 1, the majority of management protocols are prohibited from the secure network, and the
management solution will not be allowed to violate any security restrictions. This solution is not
recommended, as the administrator is incapable of managing the hardware in the DMZ. It completely
eliminates the use of HP management tools such as HP Insight Control.
In Case 2, a completely separate network is used for management. This solution has the benefit of
completely segregating management traffic from the primary network and allowing a full spectrum of
management capabilities (because management protocols can enter through the firewall). However, it
is the most expensive option in terms of hardware and infrastructure costs. While it does increase cost
due to additional hardware and infrastructure, this option allows the use of iLO 2 to securely manage
hardware in the DMZ. Of the two options providing management capabilities in the DMZ (case 2
and 3), this one has the least risk of hackers or security breaches.
In Case 3, management protocols are allowed and management traffic is permitted to travel through
the firewall to HP Insight Control. This results in a fully featured management solution at a measured
risk. Because the infrastructure uses a single network for both management and production traffic, this
option does increase the risk from hackers or security breaches.
The intended audience for this paper is engineers and system administrators familiar with existing HP
technology and servers. The paper does not attempt to define and explain all the security concepts
and topics mentioned. Instead, it refers readers to resources containing that information.
5
HP management products
The following HP products are possible management options for HP servers deployed in the DMZ:
• HP Insight Control Environment (ICE)-Linux
• HP System Management Homepage (SMH)
• HP Insight Management Agents (Agents)
• HP Insight Management WBEM Providers for Windows (Insight Providers)
• HP Infrastructure Orchestration (HPIO)
• HP Insight Control Power Management (ICPM)
• HP Smart Update Manager (HP SUM)
• HP Systems Insight Manager (HP SIM)
• HP WEBM Services for HP-UX
• HP Insight Control performance management
• HP Insight Control Server Deployment (ICSD)
• HP Insight Control server migration
• HP Version Control Agent (VCA)
• HP Version Control Repository Manager (VCRM)
• HP Insight Control virtual machine management
• HP Virtual Server Environment (VSE)
• HP Vulnerability and Patch Management Pack (VPM)
• HP Management processors such as Integrated Lights-Out 2 (iLO 2)
• HP Insight Control for VMware vCenter Server
• HP Onboard Administrator (OA)
• HP Virtual Connect Manager (VCM)
For information about these HP management products, see the “For more information” section at the
end of this paper. Appendix A: Configuring a separate management network gives port information
related to these products.
Case 1: Management protocols banned from DMZ
In some computing environments, IT security policies restrict management protocols in the secure
environment. Security policies may or may not permit other protocols (such as email or file sharing) in
the DMZ. An acceptable management solution must conform to security restrictions of the
environment.
Even if active management is not possible, some management information can flow from managed
devices in such an environment. Either SNMP or WBEM/WMI can be used to manage ProLiant
servers. These can be configured to prevent access from off the platform. For information on how to
configure SNMP or WBEM, see the documentation for your operating system.
Asset management
In this type of computing environment, administrators can collect system asset information from a
ProLiant server in the DMZ as long as the Agents or WBEM providers are running and an application
is running that can get the data locally. For example, Microsoft Systems Management Server can
get asset information from the Agents and transfer that information to its central server through the
6
operating system file share. As a second option, administrators can browse to the web-based System
Management Homepage (https://servername:2381/) and manually view the asset information.
Fault management
Administrators can configure ProLiant servers to send an email (through SMTP) when a hardware
problem occurs. In Microsoft Windows operating systems, the Agent Event Notifier provides this
optional feature. Administrators can set up and configure the Agent Event Notifier during the agent
deployment. In Linux operating systems, if a hardware problem occurs, emails are automatically
sent to the root email on the managed system.
The Insight Agents for Microsoft Windows also create Windows Event Log entries. A management
tool such as HP OpenView Operations or Microsoft Operations Manager operating in the same
environment can then collect the log entries and send them back to a centralized server. The Insight
Agents for Linux also create entries in the syslog. Administrators can write a script to look for these
entries and take appropriate action.
Deployment and Migration
With HP Insight Control installed managing, deploying Hardware and migration will be a difficult
task for the administrators. As, the protocols inside the secure area (DMZ) are banned, we need to
disable or allow the protocols within the Intranet, which is not suggestible.
Integrate
Create templates with detailed requirements (server, storage, networks) for simple or complex
infrastructure needs using visual drag-and-drop design tool. Users select from a catalog of published
infrastructure templates in the self-service portal, which routes the requests through a configurable
approval process. The network resource has to be available to the administrator and protocols have
to work fine in order to establish communication. Here security will be primary concern if we want to
integrate, as the firewall rules have to loosen.
Control
HP Insight Control gives you more from every dollar, hour, and watt invested in your ProLiant servers.
With Insight Control and related services, you can deploy new ProLiant servers quickly and reliably,
catalog your environment accurately, proactively monitor server health to pinpoint failures before they
result in unplanned downtime, manage ProLiant servers remotely from any location, and optimize
power usage confidently. As a result, you can reduce unplanned downtime and deliver stable IT
services to your line-of-business (LOB) users. In this case, we need to disable or allow the protocols
within the Intranet and Internet or VPN.
entries and take appropriate action
Case 2: Separate management network
In some computing environments, system administrators create a separate, secondary network parallel
to the primary or production network (Figure 2). The chief benefit to this approach is that
management traffic flows through the secondary network, while the limited access from the production
7
(primary) network maintains security. Configuring a separate management network using HP Systems
Insight Manager allows secure access to the systems in the DMZ.
