6 replies Latest Post - ‏2012-12-04T13:55:15Z by MaksKowalik
SystemAdmin
340 Posts

Pinned topic ILMT 7.5 : Source Port Agent & Console

‏2012-10-04T08:22:47Z |
Dear Support

We are using ILMT 7.5. The customer would like to define a firewall policy between the agent/console and the ILMT server. Due to the security issue, they want to know the source port of the agent and console as well. The documentation only talks about the server ports.
Is there any way to define the source port for the ILMT agent and console?

Is the source port a random port or a fixed port?
Updated on 2012-12-04T13:55:15Z at 2012-12-04T13:55:15Z by MaksKowalik
  • NHV2_Jan_Marszalek
    42 Posts

    Re: ILMT 7.5 : Source Port Agent & Console

    ‏2012-10-04T16:34:03Z  in response to SystemAdmin
    There is in fact one server port to be added: 16311 (in a basic configuration, you will need to access only this one).

    For agents, there are by default 3 ports to be added to the firewall: 9988, 9977, 9999. They can be changed for each agent during installation.

    In the simple case, if you have only the basic security level between agent and server, you need to add only 16311 (for the Web UI) and 9988 (for agent-server communication).
  • SystemAdmin
    340 Posts

    Re: ILMT 7.5 : Source Port Agent & Console

    ‏2012-10-05T03:08:12Z  in response to SystemAdmin
    Dear Support

    The ports you have suggested are the server ports, right? One for the console connection and another for the agent connection.

    Agent( Port X) ===> ILMT Server ( Port 9999 )
    Console( Port Y ) ====> ILMT Server ( Port 16311 )

    I want to know what is X and Y actually.
    • MaksKowalik
      78 Posts

      Re: ILMT 7.5 : Source Port Agent & Console

      ‏2012-10-05T10:55:56Z  in response to SystemAdmin
      Hi,

      It's not possible to tell the values of X or Y as they are allocated dynamically by the operating system. What's more, it can happen that the console will open multiple TCP connections. This is how it looks on my desktop:

      Every 1.0s: netstat -an|grep 16311 Fri Oct 5 12:45:43 2012

      tcp 1 1 9.167.27.236:57169 9.156.46.34:16311 LAST_ACK
      tcp 0 0 9.167.27.236:57184 9.156.46.34:16311 ESTABLISHED
      tcp 0 0 9.167.27.236:57185 9.156.46.34:16311 ESTABLISHED
      tcp 0 0 9.167.27.236:57182 9.156.46.34:16311 ESTABLISHED
      tcp 0 0 9.167.27.236:57181 9.156.46.34:16311 ESTABLISHED
      tcp 0 0 9.167.27.236:57180 9.156.46.34:16311 ESTABLISHED
      tcp 0 0 9.167.27.236:57183 9.156.46.34:16311 ESTABLISHED
      Best regards,
      Maks Kowalik


      The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
      • SystemAdmin
        340 Posts

        Re: ILMT 7.5 : Source Port Agent & Console

        ‏2012-12-04T13:24:08Z  in response to MaksKowalik
        But what about scheduling scan jobs or configuring things for which the server needs to talk to the agent, i.e. a server-initiated connection towards the agent?
        Which ports should be open in the firewall at the agent end?
        Server -----> Agent

        9988 is listening at the server end for the agent to submit/communicate. But what's the vice versa, when the server initiates a connection and wants to connect with the agent?
        • MaksKowalik
          78 Posts

          Re: ILMT 7.5 : Source Port Agent & Console

          ‏2012-12-04T13:55:15Z  in response to SystemAdmin
          Hi,

          There's no "vice-versa". The server is unable to connect to the agent. Scan scheduling or agent configuration works the following way:
          • the user changes some params (scan periods, excluded directories, agent-to-scangroup assignment etc.)
          • these new values are stored in the server's database
          • the agent CONTACTS the server and executes an operation called DownloadParameters
          • during this DownloadParameters the agent reads the values
          • according to what the agent has just read during DownloadParameters, it adjusts its schedules, enables/disables some services etc.

          So, there's no need to open any port for communication initiated from the server side.

          Best regards,
          Maks Kowalik

          The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
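
Added example (not part of the thread and not IBM code): a small parser for `netstat -an` lines in the layout quoted above, which groups connections by the fixed server port and collects the varying client source ports, then derives one rule per flow keyed on the destination port only. The sample lines, the documentation-range addresses and the `allow tcp ...` rule notation are constructed for illustration; the port numbers 16311 and 9988 are the defaults named in the thread.

```python
from collections import defaultdict

# Server-side listening ports named in the thread (defaults, changeable at install).
ILMT_SERVER_PORTS = {16311: "console (Web UI)", 9988: "agent-server"}

# Constructed sample in the netstat layout shown in the thread (not real capture data).
SAMPLE = """\
tcp 0 0 192.0.2.10:57184 198.51.100.5:16311 ESTABLISHED
tcp 0 0 192.0.2.10:57185 198.51.100.5:16311 ESTABLISHED
tcp 1 1 192.0.2.10:57169 198.51.100.5:16311 LAST_ACK
tcp 0 0 192.0.2.20:40112 198.51.100.5:9988 ESTABLISHED
tcp 0 0 0.0.0.0:9988 0.0.0.0:* LISTEN
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def summarise(netstat_text):
    """Map (client_ip, server_ip, server_port) -> sorted client source ports."""
    flows = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] == "LISTEN":
            continue  # skip headers, non-TCP lines and listening sockets
        lhost, lport = split_endpoint(fields[3])
        rhost, rport = split_endpoint(fields[4])
        if not (lport.isdigit() and rport.isdigit()):
            continue
        if int(rport) in ILMT_SERVER_PORTS:    # output taken on the client side
            flows[(lhost, rhost, int(rport))].add(int(lport))
        elif int(lport) in ILMT_SERVER_PORTS:  # output taken on the server side
            flows[(rhost, lhost, int(lport))].add(int(rport))
    return {key: sorted(ports) for key, ports in flows.items()}

def firewall_rules(flows):
    """One rule per flow: any source port, fixed destination port (generic notation)."""
    return [f"allow tcp {c}:any -> {s}:{p}  # {ILMT_SERVER_PORTS[p]}"
            for (c, s, p) in sorted(flows)]

if __name__ == "__main__":
    flows = summarise(SAMPLE)
    for key, ports in flows.items():
        print(key, "source ports seen:", ports)
    print("\n".join(firewall_rules(flows)))
```

Every flow is reported as client towards server, whichever side the output was captured on, so no rule is produced for traffic initiated from the server side.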
  • SystemAdmin
    340 Posts

    Re: ILMT 7.5 : Source Port Agent & Console

    ‏2012-10-05T11:24:46Z  in response to SystemAdmin
    Dear Support

    Thank you very much for your clarification.