Dear KS Soft,
We have been using HostMonitor 6.82 and RMA agents 3.44. The RMA agents perform the tests within other domains, which works fine. We are experiencing a lot of problems with monitoring servers within our DMZ, which have different VLANs and different firewalls. Within the DMZ we use 2 RMA agents to perform the tests, but when accessing a different VLAN the tests have to go through another firewall. Within our DMZ network it is not an option to say open all TCP ports above 1024. Is it possible to give me an overview with test items and used ports?
Regards,
Gerhard
Monitor servers behind firewalls
Re: Monitor servers behind firewalls
Gerhard wrote:
Within our DMZ network it is not an option to say open all TCP ports above 1024. Is it possible to give me an overview with test items and used ports?
Not sure this information helps you. HostMonitor uses standard ports and protocols because it checks standard services and servers. Everything depends on the tests that you want to implement. For instance, the URL test uses port 80 (HTTP) or 443 (HTTPS). SMTP and POP3 tests use ports 25 and 110 respectively. The SNMP test requires port 161, etc.
Windows RPC calls may use any port above 1023.
HostMonitor uses Windows RPC for the following test methods:
- nt eventlog test
- services test
- performance counter test
- cpu usage
- WMI test
HostMonitor uses Windows network client calls to perform the following tests:
- drive free space
- folder/file size
- count files
- file integrity
- text log
- compare file, etc.
This means the port and protocol depend on the network client that you are using. E.g. NETBIOS uses ports 137-139.
Probably, you have to try to install "Active RMA" in the different VLANs. "Active RMA" was introduced in version 7.0 and works slightly differently from "Passive RMA". Active RMA does not wait for a TCP connection from HostMonitor like the regular RMA (now called Passive RMA). Active RMA itself establishes the connection with HostMonitor and RMA Manager. This allows you to install RMA inside a private network protected by a firewall without the necessity to open any TCP port (Passive RMA requires 1 open TCP port). Active RMA also allows you to monitor a system that does not have a fixed IP address, e.g. a system that connects to the network using a temporary dial-up connection.
http://www.ks-soft.net/hostmon.eng/rma- ... iverma.htm
Regards,
Max
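An added example, not part of the original thread and not KS-Soft code: a Python planner that turns a list of planned tests into a per-host firewall allow-list using the ports named in the reply above, and flags the Windows RPC based tests, which have no fixed port, to be run from an RMA agent inside the same VLAN. The test-method keys, VLAN names and host names are hypothetical, and the TCP/UDP assignments are the standard ones rather than something stated in the thread.

```python
from collections import defaultdict

# Ports are the ones named in the thread; tcp/udp are the standard assignments
# (an assumption added here). Method keys are hypothetical labels.
STATIC_PORTS = {
    "url_http": [("tcp", 80, 80)],
    "url_https": [("tcp", 443, 443)],
    "smtp": [("tcp", 25, 25)],
    "pop3": [("tcp", 110, 110)],
    "snmp": [("udp", 161, 161)],
    "file_netbios": [("udp", 137, 138), ("tcp", 139, 139)],  # file/folder tests
}
# Tests the thread lists as Windows RPC based: any port above 1023 may be used.
RPC_TESTS = {"nt_eventlog", "services", "performance_counter", "cpu_usage", "wmi"}

def merge(ranges):
    """Collapse overlapping or adjacent (proto, low, high) port ranges."""
    merged = []
    for proto, low, high in sorted(ranges):
        if merged and merged[-1][0] == proto and low <= merged[-1][2] + 1:
            merged[-1] = (proto, merged[-1][1], max(high, merged[-1][2]))
        else:
            merged.append((proto, low, high))
    return merged

def plan(tests):
    """tests: (vlan, host, method) tuples -> per-VLAN allow-list and RPC hosts."""
    result = defaultdict(lambda: {"allow": defaultdict(list), "rma_in_vlan": set()})
    for vlan, host, method in tests:
        if method in RPC_TESTS:
            result[vlan]["rma_in_vlan"].add(host)  # no fixed port to permit
        elif method in STATIC_PORTS:
            result[vlan]["allow"][host].extend(STATIC_PORTS[method])
        else:
            raise ValueError(f"unknown test method: {method}")
    return {
        vlan: {
            "allow": {h: merge(r) for h, r in entry["allow"].items()},
            "rma_in_vlan": sorted(entry["rma_in_vlan"]),
        }
        for vlan, entry in result.items()
    }

# Constructed sample input: VLAN and host names are made up for illustration.
SAMPLE = [
    ("vlan10", "web01", "url_http"), ("vlan10", "web01", "url_https"),
    ("vlan10", "web01", "file_netbios"), ("vlan20", "mail01", "smtp"),
    ("vlan20", "mail01", "pop3"), ("vlan20", "dc01", "nt_eventlog"),
]
```

Calling `plan(SAMPLE)` returns, per VLAN, the merged port ranges to permit for each host and the hosts whose tests need an agent inside that VLAN.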
Normally, in well-secured firewall configurations, access lists within DMZs are very restrictive. Even if they are in the same subnet or VLAN, traffic flow is denied by default unless explicitly permitted.
If you would like to avoid opening multiple ports, the best option would be to install an RMA agent on each monitored host within the DMZs. This might cost you a bit, but it is worth the hassle.