HP Insight Remote Support Advanced and Remote Device Access Software Version: A.05.
Security Overview

Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software.
Contents

Security Overview .... 1
Contents .... 3
About This Document .... 8
Publishing History .... 8
Document Organization .... 8
Related Documents .... 9
Executive Overview .... 10
HP Insight Remote Support Advanced .... 11
List of Components .... 12
Architectural Overview .... 12
General Security Measures .... 13
Application Security .... 13
Outbound Security .... 14
Inbound Security .... 14
Data Security .... 14
Data Collection and Privacy .... 14
Data Sent to HP .... 15
HP Data Storage and Retention Policy .... 16
Data Privacy .... 16
Communication Protocol
Remote Support Client .... 22
Installation and Setup .... 22
Data Collection and Storage .... 23
User Interface - Integration with HP SIM .... 23
HP Transport Security .... 24
Communication with HP Data Center .... 24
Automated Connections to HP .... 24
Redundant HP Data Centers .... 25
Global Server Load Balancing (GSLB) .... 25
Firewall/Port Requirements for RSC and RSSWM .... 25
How Do I Know That I Am Connecting to HP? .... 26
How Do I Verify Connectivity to Each Data Center? .... 26
Remote Support data center
Remote Device Access (RDA) .... 37
Executive Overview .... 37
Service Description .... 37
Service Value .... 38
Authentication .... 38
Access Control Overview .... 38
Secure Communications .... 38
Unattended RDA Using SSH .... 39
Customer Access System (CAS) .... 39
Customer-owned CASii .... 39
Virtual CAS .... 40
HP Instant Customer Access Server (iCAS) .... 41
Access Control Details .... 42
Access control on the HP side .... 42
Access control on the customer side .... 43
Connectivity Method: SSH-Direct – Secure Shell over I
Signature Checking .... 53
CRL Checking .... 54
Self-Signed Certificates .... 55
Summary of Network Ports for Standard Operating System Connectivity .... 56
Standard Operating System Network Ports .... 56
Summary of Network Ports for Servers .... 58
Central Management Server (CMS) .... 58
HP-UX Managed Systems .... 60
Integrity Linux Managed Systems .... 61
Integrity Windows Server 2003 Managed Systems .... 62
Integrity Windows Server 2008 Managed Systems .... 63
Multivendor and Application Adapter (MVAA) .... 65
Non
SAN Managed Systems .... 82
SAN Switch Managed Systems .... 83
Revision History for Insight Remote Support Advanced Network Ports .... 84
A.05.40 .... 84
A.05.50 .... 84
A.05.60 .... 84
A.05.70 .... 86
Summary of Network Ports for Remote Device Access .... 87
Customer Access System (CAS) .... 87
Additional Ports for Virtual CAS .... 89
Additional Ports for iCAS .... 90
Additional Ports for P9000/XP Storage Array .... 91
hpVPN .... 92
Revision History for Remote Device Access Network Ports .... 93
Virtual CAS 8.
About This Document

Publishing History

Manufacturing Part Number | Edition Number | Publication Date
5992-5383 | 1.3 | August 2009
5900-0564 | 2.0 | January 2010
5900-0564 | 2.1 | May 2010
5900-0566 | 3.0 | August 2010
5900-1610 | 4.0 | April 2011
5900-1735 | 5.0 | October 2011
 | 6.0 | October 2012
 | 6.1 | January 2013
 | 6.2 | January 2013
 | 6.3 | January 2013
 | 6.
Security Overview About This Document

Related Documents
- HP Systems Insight Manager Installation and Configuration Guide for Microsoft® Windows
  This document provides information about installing, configuring, and using HP Systems Insight Manager on supported Windows systems. This guide includes an introduction to basic concepts, definitions, and functionality associated with HP Systems Insight Manager. Refer to http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.
Chapter 1 Executive Overview

Today’s IT department plays a central role in meeting business objectives. Leveraging your IT infrastructure investments and improving overall system availability and utilization are crucial in today’s business environment. HP Insight Remote Support Advanced simplifies the management of highly diverse IT environments by providing a single remote monitoring and support solution for multiple operating systems and technologies, thereby reducing cost and complexity.
Chapter 2 HP Insight Remote Support Advanced

This chapter provides an overview of the security features available in HP Insight Remote Support Advanced. Insight Remote Support Advanced is designed to collect reactive and proactive event data from servers and storage devices using the various network protocols described in this paper.
Security Overview Chapter 2: HP Insight Remote Support Advanced

List of Components
The installation of HP Systems Insight Manager and HP Insight Remote Support Advanced provides several software components, which include:
- HP Remote Support Software Manager (RSSWM)
- Remote Support Client
- Remote Support Common Components (MC3)
- Remote Support Eligible Systems List
- Web-Based Enterprise Services (WEBES)
- Event Log Monitoring Collector (ELMC)
- Remote Support Configuration Collector (RSCC)
The CMS communicates with agents running on the managed systems. Events are processed and filtered, and qualified events are forwarded to HP for further diagnostic analysis. Events that require attention, such as disk failures, trigger action from an HP support specialist.
Outbound Security
Because HP SIM and Insight Remote Support Advanced collect event information from all monitored servers inside the customer’s IT environment, external firewalls only need to be configured to allow outbound HTTPS connections between the CMS and the HP data center. Details of the connection requirements are provided later in this document.
Data Sent to HP
For event monitoring, the information collected and transmitted to HP may include:
- Hardware model number
- Hardware serial number
- Operating system version
- IP address
- Fully qualified domain name (FQDN)
- Failing device configuration information
- Failing device firmware information
- Hardware event information; for example, a failed power supply or temperature readings
- Memory configuration information
HP Data Storage and Retention Policy
Customer data is stored in a physically secure data center located in Austin, Texas; Houston, Texas; or Atlanta, Georgia (USA). The data is stored across encrypted and unencrypted databases. Physical and logical access to the systems hosting these databases is restricted to HP IT data center personnel and HP Support teams.
HTTPS is HTTP with SSL or TLS encryption for security. All communications between the Central Management Server and the HP Remote Support Data Center are carried out over HTTPS. HTTPS is also used for the marshalling and transfer of collected device data between the CMS and the managed systems. HTTPS typically uses TCP port 443, but other services, like STE and WEBES, may specify a different port number for HTTPS communications.
- SSL and TLS
  The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer protocols which provide data encryption and authentication. TLS is an updated version of SSL v3. SSL and TLS use X.509 certificates, also known as “digital” certificates, for authentication.
test an Internet connection. ICMP is used in the RSCC system to discover devices on the network and to verify that a monitored system is ready to communicate.
- IP
  IP (Internet Protocol) is a network-layer protocol that moves datagrams through an interconnected set of networks. IP does not guarantee delivery of datagrams and provides no security. Data may be lost, received out-of-order, or even duplicated.
The BSD system logging protocol, syslog, is an unencrypted protocol for transmitting system log messages and is described in RFC 3164. Syslog has been assigned UDP port 514, but many implementations allow TCP communications for a more reliable transmission of data. Alternate ports may also be used.
- TCP
  Transmission Control Protocol (TCP), or IP protocol 6, is a transport-layer protocol that provides reliable in-order delivery of data.
install Microsoft SQL Server 2008 R2 Express Edition if no other version of SQL Server is already installed. The WEBES installation automatically installs the PostgreSQL database.
Note: WEBES uses PostgreSQL 8.4.1. HP SIM uses Microsoft SQL Server 2008 R2 Express Edition. PostgreSQL uses port 7950 instead of the default 5432.
Installation Package Security
Software applications downloaded from HP are stored in the Installers directory, typically located at: \Installers\. MD5 checksums are used to verify that the installation files have not been modified since they were packaged at HP. During installation of HP SIM, a SIM administrator user is configured. The RSSWM agent sets up the HP RSSWM-SIM Context Service during agent installation.
authentication data in the client interface. The proxy password is encrypted via 128-bit AES encryption and stored on the file system in the folder: \config. The AES key itself is compiled into the client service executable.
Note: Insight Remote Support Advanced supports connecting directly to the Internet or connecting through a proxy server, and supports all proxy servers conforming to the HTTP/1.0 Specification.
HP Transport Security
The Insight Remote Support Client uses a VeriSign CA signed server-side X.509 certificate for authentication and confidentiality of Insight Remote Support Advanced data in transit between the CMS and the HP Remote Support Data Center. When initial setup is complete, the Remote Support Client will register itself with the HP Data Center.
to verify that communication with HP is functioning properly. Missing ‘Heartbeats’ are only acted upon for customers where this is a contractual deliverable. Currently, this is limited to customers who have purchased either a Mission Critical or a Mission Critical Partnership contract.
How Do I Know That I Am Connecting to HP?
You may have concerns, especially during this transition time, that RSC and RSSWM are actually connecting to HP and not an impostor. Both RSC and RSSWM use SSL with certificates that can be verified by VeriSign. Both clients verify the HP data center certificates using either the VeriSign Certification Authority (CA) or the HP Class 2 CA certificate.
Utilize standard network protocols such as SNMP and WBEM to get attributes from the endpoint device, for example operating system type and version, kernel parameters, and installed software. This information is then used to deliver as many remote support services as possible. Non-privileged, system-specific access credentials are usually used; that is, the customer need not divulge administrator or root passwords.
systems as the RSE list; however, enabling Remote Support event submission only happens through the Remote Support Systems List, not the RSE List.
- Web-Based Enterprise Services (WEBES)
  WEBES is a set of service tools, specifically WEBES Director, WEBES Common Components, and System Event Analyzer, that run on the HP SIM CMS with Insight Remote Support Advanced installed.
- Event Log Monitoring Collector (ELMC)
  The Event Log Monitoring Collector (ELMC), formerly known as WCCProxy, is included with WEBES in some cases and downloaded separately in others. The platform-specific functionality to interface with the operating system and with certain other service tools is contained in the ELMC. It provides error condition detection on the managed endpoint system on which it is installed.
Remote Support Network Component Port Usage

IP Protocol | Port | Protocol | Notes
TCP | 23 | Telnet |
TCP | 80 | HTTP |
TCP | 135 | epmap |
TCP | 139 | NetBIOS |
TCP | 445 | NetBIOS |
TCP | 1024-65535 | | The Windows NetBIOS RPC mechanism negotiates ports in this range via TCP port 135 (epmap).
UDP | 69 | TFTP |
UDP | 137 | NetBIOS |
UDP | 138 | NetBIOS |
UDP | 161 | SNMP |
UDP | 162 | SNMP TRAP |
- Binary Event Log Data
  The System Event Analyzer component of WEBES monitors binary event logs. These events are collected by the Event Log Monitoring Collector (ELMC) client that is installed on the end point device. A persistent connection is established from WEBES on the CMS to ELMC on the managed device, and events are sent across a socket connection as they are detected.
devices is collected as well. Finally, protocol credentials are captured (SNMP community strings, WBEM usernames and passwords, Command View usernames and passwords). All of this information is stored in the WEBES database on the CMS. The entitlement, site, and contact information is sent to HP when an incident is created. The passwords are encrypted in the database using 128-bit AES encryption.
Proactive Configuration Collection Components Installed on the CMS
- Remote Support Configuration Collector (RSCC)
  The Remote Support Configuration Collector (RSCC) schedules and consolidates configuration information collections from entitled servers and devices using standard collection agents (Level 2 collectors) like WBEM and SNMP. It can also collect information using proprietary agents (Level 3 collectors) like the HP-UX ACC (Advanced C
Security Credentials

Digital Certificates
Certificates generated by HP Systems Insight Manager and the Web Agents are by default self-signed. Public Key Infrastructure (PKI) support is provided so that certificates may be signed by an internal certificate server or a third-party Certificate Authority (CA).
in the Microsoft® Windows® domain. An account that cannot authenticate against the operating system cannot be used to sign in to HP SIM or Insight RSA.
in and sign out, and so on. Tools by default are configured to log results in the Windows system audit log. Proper security precautions should be taken to prevent users from modifying the tool definition files to defeat the default security auditing.

Command-line Interface
Much of HP Systems Insight Manager and Insight Remote Support Advanced functionality can be accessed through the command line.
Chapter 3 Remote Device Access (RDA)

Executive Overview
Remote Device Access (RDA) is a support solution that enables the delivery of HP remote support services over the Internet or other connectivity methods. Today, many security-sensitive transactions, such as e-commerce, stock trades, and online banking, are executed securely over the Internet using the same security technology utilized in RDA by HP.
Security Overview Chapter 3: Remote Device Access (RDA)

Ad Hoc RDA options include:
- HP Virtual Support Rooms (VSR) – A web-based desktop sharing application.
- HP Instant Customer Access Server (iCAS) – A meet-in-the-middle access model that allows HP remote access connections between HP and a customer network using SSH tunneled over an HTTP connection.
Entitled Remote Access options include:
- SSH-Direct – The SSH tunnel runs bare over the Internet.
Unattended RDA Using SSH
All unattended RDA solutions rely on an SSH (SSH-2 protocol) tunnel running between the support specialist's desktop and a designated Customer Access System (CAS) deployed either in the customer DMZ or on a trusted network. An SSH server is required on the customer network, acting as a so-called customer access system (see CAS below).
Virtual CAS
The Virtual CAS is provided by HP free of charge for HP RDA customers and is the HP preferred method for customers using an Entitled Remote Access solution. The Virtual CAS provides enhanced security and management functionality to restrict access into customer networks. Access restrictions on the vCAS solution can be easily defined by the customer administrator through a web interface.
HP Instant Customer Access Server (iCAS)
HP Instant Customer Access Server (iCAS) is a lightweight connection tool that allows an HP support agent to quickly and securely connect to a customer's environment to aid in diagnosis and repair of supported hardware devices.
specifically grant access and provide the access credentials to the HP engineer before the connection to the target device can be established.
Figure 3.2. Instant CAS (iCAS)

Access Control Details

Access control on the HP side
HP manages all remote access customers in an internal web application called Remote Access Portal (RAP). Customers and their connection details are centrally and securely managed via the RAP user interface.
A Remote Access Connection System (RACS) is an SSH server that can forward an SSH connection to an appropriate CAS. When the HP support specialist connects and is authenticated to the RACS, the SSH server on the RACS checks the security token issued by the RAP to ensure that the support specialist is allowed to connect to the customer’s IP address. Upon successful authorization, the RACS will forward the SSH connection to the HP routing device.
The customer owns the security policies and access control into his/her environment, can specifically restrict connections to named HP support personnel, and can terminate connections as needed. The HP support specialist is also subject to the customer’s own access control and security policies, in that the customer must provide login credentials, if needed, for the device that HP connects to.
Connectivity Methods for VPN Solutions
Many customers’ security policies require that all inbound connections be protected inside a VPN connection that is terminated in a DMZ. HP offers site-to-site IPsec VPN access solutions for entitled remote access. SSH port-forwarding is still used, except that it is tunneled over IPsec using VPN routers. The combination of SSH and IPsec provides enhanced security.
hpVPN
With hpVPN, HP provides a router to the customer. The router is deployed in the customer’s DMZ. HP’s VPN router establishes an IPsec VPN connection with a so-called Customer Premises Equipment (CPE) router at the customer’s site. HP maintains the software and router configurations on both ends. Currently, all hpVPN connections use triple-DES or AES encryption and SHA-1 HMAC.
Connectivity Method for Integrated Services Digital Network (ISDN)
In some countries HP offers the option of ISDN connectivity. As with VPN solutions, SSH port-forwarding is used over ISDN to provide secure remote access.
Figure 3.7.
The HP support specialist will generate room keys for the Virtual Support Room and share those keys via email or phone with the customer. The keys are required to enter the Virtual Support Room. The room keys are valid for one hour and must be re-generated after that time. Joining a VSR session is simple. Customers can connect from any desktop with a supported browser and Internet access to the HP VSR infrastructure.
Data Privacy
HP is committed to protecting Customer privacy. Personal information provided to HP and any data collected by this RDA tool or other associated tools and utilities will not be shared with third parties. It might be shared with other HP entities and business partners who are providing the services described in the Remote Support Documentation and who might be located in other countries.
Secured Communication
These protocols are used either inside the customer’s intranet or over the Internet between the customer and HP.
- ESP
  Encapsulating Security Payload (ESP), or IP protocol 50, is a protocol header inserted into an IP datagram to provide data encryption and authentication. Remote Device Access uses ESP in tunnel mode to establish VPN connectivity.
- HTTPS
  HTTPS is HTTP with SSL or TLS encryption for security.
users are accustomed to working only with server certificates, SSL and TLS can be configured to require client-side certificates, which provide password-less two-way authentication. The CMS and managed systems authenticate one another using X.509 certificates. Also, all communications between the client browsers and the CMS are protected by SSL. The Remote Support Configuration Collector System supports both SSL V3 and TLS 1.0.
Appendix A X.509 Certificates and Insight Remote Support Advanced

Overview
An X.509 certificate contains a public key that can be used to check the validity of a digital signature. This digital signature verifies the authenticity of a document, a message, another X.509 certificate, or any datum of interest. The digital signature is generated using the X.509 certificate’s corresponding private key. X.
Security Overview Appendix A: X.509 Certificates and Insight Remote Support Advanced

signature using the CA’s public key (that is, the CA’s certificate). If the certificate’s private key has been stolen, the certificate can be revoked by the CA. The CA maintains revoked certificates in a Certificate Revocation List (CRL). The CRL, which is a list of revoked certificates’ serial numbers, is signed by the CA. For a user to validate a certificate, he/she must have a priori knowledge of the CA’s certificate.
Figure A.2. Remote Support Software Management (RSSWM)

CRL Checking
The RSC can optionally check each certificate in the chain for revocation. At least three methods are used:
1. Checking a local copy of the associated CRL
2. Checking a copy of the associated CRL available in an LDAP database
3.
Some of these CRL checks can cause unexpected network traffic. Some CRL-checking mechanisms first try a local copy of the CRL. If a local CRL is unavailable or out-of-date, they then try the URIs found in the CRL Distribution Point attribute. OCSP activity can also trigger some network activity. When the RSC checks the revocation status of the services.isee.hp.com certificate, it may try the following URIs:
- http://crl.
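The two checks discussed in this appendix and in "How Do I Know That I Am Connecting to HP?" (trusting only a chosen CA, and refusing a chain whose revocation status cannot be established) can be reproduced with the Python standard library. The following is an added example, not RSC or RSSWM code: it builds a TLS client context that trusts only the CA bundle it is given instead of the operating system store, requires a server certificate that matches the host name, and enforces the first CRL-checking method listed above (a local copy of the CRL) for every certificate in the chain. The file paths are assumptions; the host name is the one named on the page.

```python
"""Pin a TLS client to one CA bundle and require a local CRL check (added example)."""
import socket
import ssl

REMOTE_SUPPORT_HOST = "services.isee.hp.com"  # host named in the appendix


def build_verifying_context(ca_bundle=None, crl_file=None, check_crl=True):
    """Return an SSLContext that
    (1) trusts only the CAs in `ca_bundle` when one is given (assumed PEM path),
    (2) requires a server certificate whose name matches the host we connect to, and
    (3) when check_crl is set, requires a loaded CRL for every issuer in the chain."""
    # create_default_context gives CERT_REQUIRED plus host name checking. With a
    # cafile it loads only those trust anchors; without one it loads the system store.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if check_crl:
        # With this flag, OpenSSL fails the handshake ("unable to get certificate CRL")
        # unless a CRL covering each issuer has been loaded: a fail-closed local check
        # that generates none of the network traffic the text warns about.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
        if crl_file:
            # PEM CRLs are loaded through the same call as CA certificates.
            ctx.load_verify_locations(cafile=crl_file)
    return ctx


def describe(ctx):
    """Summarise the verification posture so it can be asserted on or logged."""
    return {
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "crl_chain": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
        "trust_anchors": ctx.cert_store_stats()["x509_ca"],
    }


def fetch_peer_certificate(ctx, host=REMOTE_SUPPORT_HOST, port=443, timeout=10):
    """Connect over TLS and return the verified peer certificate (needs network access).
    Any trust, host name or CRL failure raises ssl.SSLError before data is exchanged."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Placeholder paths: a bundle holding only the CA you expect to have signed the
    # HP data center certificate, and a current CRL for that CA.
    ctx = build_verifying_context(ca_bundle="hp-trusted-ca.pem", crl_file="hp-ca.crl.pem")
    print(describe(ctx))
```

The fail-closed behaviour is the point worth noting: with `check_crl` enabled and no CRL loaded, every handshake is rejected, which is the safe default for an agent that talks only to one data center but is the wrong setting for a general-purpose client. The other methods in the list (LDAP lookup, CRL Distribution Point URIs, OCSP) trade that strictness for the outbound requests described in the text.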
Appendix B Summary of Network Ports for Standard Operating System Connectivity

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Standard Operating System Connectivity. See Table B-1 for ports that are required for basic system operation.

Standard Operating System Network Ports
Table B.1.
Security Overview Appendix B: Summary of Network Ports for Standard Operating System Connectivity

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 25 | System | SMTP Server | Simple Mail Transfer Protocol - Sending email | No | Optional

Page 57 of 97 HP Insight Remote Support Advanced and Remote Device Access (A.05.
Appendix C Summary of Network Ports for Servers

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Servers. See Table B-1 for ports that are required for basic system operation.

Central Management Server (CMS)
Table C.1. CMS Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 25 | CMS | Customer-Designated SMTP Server | Email notifications | No | Required
TCP | 443 or web proxy port | CMS | services.
Security Overview Appendix C: Summary of Network Ports for Servers

Protocol | Ports | Source | Destination | Function | Configurable | Optional
Web Browser
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port.
HP-UX Managed Systems
Table C.2.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 50002 | Managed Systems | CMS | HP SIM HTTPS/SOAP with client certificate authentication | No | Required
TCP | 50004 | Managed Systems | CMS | WBEM event receiver (HTTP and HTTPS) | Yes | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
can be configured to use TCP port 5989 to simplify firewall settings.
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 135 | Managed Systems | CMS | DCE endpoint resolution. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 139 | Managed Systems | CMS | NETBIOS Session Service.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
Systems | This port is used to communicate with WBEM end point nodes.
TCP | 135 | Managed Systems | CMS | DCE endpoint resolution. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 139 | Managed Systems | CMS | NETBIOS Session Service.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended

Multivendor and Application Adapter (MVAA)
Table C.6.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name. | No |
Protocol | Ports | Source | Destination | Function | Configurable | Optional
Systems | managed systems. The CMS sends requests to devices on this port.
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 50002 | Managed Systems | CMS | HP SIM HTTPS/SOAP with client certificate authentication | No | Required
TCP | 50004 | Managed Systems | CMS | WBEM event receiver (HTTP and HTTPS) | Yes | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations.
ProLiant Linux Managed Systems
Table C.11. ProLiant Linux Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap.
ProLiant Microsoft Hyper-V Managed Systems
Table C.12. ProLiant Microsoft Hyper-V Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | CMS | Managed Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
UDP | 161 | CMS | Managed Systems | SNMP.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended

ProLiant VMware ESX Managed Systems
Table C.13.
ProLiant VMware ESXi Managed Systems
Table C.14. ProLiant VMware ESXi Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | CMS | Managed Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes.
ProLiant Windows Server Managed Systems
Table C.15. ProLiant Windows Server Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | CMS | Managed Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
TCP | 135 | Managed Systems | CMS | DCE endpoint resolution.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
Note that the CMS can be configured to limit this range. The source port will always be 135.
UDP | 137 | Managed Systems | CMS | NETBIOS Name Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
UDP | 138 | Managed Systems | CMS | NETBIOS Datagram Service.
Tru64 UNIX Managed Systems
Table C.16. Tru64 UNIX Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 7920 | CMS | Managed Systems | The WEBES ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange usernames and passwords use SSL. Not all connections are SSL.
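The tables in this appendix are a firewall specification, and the most useful thing to do with one is to check real traffic against it. The following is an added example, not part of the HP document: RULES is a constructed subset of the rows above (CMS, HP-UX, Windows and ProLiant tables), FLOWS are constructed flow records in a simple text form, and the host roles (CMS address, managed-system subnet, SMTP relay, HP data center name) are assumptions. The audit reports each flow as documented, cleartext-not-documented (the tables list Telnet and HTTP only for specific devices), or undocumented.

```python
"""Audit observed traffic against the documented firewall/port rules (added example)."""
from ipaddress import ip_address, ip_network

# Assumed roles for the demonstration network.
CMS = ip_address("10.0.0.10")
MANAGED = ip_network("10.0.1.0/24")
SMTP_SERVER = ip_address("10.0.0.25")
HP_HOST = "services.isee.hp.com"  # data center host named in Appendix A

# (protocol, inclusive port range or None, source role, destination role, function, optional?)
# Constructed subset of the Appendix C rows; "Optional" flag True where a table says so.
RULES = [
    ("TCP", (25, 25), "CMS", "SMTP", "Email notifications", False),
    ("TCP", (443, 443), "CMS", "HP", "HTTPS to HP data center", False),
    ("TCP", (5989, 5989), "CMS", "Managed", "WBEM CI-MOM over HTTPS/SOAP", False),
    ("UDP", (161, 161), "CMS", "Managed", "SNMP requests", False),
    ("UDP", (162, 162), "Managed", "CMS", "SNMP Trap", False),
    ("TCP", (50002, 50002), "Managed", "CMS", "HP SIM HTTPS/SOAP with client certificate", False),
    ("TCP", (50004, 50004), "Managed", "CMS", "WBEM event receiver", False),
    ("TCP", (7906, 7906), "Managed", "CMS", "WEBES Director web interface (HTTPS)", True),
    ("ICMP", None, "CMS", "Managed", "Reachability (ping) check", True),
]

# Cleartext management ports the tables only permit for particular device types.
CLEARTEXT_PORTS = {("TCP", 23): "Telnet (unencrypted)", ("TCP", 80): "HTTP"}

# Constructed flow records: "<proto> <src> <dst> <dport>", dport '-' for ICMP.
FLOWS = """\
TCP 10.0.0.10 services.isee.hp.com 443
TCP 10.0.0.10 10.0.1.7 5989
UDP 10.0.1.7 10.0.0.10 162
TCP 10.0.1.7 10.0.0.10 50002
ICMP 10.0.0.10 10.0.1.7 -
TCP 10.0.0.10 10.0.0.25 25
TCP 10.0.0.10 10.0.1.7 23
TCP 10.0.1.7 10.0.0.10 3389
"""


def role_of(addr):
    """Map an address (or the HP host name) to the role used in the rule table."""
    if addr == HP_HOST:
        return "HP"
    ip = ip_address(addr)
    if ip == CMS:
        return "CMS"
    if ip == SMTP_SERVER:
        return "SMTP"
    if ip in MANAGED:
        return "Managed"
    return "Other"


def match_rule(proto, src_role, dst_role, dport):
    """Return (function, optional) for the first documented rule covering the flow, else None."""
    for r_proto, ports, r_src, r_dst, function, optional in RULES:
        if (r_proto, r_src, r_dst) != (proto, src_role, dst_role):
            continue
        if ports is None or (dport is not None and ports[0] <= dport <= ports[1]):
            return function, optional
    return None


def audit(flow_text):
    """Return [(flow line, verdict, detail)] with verdict in {allowed, cleartext, undocumented}."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split()
        dport = None if dport == "-" else int(dport)
        src_role, dst_role = role_of(src), role_of(dst)
        hit = match_rule(proto, src_role, dst_role, dport)
        if hit:
            function, optional = hit
            findings.append((line, "allowed", f"{function} ({'optional' if optional else 'required'})"))
        elif (proto, dport) in CLEARTEXT_PORTS:
            findings.append((line, "cleartext", f"{CLEARTEXT_PORTS[(proto, dport)]} not documented for {src_role}->{dst_role}"))
        else:
            findings.append((line, "undocumented", f"{src_role}->{dst_role} {proto}/{dport}"))
    return findings


if __name__ == "__main__":
    for flow, verdict, detail in audit(FLOWS):
        print(f"{verdict:12} {flow:45} {detail}")
```

Run as a script it prints one verdict per flow; the two non-allowed lines (Telnet from the CMS to a managed server, and an RDP-port connection into the CMS) are the ones a reviewer would chase, since neither appears in any table for those roles. Extending RULES row by row from the remaining tables (storage, networking, RDA) turns the document's appendices into an executable allowlist.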
Appendix D Summary of Network Ports for Storage

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Storage. See Table B-1 for ports that are required for basic system operation.

StorageWorks MSA1000/1500 Storage Systems
Table D.1. StorageWorks MSA1000/1500 Storage Systems Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 23 | CMS | Managed Systems | Telnet (unencrypted).
Protocol | Ports | Source | Destination | Function | Configurable | Optional
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 5989 | CMS | Managed Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | |
Protocol | Ports | Source | Destination | Function | Configurable | Optional
| | | | ...can be configured to use TCP port 5989 to simplify firewall settings. | |

StorageWorks P6000 (EVA) Storage Systems

Table D.4.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906). | No | Recommended
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. | |
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 50000 | XP SVP | CMS | XP Data Transport | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
Appendix E Summary of Network Ports for Networking

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Networking. See Table B-1 for ports that are required for basic system operation.

E-Series Switch Managed Systems

Table E.1. E-Series Switch Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. | |
Network Managed Systems

Table E.2. Network Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | |
Protocol | Ports | Source | Destination | Function | Configurable | Optional
| | | | ...Systems and network devices | |
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Optional

SAN Switch Managed Systems

Table E.4.
Appendix F Revision History for Insight Remote Support Advanced Network Ports

This section describes firewall configuration changes that have occurred between releases of Insight Remote Support Advanced.

A.05.40

The following port changes have been made for A.05.40:
- EVA: SNMP ports 161 and 162 changed from "Optional" to "Recommended".
- Integrity Linux: SNMP ports 161 and 162 changed from "Optional" to "Required".
- ProLiant: SNMP ports 161 and 162 changed from "Optional" to "Required for Linux".

A.05.
- TCP port 5989 (WBEM) is noted as configurable.
- TCP port 50000 (HP SIM) is noted as configurable.
- TCP ports 50001 and 50002 (HP SIM) are noted as not configurable.
- E-Series Switches: Added new table.
- HP-UX: Added TCP ports for Superdome 2 and Onboard Administrator (OA); changed TCP port 2381 to "Optional".
- StorageWorks Tape Libraries: Added new table.
- StorageWorks XP Array: Moved RDA ports to RDA table.
- Tru64 UNIX: Removed TCP port 7906 and UDP port 162; added TCP port 22.

A.05.70

The following changes have been made for A.05.
Appendix G Summary of Network Ports for Remote Device Access

The following tables summarize all ports that might be used in Remote Device Access. See Table B-1 for ports that are required for basic system operation.

Customer Access System (CAS)

Table G.1.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
| | | ...System Including CMS | | |
TCP | 443 | CAS | Customer hpVPN Router | HTTPS connection forwarded from HP through CAS to CMS or managed system | Yes | Optional
TCP | 22 | CAS | Target System Including CMS | SSH command-line access | Yes | Optional
TCP | 23 | CAS | Target System Including CMS | Telnet command-line access if SSH is not available. | |
Protocol | Ports | Source | Destination | Function | Configurable | Optional
| | | ...CMS | | |
TCP | other | CAS | Target System Including CMS | Customer-specified port and application protocol SSH-forwarded from HP | Yes | Optional
TCP | other | Customer Clients | CAS | Other access methods for CAS administration | Yes | Optional
TCP | 22 | Customer's SSH Client | Target System Including CMS | SSH command-line access | Yes | Optional

Additional Ports for Virtual
Protocol | Ports | Source | Destination | Function | Configurable | Optional
| | | | ...ocsp.verisign.com certificate revocation check | |
TCP | 22 | Customer's SSH Client | Virtual CAS | SSH command-line access for Virtual CAS management | No | Optional
TCP | 25 | Virtual CAS | Customer-Designated SMTP Server | Email notifications | No | Optional
TCP | 443 or web proxy port | Virtual CAS | h20529.www2.hp. | | |
Protocol | Ports | Source | Destination | Function | Configurable | Optional
| ...port | | | | |
TCP | 443 or web proxy port | iCAS Host | HP Regional RAMS Server or Web Proxy | HTTPS to retrieve iCAS plug-in | No | Required
TCP | other | iCAS Host | Target System | Customer-specified TCP port and application protocol SSH-forwarded from HP | Yes | Optional
UDP | other | iCAS Host | Target System | Customer-specified UDP port and application protocol SSH-forwarded f | |
hpVPN

Table G.5.
Appendix H Revision History for Remote Device Access Network Ports

This section describes firewall configuration changes that have occurred between releases of Remote Device Access.

Virtual CAS 8.12

Virtual CAS version 8.12 was the first release.

Virtual CAS 9.10

There were no port changes for this release.

Virtual CAS 10.03

There were no port changes for this release.

Virtual CAS 10.06

The following port changes have been made for Virtual CAS 10.06:
- Added ports for syslog.
- Added NTLM support for authenticating proxy servers.
- Fixed timeout issue.
- iCAS software is now signed and no longer emits warnings on Windows 7.
- Fixed various anomalies concerning Microsoft Internet Explorer browsers.

Insight Remote Support A.05.60: StorageWorks XP Arrays

Added table for StorageWorks XP Arrays.
Appendix I Recommended Firewalls

HP recommends the following firewalls:

Vendor | Support URL
3COM | http://www.3com.com/services
Check Point | https://supportcenter.checkpoint.com/
Cisco | http://www.cisco.com/cisco/web/support/index.html
Juniper Networks | http://www.juniper.net/support
Nortel | http://www.nortel.com/support
ProCurve | http://www.procurve.com/customercare/index.htm
Stonesoft | http://www.stonesoft.com/support/

For unlisted firewalls, contact the manufacturer for support.
Glossary

Advanced Configuration Collector (ACC) for HP-UX
The Advanced Configuration Collector component is made available on the Central Management Server for your convenience. It should be distributed to endpoint server systems that require this client to enable configuration collection in order for HP to provide proactive services. The distribution can be accomplished using the facility in HP SIM or your own software distribution application.
...update all of the Insight Remote Support components to your Central Management Server. This allows you to take advantage of new enhancements and updates as they become available. It also allows you to apply different software management policies for each of the different components if required.

Web Based Enterprise Services (WEBES)
Designed to perform real-time service event analysis through product-specific rule sets.