Managing HP Servers Thru Firewall in Insite Manager

Table of Contents
Abstract .............................................................................................................................................. 3
Acronyms in text .................................................................................................................................. 3
Introduction ......................................................................................................................................... 5
HP management products ..................................................................................................................... 6
Case 1: Management protocols banned from DMZ ................................................................................. 6
Asset management ........................................................................................................................... 6
Fault management ............................................................................................................................ 7
Deployment and Migration ................................................................................................................ 7
Integrate ......................................................................................................................................... 7
Control ........................................................................................................................................... 7
Case 2: Separate management network ................................................................................................. 7
Asset Management ........................................................................................................................... 9
Fault Management ........................................................................................................................... 9
Deployment and Migration ................................................................................................................ 9
Integrate ......................................................................................................................................... 9
Control ........................................................................................................................................... 9
Case 3: Managing through a firewall using a single network .................................................................. 10
Asset Management ......................................................................................................................... 10
SNMP ....................................................................................................................................... 11
DMI .......................................................................................................................................... 12
WBEM ...................................................................................................................................... 12
WMI ......................................................................................................................................... 12
WS-MAN .................................................................................................................................. 13
SSH .......................................................................................................................................... 13
Fault management .......................................................................................................................... 13
Deployment and Migration .............................................................................................................. 14
Control ......................................................................................................................................... 14
Integrate ....................................................................................................................................... 14
Control ......................................................................................................................................... 14
Configuration Management ............................................................................................................. 15
Version Control .......................................................................................................................... 17
Replicate Agent Settings .............................................................................................................. 17
SSH .......................................................................................................................................... 17
Managing HP Servers through Firewalls with
Insight Management 7.0 White Paper

Best Practices ................................................................................................................................. 17
HP Insight Management Installer ...................................................................................................... 18
HP Systems Insight Manager ........................................................................................................ 18
HP Insight Control ....................................................................................................................... 18
HP Matrix Operating Environment ................................................................................................ 18
HP Insight Management Installer Ports............................................................................................... 18
HP Smart Update Manager Ports ..................................................................................................... 21
HP Insight Control for VCenter Ports ................................................................................................. 23
HP Onboard Administrator Ports ...................................................................................................... 24
HP Virtual Connect Manager Ports ................................................................................................... 24
Policies required for IM DVD Installation ........................................................................................... 25
Additional policies required for proper operations of the system .......................................................... 25
Conclusion ........................................................................................................................................ 26
Appendix A: Configuring a separate management network .................................................................... 27
Appendix B: Modifying default ports .................................................................................................... 28
For more information .......................................................................................................................... 29
Call to action .................................................................................................................................... 29

3
Abstract
This paper identifies possible ways of managing HP servers with HP Insight Management deployed in
the area of the network that is considered more secure than the standard production network. This is
not a best practices document. This document provides information that can enable system
administrators to create management solutions appropriate for specific computing environments.
Insight Control is a product in the HP Insight Management family of products that can be downloaded
from the Internet. Insight Control is installed through the HP Insight Management Installer wizard,
which integrates the installation and upgrade of all Insight Management products.

Acronyms in text
The following acronyms are used in the text of this document.
Acronym Acronym expansion
CLP Command Line Protocol
CMS Central Management Server
CIM Common Information Model
DIMM Dual inline memory module
DCOM Distributed Component Object Model
DMTF Distributed Management Task Force
HP SIM HP Systems Insight Manager
HTTP Hyper Text Transport Protocol
HTTPS Hypertext Transfer Protocol over Secure Socket Layer
ICMP Internet Control Message Protocol.
IETF Internet Engineering Task Force
iLO 2 Integrated Lights-Out 2
IPMI Intelligent Platform Management Interface
MIB Management Information Base
OS Operating System
RMCP Remote Management Control Protocol
RPC Remote procedure call
SSH Secure Shell
SSL Secure Socket Layer
SM CLP Server Management Command Line Protocol
SMASH Systems Management Architecture for Server Hardware
SMI-S Server Management Initiative Specification
SMTP Simple Mail Transfer Protocol

4
SNMP Simple Network Management Protocol
TCP/IP Transmission Control Protocol / Internet Protocol
UDP User Datagram Protocol
WBEM Web-Based Enterprise Management
WMI Windows Management Instrumentation
WS-Management Web Services for Management
XML Extensible Markup Language

5
Introduction
Managing systems in a secure environment is a challenge that most system administrators face. It
requires a careful balance between critical security requirements and the need to effectively manage
and maintain the systems.
Within Internet connected architecture, there is typically a more secure zone, commonly referred to as
the demilitarized zone (DMZ). This zone is positioned between the corporate servers and the Internet,
usually separated from both by firewalls that restrict traffic flow. With this architecture, servers that
provide publicly available Internet services can be accessed through a firewall, but these services are
inaccessible on the internal network. This more secure zone provides an area that is isolated from the
internal network and is hardened against external attack (Figure 1). The security challenges in the
DMZ are similar to those in other areas of a network that require special security attention.

Figure 1 Block diagram of a generic corporate computing environment

Through three sample case studies, this paper explores options for managing HP systems in the DMZ.
It explains the benefits and risks associated with each option. Information in this paper should allow
system administrators to tailor solutions for their own computing environments, based on the levels of
management they need and the security risk level they are willing to take.
In Case 1, the majority of management protocols are prohibited from the secure network, and the
management solution will not be allowed to violate any security restrictions. This solution is not
recommended, as the administrator is incapable of managing the hardware in the DMZ. It completely
eliminates the use of HP management tools such as HP Insight Control.
In Case 2, a completely separate network is used for management. This solution has the benefit of
completely segregating management traffic from the primary network and allowing a full spectrum of
management capabilities (because management protocols can enter through the firewall). However, it
is the most expensive option in terms of hardware and infrastructure costs. While it does increase cost
due to additional hardware and infrastructure, this option allows the use of iLO 2 to securely manage
hardware in the DMZ. Of the two options providing management capabilities in the DMZ (case 2
and 3), this one has the least risk of hackers or security breaches.
In Case 3, management protocols are allowed and management traffic is permitted to travel through
the firewall to HP Insight Control. This results in a fully featured management solution at a measured
risk. Because the infrastructure uses a single network for both management and production traffic, this
option does increase the risk from hackers or security breaches.
The intended audience for this paper is engineers and system administrators familiar with existing HP
technology and servers. The paper does not attempt to define and explain all the security concepts
and topics mentioned. Instead, it refers readers to resources containing that information.