The secondary network can also be used for other operations that would be inappropriate for the
primary network, such as tape backups, deployments using Insight Control Server Deployment, or
application maintenance.
Note:
Do not connect the management network to the corporate (internal)
network. Compromising one of the systems in the DMZ could allow a
hacker to get onto the management network. However, it may be beneficial
to allow VPN access to the management network.
Figure 2 Parallel primary (production) and secondary (management) networks
Servers inside the DMZ and on the internal network can use iLO 2 processors. Because the network
connection to iLO 2 is completely isolated from the network ports on the server, there is no possibility
for data to flow from the DMZ network to the iLO management network, or vice-versa. Therefore, if
anyone compromises the DMZ network, he or she cannot compromise the iLO network. This
architecture permits administrators to use iLO on servers located in the DMZ, or in the internal
network, without the risk of compromising sensitive data. This separation is accomplished through the
use of a dedicated NIC or the iLO 2 Shared Network Port with its Virtual Local Area Network. For
more information, see the paper titled HP Integrated Lights-Out security technology available at
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf.
For best protection of the servers operating inside the DMZ, administrators should set the SNMP trap
destinations to the loop back address and enable the SNMP pass-through in iLO 2 so that SNMP
traps are routed onto the iLO management network. While this SNMP pass-through option does not
enable all management functions, it allows for passing status, inventory, and fault information to HP
Systems Insight Manager or another SNMP-capable management application. This option has the
benefit of being very secure because the host operating system does not recognize the Lights-Out
product as a NIC.
8
Asset Management
With HP Systems Insight Manager installed on the secondary management network, system
administrators can collect system asset information from a ProLiant server on that management
network through the iLO 2 pass-through. As a second option, administrators can browse to the System
Management Homepage (https://servername:2381/) and manually view the asset information.
Appendix A: Configuring a separate management network describes the procedure for configuring a
separate management network. When using SNMP management protocols, SNMP should be
configured to accept packets only from the IP addresses used on the management network, or SNMP
should be bound to the secondary network interface (if the operating system allows this). The HP
Insight Management Agents should be configured to allow access only from IP addresses on the
management network. HP Systems Insight Manager should be configured to discover the systems on
the secondary network. WMI and WBEM can be disabled on the primary network by configuring a
firewall on the system to disable each of the protocols on the primary NIC.
Fault Management
SNMP traps can be forwarded through the Lights-Out interface on ProLiant servers. This allows full
fault management data to flow into HP Systems Insight Manager or another management product
(such as HP OpenView Network Node Manager).
entries and take appropriate action.
In this type of computing environment, administrators can collect network resource information from a
gateway which is connected to the intranet in the DMZ through bypassing it from the firewall.
Managing, deploying Hardware and migration will be a smooth task for the administrators.
Integrate
Key integrations are provided through HP Insight Control for Microsoft System Center and HP Insight
Control for VMware vCenter Server. The Insight control Agents for Microsoft Windows also create
Windows Event Log entries. The Microsoft System Center integration supports OS deployment and
updates, HP ProLiant and Blade System management and alerting, proactive virtual machine
management, and enhanced inventory reporting. The integration happens with the secondary network
which is connected to the network resources.
Control
Insight Control provides single-console integration with the leading management applications. Insight
Control for VMware vCenter Server delivers powerful HP hardware management capabilities to
virtualization administrators without ever having to leave the vCenter console. The benefit to this
approach is that management traffic flows through the secondary network, while the limited access
from the production (primary) network maintains security. We doesn’t require the need of disabling
the firewall rules
9
Case 3: Managing through a firewall using a single
network
In other computing environments, a firewall commonly separates the central management server
(CMS) and the managed server. In such an environment (Figure 3), two networks are given different
levels of trust. For example, the managed server may be in a DMZ, while the CMS resides in a more
trusted portion of the intranet. The firewall is used to control traffic between these two networks. The
firewall permits the exchange of only specific types of traffic between specific systems.
In some situations, the firewall may simply restrict communication between specific IP addresses. For
example, the firewall may allow the exchange of any IP packets between the managed system and
the CMS. However, because host names and IP addresses can be spoofed, a higher level of
restriction can be imposed through the firewall; that is, the firewall can permit only non-spoofable
protocols.
In this case study, we assume that the firewall is configured to allow only requests from the CMS to
the managed server and returned responses. Typically, this means the firewall will not permit UDP
traffic, as connectionless protocols cannot easily be configured to block incoming packets. Only
specific TCP ports will be opened, and they will possibly be filtered for certain types of traffic.
Figure 3 Firewall separating central management server from managed server
Asset Management
HP Insight Management provides asset management services by first discovering and identifying the
managed systems, gathering data from instrumentation running on each managed system, storing this
data in a SQL database, and finally providing reporting capabilities on this gathered data. These
steps require communication between the CMS and managed system as described in the following
paragraphs.
First the managed systems and the instrumentation running on them must be identified. HP Insight
Management offers an automatic discovery mechanism using IP ping sweep, or administrators can
manually add systems by name or address. In either case, the CMS will attempt to contact the
managed system using a ping; if this fails, then no further requests will be sent to the system.
HP Insight Management normally uses an ICMP echo to ping a system; however, some network
administrators turn off ICMP through firewalls. In this situation, the administrator can configure HP
Insight Management to use a TCP port to ping systems. Port 80 is used by default, but an alternative
port may be specified in a configuration file. The target system need not be actively listening to the
chosen port, but the firewall must be configured to allow these requests to pass.
