Figure 10-2 compulsory firewall port ranges in ito – HP UX B6941-90001 User Manual

Page 449

Chapter 10: Tuning, Troubleshooting, Security, and Maintenance

ITO Security

NOTE

Although the allowed port range of given managed nodes may differ if
the managed nodes are connected to the ITO management server
through a different router, all managed nodes that use the same router
must use the same port range.

Figure 10-2

Compulsory Firewall Port Ranges in ITO

The DCE environment variable RPC_RESTRICTED_PORTS controls the DCE RPC server runtime's tendency occasionally to open additional ports outside the range specified in ITO, when called by clients using UDP. Since the managed nodes may make DCE RPC calls (using UDP) to the rpcd on the management server, it is important that the rpcd/dced runs in an environment (on the management server) where the value of RPC_RESTRICTED_PORTS is set to match the port range defined both on the ITO management server and at the firewall. The value of RPC_RESTRICTED_PORTS needs to be set in the following way in the DCE system startup files. For example:

RPC_RESTRICTED_PORTS=tcp[range1]:udp[range1]

NOTE

Whatever protocol you choose in the ITO GUI for RPC connections, the
allowed port range you define must always be open for TCP in both
directions at the firewall to allow for bulk data transmission.
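As an added example (not part of the HP manual), a small Python check that parses an RPC_RESTRICTED_PORTS value in the form shown above and confirms that every range lies inside the range opened at the firewall and that a TCP range is present, as the note above requires. The `ncacn_ip_tcp`/`ncadg_ip_udp` protocol-sequence spellings and all port numbers are assumptions for illustration, not values from this page.

```python
import re

# Entry syntax as the page shows it: proto[lo-hi], entries separated by ":".
# Assumption: any protocol token containing "tcp" or "udp" names that
# transport, so both "tcp[...]" and DCE-style "ncacn_ip_tcp[...]" parse.
_ENTRY = re.compile(r"^([A-Za-z_]+)\[(\d+)-(\d+)\]$")


def parse_restricted_ports(value):
    """Parse 'proto[lo-hi]:proto[lo-hi]' into {'tcp': (lo, hi), 'udp': (lo, hi)}."""
    ranges = {}
    for entry in value.split(":"):
        m = _ENTRY.match(entry.strip())
        if not m:
            raise ValueError(f"malformed RPC_RESTRICTED_PORTS entry: {entry!r}")
        proto, lo, hi = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        transport = "tcp" if "tcp" in proto else "udp" if "udp" in proto else None
        if transport is None or not (1 <= lo <= hi <= 65535):
            raise ValueError(f"unusable RPC_RESTRICTED_PORTS entry: {entry!r}")
        ranges[transport] = (lo, hi)
    return ranges


def check_against_firewall(value, fw_lo, fw_hi):
    """Return a list of problems (empty when the DCE setting is consistent with
    the single port range opened at the firewall for this management server)."""
    problems = []
    ranges = parse_restricted_ports(value)
    # The manual's note: the allowed range must always be open for TCP.
    if "tcp" not in ranges:
        problems.append("no TCP range: bulk data transmission uses TCP")
    for transport, (lo, hi) in ranges.items():
        if lo < fw_lo or hi > fw_hi:
            problems.append(
                f"{transport} range {lo}-{hi} exceeds firewall range {fw_lo}-{fw_hi}")
    return problems


if __name__ == "__main__":
    # Constructed sample: firewall opens 5000-5110, UDP range drifts past it.
    sample = "ncacn_ip_tcp[5000-5110]:ncadg_ip_udp[5000-5200]"
    for problem in check_against_firewall(sample, 5000, 5110):
        print("PROBLEM:", problem)
```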

[Figure 10-2 diagram, image not reproduced. Labels: ITO Management Server; ITO Managed Node; [*] 135, Range 2; [*] 135, Range 1.]