6
HP management products
The following HP products are possible management options for HP servers deployed in the DMZ:
HP Insight Control Environment (ICE)-Linux
HP System Management Homepage (SMH)
HP Insight Management Agents (Agents)
HP Insight Management WBEM Providers for Windows (Insight Providers)
HP Infrastructure Orchestration (HPIO)
HP Insight Control Power Management (ICPM)
HP Smart Update Manager (HP SUM)
HP Systems Insight Manager (HP SIM)
HP WEBM Services for HP-UX
HP Insight Control performance management
HP Insight Control Server Deployment (ICSD)
HP Insight Control server migration
HP Version Control Agent (VCA)
HP Version Control Repository Manager (VCRM)
HP Insight Control virtual machine management
HP Virtual Server Environment (VSE)
HP Vulnerability and Patch Management Pack (VPM)
HP Management processors such as Integrated Lights-Out 2 (iLO 2)
HP Insight Control for VMware vCenter Server
HP Onboard Administrator (OA)
HP Virtual Connect Manager (VCM)

For information about these HP management products, see the For more information section at the
end of this paper. Appendix A: Configuring a separate management network gives port information
related to these products.
Case 1: Management protocols banned from DMZ
In some computing environments, IT security policies restrict management protocols in the secure
environment. Security policies may or may not permit other protocols (such as email or file sharing) in
the DMZ. An acceptable management solution must conform to security restrictions of the
environment.
Even if active management is not possible, some management information can flow from managed
devices in such an environment. Either SNMP or WBEM/WMI can be used to manage ProLiant
servers. These can be configured to prevent access from off the platform. For information on how to
configure SNMP or WBEM, see the documentation for your operating system.
Asset management
In this type of computing environment, administrators can collect system asset information from a
ProLiant server in the DMZ as long as the Agents or WBEM providers are running and an application
is running that can get the data locally. For example, Microsoft Systems Management Server can
get asset information from the Agents and transfer that information to its central server through the

7
operating system file share. As a second option, administrators can browse to the web-based System
Management Homepage (https://servername:2381/) and manually view the asset information.
Fault management
Administrators can configure ProLiant servers to send an email (through SMTP) when a hardware
problem occurs. In Microsoft Windows operating systems, the Agent Event Notifier provides this
optional feature. Administrators can set up and configure the Agent Event Notifier during the agent
deployment. In Linux operating systems, if a hardware problem occurs, emails are automatically
sent to the root email on the managed system.
The Insight Agents for Microsoft Windows also create Windows Event Log entries. A management
tool such as HP OpenView Operations or Microsoft Operations Manager operating in the same
environment can then collect the log entries and send them back to a centralized server. The Insight
Agents for Linux also create entries in the syslog. Administrators can write a script to look for these
entries and take appropriate action.
Deployment and Migration
With HP Insight Control installed managing, deploying Hardware and migration will be a difficult
task for the administrators. As, the protocols inside the secure area (DMZ) are banned, we need to
disable or allow the protocols within the Intranet, which is not suggestible.

Integrate
Create templates with detailed requirements (server, storage, networks) for simple or complex
infrastructure needs using visual drag-and-drop design tool. Users select from a catalog of published
infrastructure templates in the self-service portal, which routes the requests through a configurable
approval process. The network resource has to be available to the administrator and protocols have
to work fine in order to establish communication. Here security will be primary concern if we want to
integrate, as the firewall rules have to loosen.

Control
HP Insight Control gives you more from every dollar, hour, and watt invested in your ProLiant servers.
With Insight Control and related services, you can deploy new ProLiant servers quickly and reliably,
catalog your environment accurately, proactively monitor server health to pinpoint failures before they
result in unplanned downtime, manage ProLiant servers remotely from any location, and optimize
power usage confidently. As a result, you can reduce unplanned downtime and deliver stable IT
services to your line-of-business (LOB) users. In this case, we need to disable or allow the protocols
within the Intranet and Internet or VPN.

entries and take appropriate action
Case 2: Separate management network
In some computing environments, system administrators create a separate, secondary network parallel
to the primary or production network (Figure 2). The chief benefit to this approach is that
management traffic flows through the secondary network, while the limited access from the production

8
(primary) network maintains security. Configuring a separate management network using HP Systems
Insight Manager allows secure access to the systems in the DMZ.
The secondary network can also be used for other operations that would be inappropriate for the
primary network, such as tape backups, deployments using Insight Control Server Deployment, or
application maintenance.
Note:
Do not connect the management network to the corporate (internal)
network. Compromising one of the systems in the DMZ could allow a
hacker to get onto the management network. However, it may be beneficial
to allow VPN access to the management network.

Figure 2 Parallel primary (production) and secondary (management) networks

Servers inside the DMZ and on the internal network can use iLO 2 processors. Because the network
connection to iLO 2 is completely isolated from the network ports on the server, there is no possibility
for data to flow from the DMZ network to the iLO management network, or vice-versa. Therefore, if
anyone compromises the DMZ network, he or she cannot compromise the iLO network. This
architecture permits administrators to use iLO on servers located in the DMZ, or in the internal
network, without the risk of compromising sensitive data. This separation is accomplished through the
use of a dedicated NIC or the iLO 2 Shared Network Port with its Virtual Local Area Network. For
more information, see the paper titled HP Integrated Lights-Out security technology available at
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf.
For best protection of the servers operating inside the DMZ, administrators should set the SNMP trap
destinations to the loop back address and enable the SNMP pass-through in iLO 2 so that SNMP
traps are routed onto the iLO management network. While this SNMP pass-through option does not
enable all management functions, it allows for passing status, inventory, and fault information to HP
Systems Insight Manager or another SNMP-capable management application. This option has the
benefit of being very secure because the host operating system does not recognize the Lights-Out
product as a NIC.