10
Next, the CMS will attempt to identify a number of management protocols such as SNMP, HTTP, and
WBEM. The protocols used for asset management depend on the types of systems being managed
(Table 1):
• ProLiant servers provide management data through SNMP, giving complete coverage of the
hardware instrumentation. Integrity servers running Windows also provide this SNMP
instrumentation.
• ProLiant and Integrity servers running Microsoft Windows 2003 or 2008 also expose much data
through the Insight Providers and WMI. The HP Insight Providers include server providers
(information about processors, memory, peripheral devices, computer system information, and
sensor information); network providers (network controller information and indications); and storage
providers (storage controller information and indications). WMI on Integrity currently does not cover
detailed hardware information such as controllers, DIMMs, and physical disks.
• ProLiant and Integrity servers running Linux may also provide management data through WBEM.
While that data is not currently as rich as the SNMP information, WBEM provides basic hardware
and operating system information today. WEBM will be expanded to provide full instrumentation in
future.
• HP 9000 and Integrity servers running HP-UX provide management data with WBEM. HP
recommends WBEM for asset management and makes it available on 11.x versions of HP-UX.
(These systems also support SNMP, but SNMP is not required for asset management.)
Table 1 Protocols used for asset management of industry-standard servers
Server
OS
ProLiant
SNMP
WBEM
WMI
Windows
Y
Y1
Y
ProLiant
Linux
Y
Y
HP 9000
HP-UX
Y2
Y (11.x)
HP Integrity
HP-UX
Y2
Y
HP Integrity
Linux
Y
Y
HP Integrity
Windows
Y
Y1
Other devices
1
When WMI mapper is installed
2
Not required for asset management
Y
SSH
WS-MAN
Y
Y
Y
Y
Selecting the protocols that must be enabled through the firewall depends on the types of system to be
managed. Issues associated with each protocol are discussed in the following paragraphs. Ideally,
WBEM will be used to manage servers located through a firewall.
SNMP
SNMP gives the best management coverage but at the highest risk. While no “set” operations are
required for asset management, SNMP is UDP-based; therefore, in many environments it is not
considered a suitable protocol to pass through the firewall. Because SNMPv1 has a simple, clear-text
“community,” it provides a low level of security. However, SNMP may be suitable for some
environments in which the network containing the managed systems is relatively controlled. The
community string is not suggestible be a “default, Public or Private.” It should be customized
accordingly.
Using SNMPv3, users can securely collect management information from their SNMP agents without
fear that the data has been tampered with. Also, confidential information, such as SNMP set packets
11
that change a device's configuration, can be encrypted to prevent their contents from being exposed
on the wire. Also, the group-based administrative model allows different users to access the same
SNMP agent with varying access privileges.
DMI
DMI is similar in design to SNMP. Each component to be managed must have a Management
Information Format (MIF) file that specifies the location of the component, name of vendor and model,
firmware revision number, interrupt request line (IRQ), I/O port address, and so on.
DMI is a remote procedure call (RPC-based protocol). To operate, DMI requires opening a number of
ports through a firewall. Therefore, DMI is not recommended for use through firewalls. It is largely
being replaced by WBEM.
Note
DMI is not supported on HP-UX systems running HP-UX 11.23 (11iv2) and
HP-UX 11.31 (11iv3). You must use WBEM for this operating system.
WBEM
Web-Based Enterprise Management (WBEM) is one of the newest management protocols. HP
Management products will communicate to systems either directly using the WBEM protocol, or to the
Windows WMI systems, using the WMI Mapper Proxy.
WBEM uses HTTPS to provide a secure TCP connection from the CMS to the managed system. WBEM
uses its own port (5989 for SSL connections) and is supported through firewalls. The CMS can use
trusted certificates to authenticate the managed system, while the managed system uses user names
and passwords to authenticate the CMS.
Note
Firewalls should be configured to allow the CMS to communicate with
managed systems through default port 5989. If you have modified the
default port setting for your WBEM provider, you must configure your
firewall for the port number your WBEM provider on which it is actually
configured.
WMI
WMI is Microsoft’s implementation of WBEM. WMI runs over DCOM, which in turn, uses RPC. The
WMI Mapper is an application that provides translation from WMI (a DCOM-based interface) to a
standardized WBEM interface (CIM XML/HTTP). This is a two-way translation. The WMI Mapper is
required for HP Insight Control to manage Windows computers, including ProLiant servers running the
Insight Providers for Windows. The WMI Mapper service runs separately from the HP SIM service. For
Windows systems behind a firewall, HP recommends installing the WMI Mapper on a managed
system in the secure network (Figure 4) and disabling direct remote access to WMI. This mapper
allows standard WBEM requests through the firewall, and they are mapped to WMI requests on the
managed system.
12
Figure 4 WMI Mapper on managed Windows system behind firewall
The WMI Mapper is included with the Windows version of HP SIM but can also be used with other
versions. It is available with the HP SIM software or from the HP website at
http://www.hp.com/go/hpsim. The mapper can be installed on a Windows system to allow WBEM
access to that system.
If the mapper is to be used as a proxy to access other systems, as shown in the previous DMZ
example, then HP SIM must be configured to recognize the mapper as a proxy: Use the Options 
Security  WMI Proxy Settings menu item and add the system on which the mapper is installed.
WS-MAN
WS-Management is a public standard SOAP-based protocol for sharing management data among all
operating systems, computers, and devices. WS-MAN depends upon SOAP. As of this writing, it is
used to manage iLO2 and HPOA.
SSH
Secure Shell (SSH) allows logging in to another system over a network and executing commands on
that system. It also enables administrators to move files from one system to another in an encrypted
format. It provides authentication and secure communications over insecure channels, and uses TCP
port 22 to communicate.
