Security/Firewall Requirements

This section explains how the Applications Manager can be accessed behind a firewall. Firewalls act as barriers preventing unauthorized access to a network. They act as entrance through which authorized people may pass and others not. You need to configure the firewall so that the host on which Applications Manager runs, can access the monitor at the relevant port.

Note: It is important to know that all ports must be opened for bi-directional communication to take place.

Ports to be opened when Monitors are behind the firewall:

Monitors	Port Details
APPLICATION SERVERS
Glassfish	Glassfish JMX port (default : 8686)
JBoss	Two-way communication between JBoss web server port (default : 8080) and Applications Manager web server port (default : 9090). Applications Manager hostname should be accessible from JBoss server. JBoss RMI object port (default : 4444).
Jetty	Enable JMX for monitoring. The JMX Port for default installations of Jetty is 9999.
Microsoft .NET	Windows Management Instrumentation (WMI) -- Port: 445 Remote Procedure Call (RPC) (default : 135) Know more about the ports required for WMI Mode of monitoring.
Oracle Application Server	Oracle Application Server port (default : 7200)
Tomcat	Tomcat web server port (default : 8080)
VMware vFabric tc Server	JMX port of VMware vFabric tc Server (default : 6969)
WebLogic	Two-way communication between WebLogic listening port (default : 7001) and Applications Manager web server port (default : 9090)
WebSphere	WebSphere application port (default : 9080)
CLOUD APPS
Microsoft Azure	REST API HTTPS port (Default port: 443) For Azure VM: Powershell port (Default port: 5985,5986) For Azure SQL: DB connection via JDBC port (Default port: 1433)
Amazon	REST API via SDK HTTPS port (Default port: 443)
Microsoft 365	REST API HTTPS port (Default port: 443)
Openstack	REST API HTTPS port (Default port: 443)
Google Cloud Platform	REST API HTTPS port (Default port: 443)
Oracle Cloud	REST API HTTPS port (Default port: 443) For Autonomous Database: DB connection via JDBC port (Default port: 1433)
CUSTOM MONITORS
Database Query monitor	Corresponding database server port
File/Directory, Script (Telnet/SSH mode)	Telnet Port: 23 (if mode of monitoring is Telnet) SSH Port: 22 (if mode of monitoring is SSH)
File/Directory, WMI Performance counter (WMI mode)	Remote Procedure Call (RPC) (Default :TCP 135) Windows Management Instrumentation (WMI) (Default : TCP 445) Know more about the ports required for WMI Mode of monitoring.
DATABASE SERVERS
DB2	The port in which DB2 is running (default: 50000)
Memcached	The port in which Memcached server is running (default : 11211)
MySQL	The port in which MySQL is running (default : 3306)
Oracle	The port in which Oracle is running (default : 1521)
PostgreSQL	The port in which PostgreSQL is running (default : 5432)
Microsoft SQL Server	The port in which SQL Server is running (default : 1433). UDP port 1434 might be required for the SQL Server Browser Service when you are using named instances.
Sybase	The port in which Sybase is running (default : 5000)
SAP HANA	SAP HANA's IndexServer port (default: 30015)
Apache HBase	The port in which Hbase is running. For default installations of HBase, the JMX port number is 10101 for Master and 10102 for RegionServer.
NoSQL
Cassandra	Enable JMX for monitoring. The JMX Port for default installations of Cassandra is 7199.
ERP
Oracle EBS	Oracle EBS webserver port (default:7200)
Microsoft Dynamics CRM/365 (On-Premise)	To monitor a Microsoft Dynamics CRM/365 application, use Administrator user account which has the permission to excute WMI queries on 'root\CIMV2' namespace of the Dynamics CRM/365 Server. Firewall access for monitoring: Ports required for monitoring via WMI. Windows Management Instrumentation (WMI) (default : TCP 445) Remote Procedure Call (RPC) (default :TCP 135) Also refer to ports required for WMI Mode of monitoring under Servers Powershell access for monitoring: Click here to see powershell prerequisites.
Microsoft Dynamics AX	Windows Management Instrumentation (WMI) -- Port: 445 Remote Procedure Call (RPC) -- Port: 135 Also refer to ports required for WMI Mode of monitoring under Servers
MAIL SERVERS
Exchange Server	Windows Management Instrumentation (WMI) (default : 445) Remote Procedure Call (RPC) (default : 135) PowerShell remoting - TCP 5985 and 5986 Exchange PowerShell session - TCP 80 and 443 Know more about the ports required for WMI Mode of monitoring
Mail Server	SMTP server port (default : 25) to send mails from Applications Manager. POP port (default : 110 ) to fetch mails using the POP server.
MIDDLEWARE/PORTAL
IBM WebSphere MQ	The MQ Listener Port (default:1414)
Microsoft MSMQ/SharePoint Server/Biztalk Server	Windows Management Instrumentation (WMI) -- Port: 445 Remote Procedure Call (RPC) -- Port: 135 PowerShell remoting - TCP 5985 and 5986 Know more about the ports required for WMI Mode of monitoring.