9
Asset Management
With HP Systems Insight Manager installed on the secondary management network, system
administrators can collect system asset information from a ProLiant server on that management
network through the iLO 2 pass-through. As a second option, administrators can browse to the System
Management Homepage (https://servername:2381/) and manually view the asset information.
Appendix A: Configuring a separate management network describes the procedure for configuring a
separate management network. When using SNMP management protocols, SNMP should be
configured to accept packets only from the IP addresses used on the management network, or SNMP
should be bound to the secondary network interface (if the operating system allows this). The HP
Insight Management Agents should be configured to allow access only from IP addresses on the
management network. HP Systems Insight Manager should be configured to discover the systems on
the secondary network. WMI and WBEM can be disabled on the primary network by configuring a
firewall on the system to disable each of the protocols on the primary NIC.
Fault Management
SNMP traps can be forwarded through the Lights-Out interface on ProLiant servers. This allows full
fault management data to flow into HP Systems Insight Manager or another management product
(such as HP OpenView Network Node Manager).
entries and take appropriate action.
In this type of computing environment, administrators can collect network resource information from a
gateway which is connected to the intranet in the DMZ through bypassing it from the firewall.
Managing, deploying Hardware and migration will be a smooth task for the administrators.

Integrate
Key integrations are provided through HP Insight Control for Microsoft System Center and HP Insight
Control for VMware vCenter Server. The Insight control Agents for Microsoft Windows also create
Windows Event Log entries. The Microsoft System Center integration supports OS deployment and
updates, HP ProLiant and Blade System management and alerting, proactive virtual machine
management, and enhanced inventory reporting. The integration happens with the secondary network
which is connected to the network resources.

Control
Insight Control provides single-console integration with the leading management applications. Insight
Control for VMware vCenter Server delivers powerful HP hardware management capabilities to
virtualization administrators without ever having to leave the vCenter console. The benefit to this
approach is that management traffic flows through the secondary network, while the limited access
from the production (primary) network maintains security. We doesnt require the need of disabling
the firewall rules

10
Case 3: Managing through a firewall using a single
network
In other computing environments, a firewall commonly separates the central management server
(CMS) and the managed server. In such an environment (Figure 3), two networks are given different
levels of trust. For example, the managed server may be in a DMZ, while the CMS resides in a more
trusted portion of the intranet. The firewall is used to control traffic between these two networks. The
firewall permits the exchange of only specific types of traffic between specific systems.
In some situations, the firewall may simply restrict communication between specific IP addresses. For
example, the firewall may allow the exchange of any IP packets between the managed system and
the CMS. However, because host names and IP addresses can be spoofed, a higher level of
restriction can be imposed through the firewall; that is, the firewall can permit only non-spoofable
protocols.
In this case study, we assume that the firewall is configured to allow only requests from the CMS to
the managed server and returned responses. Typically, this means the firewall will not permit UDP
traffic, as connectionless protocols cannot easily be configured to block incoming packets. Only
specific TCP ports will be opened, and they will possibly be filtered for certain types of traffic.

Figure 3 Firewall separating central management server from managed server

Asset Management
HP Insight Management provides asset management services by first discovering and identifying the
managed systems, gathering data from instrumentation running on each managed system, storing this
data in a SQL database, and finally providing reporting capabilities on this gathered data. These
steps require communication between the CMS and managed system as described in the following
paragraphs.
First the managed systems and the instrumentation running on them must be identified. HP Insight
Management offers an automatic discovery mechanism using IP ping sweep, or administrators can
manually add systems by name or address. In either case, the CMS will attempt to contact the
managed system using a ping; if this fails, then no further requests will be sent to the system.
HP Insight Management normally uses an ICMP echo to ping a system; however, some network
administrators turn off ICMP through firewalls. In this situation, the administrator can configure HP
Insight Management to use a TCP port to ping systems. Port 80 is used by default, but an alternative
port may be specified in a configuration file. The target system need not be actively listening to the
chosen port, but the firewall must be configured to allow these requests to pass.

11
Next, the CMS will attempt to identify a number of management protocols such as SNMP, HTTP, and
WBEM. The protocols used for asset management depend on the types of systems being managed
(Table 1):
ProLiant servers provide management data through SNMP, giving complete coverage of the
hardware instrumentation. Integrity servers running Windows also provide this SNMP
instrumentation.
ProLiant and Integrity servers running Microsoft Windows 2003 or 2008 also expose much data
through the Insight Providers and WMI. The HP Insight Providers include server providers
(information about processors, memory, peripheral devices, computer system information, and
sensor information); network providers (network controller information and indications); and storage
providers (storage controller information and indications). WMI on Integrity currently does not cover
detailed hardware information such as controllers, DIMMs, and physical disks.
ProLiant and Integrity servers running Linux may also provide management data through WBEM.
While that data is not currently as rich as the SNMP information, WBEM provides basic hardware
and operating system information today. WEBM will be expanded to provide full instrumentation in
future.
HP 9000 and Integrity servers running HP-UX provide management data with WBEM. HP
recommends WBEM for asset management and makes it available on 11.x versions of HP-UX.
(These systems also support SNMP, but SNMP is not required for asset management.)
Table 1 Protocols used for asset management of industry-standard servers
Server OS SNMP WBEM WMI SSH WS-MAN
ProLiant Windows Y Y
1
Y
ProLiant Linux Y Y

Y

HP 9000 HP-UX Y
2
Y (11.x)

HP Integrity HP-UX Y
2
Y

HP Integrity Linux Y Y

Y

HP Integrity Windows Y Y
1
Y
Other devices Y Y
1
When WMI mapper is installed
2
Not required for asset management