Fault management
The HP Agents have two means for communicating faults: SNMP traps and SMTP e-mail (Table 2).
Both originate from the agents in the DMZ to the CMS or to the SMTP mail server. The HP Insight
Management WBEM providers can communicate faults using WMI indications. It is recommended
that the WMI Mapper be installed on the managed system so that these faults can be sent using
WBEM (CIM-XML/HTTP) through the firewall.
Table 2 How HP agents communicate faults
CMS
Managed
System
Port
1
Protocol
Description
13
2
In
Out
In
Y
Y
Y
Y
Y
1
Out
Y
162
SNMP (UDP)
SNMP Trap
25
SMTP
SMTP E-mail
50004
HTTPS/HTTP
WBEM event receiver (configurable)
All ports are for TCP and UDP
The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be
configured to block these ports if the CMS is not to be managed from another system.
2
Increase deployment speeds by 12X (20 minutes versus 4 hours) with consistency and reliability using
ProLiant servers. HP Insight Control Server Deployment will help in conserving the time in the network
through its capabilities. In this case, protocols need to allow between the Management server and
systems.
Control
Staff efficiencies stem from time saved on tasks performed by IT administrators and technicians and
translate into increased productivity benefits in server administration, server deployment, server asset
management, server hardware maintenance, and new application deployment time. With this type of
computing environment, the administrator has to allow the protocols required to communicate
between the systems through the connected firewall.
Integrate
Company uses HP Insight Control to help manage its Microsoft Hyper-V environment, especially to
deploy virtual servers. Integrate Insight Control directly into HP Operations Center or with VMware
and Microsoft for single-console access to virtual and physical resources. The Matrix Operating
Environment can move server profile from one physical blade to another, bringing the flexibility of
virtualization to physical servers. With this type of computing environment, the administrator has to
allow the protocols required to communicate between the systems through the connected firewall.
Control
Staff efficiencies stem from time saved on tasks performed by IT administrators and technicians and
translate into increased productivity benefits in server administration, server deployment, server asset
management, server hardware maintenance, and new application deployment time. With this type of
14
computing environment, the administrator has to allow the protocols required to communicate
between the systems through the connected firewall.
Selecting the protocols that must be enabled through the firewall depends on the types of system to
be managed. Issues associated with each protocol are discussed in the following paragraphs. Ideally,
BEM will be used to manage servers located through a firewall.
Configuration Management
HP web agents on managed systems in a DMZ should first be configured to trust-by-certificate the HP
SIM server. This will authenticate all Version Control (VC) commands and all Replicate Agent Settings
(RAS) commands to the agent as coming from the specified CMS; these commands require HTTPS
over port 2381.
Systems must be discoverable by the CMS. Refer to the Asset Management section for more
information. Systems must also be identifiable, which minimally requires HTTP access over port 2301.
Table 3 identifies the protocols used for configuration management when managing through a
firewall.
Note
HP does not recommended enabling management protocols such as SNMP
or DMI on systems outside the firewall or directly connected to the Internet.
Table 3 Summary of protocols used for configuration management
CMS
2
In
Managed
System
Description
ICMP
Ping
In
Y
Y
22
SSH
SSH server (for DTF)
Y
Y
161
SNMP (UDP)
SNMP Agent
162
SNMP Trap (UDP)
Trap listener
80
HTTP
Management processor and other devices;
standard Web server
280
HTTP
Web server for HP SIM; Web agent autostart port
443
HTTPS
standard Web server
1433
TCP
Microsoft SQL Server database
2301
HTTP
Web agent Web server
2367
RMI
HP SIM RMI connection
2381
HTTPS
Y
Y
4
Y
Y
4
Y
Y
4
Y
Y
Y
Y
Out
Protocol1
Out
Y
Y
Port
Y
3
Y
Y
Y
Y
5432
ProstgreSQL Server database
Y
Y
5988
HTTP
WBEM service
Y
Y
5989
HTTPS
WBEM service
15
40420
VMM
Y
50000
HTTPS
HP SIM Web server (configurable )
Y
50001
HTTPS
HP SIM SOAP
Y
50002
HTTPS
HP SIM SOAP with client certificate
authentication
Y
50003
HTTP
HP SIM SOAP
50004
HTTPS/HTTP
WBEM event receiver (configurable7)
Y
50005
WBEM
WBEM Events
Y
50006
PostgreSQL
PostgreSQL
Y
50008
SIM JMS
JMS port
Y
50009
SIM JNDI
JNDI port
50010
DMI
50013
RMI
Web Services RMI Loader
50014
JRMP
JRMP Invoker
50015
Pooled invoker
Pooled invoker
Y
Y
Y
Y
5
6
DMI
Y
Y
51124
HTTPS
Agent communications and iLO booting
Y
Y
51125
HTTPS
Agent communications and iLO booting
Y
Y
51126
HTTPS
Communication between the migration
agents on servers.
Y
Y
51127
HTTPS
Application station for Insight Control Web
Server
Y
Y
52000
HTTP
ESA
Y
Y
52001
HTTPS
ESA
Y
4
Y
411
HTTP
IBM Director agent
Y
4
Y
1311
HTTPS
Server administrator
Y
4
2069
HTTP
OSEM
Y
4
Y
3202
HTTPS
StorageWorks NAS
Y
4
Y
3257
HTTPS
Rack & Power Manager
Y
4
Y
4095
HTTP
CommandView ESL
Y
4
Y
4096
HTTP
CommandView SDM
Y
4
Y
8000
HTTP
HP Web letAdmin
Y
4
Y
8008
HTTP
Default home page
Y
4
Y
8443
HTTPS
HP Web JetAdmin
Y
4
Y
9990
HTTP
HPOSM Service Application
Y
4
Y
9991
HTTP
OSM Event Viewer
Outbound (out) – Request or response sent from a server is called outbound
16
Inbound (in) – Request or response received by a server is called inbound
1
All ports are for TCP (except ICMP and SNMP).