VMware vFabric RabbitMQ Server	The Port ID where the management plugin is configured (default : 55672)
WebLogic Integration Server	WebLogic Integration port (default : 7001)
Oracle Tuxedo	The SNMP port number , on which the Tuxedo SNMP agent is running. The default port number is 161.
Apache ActiveMQ	Remote JMX should be enabled. The default JMX port is 1099. Learn how to enable JMX for ActiveMQ
Apache Kafka	The default JMX port is 9999. To enable JMX, you can set the JMX_PORT environment variable in the kafka-run-class.sh/kafka-run-class.bat file or use standard Java system properties. Alternatively, you can set the KAFKA_JMX_OPTS environment variable in the kafka-run-class.sh/kafka-run-class.bat file to enable JMX for monitoring in Applications Manager. For more information on configuring JMX, refer to this link.
Skype for Business Server	Windows Management Instrumentation (WMI) -- Port: 445 Remote Procedure Call (RPC) -- Port: 135 Also refer to ports required for WMI Mode of monitoring under Servers
SERVERS
AS400/iSeries	To connect AS400/iSeries server from Applications Manager it uses JTOpen package. The JTOpen package uses the following Non-SSL ports 449, 446, 8470, 8471, 8472, 8473, 8474, 8475, 8476. Ensure that the ports mentioned under "Port Non-SSL" column in the link are not blocked in firewall. https://www-01.ibm.com/support/docview.wss?uid=nas8N1019667
Linux / Solaris / AIX / HPUnix /Tru64 Unix	Telnet Port (default : 23), if mode of monitoring is Telnet. SSH Port (default : 22), if mode of monitoring is SSH SNMP Agent Port (default : 161), if mode of monitoring is SNMP
Windows	For WMI Mode of Monitoring: Applications Manager supports users with both administrator and non-administrator roles for monitoring Windows servers through WMI mode. However, it is recommended to use administrator privilege for Windows server monitoring. Ports required - Remote Procedure Call (RPC) (default : 135) WMI uses DCOM for remote communication. The server to be monitored by applications manager uses a random port number above 1024 by default to respond back. You have to connect to this target server and configure it to use a port within a specified range of ports. Check out this link to know more about restricting the ports in the target server: https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls. Note that you must specify at least 5 ports in this range for target server ( you are normally recommended to open at least a 100 ports). This same range of ports must also be opened in the firewall. For Windows Server 2008 and later versions (Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008), and in Windows Vista and later versions (Windows 10, Windows 8, Windows 7, Windows Vista), use the following dynamic port range: Start port: 49152 End port: 65535 For versions of Windows Server below 2008 (Windows 2000, Windows XP, and Windows Server 2003, and in Windows below Vista (Windows XP), use the following dynamic port range: Start port: 1025 End port: 5000 If your computer network environment uses Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, Windows Vista together with versions of Windows below Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges: High port range: 49152 through 65535 Low port range: 1025 through 5000 For more information about the default dynamic port range, click here. For SNMP Mode of monitoring: Ports required - SNMP Agent Port: 161
Windows Cluster	For WMI Mode of Monitoring: Applications Manager supports users with both administrator and non-administrator roles for monitoring Windows servers through WMI mode. However, it is recommended to use administrator privilege for Windows server monitoring. Ports required - Remote Procedure Call (RPC) (default : 135) WMI uses DCOM for remote communication. The server to be monitored by applications manager uses a random port number above 1024 by default to respond back. You have to connect to this target server and configure it to use a port within a specified range of ports. Check out this link to know more about restricting the ports in the target server: https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls. Note that you must specify at least 5 ports in this range for target server ( you are normally recommended to open at least a 100 ports). This same range of ports must also be opened in the firewall. For Windows Server 2008 and later versions (Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008), and in Windows Vista and later versions (Windows 10, Windows 8, Windows 7, Windows Vista), use the following dynamic port range: Start port: 49152 End port: 65535 For versions of Windows Server below 2008 (Windows 2000, Windows XP, and Windows Server 2003, and in Windows below Vista (Windows XP), use the following dynamic port range: Start port: 1025 End port: 5000 If your computer network environment uses Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, Windows Vista together with versions of Windows below Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges: High port range: 49152 through 65535 Low port range: 1025 through 5000 For more information about the default dynamic port range, click here. For SNMP Mode of monitoring: Ports required - SNMP Agent Port: 161