Selecting the protocols that must be enabled through the firewall depends on the types of system to be
managed. Issues associated with each protocol are discussed in the following paragraphs. Ideally,
WBEM will be used to manage servers located through a firewall.
SNMP
SNMP gives the best management coverage but at the highest risk. While no set operations are
required for asset management, SNMP is UDP-based; therefore, in many environments it is not
considered a suitable protocol to pass through the firewall. Because SNMPv1 has a simple, clear-text
community, it provides a low level of security. However, SNMP may be suitable for some
environments in which the network containing the managed systems is relatively controlled. The
community string is not suggestible be a default, Public or Private. It should be customized
accordingly.
Using SNMPv3, users can securely collect management information from their SNMP agents without
fear that the data has been tampered with. Also, confidential information, such as SNMP set packets

12
that change a device's configuration, can be encrypted to prevent their contents from being exposed
on the wire. Also, the group-based administrative model allows different users to access the same
SNMP agent with varying access privileges.
DMI
DMI is similar in design to SNMP. Each component to be managed must have a Management
Information Format (MIF) file that specifies the location of the component, name of vendor and model,
firmware revision number, interrupt request line (IRQ), I/O port address, and so on.
DMI is a remote procedure call (RPC-based protocol). To operate, DMI requires opening a number of
ports through a firewall. Therefore, DMI is not recommended for use through firewalls. It is largely
being replaced by WBEM.
Note
DMI is not supported on HP-UX systems running HP-UX 11.23 (11iv2) and
HP-UX 11.31 (11iv3). You must use WBEM for this operating system.
WBEM
Web-Based Enterprise Management (WBEM) is one of the newest management protocols. HP
Management products will communicate to systems either directly using the WBEM protocol, or to the
Windows WMI systems, using the WMI Mapper Proxy.
WBEM uses HTTPS to provide a secure TCP connection from the CMS to the managed system. WBEM
uses its own port (5989 for SSL connections) and is supported through firewalls. The CMS can use
trusted certificates to authenticate the managed system, while the managed system uses user names
and passwords to authenticate the CMS.
Note
Firewalls should be configured to allow the CMS to communicate with
managed systems through default port 5989. If you have modified the
default port setting for your WBEM provider, you must configure your
firewall for the port number your WBEM provider on which it is actually
configured.
WMI
WMI is Microsofts implementation of WBEM. WMI runs over DCOM, which in turn, uses RPC. The
WMI Mapper is an application that provides translation from WMI (a DCOM-based interface) to a
standardized WBEM interface (CIM XML/HTTP). This is a two-way translation. The WMI Mapper is
required for HP Insight Control to manage Windows computers, including ProLiant servers running the
Insight Providers for Windows. The WMI Mapper service runs separately from the HP SIM service. For
Windows systems behind a firewall, HP recommends installing the WMI Mapper on a managed
system in the secure network (Figure 4) and disabling direct remote access to WMI. This mapper
allows standard WBEM requests through the firewall, and they are mapped to WMI requests on the
managed system.

13

Figure 4 WMI Mapper on managed Windows system behind firewall

The WMI Mapper is included with the Windows version of HP SIM but can also be used with other
versions. It is available with the HP SIM software or from the HP website at
http://www.hp.com/go/hpsim. The mapper can be installed on a Windows system to allow WBEM
access to that system.
If the mapper is to be used as a proxy to access other systems, as shown in the previous DMZ
example, then HP SIM must be configured to recognize the mapper as a proxy: Use the Options
Security WMI Proxy Settings menu item and add the system on which the mapper is installed.
WS-MAN
WS-Management is a public standard SOAP-based protocol for sharing management data among all
operating systems, computers, and devices. WS-MAN depends upon SOAP. As of this writing, it is
used to manage iLO2 and HPOA.
SSH
Secure Shell (SSH) allows logging in to another system over a network and executing commands on
that system. It also enables administrators to move files from one system to another in an encrypted
format. It provides authentication and secure communications over insecure channels, and uses TCP
port 22 to communicate.
Fault management
The HP Agents have two means for communicating faults: SNMP traps and SMTP e-mail (Table 2).
Both originate from the agents in the DMZ to the CMS or to the SMTP mail server. The HP Insight
Management WBEM providers can communicate faults using WMI indications. It is recommended
that the WMI Mapper be installed on the managed system so that these faults can be sent using
WBEM (CIM-XML/HTTP) through the firewall.

Table 2 How HP agents communicate faults
CMS Managed
System
Port
Protocol
1

Description

14
In
2

Out In Out
Y Y 162 SNMP (UDP) SNMP Trap
Y Y 25 SMTP SMTP E-mail
Y Y 50004 HTTPS/HTTP WBEM event receiver (configurable)
1
All ports are for TCP and UDP
2
The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be
configured to block these ports if the CMS is not to be managed from another system.
Increase deployment speeds by 12X (20 minutes versus 4 hours) with consistency and reliability using
ProLiant servers. HP Insight Control Server Deployment will help in conserving the time in the network
through its capabilities. In this case, protocols need to allow between the Management server and
systems.
Control
Staff efficiencies stem from time saved on tasks performed by IT administrators and technicians and
translate into increased productivity benefits in server administration, server deployment, server asset
management, server hardware maintenance, and new application deployment time. With this type of
computing environment, the administrator has to allow the protocols required to communicate
between the systems through the connected firewall.
Integrate

Company uses HP Insight Control to help manage its Microsoft Hyper-V environment, especially to
deploy virtual servers. Integrate Insight Control directly into HP Operations Center or with VMware
and Microsoft for single-console access to virtual and physical resources. The Matrix Operating
Environment can move server profile from one physical blade to another, bringing the flexibility of
virtualization to physical servers. With this type of computing environment, the administrator has to
allow the protocols required to communicate between the systems through the connected firewall.

Control
Staff efficiencies stem from time saved on tasks performed by IT administrators and technicians and
translate into increased productivity benefits in server administration, server deployment, server asset
management, server hardware maintenance, and new application deployment time. With this type of

15
computing environment, the administrator has to allow the protocols required to communicate
between the systems through the connected firewall.