2
RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and
firewalls may block this port.
3
4
Many CMS outgoing ports are used for discovery.
The exact UDP/TCP ports used by DMI are dynamic and vary from system to system, but they tend to be around 32,780 and
higher.
5
6
50000 port number is configurable in server.xml (see Appendix B: Modifying default ports).
7
50004 port number is configurable in globalsettings.props (see Appendix B: Modifying default ports).
Version Control
This discussion is based on the assumption that the Version Control Repository (VCR) is behind the
firewall with CMS, and likely on the CMS.
Discovering the software available on the managed system requires SNMP over port 161. After
receiving a command to update some component, the system must retrieve the component from the
VCR, which it does using HTTPS over port 2381 to the VCR. To communicate its update status back to
the CMS, the agent uses HTTP over port 280. Additionally, the CMS polls the system for its status
every 15 minutes for up to 2 hours.
Replicate Agent Settings
Replicate Agent Settings require a source system whose configuration is copied and stored at the
CMS for duplicating to other target systems. This function relies on HTTPS traffic via port 2381 and
can operate over the firewall as long as the firewall is configured to pass this traffic.
SSH
SSH is used both locally on the HP SIM central management server and remotely to manage systems
for various tools. Normally, SSH servers listen on TCP port 22. If, for some reason, this must be
changed, the SSH port that HP SIM uses is configurable.
Best Practices
Systems can be made more secure by changing the default settings to the recommended Security
Policies Baselines by ‘Microsoft Security Compliance Manager v. 2.0.20.0’.
Reference:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776
Below are the summary of the steps to be followed:
•
•
•
•
Apply the “Member Server Security Compliance” Baseline Policies for “Windows Server
2008R2Sp1” to the system.
Open the firewall ports as mentioned in Table 3.
Install the pre-requisites required for installing IM DVD.
Install IM DVD.
17
HP Insight Management Installer
The HP Insight Management installer integrates installation of HP management software. The installer
will install or upgrade individual product as well as suites.
•
•
•
•
•
HP Systems Insight Manager Ports
HP System Management Homepage Ports
WMI Mapper
HP Insight Control Licensing and Reports
HP Version Control Repository Manager Ports
HP Insight Control
•
•
•
•
•
•
•
•
HP
HP
HP
HP
HP
HP
HP
HP
Insight Control licensing and reports
Insight Control Performance management Ports
Insight Control Power Management Ports
Insight Control Server Deployment Ports
Insight Control Server Migration Ports
Insight Control Virtual Machine Management Ports
Insight Managed System Setup Wizard
Insight Management Advisor
HP Matrix Operating Environment
•
•
•
•
•
HP Matrix Operating Environment Capacity Planning, Configuration and Workload
Management and HP Insight Capacity Advisor Consolidation Software
HP Matrix Recovery Management Ports
HP Matrix Infrastructure Orchestration Ports
HP Storage Provisioning Manager Ports
HP SPM Storage module
HP Insight Management Installer Ports
Table 4 Ports for HP Insight Management Installer
CMS
2
In
Managed
System
ICMP
Ping
SSH
SSH server (for DTF)
Y
Y
22
Y
Y
161
SNMP (UDP)
SNMP Agent
162
SNMP Trap (UDP)
Trap listener
80
HTTP
standard Web server
280
HTTP
443
HTTPS
standard Web server
1433
TCP
Microsoft SQL Server database
2301
HTTP
2367
RMI
HP SIM RMI connection
Y
Y
4
Y
Y
4
Y
Y
4
Y
Y
3
Description
In
Y
Y
Out
Protocol1
Out
Y
Y
Port
Y
Y
18
Y
Y
2381
Y
HTTPS
5432
ProstgreSQL Server database
Y
Y
5988
HTTP
WBEM service
Y
Y
5989
HTTPS
WBEM service
Y
50000
HTTPS
HP SIM Web server (configurable )
Y
50001
HTTPS
HP SIM SOAP
Y
50002
HTTPS
HP SIM SOAP with client certificate
authentication
Y
50003
HTTP
HP SIM SOAP
50004
HTTPS/HTTP
WBEM event receiver (configurable7)
Y
50005
WBEM
WBEM Events
Y
50006
PostgreSQL
PostgreSQL
Y
50008
SIM JMS
JMS port
Y
50009
SIM JNDI
JNDI port
50010
DMI
50013
RMI
Web Services RMI Loader
50014
JRMP
JRMP Invoker
50015
Pooled invoker
Pooled invoker
Y
Y
Y
Y
5
6
DMI
Y
4
Y
411
HTTP
IBM Director agent
Y
4
Y
1311
HTTPS
Server administrator
Y
4
2069
HTTP
OSEM
Y
4
Y
3202
HTTPS
StorageWorks NAS
Y
4
Y
3257
HTTPS
Rack & Power Manager
Y
4
Y
4095
HTTP
CommandView ESL
Y
4
Y
4096
HTTP
CommandView SDM
Y
4
Y
8000
HTTP
HP Web letAdmin
Y
4
Y
8008
HTTP
Default home page
Y
4
Y
8443
HTTPS
HP Web JetAdmin
Y
4
Y
9990
HTTP
