
Port restrictions – HP UX B6941-90001 User Manual

Page 448

Chapter 10

Tuning, Troubleshooting, Security, and Maintenance

ITO Security

NOTE

You need to stop and restart both the management server and the agent
processes in order to enable any changes to (or initial configuration of)
the port ranges on the ITO management server and the managed node.

It is important to remember that the port range applies to both the TCP
and UDP protocols. However, although the RPC server attempts to
register with both protocols in the same port range, the RPC clients only
use the communication type selected for a given node in the Node
Defaults Advanced Options window to contact a server. So, if the
allocation of a UDP port in the desired range fails but the TCP port
allocation succeeds, the connection will succeed if the communication
type is set to TCP.

NOTE

NCS always uses UDP.

NOTE

MPE/iX managed nodes cannot communicate with the ITO management
server through a firewall. Setting the port range has no effect.

Port Restrictions

Any router acting as a packet-filtering firewall in an ITO environment
must be configured to keep the ports specified in Figure 10-2 open for
communication between the ITO management server and the managed
nodes. It is recommended that the minimum number of ports for the
management server (specified in range 1 in Figure 10-2) be in the order
of 50, although this depends on the number of calling managed nodes.
The minimum port range on the managed node (range 2) should be 10.
You set ranges 1 and 2 in the ITO GUI using the Allowed Port Range
field in the Configure Management Server window and the advanced
options part of the Node Defaults window and the Node Modify
windows, respectively.

Setting the port range for ITO does not reserve the ports in the defined
range exclusively for ITO processes. Other applications can register
(accidentally or otherwise) on ports in the range you specify, and this can
lead to a situation where, if the defined port range is small, no more
ports are available for allocation to ITO at a given time. In addition,
when you define the port range, you should take into account that extra
ports are required for such processes as opctss (socket server), opccmm,
and opccma which are spawned by the distribution manager opcdistm,
and that an extra port is also required for each bulk transfer
and distribution.
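Because the range is not reserved, it helps to check how many of its ports are still free for TCP and for UDP before relying on it. The following is an added example, not part of the HP manual: the function names and the sample range 12000-12049 are assumptions, and ports held by running ITO processes will also be counted as busy.

```python
import socket

# Minimum range sizes recommended in the text above.
MIN_SERVER_PORTS = 50   # range 1, management server
MIN_NODE_PORTS = 10     # range 2, managed node

def port_is_free(port, sock_type, host="0.0.0.0"):
    """True if a bind to (host, port) succeeds for this socket type.
    A port that cannot be bound (in use, or privileged) counts as busy."""
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()

def audit_range(first, last, minimum, host="0.0.0.0"):
    """Count free ports per protocol in [first, last] against a minimum.
    TCP and UDP are reported separately because RPC clients use only the
    communication type selected for the node."""
    ports = range(first, last + 1)
    report = {"size": len(ports), "minimum": minimum,
              "range_too_small": len(ports) < minimum}
    for name, sock_type in (("tcp", socket.SOCK_STREAM),
                            ("udp", socket.SOCK_DGRAM)):
        busy = [p for p in ports if not port_is_free(p, sock_type, host)]
        free = len(ports) - len(busy)
        # "short" means other registrations have eaten into the range
        # far enough that fewer than the minimum remain.
        report[name] = {"busy": busy, "free": free, "short": free < minimum}
    return report

if __name__ == "__main__":
    # Constructed sample range; substitute the configured Allowed Port Range.
    r = audit_range(12000, 12049, MIN_SERVER_PORTS)
    print("range size %d (minimum %d)" % (r["size"], r["minimum"]))
    for proto in ("tcp", "udp"):
        print("%s: %d free, busy=%s, short=%s" % (
            proto, r[proto]["free"], r[proto]["busy"], r[proto]["short"]))
```
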