Selecting the protocols that must be enabled through the firewall depends on the types of system to
be managed. Issues associated with each protocol are discussed in the following paragraphs. Ideally,
BEM will be used to manage servers located through a firewall.

Configuration Management
HP web agents on managed systems in a DMZ should first be configured to trust-by-certificate the HP
SIM server. This will authenticate all Version Control (VC) commands and all Replicate Agent Settings
(RAS) commands to the agent as coming from the specified CMS; these commands require HTTPS
over port 2381.
Systems must be discoverable by the CMS. Refer to the Asset Management section for more
information. Systems must also be identifiable, which minimally requires HTTP access over port 2301.
Table 3 identifies the protocols used for configuration management when managing through a
firewall.
Note
HP does not recommended enabling management protocols such as SNMP
or DMI on systems outside the firewall or directly connected to the Internet.
Table 3 Summary of protocols used for configuration management
CMS Managed
System
Port
Protocol
1

Description
In
2

Out In Out ICMP Ping
Y Y 22 SSH SSH server (for DTF)
Y Y 161 SNMP (UDP) SNMP Agent
Y Y 162 SNMP Trap (UDP) Trap listener

Y
4

Y 80 HTTP Management processor and other devices;
standard Web server
Y
Y
4

Y Y 280 HTTP Web server for HP SIM; Web agent auto-
start port

Y
4

Y 443 HTTPS Management processor and other devices;
standard Web server
Y 1433 TCP Microsoft SQL Server database
Y Y 2301 HTTP Web agent Web server
Y
3

2367 RMI HP SIM RMI connection
Y Y 2381 HTTPS Web agent Web server
Y 5432 ProstgreSQL Server database
Y Y 5988 HTTP WBEM service
Y Y 5989 HTTPS WBEM service

16
40420 VMM
Y 50000 HTTPS
HP SIM Web server (configurable
6
)
Y 50001 HTTPS HP SIM SOAP
Y 50002 HTTPS HP SIM SOAP with client certificate
authentication
Y 50003 HTTP HP SIM SOAP
Y Y 50004 HTTPS/HTTP WBEM event receiver (configurable
7
)
Y 50005 WBEM WBEM Events
Y 50006 PostgreSQL PostgreSQL
Y 50008 SIM JMS JMS port
Y 50009 SIM JNDI JNDI port
Y Y 50010
DMI
5

DMI
50013 RMI Web Services RMI Loader
50014 JRMP JRMP Invoker
50015 Pooled invoker Pooled invoker
Y Y 51124 HTTPS Agent communications and iLO booting
Y Y 51125 HTTPS Agent communications and iLO booting
Y Y 51126 HTTPS Communication between the migration
agents on servers.
Y Y 51127 HTTPS Application station for Insight Control Web
Server
Y Y 52000 HTTP ESA
Y Y 52001 HTTPS ESA

Y
4

Y 411 HTTP IBM Director agent

Y
4

Y 1311 HTTPS Server administrator

Y
4

2069 HTTP OSEM

Y
4

Y 3202 HTTPS StorageWorks NAS

Y
4

Y 3257 HTTPS Rack & Power Manager

Y
4

Y 4095 HTTP CommandView ESL

Y
4

Y 4096 HTTP CommandView SDM

Y
4

Y 8000 HTTP HP Web letAdmin

Y
4

Y 8008 HTTP Default home page

Y
4

Y 8443 HTTPS HP Web JetAdmin

Y
4

Y 9990 HTTP HPOSM Service Application

Y
4

Y 9991 HTTP OSM Event Viewer
Outbound (out) Request or response sent from a server is called outbound

17
Inbound (in) Request or response received by a server is called inbound
1
All ports are for TCP (except ICMP and SNMP).
2
3
RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and
firewalls may block this port.
4
Many CMS outgoing ports are used for discovery.
5
The exact UDP/TCP ports used by DMI are dynamic and vary from system to system, but they tend to be around 32,780 and
higher.
6
50000 port number is configurable in server.xml (see Appendix B: Modifying default ports).
7
50004 port number is configurable in globalsettings.props (see Appendix B: Modifying default ports).

Version Control
This discussion is based on the assumption that the Version Control Repository (VCR) is behind the
firewall with CMS, and likely on the CMS.
Discovering the software available on the managed system requires SNMP over port 161. After
receiving a command to update some component, the system must retrieve the component from the
VCR, which it does using HTTPS over port 2381 to the VCR. To communicate its update status back to
the CMS, the agent uses HTTP over port 280. Additionally, the CMS polls the system for its status
every 15 minutes for up to 2 hours.
Replicate Agent Settings
Replicate Agent Settings require a source system whose configuration is copied and stored at the
CMS for duplicating to other target systems. This function relies on HTTPS traffic via port 2381 and
can operate over the firewall as long as the firewall is configured to pass this traffic.
SSH
SSH is used both locally on the HP SIM central management server and remotely to manage systems
for various tools. Normally, SSH servers listen on TCP port 22. If, for some reason, this must be
changed, the SSH port that HP SIM uses is configurable.
Best Practices
Systems can be made more secure by changing the default settings to the recommended Security
Policies Baselines by Microsoft Security Compliance Manager v. 2.0.20.0.
Reference:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776

Below are the summary of the steps to be followed:
Apply the Member Server Security Compliance Baseline Policies for Windows Server
2008R2Sp1 to the system.
Open the firewall ports as mentioned in Table 3.
Install the pre-requisites required for installing IM DVD.
Install IM DVD.