HPOSM Service Application
Y
4
Y
9991
HTTP
OSM Event Viewer
Y
Y
80
TCP
System Discovery1
Y
Y
161
SNMP
PMP/PPA
Y
Y
2381
HTTPS
Y
Y
2301
HTTP
19
Y
Y
443
SSL
1780
Communication with iLO
hpvmmsvc service
Y
Y
69
UDP
PXE Client
Y
Y
1758
UDP
PXE Client
Y
Y
1759
UDP (Multi cast)
PXE Client
Y
Y
67
UDP
PXE Client
Y
Y
68
UDP
PXE Client
Y
Y
4011
UDP
PXE Client
Y
Y
405
TCP
PXEConfig
Y
Y
406
TCP
PXECfg Service
Y
Y
407
TCP
PXE Server and PXE MTFTP
Y
Y
8081
HTTP
DSWeb
Y
Y
8080
HTTP
DSWeb,Console Manager
Y
Y
505
TCP
Win32 console,Axengine,PXEManager
Y
Y
402
TCP/UDP
Agents, PXE Server, Data Manager, PXE
Manager
Y
Y
5001
TCP
Aclient
Y
Y
5002
TCP
Aclient
Y
Y
415
TCP
Remote Client
Y
Y
402
UDP
Deployment Server
Y
Y
401
UDP
Aclient (Wake-on-LAN Proxy)
Y
Y
80
TCP
System Discovery1
Y
Y
161
SNMP
PMP/PPA
162
SNMP (UDP)
SNMP Trap
Y
Y
Y
514
UDP
SYSLOG
Y
16443
HTTPS
XML or SOAP over HTTPS – Operations
Orchestration (OO) GUI to OO Central
Y
50002
HTTPS
SOAP over HTTPS – LSU Controller to HP
SIM and HTTPS HP Systems Insight Manager
SOAP with client certificate
Y
40420
HTTPS
RMI over HTTPS – LSU Controller to VMM
Y
51001
HTTPS
RMI over HTTPS – LSU Controller to LSA
(VSE logical server management)
Y
50000
HTTPS
SOAP over HTTPS – LSU Controller to LSU
Deployment Service connector and HTTPS
HP Systems Insight Manager Web Server
Y
1433
HTTPS
JDBC over TCP – talk via JDBC to SQL
Server and HP Systems Insight Manager
Web Server
50001
HTTPS
HP Systems Insight Manager SOAP
Y
20
Y
Y
Y
Y
Y
Y
HTTPS
HTTPS WBEM, WBEM Service on EVA
Command View Server, BNA port to
connect SPM
5988
HTTP
WBEM service
HTTPS
Used by web agents
2381
Y
20,21
Y
443
Y
Y
Y
Y
Y
Y
2460024616
22
Y
Y
Y
Y
FTP - Used for upload and configuration
backup from CLI
SSL
Graphical User Interface
HTTPS
Used for Web Management Interface
Used by the Distributed Task Facility (DTF)
9143
OpenSSL
Used by Application Discovery
9617,9
618
TCP
Global Workload Manager uses on CMS
280
HTTP
HTTPS
HPSIM Webserver
HTTPS
LSA RMI port
50000
Y
TCP
SSH-2
Y
1
5989
51001
All ports are for TCP and UDP.
configured to block these ports if the CMS is not to be managed from another system. Discovery protocol is configurable
between ICMP or TCP and a configurable port; default is 80.
2
RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and
firewalls may block this port.
3
4
Many CMS outgoing ports are used for discovery.
5
50000 port number is configurable in server.xml (see Appendix B: Modifying default ports).
6
50004 port number is configurable in globalsettings.props (see Appendix B: Modifying default ports).
Ports for HP Systems Insight Manager
Ports for HP Insight Control
Ports for HP Matrix Operating Environment
HP Smart Update Manager Ports
Table 5 HP SUM ports for Windows
CMS
In
2
Managed
System
Port
Protocol1
Description
Out
In
Out
Y
Y
445 and
137/138/1
39
TCP and
UDP
These ports are needed to connect to the remote
ADMIN$ share on target servers (port 137 only if
you are using NetBIOS naming service)
Y
Y
6000060007
SSL
Random ports are used in this range to pass
messages back and forth between the local and
remote systems via SSL
Y
Y
80, 6300063005
HTTPS
Used for passing files to the target and retrieving
the logs via an internal mini-https server. Uses
port 80 if it is available or a random port
between 63000 and 63005 if it is not. Allows
updates of the iLO firmware without the need to
21
access the host server. This will allow servers
running VMWare or other virtualization platforms
to update their iLO without the need to reboot
their server or migrate their VMs to other servers.
1
Y
Y
50116
TCP
This is port is used in CMS
Y
Y
51268
TCP
This port is used in target machine
Y
Y
6100061007
These ports are used from the target server back
to the system running HP Smart Update Manager.
The same mechanism is used by the remote
access code as the 60000 ports, with the first
trial port as 61000. There is no guarantee that
the upper limit is 61007 when a conflict occurs.
For the case of ipv4-only and one NIC, the lowest
available one is used by HP Smart Update
Manager to pass information between processes
on the local workstation where HP Smart Update
Manager is executed, and the next available one
is used to receive messages from remote servers.
Y
62000 and
62001
These ports (or the first two ports available after
62000) are used for internal process
communications on the system running HPSUM on
each target
Y
62286
This port is the default for some internal
communications. It is the listening on the remote
side if there is no conflict. If a conflict occurs, the
next available one is used.