SERVICES
Active Directory	Windows Management Instrumentation (WMI) -- Port: 445 Remote Procedure Call (RPC) -- Port: 135 PowerShell remoting -- TCP 5985 and 5986 Also refer to ports required for WMI Mode of monitoring under Servers
FTP/SFTP	Port in which FTP or SFTP is running (default:21 for FTP, 22 for SFTP)
JMX [ MX4J / JDK 1.5]	Port of JMX agent (default:1099) To monitor JMX behind firewall, the following changes have to be done. Edit startApplicationsManager.bat/sh file. Add -Dmonitor.jmx.rmi.port=<port number for RMI socket communication> to the Java runtime options. Restart Applications Manager server Ensure that you have the RMI Socket port (step1) and JNDI Port (step4) are opened up in the firewall Add the JMX Applications monitor after providing the relevant details. The monitor should be added successfully
LDAP	LDAP server port
Network Policy Server (NPS)	Windows Management Instrumentation (WMI) -- Port: 445 Remote Procedure Call (RPC) -- Port: 135 Also refer to ports required for WMI Mode of monitoring under Servers
Service Monitoring	The service port that you need to monitor
SNMP	SNMP Agent port (Default:161)
Telnet	Port which you need to Telnet
Apache ZooKeeper	The default port of JMX agent is 1099 To enable Remote JMX for zookeeper in Linux Environments, open zkServer.sh file under bin folder and check the below following: JMXPORT=<PORT NO> ZOOMAIN="-Djava.rmi.server.hostname=<IP address> -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMXPORT -Dcom.sun.management.jmxremote.authenticate=$JMXAUTH -Dcom.sun.management.jmxremote.ssl=$JMXSSL -Dzookeeper.jmx.log4j.disable=$JMXLOG4J org.apache.zookeeper.server.quorum.QuorumPeerMain" In Windows Environments, do the following changes in zkServer.bat file under bin folder: set JMXPORT=<PORT NO> set ZOOMAIN="-Dcom.sun.management.jmxremote" "-Dcom.sun.management.jmxremote.port=%JMXPORT%" "-Dcom.sun.management.jmxremote.ssl=false" "-Dcom.sun.management.jmxremote.authenticate=false" "org.apache.zookeeper.server.quorum.QuorumPeerMain" Replace <PORT NO> with JMXPORT and <IP address> with IP address of the machine.
Oracle Coherence	Enable JMX for monitoring. The JMX Port for default installations of Coherence is 1099.
Hadoop	Enable JMX for monitoring. The JMX port of the NameNode.
APPLICATION PERFORMANCE MANAGEMENT
APM Insight	One way communication from the Agent installed application server to the Applications Manager port- (default: 9090/8443).
VIRTUALIZATION
Hyper-V	Windows Management Instrumentation (WMI) -- Port: 445 Remote Procedure Call (RPC) -- Port: 135 Also refer to the ports required for WMI Mode of monitoring under Servers
VMWare ESX/ESXi	VMWare Web Service port (default:443)
Citrix Xenserver	The https Port where the XenServer web service runs. The default port is 443.
Docker	The Docker socket port. (default port: 4243).
Kubernetes	SSH Port (Default port: 22).
OpenShift	SSH Port (Default port: 22) RESTAPI Port (Default port: 8443)
WEB SERVER/SERVICES
SSL Certificate Monitor	SSL port in which the web server is running (default: 443).
Web Server	HTTP Port of Web Server. (Default port is 80. For SSL, it is 443)
Elasticsearch	The port on which the ElasticSearch is running (default: 9200).
Apache Solr	The port on which the Apache Solr is running (default: 8983)
IIS Server	Port on which IIS Server is running. (Default port is 80. For SSL, it is 443.)
Miscellaneous
Trap Listeners	Trap Listener port (default:1620) in Applications Manager server should be accessible from the server where you want to send traps. More on receiving SNMP Traps.
RUM Agent	Default RUM agent port 7070 (HTTP) and 7443 (HTTPS). Above RUM Agent ports should be opened in firewall for all the end users accessing the application which is monitored in Real User Monitor in Applications Manager. RUM Agent should be able to communicate with Applications Manager server. i.e. One way communication from the RUM Agent to the Applications Manager HTTPS port (default HTTPS port: 8443). Note: End users accessing the website monitored in Applications Manager should have access to RUM Agent. RUM Agent should be available on the internet and should be able to communicate with Applications Manager.
EUM Agent	Default EUM agent port 9999 (HTTP) and 9443 (HTTPS). EUM Agent should be able to communicate with Applications Manager server. i.e. One way communication from the EUM Agent to the Applications Manager HTTPS port (default HTTPS port: 8443). Firewall requirements for the following EUM-based monitor types should be the same as that of the non-EUM-based monitors supported in Applications Manager: DNS LDAP Telnet Mail Ping RBM (default port 9595)