18
HP Insight Management Installer
The HP Insight Management installer integrates installation of HP management software. The installer
will install or upgrade individual product as well as suites.
HP Systems Insight Manager
HP Systems Insight Manager Ports
HP System Management Homepage Ports
WMI Mapper
HP Insight Control Licensing and Reports
HP Version Control Repository Manager Ports
HP Insight Control
HP Insight Control licensing and reports
HP Insight Control Performance management Ports
HP Insight Control Power Management Ports
HP Insight Control Server Deployment Ports
HP Insight Control Server Migration Ports
HP Insight Control Virtual Machine Management Ports
HP Insight Managed System Setup Wizard
HP Insight Management Advisor
HP Matrix Operating Environment
HP Matrix Operating Environment Capacity Planning, Configuration and Workload
Management and HP Insight Capacity Advisor Consolidation Software
HP Matrix Recovery Management Ports
HP Matrix Infrastructure Orchestration Ports
HP Storage Provisioning Manager Ports
HP SPM Storage module

HP Insight Management Installer Ports
Table 4 Ports for HP Insight Management Installer
CMS Managed
System
Port
Protocol
1

Description
In
2

Out In Out ICMP Ping
Y Y 22 SSH SSH server (for DTF)
Y Y 162 SNMP Trap (UDP) Trap listener

Y
4

Y 80 HTTP Management processor and other devices;
standard Web server
Y
Y
4

Y Y 280 HTTP Web server for HP SIM; Web agent auto-
start port

Y
4

Y 443 HTTPS Management processor and other devices;
standard Web server
Y 1433 TCP Microsoft SQL Server database
Y
3

2367 RMI HP SIM RMI connection

19
Y 5432 ProstgreSQL Server database
Y Y 5989 HTTPS WBEM service
Y 50000 HTTPS
HP SIM Web server (configurable
6
)
Y 50001 HTTPS HP SIM SOAP
Y 50002 HTTPS HP SIM SOAP with client certificate
authentication
Y 50003 HTTP HP SIM SOAP
Y Y 50004 HTTPS/HTTP WBEM event receiver (configurable
7
)
Y 50005 WBEM WBEM Events
Y 50006 PostgreSQL PostgreSQL
Y 50008 SIM JMS JMS port
Y 50009 SIM JNDI JNDI port
Y Y 50010
DMI
5

DMI
50013 RMI Web Services RMI Loader
50014 JRMP JRMP Invoker
50015 Pooled invoker Pooled invoker

Y
4

Y 411 HTTP IBM Director agent

Y
4

Y 1311 HTTPS Server administrator

Y
4

2069 HTTP OSEM

Y
4

Y 3202 HTTPS StorageWorks NAS

Y
4

Y 3257 HTTPS Rack & Power Manager

Y
4

Y 4095 HTTP CommandView ESL

Y
4

Y 4096 HTTP CommandView SDM

Y
4

Y 8000 HTTP HP Web letAdmin

Y
4

Y 8008 HTTP Default home page

Y
4

Y 8443 HTTPS HP Web JetAdmin

Y
4

Y 9990 HTTP HPOSM Service Application

Y
4

Y 9991 HTTP OSM Event Viewer
Y Y 80 TCP System Discovery
1

Y Y 161 SNMP PMP/PPA

20
Y Y 443 SSL Communication with iLO
1780 hpvmmsvc service
Y Y 69 UDP PXE Client
Y Y 1759 UDP (Multi cast) PXE Client
Y Y 405 TCP PXEConfig
Y Y 406 TCP PXECfg Service
Y Y 407 TCP PXE Server and PXE MTFTP
Y Y 8081 HTTP DSWeb
Y Y 8080 HTTP DSWeb,Console Manager
Y Y 505 TCP Win32 console,Axengine,PXEManager
Y Y 402 TCP/UDP Agents, PXE Server, Data Manager, PXE
Manager
Y Y 5001 TCP Aclient
Y Y 5002 TCP Aclient
Y Y 415 TCP Remote Client
Y Y 402 UDP Deployment Server
Y Y 401 UDP Aclient (Wake-on-LAN Proxy)
Y Y 80 TCP System Discovery
1

Y Y 161 SNMP PMP/PPA
Y Y 162 SNMP (UDP) SNMP Trap
Y 514 UDP SYSLOG
Y 16443 HTTPS XML or SOAP over HTTPS Operations
Orchestration (OO) GUI to OO Central
Y 50002 HTTPS SOAP over HTTPS LSU Controller to HP
SIM and HTTPS HP Systems Insight Manager
SOAP with client certificate
Y 40420 HTTPS RMI over HTTPS LSU Controller to VMM
Y 51001 HTTPS RMI over HTTPS LSU Controller to LSA
(VSE logical server management)
Y 50000 HTTPS SOAP over HTTPS LSU Controller to LSU
Deployment Service connector and HTTPS
HP Systems Insight Manager Web Server
Y 1433 HTTPS JDBC over TCP talk via JDBC to SQL
Server and HP Systems Insight Manager
Web Server
Y 50001 HTTPS HP Systems Insight Manager SOAP

21
Y Y 5989 HTTPS HTTPS WBEM, WBEM Service on EVA
Command View Server, BNA port to
connect SPM
Y Y 2381 HTTPS Used by web agents
Y 20,21 TCP FTP - Used for upload and configuration
backup from CLI
Y 443 SSL Graphical User Interface
Y Y 24600-
24616
HTTPS Used for Web Management Interface
Y Y 22 SSH-2 Used by the Distributed Task Facility (DTF)
Y Y 9143 OpenSSL Used by Application Discovery
Y 9617,9
618
TCP Global Workload Manager uses on CMS
Y Y Y 280 HTTP Web server for HP SIM; Web agent auto-
start port
Y 50000 HTTPS HPSIM Webserver
Y 51001 HTTPS LSA RMI port
1
All ports are for TCP and UDP.
2
configured to block these ports if the CMS is not to be managed from another system. Discovery protocol is configurable
between ICMP or TCP and a configurable port; default is 80.
3
RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and
firewalls may block this port.
4
Many CMS outgoing ports are used for discovery.
5
50000 port number is configurable in server.xml (see Appendix B: Modifying default ports).
6
50004 port number is configurable in globalsettings.props (see Appendix B: Modifying default ports).
Ports for HP Systems Insight Manager
Ports for HP Insight Control
Ports for HP Matrix Operating Environment

HP Smart Update Manager Ports
Table 5 HP SUM ports for Windows
CMS Managed
System
Port Protocol
1
Description
In
2