2
Table 6 HP SUM ports for Linux
CMS
In
2
Managed
System
Port
Protocol1
Description
Out
In
Out
Y
Y
22
SSH
This port is needed to establish a connection to
the remote Linux server through SSH
Y
Y
6000060007
SSL
Random ports are used in this range to pass
messages back and forth between the local and
remote systems via SSL
Y
Y
80, 6300063005
HTTPS
Used for passing files to the target and retrieving
the logs via an internal mini-https server. Uses
port 80 if it is available or a random port
between 63000 and 63005 if it is not. Allows
updates of the iLO firmware without the need to
access the host server. This will allow servers
running VMWare or other virtualization platforms
to update their iLO without the need to reboot
their server or migrate their VMs to other servers.
Y
Y
6100061007
These ports are used from the target server back
to the system running HP Smart Update Manager.
The same mechanism is used by the remote
access code as the 60000 ports, with the first
trial port as 61000. There is no guarantee that
the upper limit is 61007 when a conflict occurs.
For the case of ipv4-only and one NIC, the lowest
22
available one is used by HP Smart Update
Manager to pass information between processes
on the local workstation where HP Smart Update
Manager is executed, and the next available one
is used to receive messages from remote servers.
Y
1
Y
62000 and
62001
These ports (or the first two ports available after
62000) are used for internal process
communications on the system running HPSUM on
each target
Y
62286
This port is the default for some internal
communications. It is the listening on the remote
side if there is no conflict. If a conflict occurs, the
next available one is used.
Y
7
ICMP
ICMP Echo Reply/Request is used to determine if
target devices have successfully rebooted or not
2
HP Insight Control for VCenter Ports
This section is based on the assumption that HP Insight Control for VCenter is behind the firewall with
the CMS.
Table 7 Ports for HP Insight Control for VCenter
CMS
In
2
Managed
System
Out
In
Y
Y
Y
1
Protocol1
Description
80
TCP
Discovery
Out
Y
161
SNMP (UDP)
SNMP Agent
Y
162
SNMP Trap
(UDP)
Trap listener
Y
Y
Port
443
SSL
Communication with iLO, HPOA, HPVCM
Common Services default WBEM indications
listening port
Y
Y
50028
HTTPS
Y
Y
50025
HTTPS
Y
Y
50026
TCP/Block
Y
Y
50027
Common Services secondary web port
Y
Y
50029
Common Services secondary WBEM
indications listening web port
Y
5989
HTTPS
Y
5990
HTTPS
Common Services default web port
HTTPS WBEM, WBEM Service on EVA
Command View Server
2
23
HP Onboard Administrator Ports
This section is based on the assumption that HP Onboard Administrator is behind the firewall with the
CMS.
Table 8 Ports for HP Onboard Administrator
CMS
In
2
Managed
System
Out
In
Protocol1
Description
443
SSL
Communication with iLO, HPVCM
Out
Y
1
Port
Y
Y
22
SSH
This port is needed to establish a connection
through SSH
Y
Y
80
HTTP
standard Web server
Y
Y
161
SNMP (UDP)
SNMP Agent
2
HP Virtual Connect Manager Ports
This section is based on the assumption that HP Virtual Connect Enterprise Manager is behind the
firewall with the CMS.
Table 9 Ports for HP Virtual Connect Enterprise Manager
CMS
Port
Protocol1
Description
Y
443
SSL
Graphical User Interface
Y
22
SSH
This port is needed to establish a connection
through SSH using Command line Interface
In
Y
1
2
Managed
System
Out
In
Out
Y
161
SNMP (UDP)
SNMP Agent/Poll
Y
162
SNMP Trap
(UDP)
Trap listener
Y
69
UDP
TFTP- Used for upload and configuration
backup from CLI
Y
20,21
TCP
FTP - Used for upload and configuration
backup from CLI
Y
636
TCP
LDAP Authentication
Y
514
UDP
SYSLOG
Y
1812,1813
UDP
RADIUS server if configured
Y
49
TCP
TACACS server if configured
2
24
Policies required for IM DVD Installation
The following security policies are mandatorily to be enabled before proceeding with the DVD
Installation. If the below policies are enabled and proceed with the installation then DVD installation
will complete successfully.
Table 10 Security Policies required for IM DVD Installation
User rights assignments
Security Options
Why it’s required
Bypass traverse checking
Everyone, LOCAL SERVICE, NETWORK
SERVICE,
For to fetch the details from the IIS server
manager.
Administrators, Users, Backup Operators
Access this computer from the
network
Everyone, Administrators, Users, Backup
Operators
To pass the service credentials screen in
installer
Log on as a service
NT SERVICE\ALL SERVICES, Classic
.NET AppPool, DefaultAppPool
To pass the service credentials screen in
installer
Debug Programs
Administrators
SQL Express 2008 R2 installation
Manage auditing and security
logs
Administrators
SQL Express 2008 R2 installation
Back up files and directories
Administrators, Backup Operators
RDP Installation
Load and unload device
drivers
Administrators
RDP Installation
Restore files and directories
Administrators, Backup Operators
RDP Installation
Take ownership of files or
other objects
Administrators
RDP Installation
Additional policies required for proper operations of the system
Below are the additional polices needed to be enabled for the proper functioning of the system.
Table 11 Additional Policies need to be enabled
User rights assignments
Security Options
Why it’s required
Allow log on locally
Administrators, Account Operators,
Server Operators, Print Operators,
Backup Operators
Determines which users can log on to the
computer
Allow log on through Remote
Desktop Services
Administrators
This security setting determines which
users or groups have permission to log on
as a Remote Desktop Services client.
