Security/Firewall Requirements


This section explains how Applications Manager can be accessed across a firewall. Firewalls act as barriers that prevent unauthorized access to a network: they are an entrance through which authorized traffic may pass and all other traffic is blocked. You need to configure the firewall so that the host on which Applications Manager runs can reach each monitored system on the relevant port.

Note: It is important to know that all ports must be opened for bi-directional communication to take place.

Ports to be opened when Monitors are behind the firewall:

Monitor: port details

APPLICATION SERVERS
Glassfish: Glassfish JMX port (default: 8686)
JBoss: Two-way communication between the JBoss web server port (default: 8080) and the Applications Manager web server port (default: 9090). The Applications Manager hostname should be accessible from the JBoss server. JBoss RMI object port (default: 4444).
Jetty: Enable JMX for monitoring. The JMX port for default installations of Jetty is 9999.
Microsoft .NET: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port (default: 135). See the ports required for WMI mode of monitoring under Servers.
Oracle Application Server: Oracle Application Server port (default: 7200)
Tomcat: Tomcat web server port (default: 8080)
VMware vFabric tc Server: JMX port of VMware vFabric tc Server (default: 6969)
WebLogic: Two-way communication between the WebLogic listening port (default: 7001) and the Applications Manager web server port (default: 9090)
WebSphere: WebSphere application port (default: 9080)

CLOUD APPS
Microsoft Azure:
  • REST API HTTPS port (default port: 443)
  • For Azure VM: PowerShell port (default ports: 5985, 5986)
  • For Azure SQL: DB connection via JDBC port (default port: 1433)
Amazon: REST API via SDK, HTTPS port (default port: 443)
Microsoft 365: REST API HTTPS port (default port: 443)
Openstack: REST API HTTPS port (default port: 443)
Google Cloud Platform: REST API HTTPS port (default port: 443)
Oracle Cloud:
  • REST API HTTPS port (default port: 443)
  • For Autonomous Database: DB connection via JDBC port (default port: 1433)
CUSTOM MONITORS
Database Query monitor: The corresponding database server port
File/Directory, Script (Telnet/SSH mode): Telnet port 23 (if the mode of monitoring is Telnet); SSH port 22 (if the mode of monitoring is SSH)
File/Directory, WMI Performance Counter (WMI mode): Remote Procedure Call (RPC) (default: TCP 135); Windows Management Instrumentation (WMI) (default: TCP 445). See the ports required for WMI mode of monitoring under Servers.
DATABASE SERVERS
DB2: The port on which DB2 is running (default: 50000)
Memcached: The port on which the Memcached server is running (default: 11211)
MySQL: The port on which MySQL is running (default: 3306)
Oracle: The port on which Oracle is running (default: 1521)
PostgreSQL: The port on which PostgreSQL is running (default: 5432)
Microsoft SQL Server: The port on which SQL Server is running (default: 1433). UDP port 1434 might be required for the SQL Server Browser Service when you are using named instances.
Sybase: The port on which Sybase is running (default: 5000)
SAP HANA: SAP HANA's IndexServer port (default: 30015)
Apache HBase: The port on which HBase is running. For default installations of HBase, the JMX port number is 10101 for the Master and 10102 for the RegionServer.
NoSQL
Cassandra: Enable JMX for monitoring. The JMX port for default installations of Cassandra is 7199.
ERP
Oracle EBS: Oracle EBS web server port (default: 7200)
Microsoft Dynamics CRM/365 (On-Premise): To monitor a Microsoft Dynamics CRM/365 application, use an Administrator user account that has permission to execute WMI queries on the 'root\CIMV2' namespace of the Dynamics CRM/365 server.
  Firewall access for monitoring (ports required for monitoring via WMI):
  • Windows Management Instrumentation (WMI) (default: TCP 445)
  • Remote Procedure Call (RPC) (default: TCP 135)
  • Also refer to the ports required for WMI mode of monitoring under Servers
  PowerShell access for monitoring: see the PowerShell prerequisites.
Microsoft Dynamics AX: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135. Also refer to the ports required for WMI mode of monitoring under Servers.
MAIL SERVERS
Exchange Server: Windows Management Instrumentation (WMI) (default: 445); Remote Procedure Call (RPC) (default: 135); PowerShell remoting: TCP 5985 and 5986; Exchange PowerShell session: TCP 80 and 443. See the ports required for WMI mode of monitoring under Servers.
Mail Server: SMTP server port (default: 25) to send mails from Applications Manager; POP port (default: 110) to fetch mails using the POP server.
MIDDLEWARE/PORTAL
IBM WebSphere MQ: The MQ Listener port (default: 1414)
Microsoft MSMQ / SharePoint Server / BizTalk Server: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135; PowerShell remoting: TCP 5985 and 5986. See the ports required for WMI mode of monitoring under Servers.
VMware vFabric RabbitMQ Server: The port on which the management plugin is configured (default: 55672)
WebLogic Integration Server: WebLogic Integration port (default: 7001)
Oracle Tuxedo: The SNMP port on which the Tuxedo SNMP agent is running (default: 161).
Apache ActiveMQ: Remote JMX should be enabled. The default JMX port is 1099. See "Learn how to enable JMX for ActiveMQ".
Apache Kafka: The default JMX port is 9999. To enable JMX, set the JMX_PORT environment variable in the kafka-run-class.sh/kafka-run-class.bat file or use the standard Java system properties. Alternatively, set the KAFKA_JMX_OPTS environment variable in the kafka-run-class.sh/kafka-run-class.bat file to enable JMX for monitoring in Applications Manager. For more information on configuring JMX, refer to this link.
Skype for Business Server: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135. Also refer to the ports required for WMI mode of monitoring under Servers.
SERVERS
AS400/iSeries: Applications Manager uses the JTOpen package to connect to the AS400/iSeries server. JTOpen uses the following non-SSL ports: 449, 446, 8470, 8471, 8472, 8473, 8474, 8475, 8476. Ensure that the ports listed under the "Port Non-SSL" column at the following link are not blocked by the firewall.
https://www-01.ibm.com/support/docview.wss?uid=nas8N1019667
Linux / Solaris / AIX / HP-UX / Tru64 Unix: Telnet port (default: 23), if the mode of monitoring is Telnet; SSH port (default: 22), if the mode of monitoring is SSH; SNMP agent port (default: 161), if the mode of monitoring is SNMP.

Windows

For WMI mode of monitoring:

Applications Manager supports users with both administrator and non-administrator roles for monitoring Windows servers through WMI mode. However, it is recommended to use administrator privileges for Windows server monitoring.

Ports required:

Remote Procedure Call (RPC) (default: 135)
WMI uses DCOM for remote communication. By default, the server monitored by Applications Manager responds on a random port number above 1024. You have to connect to this target server and configure it to use a port within a specified range of ports. See the following link on restricting the ports on the target server: https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls. Note that you must specify at least 5 ports in this range for the target server (opening at least 100 ports is normally recommended). The same range of ports must also be opened in the firewall.

  • For Windows Server 2008 and later versions (Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008), and in Windows Vista and later versions (Windows 10, Windows 8, Windows 7, Windows Vista), use the following dynamic port range:

    Start port: 49152

    End port: 65535

  • For versions of Windows Server below 2008 (Windows 2000, Windows XP, and Windows Server 2003) and for versions of Windows below Vista (Windows XP), use the following dynamic port range:

    Start port: 1025

    End port: 5000

  • If your computer network environment uses Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, Windows Vista together with versions of Windows below Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges:

    High port range: 49152 through 65535

    Low port range: 1025 through 5000

  • For more information about the default dynamic port range, click here.
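As an added example (not from the Applications Manager documentation), the following PowerShell, run elevated on the monitored Windows server, applies the registry settings from the KB article above for the high dynamic port range and opens only the WMI ports (RPC 135, WMI 445 and the restricted range) to the Applications Manager host; the Test-WmiPorts function is then run from the Applications Manager host to verify reachability. The Applications Manager address and the target host name are placeholders.

```powershell
# Added example: restrict the RPC/DCOM dynamic range on a monitored Windows
# server and open only the WMI monitoring ports to the Applications Manager host.
# Assumptions: run as administrator on the monitored server; $AppManagerHost is
# a placeholder for the Applications Manager machine; the range is the page's
# high range (49152-65535). The RPC registry change takes effect after a reboot.

$AppManagerHost = '10.0.0.10'      # placeholder: Applications Manager host
$RangeStart     = 49152
$RangeEnd       = 65535

# 1. Restrict the dynamic range with the registry values described in KB 154596.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$RangeStart-$RangeEnd") -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# On Windows Vista / Server 2008 and later the same range can instead be set with
# netsh (16384 ports starting at 49152); shown commented out as an alternative:
# netsh int ipv4 set dynamicport tcp start=49152 num=16384

# 2. Inbound rule for the RPC endpoint mapper, SMB (WMI) and the restricted
#    dynamic range, scoped to the Applications Manager host rather than "any".
New-NetFirewallRule -DisplayName 'Applications Manager WMI monitoring' `
    -Direction Inbound -Protocol TCP `
    -LocalPort @('135', '445', "$RangeStart-$RangeEnd") `
    -RemoteAddress $AppManagerHost -Action Allow | Out-Null

# 3. Verification, run from the Applications Manager host against the target:
#    reports whether each fixed WMI port accepts a TCP connection.
function Test-WmiPorts {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$Ports = @(135, 445)
    )
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

# Test-WmiPorts -Target 'monitored-server'   # placeholder host name
```

A closed 135 or 445 here points at the firewall or SMB/RPC service; a successful 135 with failing WMI queries usually means the dynamic range itself is still blocked.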

For SNMP Mode of monitoring:

Ports required - SNMP Agent Port: 161

Windows Cluster

For WMI mode of monitoring: the same requirements as for Windows above apply (administrator or non-administrator account, with administrator privileges recommended; RPC port 135 plus the restricted DCOM dynamic port range, which must also be opened in the firewall).

For SNMP mode of monitoring:

Ports required: SNMP Agent Port: 161

SERVICES
Active Directory: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135; PowerShell remoting: TCP 5985 and 5986. Also refer to the ports required for WMI mode of monitoring under Servers.
FTP/SFTP: Port on which FTP or SFTP is running (default: 21 for FTP, 22 for SFTP)
JMX [MX4J / JDK 1.5]: Port of the JMX agent (default: 1099)

To monitor JMX behind a firewall, make the following changes:
  • Edit the startApplicationsManager.bat/sh file and add -Dmonitor.jmx.rmi.port=<port number for RMI socket communication> to the Java runtime options.
  • Restart the Applications Manager server.
  • Ensure that the RMI socket port (step 1) and the JNDI port (step 4) are opened in the firewall.
  • Add the JMX Applications monitor after providing the relevant details.
  • The monitor should be added successfully.
LDAP: LDAP server port
Network Policy Server (NPS): Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135. Also refer to the ports required for WMI mode of monitoring under Servers.
Service Monitoring: The service port that you need to monitor
SNMP: SNMP agent port (default: 161)
Telnet: The port to which you need to Telnet
Apache ZooKeeper: The default port of the JMX agent is 1099.
To enable remote JMX for ZooKeeper in Linux environments, open the zkServer.sh file under the bin folder and check the following:
  • JMXPORT=<PORT NO>
  • ZOOMAIN="-Djava.rmi.server.hostname=<IP address> -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMXPORT -Dcom.sun.management.jmxremote.authenticate=$JMXAUTH -Dcom.sun.management.jmxremote.ssl=$JMXSSL -Dzookeeper.jmx.log4j.disable=$JMXLOG4J org.apache.zookeeper.server.quorum.QuorumPeerMain"
In Windows environments, make the following changes in the zkServer.bat file under the bin folder:
  • set JMXPORT=<PORT NO>
  • set ZOOMAIN="-Dcom.sun.management.jmxremote" "-Dcom.sun.management.jmxremote.port=%JMXPORT%" "-Dcom.sun.management.jmxremote.ssl=false" "-Dcom.sun.management.jmxremote.authenticate=false" "org.apache.zookeeper.server.quorum.QuorumPeerMain"
Replace <PORT NO> with the JMX port and <IP address> with the IP address of the machine.
Oracle Coherence: Enable JMX for monitoring. The JMX port for default installations of Coherence is 1099.
Hadoop: Enable JMX for monitoring. The JMX port of the NameNode.
APPLICATION PERFORMANCE MANAGEMENT
APM Insight: One-way communication from the application server on which the agent is installed to the Applications Manager port (default: 9090/8443).
VIRTUALIZATION
Hyper-V: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135. Also refer to the ports required for WMI mode of monitoring under Servers.
VMware ESX/ESXi: VMware Web Service port (default: 443)
Citrix XenServer: The HTTPS port on which the XenServer web service runs (default: 443).
Docker: The Docker socket port (default port: 4243).
Kubernetes: SSH port (default port: 22).
OpenShift: SSH port (default port: 22); REST API port (default port: 8443)
WEB SERVER/SERVICES
SSL Certificate Monitor: SSL port on which the web server is running (default: 443).
Web Server: HTTP port of the web server (default port is 80; for SSL, it is 443)
Elasticsearch: The port on which Elasticsearch is running (default: 9200).
Apache Solr: The port on which Apache Solr is running (default: 8983)
IIS Server: Port on which the IIS server is running (default port is 80; for SSL, it is 443).
MISCELLANEOUS
Trap Listeners: The Trap Listener port (default: 1620) on the Applications Manager server should be accessible from the server that sends the traps. See "Receiving SNMP Traps" for more.
RUM Agent:
  • Default RUM agent ports: 7070 (HTTP) and 7443 (HTTPS).
  • The above RUM Agent ports should be opened in the firewall for all end users accessing the application monitored by Real User Monitor in Applications Manager.
  • The RUM Agent should be able to communicate with the Applications Manager server, i.e. one-way communication from the RUM Agent to the Applications Manager HTTPS port (default HTTPS port: 8443).
Note:
  • End users accessing the website monitored in Applications Manager should have access to the RUM Agent.
  • The RUM Agent should be reachable on the internet and should be able to communicate with Applications Manager.
EUM Agent:
  • Default EUM agent ports: 9999 (HTTP) and 9443 (HTTPS).
  • The EUM Agent should be able to communicate with the Applications Manager server, i.e. one-way communication from the EUM Agent to the Applications Manager HTTPS port (default HTTPS port: 8443).
  • Firewall requirements for the following EUM-based monitor types are the same as for the non-EUM-based monitors supported in Applications Manager:
    • DNS
    • LDAP
    • Telnet
    • Mail
    • Ping
    • RBM (default port 9595)

Applications Manager makes sure that data is secure. The internal PostgreSQL database allows only the localhost to access the database through authenticated users. User Names and Passwords are stored in the PostgreSQL database that is bundled along with the product. The passwords are encrypted to maintain security.

Privileges required for different monitor types:

Monitor: privileges
Active Directory: Administrator username/password [WMI mode]
Amazon:
  • The AWS Access Key ID for accessing AWS through the API. The access key has 20 alphanumeric characters.
  • The AWS Secret Access Key. The secret key should be 40 alphanumeric characters long.
Apache Server: Credentials for accessing the server-status URL for Apache
AS400/iSeries:
  • To retrieve data for all modules in the AS400/iSeries monitor except 'Disk', a user with the *USER user profile is required.
  • To retrieve data for 'Disk' and to perform admin actions from Applications Manager, a user with the *SECOFR user profile is required.
  • If using the *SECOFR user profile is not possible, then retrieving disk data and performing admin actions such as viewing the spooled file and job log and performing actions in JOBS, SPOOL and SUBSYSTEM require a user profile with special authorities such as *ALLOBJ, *SAVSYS, *JOBCTL and *SPLCTL.
  • The user should have permission to access the QMPGDATA/QPFRDATA library because Applications Manager uses the performance collection service to retrieve disk details from the AS400/iSeries server. Note: If performance data collection is not enabled on AS400/iSeries, start it with the command STRPFRCOL or GO PERFORM-->COLLECT PERFORMANCE DATA-->START PERFORMANCE COLLECTION. You can also execute the STRPFRCOL command from the AS400/iSeries server monitor page under the Admin-->Non-Interactive command option.

Database Query Monitor: User with privileges to access the particular database and execute the query
DB2: User with at least SYSMON instance-level authority
Exchange Server: Administrator username/password [WMI mode]
File/Directory: User with privileges to access the file or directory to be monitored
FTP/SFTP: If authentication is enabled, enter the username and password for connecting to the FTP/SFTP server and moving to the required directory
Glassfish: Username and password for connecting to the Glassfish Admin console
HP-UX: Guest user privilege
HTTP URL: If basic authentication is required, enter the credentials in the monitor
Hyper-V: Administrator privileges on the root OS (Windows 2008 R2 and other supported Hyper-V versions)
IBM AIX: Guest user privileges are sufficient, but "root" privileges are required for collecting memory-related details. Hence, it is preferable to use a "root" account to view all the details.
IBM WebSphere MQ: A channel name with the type "Server Connection Channel"
JBoss: Use the JBoss username/password (if JBoss is authenticated). The user should be able to access the JBoss JMX console. If JBoss is not authenticated, no username/password is required.
JMX/Java Runtime: If authentication is enabled, enter the username and password for connecting to the JMX agent.
To monitor a JMX application, add the following Java runtime options to your application:
  • -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=<PORT NO>
  • -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false
Replace <PORT NO> with the JMX port of the machine.
LDAP: If authentication is enabled, enter the username and password. If no username and password are provided, it connects to the LDAP server as an anonymous login.
Linux: Guest user privilege
Mail Server: If authentication is enabled, enter the username and password for connecting to the SMTP and POP servers
Microsoft .NET: Administrator username/password [WMI mode]
Microsoft Office SharePoint Server: Administrator username/password [WMI mode]
MS SQL: System Administrator/Owner for the "master" database
MSMQ: Administrator username/password [WMI mode]
MySQL: The username specified should have access to the databases to be monitored. MySQL should also be configured to allow the host on which Applications Manager is running to access the MySQL database.
Oracle EBS: Users with the CONNECT, SELECT_CATALOG_ROLE and SELECT ANY TABLE roles.
RabbitMQ: The user must have an administrator tag (which has privileges to list all the objects under every virtual host) to monitor a RabbitMQ server.
SAP/SAP CCMS: You need a SAP user profile with the following authorization objects: S_RFC, S_XMI_LOG and S_XMI_PROD, which are the minimum prerequisites for adding a SAP monitor.
We use the SAP Java Connector to connect to the SAP ABAP server. SAP JCo communicates from Applications Manager to SAP through the SAP Dispatcher. The SAP Dispatcher port to be used is 3200 plus the SAP system number.
Script monitor: User with privileges to execute the script and access the output file.
Server with SNMP mode: SNMP community string with read privileges.
SNMP/Network device:
For SNMP version v1/v2c:
  • SNMP community string with read-only privileges.
For SNMP version v3, select one of the three security levels in the drop-down list:
  • NoAuthNoPriv: Messages are sent unauthenticated and unencrypted. Enter a username and context name.
  • AuthNoPriv: Messages are sent authenticated but unencrypted. Enter a username, context name and an authentication password. You can select an authentication protocol such as MD5 or SHA from the drop-down list.
  • AuthPriv: Messages are sent authenticated and encrypted. Enter a username, context name, an authentication password and a privacy password. You can select an authentication protocol such as MD5 or SHA from the drop-down list. By default, the 'DES' encryption technique is used.
Solaris: Guest user privilege.
Sybase: The user should have admin privileges or be the DB owner of the master database.
Tomcat:
  • For 5.x and above, a username and password are required to connect to the Tomcat Manager application. Otherwise, no username/password is required.
  • For 5.x, the user specified should have the 'manager' role.
  • For 6.x and above, the user specified should have the "manager-gui", "manager-script", "manager-jmx" and "manager-status" roles.
VMware ESX/ESXi: When adding VMware ESX/ESXi servers for monitoring, we recommend that you use the root account. However, if you are unable to use the root account, you can use a 'view-only' profile to add the servers; this profile has all the privileges required for monitoring. The user you create must be:
  • a member of the group "user".
  • based on the profile 'read only'.
VMware vFabric RabbitMQ Server: Username and password of the RabbitMQ server.
WebLogic: Use the WebLogic username/password if WebLogic is authenticated; the user should be an administrator. Otherwise, no username/password is required.
WebLogic Integration Server: Use the WebLogic username/password if WebLogic is authenticated; the user should be an administrator. Otherwise, no username/password is required.
Webservices: Give the username and password if they are required to invoke the web service operation.
WebSphere: If Global Security is enabled, use the same username/password. If not, no username/password is required.
Windows: Administrator username/password [WMI mode].
Windows Cluster: Administrator username/password [WMI mode].
Enterprise Edition

Path: ports
Admin Server to Managed Server: SSL port (default: 8443) for data syncing; web server port (default: 9090).
Managed Server to Admin Server: SSL port (default: 8443) for data syncing.

Note: The Production Environment section gives you the configuration details that you need to take care of when moving Applications Manager into production.