5 Replies Latest reply on Apr 13, 2017 3:24 AM by timothyb

    Application Manager Design Considerations

    Rookie

      Looking for the following information:

      - Network Ports - TCP / UDP ports required for all AppSense components.

      - MS SQL:
          Collation Type – Latin, _CS, _AS etc.
          Instance Type - separate or shared
          Permissions - minimum required permissions for the SQL account.

        • 1. Re: Application Manager Design Considerations
          timothyb SupportEmployee

          For AM, with regards to network ports: this typically isn't required for day to day usage. However, review the AM Product Manual under the Rules Analyzer Prerequisites section for the requirements to enable the RA component. Also review the AM Web Services Configuration Prerequisites section for ports required by the AM Web Service. This is a separate server component, so not an agent port/protocol requirement. Off the top of my head, these are the two components to review.

          AM doesn't directly use a MS SQL Server; that is used by the Management Server and the Environment Manager components. Assuming that you use the Server Configuration Portal, it should set up the correct Collation and Permissions. The permissions required by the Service Account are very specific, therefore I wouldn't alter them after the SCP has set them up.

          • 2. Re: Application Manager Design Considerations
            Rookie

            Thanks timothyb,

            The documentation is not making it easy for us to identify all ports the product and its dependencies utilize, short of analyzing the traffic.

            For instance, in order for the rules analyzer to function, what ports are required to communicate with the endpoint?

            From what I gathered, it looks like these ports need to be open to the endpoint from the AM server:

            SMB - port 139
            RPC - 135
            Named Pipes - 445
            WINRM - 5986 ?

            Also, for DesktopNow server components:

            Configuration - port 7750
            Management - port 7751
            Personalization - port 7771

            Correct?

            In our environment, all endpoints and server components are zoned, so it should be assumed no port flows are opened between all AM / RM components and the endpoints.

            We are looking for something convenient to hand over to the firewall guys to implement.

            I appreciate the feedback.

            • 3. Re: Application Manager Design Considerations
              timothyb SupportEmployee

              I found this old post by Landon (a former Senior Solutions Architect) listing ports:

              Management Center -> Managed Computers Firewall Ports

              However, it appears to be missing the DesktopNow server ports you identified above (7750, 7751, 7771). The above ports can be configured by the administrator during setup. As you can also have multiple instances of the Management Server and Personalization Server, these port numbers can increment with each instance. You will be able to see this within the SCP when you configure the new instances.

              I'll see if the Pro Services have a predefined list of ports for configuring firewall rules. If they do, I'll generate a knowledge article if one doesn't already exist.

              • 4. Re: Application Manager Design Considerations
                timothyb SupportEmployee

                I've had a quick response back from a couple of members of the Pro Service team. The following was provided:

                | Component | Version | Port | Source | Destination | Communication |
                |---|---|---|---|---|---|
                | AppSense CCA | 8.x / 10.x | HTTP(s) 80 / 443 (8.x); HTTP(s) 80 / 443 / 7751 (10.x) | Endpoints | AppSense Servers | One way |
                | AMC Poll Now/Client Deployment | 8.x, 10.x | TCP 135, TCP 139, TCP 445 | AppSense Servers | Endpoints | One way |
                | AMC Transfer (BITS) | 8.x, 10.x | BITS | AppSense Servers | Endpoints | One way |
                | EM Agent | 8.x / 10.x | HTTP(s) 80 / 443 (8.x); HTTP(s) 80 / 443 / 7771 (10.x) | Endpoints | AppSense Servers | One way |
                | AMC & PS Configuration Portal | 10.x | HTTP(s) 7750 | Administrative Endpoints | AppSense Servers | One way |
                | Insight - Client Communication | 10.x | TCP 80, TCP 443 | Endpoints | Insight Appliance | One way |
                | Insight - DNS resolution | 10.x | UDP 53 | Insight Appliance | DNS | |
                | AM Rules Analyser | 8.x, 10.x | TCP 139, TCP 445, UDP 137, UDP 138, ICMP | AM Console | Endpoints | One way |
                | AMC Server Configuration Portal | 10.x | HTTP(s) 80 / 443 / 7750 | Administrative Endpoints | AppSense Management Servers | One way |
                | SQL Replication | | SQL 1433 | SQL Servers | SQL Servers | Bidirectional |
                | Management Servers | | SQL 1433 | AppSense Servers | SQL Servers | One way |
                | SQL Mirroring | | <DBA Defined> | SQL Servers | SQL Servers | Bidirectional |
                | DataNow - SMTP Relay | 4.x | TCP 25 (SMTP) | DataNow Appliance | Internal SMTP Email | One way* |
                | DataNow - AD/LDAP Auth | 4.x | TCP 389 (LDAP) | DataNow Appliance | LDAP/AD | Bidirectional* |
                | DataNow - Datastore Comms | 4.x | TCP 445 (SMB/CIFS) | DataNow Appliance | File Stores | Bidirectional* |
                | DataNow - Client Communication | 4.x | TCP 443 | Endpoints | DataNow Appliance | Bidirectional* |
                | DataNow - Web Administration | 4.x | TCP 8443 (SSL) | Administrative Endpoint | DataNow Appliance | One way* |
                | DataNow - DNS | 4.x | UDP 53 | DataNow Appliance | DNS | |

                DataNow 4.x - Additional Ports

                The following additional ports can be enabled if required.

                UDP 137 - If you enable Windows Internet Name Service (WINS) configuration at the appliance because your infrastructure is dependent upon it, you must open UDP 137 from the DataNow appliance to the configured WINS server.

                TCP 8000 - Open this port if you require the AppSense Support service.

                TCP 8001 - Open this port if you require the Network Load Balancing health check.

                TCP/UDP 88 - If the DataNow appliance is located in a secured DMZ, you must open port 88 in order for Kerberos Authentication to work.
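                As an added example (not from this thread or from AppSense), the endpoint-side half of the table above expressed as Windows Firewall rules: the inbound AMC Poll Now and Rules Analyser ports are allowed only from the AppSense server and AM Console addresses rather than from any host, and the endpoint-to-server flows are checked from the endpoint. The server addresses are constructed placeholders, and 7751/7771 are assumed to be the defaults shown in the table (they are configurable in the SCP, as noted above).

                ```powershell
                # Added example, not part of the thread: scope the endpoint-side inbound
                # rules from the port table to the AppSense server addresses only.
                # The addresses below are constructed placeholders; replace them with
                # the real AppSense Management servers and AM Console hosts.
                $AppSenseServers = @('10.0.10.11', '10.0.10.12')   # placeholder AMC servers
                $AmConsoles      = @('10.0.20.5')                   # placeholder AM Console host

                # AMC Poll Now / Client Deployment: TCP 135, 139, 445, AppSense Servers -> Endpoints
                New-NetFirewallRule -DisplayName 'AppSense AMC Poll Now (TCP 135/139/445)' `
                    -Direction Inbound -Protocol TCP -LocalPort 135,139,445 `
                    -RemoteAddress $AppSenseServers -Profile Domain -Action Allow

                # AM Rules Analyser: TCP 139/445, UDP 137/138 and ICMP, AM Console -> Endpoints
                New-NetFirewallRule -DisplayName 'AppSense Rules Analyser (TCP 139/445)' `
                    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
                    -RemoteAddress $AmConsoles -Profile Domain -Action Allow
                New-NetFirewallRule -DisplayName 'AppSense Rules Analyser (UDP 137/138)' `
                    -Direction Inbound -Protocol UDP -LocalPort 137,138 `
                    -RemoteAddress $AmConsoles -Profile Domain -Action Allow
                New-NetFirewallRule -DisplayName 'AppSense Rules Analyser (ICMPv4 echo)' `
                    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
                    -RemoteAddress $AmConsoles -Profile Domain -Action Allow

                # Verify the Endpoints -> AppSense Servers flows (CCA on 10.x: 80 / 443 / 7751)
                # from the endpoint side, so the firewall team gets a concrete pass/fail list.
                foreach ($srv in $AppSenseServers) {
                    foreach ($port in 80, 443, 7751) {
                        $r = Test-NetConnection -ComputerName $srv -Port $port -WarningAction SilentlyContinue
                        '{0}:{1} TcpTestSucceeded={2}' -f $srv, $port, $r.TcpTestSucceeded
                    }
                }
                ```

                Run it in an elevated PowerShell session on a domain-joined endpoint; the rules use the Domain profile only, so they do not apply when the machine is on a public or private network.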

                • 5. Re: Application Manager Design Considerations
                  timothyb SupportEmployee

                  I've generated several documents for DesktopNow firewall rules. The Application Control document can be found here and links to the other products. These will be awaiting their respective community owner's approval: Network Ports used by Application Control (formerly Application Manager)