Applications Manager makes sure that data is secure. The internal PostgreSQL database allows only the localhost to access the database through authenticated users. User Names and Passwords are stored in the PostgreSQL database that is bundled along with the product. The passwords are encrypted to maintain security.

Privileges required for different monitor types:

Monitors	Privileges
Active Directory	Administrator username/password [WMI mode]
Amazon	The AWS Access Key Id for accessing the AWS through the API. The access key has 20 alpha-numeric characters. The Secret Access Key of the AWS. The secret key should be 40 alpha-numeric characters long.
Apache Server	Credentials for accessing the server status url for Apache
AS400/iSeries	To retrieve data for all modules in AS400/iSeries monitor except 'Disk', an user with USER user profile is required. To retrieve data for 'Disk' and to perform Admin actions from Applications Manager, an user with SECOFR user profile is required. If using the SECOFR user profile is not possible, then for retrieving disk data and to perform the admin actions such as viewing spooled file, job log and performing actions in JOBS, SPOOL, SUBSYSTEM a user profile with special authorities such as ALLOBJ, SAVSYS, JOBCTL, SPLCTL is required. The user should have permission to access QMPGDATA/QPFRDATA library because Applications Manager uses performance collection service for retrieving disk details from AS400/iSeries server. Note:* If the performance data collection is not enabled in AS400/iSeries, you need to start it by using the command STRPFRCOL or GO PERFORM-->COLLECT PERFORMANCE DATA-->START PERFORMANCE COLLECTION. You will also be able to execute the STRPFRCOL command from AS400/iSeries server monitor page in Admin-->Non-Interactive command option.
Database Query Monitor	User with privileges for accessing a particular database and execute the query
DB2	User with atleast SYSMON instance level authority
Exchange Server	Administrator username/password [WMI mode]
File/Directory	User with privileges for accessing the File or Directory to monitor
FTP/SFTP	If Authentication is enabled, enter the Username and Password for connecting to the FTP/SFTP server & move to required directory
Glassfish	Username and password for connecting to Glassfish Admin console
HP-UX	Guest user privilege
HTTP URL	If basic authentication is required enter the same in monitor
Hyper-V	Administrator privileges to the root OS (Windows 2008 R2 and other supported Hyper-V versions)
IBM AIX	Guest user privileges are sufficient but "root" privileges are required for collecting Memory related details. Hence, it is preferable to use a "root" account to view all the details
IBM WebSphere MQ	A Channel name with type of "Server Connection Channel"
JBoss	Use the JBoss username/password (if Jboss is authenticated). User should be able to access the JBoss JMX console. If not, no username/password is required
JMX/Java Runtime	If Authentication is enabled, enter the Username and password for connecting to the JMX agent. To monitor a JMX Applications, the following java runtime options are to be added to your application -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=<PORT NO> -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false Replace <PORT NO> with JMX Port of the machine.
LDAP	If Authentication is enabled, enter the Username and Password. If no username and password is provided, then it will connect to LDAP server as an anonymous login.
Linux	Guest user privilege
Mail Server	If Authentication is enabled, enter the Username and password for connecting to the SMTP and POP
Microsoft .Net	Administrator username/password [WMI mode]
Microsoft Office SharePoint Server	Administrator username/password [WMI mode]