Force shutdown from a remote
system
Administrators, Server Operators
Shut down the system
Administrators, Server Operators, Print
Operators, Backup Operators
users are allowed to shut down a
computer from a remote location on the
network. Misuse of this user right can
result in a denial of service.
25
users who are logged on locally to the
computer can shut down the operating
system using the Shut Down command.
Misuse of this user right can result in a
denial of service.
Conclusion
This has paper identified various options available for managing HP systems in a secure environment.
The solutions explained here are intended only as a framework for exploring the options. Each system
administrator can and should tailor a solution for his network based on these options.
26
Appendix A: Configuring a separate management network
To configure a separate management network using HP Systems Insight Manager, install HP Systems
Insight Manger on the secondary network by completing the following steps:
1. Configure SNMP to accept packets only from the IP addresses used on the management network,
or bind SNMP to the secondary network interface (if the operating system allows this):
•
On Windows systems:
From the Control Panel, open the Services menu.
Open the Properties for the SNMP Service.
Under the Security tab, add IP addresses to the list of IP Addresses that can accept SNMP
packets.
•
On systems running Linux or HP-UX:
Modify the configuration file snmpd.conf to accept SNMP packets only from the
desired hosts.
Do the same with any other OS service needed on the network.
2. If a firewall is used on the CMS or managed systems, configure the firewall rules to only allow
SNMP WMI and WBEM requests from address in the management network. Use the ports in
Appendix B: Modifying default ports to determine which rules to configure.
3. Configure the HP Insight Management Agents to allow access only from IP addresses on the
management network:
Log into the agent with administrator privileges.
Go to the Settings/Options page, and modify the IP Restricted Logins settings.
4. Configure HP Systems Insight Manager to discover the systems on the secondary network:
In HP Insight Manager, go to Options  Discovery Automatic Discovery.
Add the IP addresses for the systems on the secondary network.
You can disable WMI, WBEM, and DMI on the primary network by configuring a firewall on the
system to disable each of the protocols on the primary NIC. The method of accomplishing this varies
for each firewall.
27
Appendix B: Modifying default ports
To modify the default port 50000 used by HP System Insight Manger to different port, install HP
System Insight Manger and complete the following steps:
1. Modify the default port value to the required port value from the following lines in server.xml
file under <HPSIM_Installed Dir>\jboss\server\hpsim\deploy\jbossweb.deployer
<Connector port="280" scheme="http" protocol="HTTP/1.1" maxThreads="50"
minSpareThreads="5" maxSpareThreads="15" enableLookups="false"
acceptCount="10" debug="0" redirectPort="50000"
connectionTimeout="60000" />
<Connector port="50000" scheme="https" secure="true"
protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200"
minSpareThreads="10" maxSpareThreads="25" enableLookups="false"
acceptCount="10" debug="5" clientAuth="false" URIEncoding="utf-8"
useBodyEncodingForURI="true" compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,tex
t/css" keystoreFile="C:\Program Files\HP\Systems Insight
Manager\config\certstor\hp.keystore"
keystorePass="U6sjMQ0JllhXXCeVioBH" />
Example: To modify the value of port 50000 to <Custom_port_no>,
change port="50000" to port="<Custom_port_no>" and redirectPort="50000"
to redirectPort="<Custom_port_no>"
2. Restart HP System Insight Manager service.
To modify the default WBEM event Receiver port 50004 to a different port, install HP System Insight
Manger and complete the following steps:
1. Unsubscribe to WBEM Events for all the managed nodes which are already subscribed using
default WBEM event Receiver port 50004.
2. Modify the default port value to the required port value in the line
WBEM_Indications_Listener_Port=50004 in globalsettings.props file under
<HPSIM_Installed Dir>\config
Example: To modify the value of port 50000 to <Custom_port_no>,
Change WBEM_Indications_Listener_Port=50004 to
WBEM_Indications_Listener_Port=60004
3. Restart HP System Insight Manager service.
4.
Re-subscribe to WBEM Events.
28
For more information
For additional information, refer to the resources listed below.
Source
Hyperlink
ProLiant server management
http://h18013.www1.hp.com/products/servers/management/index.html
http://www.hp.com/go/hpsim
Understanding HP Systems
Insight Manager Security
http://h10018.www1.hp.com/wwsolutions/misc/hpsimhelpfiles/HPSIM_53_Security.pdf
WBEM Providers for HP SIM
www.hp.com/go/hpwbem/
HP Insight Control
performance management
See the HP Insight Control Environnent User Guide located at
HP WEBM Services for HP-UX
http://h18004.www1.hp.com/products/servers/management/hpsim/downl
oad.html
Integrated Lights-Out 2 (iLO)
www.hp.com/go/ilo
HP OpenView
www.openview.hp.com/
http://www.hp.com/go/insight
Call to action
To help us better understand and meet your needs for ISS technology information, send comments
about this paper to: [email protected].
Technology for better business outcomes
© Copyright 2010, 2012 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical
or editorial errors or omissions contained herein.
481364-005, March 2012

Table of Contents

Transcription

Similar documents

Which two heads are better than one?

Cubee 615 - Maquipesa

Flyer - Indu-Sol

Uxport Tools Flyer.indd - Big Brothers Big Sisters of Canada

Network NPRO database server could not be found

Napoleon Container Terminal

how to use artcut in contour cutter.cdr

Subcutaneous Port Catheter (Port, porta

January 17, 2011 - Village of Port Clements

NMAP - CyberSD