Out In Out
Y Y 445 and
137/138/1
39
TCP and
UDP
These ports are needed to connect to the remote
ADMIN$ share on target servers (port 137 only if
you are using NetBIOS naming service)
Y Y 60000-
60007
SSL Random ports are used in this range to pass
messages back and forth between the local and
remote systems via SSL
Y Y 80, 63000-
63005
HTTPS Used for passing files to the target and retrieving
the logs via an internal mini-https server. Uses
port 80 if it is available or a random port
between 63000 and 63005 if it is not. Allows
updates of the iLO firmware without the need to

22
access the host server. This will allow servers
running VMWare or other virtualization platforms
to update their iLO without the need to reboot
their server or migrate their VMs to other servers.
Y Y 50116 TCP This is port is used in CMS
Y Y 51268 TCP This port is used in target machine
Y Y 61000-
61007
These ports are used from the target server back
to the system running HP Smart Update Manager.
The same mechanism is used by the remote
access code as the 60000 ports, with the first
trial port as 61000. There is no guarantee that
the upper limit is 61007 when a conflict occurs.
For the case of ipv4-only and one NIC, the lowest
available one is used by HP Smart Update
Manager to pass information between processes
on the local workstation where HP Smart Update
Manager is executed, and the next available one
is used to receive messages from remote servers.
Y 62000 and
62001
These ports (or the first two ports available after
62000) are used for internal process
communications on the system running HPSUM on
each target
Y 62286 This port is the default for some internal
communications. It is the listening on the remote
side if there is no conflict. If a conflict occurs, the
next available one is used.
1
2

Table 6 HP SUM ports for Linux
CMS Managed
System
Port Protocol
1
Description
In
2

Out In Out
Y Y 22 SSH This port is needed to establish a connection to
the remote Linux server through SSH
Y Y 60000-
60007
SSL Random ports are used in this range to pass
messages back and forth between the local and
remote systems via SSL
Y Y 80, 63000-
63005
HTTPS Used for passing files to the target and retrieving
the logs via an internal mini-https server. Uses
port 80 if it is available or a random port
between 63000 and 63005 if it is not. Allows
updates of the iLO firmware without the need to
access the host server. This will allow servers
running VMWare or other virtualization platforms
to update their iLO without the need to reboot
their server or migrate their VMs to other servers.
Y Y 61000-
61007
These ports are used from the target server back
to the system running HP Smart Update Manager.
The same mechanism is used by the remote
access code as the 60000 ports, with the first
trial port as 61000. There is no guarantee that
the upper limit is 61007 when a conflict occurs.
For the case of ipv4-only and one NIC, the lowest

23
available one is used by HP Smart Update
Manager to pass information between processes
on the local workstation where HP Smart Update
Manager is executed, and the next available one
is used to receive messages from remote servers.
Y 62000 and
62001
These ports (or the first two ports available after
62000) are used for internal process
communications on the system running HPSUM on
each target
Y 62286 This port is the default for some internal
communications. It is the listening on the remote
side if there is no conflict. If a conflict occurs, the
next available one is used.
Y Y 7 ICMP ICMP Echo Reply/Request is used to determine if
target devices have successfully rebooted or not
1
2

HP Insight Control for VCenter Ports
This section is based on the assumption that HP Insight Control for VCenter is behind the firewall with
the CMS.
Table 7 Ports for HP Insight Control for VCenter
CMS Managed
System
Port Protocol
1
Description
In
2

Out In Out
Y 80 TCP Discovery
Y 162 SNMP Trap
(UDP)
Trap listener
Y 443 SSL Communication with iLO, HPOA, HPVCM
Y Y Y 50028 HTTPS Common Services default WBEM indications
listening port
Y Y 50025 HTTPS
Y Y 50026 TCP/Block Common Services default web port
Y Y 50027 Common Services secondary web port
Y Y 50029 Common Services secondary WBEM
indications listening web port
Y Y 5989 HTTPS HTTPS WBEM, WBEM Service on EVA
Command View Server
Y 5990 HTTPS
1
2

24
HP Onboard Administrator Ports
This section is based on the assumption that HP Onboard Administrator is behind the firewall with the
CMS.
Table 8 Ports for HP Onboard Administrator
CMS Managed
System
Port Protocol
1
Description
In
2

Out In Out
Y 443 SSL Communication with iLO, HPVCM
Y Y 22 SSH This port is needed to establish a connection
through SSH
Y Y 80 HTTP Management processor and other devices;
standard Web server
1
2

HP Virtual Connect Manager Ports
This section is based on the assumption that HP Virtual Connect Enterprise Manager is behind the
firewall with the CMS.
Table 9 Ports for HP Virtual Connect Enterprise Manager
CMS Managed
System
Port Protocol
1
Description
In
2

Out In Out
Y 443 SSL Graphical User Interface
Y 22 SSH This port is needed to establish a connection
through SSH using Command line Interface
Y Y 161 SNMP (UDP) SNMP Agent/Poll
Y 162 SNMP Trap
(UDP)
Trap listener
Y 69 UDP TFTP- Used for upload and configuration
backup from CLI
Y 20,21 TCP FTP - Used for upload and configuration
backup from CLI
Y 636 TCP LDAP Authentication
Y 514 UDP SYSLOG
Y 1812,1813 UDP RADIUS server if configured
Y 49 TCP TACACS server if configured
1
2

25
Policies required for IM DVD Installation
The following security policies are mandatorily to be enabled before proceeding with the DVD
Installation. If the below policies are enabled and proceed with the installation then DVD installation
will complete successfully.

Table 10 Security Policies required for IM DVD Installation
User rights assignments Security Options Why its required
Bypass traverse checking Everyone, LOCAL SERVICE, NETWORK
SERVICE,
Administrators, Users, Backup Operators
For to fetch the details from the IIS server
manager.
Access this computer from the
network
Everyone, Administrators, Users, Backup
Operators
To pass the service credentials screen in
installer
Log on as a service NT SERVICE\ALL SERVICES, Classic
.NET AppPool, DefaultAppPool
To pass the service credentials screen in
installer
Debug Programs Administrators SQL Express 2008 R2 installation
Manage auditing and security
logs
Administrators SQL Express 2008 R2 installation
Back up files and directories Administrators, Backup Operators RDP Installation

Load and unload device
drivers
Administrators RDP Installation
Restore files and directories Administrators, Backup Operators RDP Installation
Take ownership of files or
other objects
Administrators RDP Installation

Additional policies required for proper operations of the system
Below are the additional polices needed to be enabled for the proper functioning of the system.