MS SQL	System Administrator/Owner for the "master" database
MSMQ	Administrator username/password [WMI mode]
MySQL	The User-name specified should have access to the databases to be monitored. MySQL should also be configured. This allows the host on which App Manager is running to access the MySQL database.
Oracle EBS	Users with CONNECT, SELECT_CATALOG_ROLE and SELECT ANY TABLE roles.
RabbitMQ	The User must have an administrator tag (that has privileges to list all the objects under every Virtual host) to monitor a RabbitMQ server.
SAP/SAP CCMS	You need a SAP user profile with the following authorization objects: S_RFC, S_XMI_LOG and S_XMI_PROD which are the minimum prerequisities for adding a SAP monitor. We use the SAP Java Connector to connect to the SAP ABAP server. The SAP JCo will communicate from APM to SAP using the SAP Dispatcher. The SAP Dispatcher port to be used is 3200 with the SAP System number.
Script monitor	User with privileges for executing the script and accessing the output file.
Server with SNMP mode	SNMP Community string with read privileges.
SNMP/Network device	For SNMP Version V1/V2c: SNMP Community string with read only privileges. For SNMP Version V3: Select one of the three Security Levels in the drop-down list: NoAuthNoPriv - Messages can be sent unauthenticated and unencrypted. Enter a UserName and Context Name. AuthNoPriv - Messages can be sent authenticated but unencrypted. Enter a UserName, Context Name and an Authentication Password. You can select an Authentication Protocol like MD5 or SHA from the drop-down list. AuthPriv - Messages can be sent authenticated and encrypted. Enter a UserName, Context Name,an Authentication Password and a Privacy Password. You can select an Authentication Protocol like MD5 or SHA from the drop-down list. By default 'DES' encryption technique will be used.
Solaris	Guest user privilege.
Sybase	The user should have admin privileges or the DB owner for master database.
Tomcat	For 5.x and above, a username and password is required to connect to Tomcat Manager Application. If not, no username/password is required. For 5.x the user specified should have a 'manager' role. For 6.x and above, the user specified should have "manager-gui", "manager-script", "manager-jmx" and "manager-status" roles.
VMWare ESX/ESXi	When adding VMWare ESX/ESXi servers for monitoring, we recommend that you use the root account. However, if you are unable to use the root account, you can use a 'view-only' profile to add the servers. This profile has all the privileges required for monitoring. The user you create must be: a member of the group user. based on the profile 'read only'.
VMware vFabric RabbitMQ Server	User Name and Password of RabbitMQ server.
WebLogic	Use the WebLogic username/password, if WebLogic is authenticated. The user should be an administrator. Otherwise, no username/password is required.
WebLogic Integration Server	Use the WebLogic username/password, if WebLogic is authenticated. User should be an administrator. Else no username/password is required.
Webservices	Give the User Name and Password, if it is required to invoke the webservice operation.
WebSphere	If Global Security is enabled, use the same username/password . If not, no username/password is required.
Windows	Administrator username/password [WMI mode].
Windows Cluster	Administrator username/password [WMI mode].

Enterprise Edition

Path	Ports
Admin Server to Managed Server	SSL Port (default 8443) for data syncing. Webserver (default 9090).
Managed Server to Admin Server	SSL Port (default 8443) for data syncing.

Note: Production Environment gives you the configuration details that you need to take care of, when moving Applications Manager into Production.