Monitor servers behind firewalls

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
Gerhard
Posts: 26
Joined: Mon Oct 16, 2006 8:25 am

Monitor servers behind firewalls

Post by Gerhard »

Dear KS Soft,

We have been using HostMonitor 6.82 and RMA agents 3.44. The RMA agents perform the tests within other domains, which works fine. We are experiencing a lot of problems with monitoring servers within our DMZ, which have different VLANs and different firewalls. Within the DMZ we use 2 RMA agents to perform the tests, but when accessing a different VLAN the tests have to go through another firewall. Within our DMZ network it is not an option to say open all TCP ports above 1024. Is it possible to give me an overview of test items and used ports?

Regards,

Gerhard
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Re: Monitor servers behind firewalls

Post by KS-Soft Europe »

Gerhard wrote: Within our DMZ network it is not an option to say open all TCP ports above 1024. Is it possible to give me an overview of test items and used ports?

Not sure this information helps you. HostMonitor uses standard ports and protocols because it checks standard services and servers. Everything depends on the tests that you want to implement. For instance, the URL test uses port 80 (HTTP) or 443 (HTTPS). SMTP and POP3 tests use ports 25 and 110 respectively. The SNMP test requires port 161, etc.

Windows RPC calls may use any port above 1023.
HostMonitor uses Windows RPC for the following test methods:
- nt eventlog test
- services test
- performance counter test
- cpu usage
- WMI test

HostMonitor calls the Windows network client to perform the following tests:
- drive free space
- folder/file size
- count files
- file integrity
- text log
- compare file, etc.
This means the port and protocol depend on the network client that you are using. E.g. NETBIOS uses ports 137-139.

Probably, you have to try to install "Active RMA" into the different VLANs. "Active RMA" was introduced in version 7.0 and works slightly differently from "Passive RMA". Active RMA does not wait for a TCP connection from HostMonitor like regular RMA (now called Passive RMA). Active RMA itself establishes the connection with HostMonitor and RMA Manager. This allows you to install RMA inside a private network protected by a firewall without the need to open any TCP port (Passive RMA requires 1 open TCP port). Active RMA also allows you to monitor a system that does not have a fixed IP address, e.g. a system that connects to the network using a temporary dial-up connection.
http://www.ks-soft.net/hostmon.eng/rma- ... iverma.htm

Regards,
Max
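The port breakdown in the reply above can be turned into a least-privilege firewall plan. The following is an added example, not part of the original posts and not KS-Soft code: it separates tests that map to a fixed port from those the reply says cannot be pinned to one. The method keys and the agent and host names are hypothetical labels, and the sample test list is constructed.

```python
# Added example. Port data is taken from the thread; the method keys and the
# agent/host names are hypothetical labels, not HostMonitor identifiers.
FIXED_PORTS = {
    "url_http": [("tcp", 80)],
    "url_https": [("tcp", 443)],
    "smtp": [("tcp", 25)],
    "pop3": [("tcp", 110)],
    "snmp": [("udp", 161)],  # SNMP agents listen on UDP
}
RPC_TESTS = {"nt_eventlog", "services", "performance_counter", "cpu_usage", "wmi"}
FILE_TESTS = {"drive_free_space", "folder_file_size", "count_files",
              "file_integrity", "text_log", "compare_file"}


def plan(tests):
    """Split (agent, target, method) tuples into firewall rules and leftovers.

    Returns (rules, relocate): rules are de-duplicated (agent, target, proto,
    port) allow entries; relocate lists tests with no single fixed port, which
    are candidates for an agent inside the target's own VLAN.
    """
    rules, relocate = set(), []
    for agent, target, method in tests:
        if method in FIXED_PORTS:
            rules.update((agent, target, proto, port)
                         for proto, port in FIXED_PORTS[method])
        elif method in RPC_TESTS:
            relocate.append((target, method, "Windows RPC, any port above 1023"))
        elif method in FILE_TESTS:
            relocate.append((target, method, "network client, e.g. NetBIOS 137-139"))
        else:
            raise ValueError(f"unknown test method: {method}")
    return sorted(rules), relocate


# Constructed sample: one agent testing hosts in another VLAN.
SAMPLE = [
    ("rma-dmz1", "web01", "url_https"),
    ("rma-dmz1", "web01", "url_https"),  # second URL test, same rule
    ("rma-dmz1", "mail01", "smtp"),
    ("rma-dmz1", "mail01", "pop3"),
    ("rma-dmz1", "sw01", "snmp"),
    ("rma-dmz1", "web01", "cpu_usage"),
    ("rma-dmz1", "web01", "drive_free_space"),
]

if __name__ == "__main__":
    rules, relocate = plan(SAMPLE)
    for agent, target, proto, port in rules:
        print(f"allow {agent} -> {target} {proto}/{port}")
    for target, method, why in relocate:
        print(f"no fixed port: {method} on {target} ({why})")
```
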
V Arun
Posts: 52
Joined: Sun Apr 11, 2004 11:17 pm

Post by V Arun »

Normally, in well-secured firewall configurations, access-lists within DMZs are very restrictive. Even if they are in the same subnet or VLAN, traffic flow is denied by default unless explicitly permitted.

If you would like to avoid opening multiple ports, the best option would be to install an RMA agent on each monitored host within the DMZs. This might cost you a bit, but it is worth the hassle.
losisoft
Posts: 43
Joined: Fri Mar 21, 2008 4:02 am

Post by losisoft »

I agree. Install the agent in the DMZ network, and test it from there. That's the easiest. And you only need to open a port to one machine.