Table 11 Additional Policies need to be enabled
User rights assignments Security Options Why its required
Allow log on locally Administrators, Account Operators,
Server Operators, Print Operators,
Backup Operators
Determines which users can log on to the
computer
Allow log on through Remote
Desktop Services
Administrators This security setting determines which
users or groups have permission to log on
as a Remote Desktop Services client.
Force shutdown from a remote
system
Administrators, Server Operators
This security setting determines which
users are allowed to shut down a
computer from a remote location on the
network. Misuse of this user right can
result in a denial of service.

Shut down the system Administrators, Server Operators, Print
Operators, Backup Operators

This security setting determines which

26
users who are logged on locally to the
computer can shut down the operating
system using the Shut Down command.
Misuse of this user right can result in a
denial of service.

Conclusion
This has paper identified various options available for managing HP systems in a secure environment.
The solutions explained here are intended only as a framework for exploring the options. Each system
administrator can and should tailor a solution for his network based on these options.

27
Appendix A: Configuring a separate management network
To configure a separate management network using HP Systems Insight Manager, install HP Systems
Insight Manger on the secondary network by completing the following steps:
1. Configure SNMP to accept packets only from the IP addresses used on the management network,
or bind SNMP to the secondary network interface (if the operating system allows this):
On Windows systems:
From the Control Panel, open the Services menu.
Open the Properties for the SNMP Service.
Under the Security tab, add IP addresses to the list of IP Addresses that can accept SNMP
packets.
On systems running Linux or HP-UX:
Modify the configuration file snmpd.conf to accept SNMP packets only from the
desired hosts.
Do the same with any other OS service needed on the network.
2. If a firewall is used on the CMS or managed systems, configure the firewall rules to only allow
SNMP WMI and WBEM requests from address in the management network. Use the ports in
Appendix B: Modifying default ports to determine which rules to configure.

3. Configure the HP Insight Management Agents to allow access only from IP addresses on the
management network:
Log into the agent with administrator privileges.
Go to the Settings/Options page, and modify the IP Restricted Logins settings.
4. Configure HP Systems Insight Manager to discover the systems on the secondary network:
In HP Insight Manager, go to Options Discovery Automatic Discovery.
Add the IP addresses for the systems on the secondary network.
You can disable WMI, WBEM, and DMI on the primary network by configuring a firewall on the
system to disable each of the protocols on the primary NIC. The method of accomplishing this varies
for each firewall.

28
Appendix B: Modifying default ports
To modify the default port 50000 used by HP System Insight Manger to different port, install HP
System Insight Manger and complete the following steps:

1. Modify the default port value to the required port value from the following lines in server.xml
file under <HPSIM_Installed Dir>\jboss\server\hpsim\deploy\jboss-
web.deployer

<Connector port="280" scheme="http" protocol="HTTP/1.1" maxThreads="50"
minSpareThreads="5" maxSpareThreads="15" enableLookups="false"
acceptCount="10" debug="0" redirectPort="50000"
connectionTimeout="60000" />

<Connector port="50000" scheme="https" secure="true"
protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200"
minSpareThreads="10" maxSpareThreads="25" enableLookups="false"
acceptCount="10" debug="5" clientAuth="false" URIEncoding="utf-8"
useBodyEncodingForURI="true" compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,tex
t/css" keystoreFile="C:\Program Files\HP\Systems Insight
Manager\config\certstor\hp.keystore"
keystorePass="U6sjMQ0JllhXXCeVioBH" />

Example: To modify the value of port 50000 to <Custom_port_no>,
change port="50000" to port="<Custom_port_no>" and redirectPort="50000"
to redirectPort="<Custom_port_no>"

2. Restart HP System Insight Manager service.
To modify the default WBEM event Receiver port 50004 to a different port, install HP System Insight
Manger and complete the following steps:

1. Unsubscribe to WBEM Events for all the managed nodes which are already subscribed using
default WBEM event Receiver port 50004.

2. Modify the default port value to the required port value in the line
WBEM_Indications_Listener_Port=50004 in globalsettings.props file under
<HPSIM_Installed Dir>\config

Example: To modify the value of port 50000 to <Custom_port_no>,
Change WBEM_Indications_Listener_Port=50004 to
WBEM_Indications_Listener_Port=60004

3. Restart HP System Insight Manager service.

4. Re-subscribe to WBEM Events.

For more information
For additional information, refer to the resources listed below.
Source Hyperlink
ProLiant server management
HP Systems Insight Manager
http://h18013.www1.hp.com/products/servers/management/index.html
Understanding HP Systems
Insight Manager Security
http://www.hp.com/go/hpsim
http://h10018.www1.hp.com/wwsolutions/misc/hpsim-
helpfiles/HPSIM_53_Security.pdf
WBEM Providers for HP SIM
HP Insight Control
performance management
www.hp.com/go/hpwbem/
See the HP Insight Control Environnent User Guide located at
HP WEBM Services for HP-UX
http://www.hp.com/go/insight
Integrated Lights-Out 2 (iLO)
http://h18004.www1.hp.com/products/servers/management/hpsim/downl
oad.html
HP OpenView
www.hp.com/go/ilo
Call to action
www.openview.hp.com/
To help us better understand and meet your needs for ISS technology information, send comments
about this paper to: TechCom@HP.com.

Technology for better business outcomes
Copyright 2010, 2012 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical
or editorial errors or omissions contained herein.
481364-005, March 2012

Managing HP Servers Thru Firewall in Insite Manager

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Managing HP Servers Thru Firewall in Insite Manager

Uploaded by

Copyright:

Available Formats

Table of Contents

You might also like