
IBM Proventia Management SiteProtector

Configuring Firewalls for SiteProtector Traffic Version 2.0, Service Pack 8.1

Copyright Statement Copyright IBM Corporation 1994, 2010. IBM Global Services Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America. All Rights Reserved.

Contents

About this publication . . . . . v

Chapter 1. Firewall Port Information . . . . . 1
Port information for SiteProtector traffic . . . . . 1
Port information for Third Party Module traffic . . . . . 4
Port information for Active Directory integration . . . . . 4
Port information for Internet access . . . . . 5

Chapter 2. Configuring Components for NAT Firewalls . . . . . 7
Configuring the Application Server for communication with NAT firewalls . . . . . 8
Restarting the Sensor Controller and Application Server services . . . . . 8
Configuring the Agent Manager for communication through NAT firewalls . . . . . 9

Notices . . . . . 11
Trademarks . . . . . 12

Copyright IBM Corp. 1994, 2010



SiteProtector System: Configuring Firewalls for SiteProtector Traffic

About this publication


SiteProtector cannot function properly if firewalls prevent components from communicating. This guide provides procedures for configuring network devices and SiteProtector components so that they can communicate through firewalls.

Intended audience
This document assumes that you are familiar with the following:
- Procedures for configuring firewalls
- Routers, or any other devices that you use to block traffic on your network
- Procedures for modifying system files such as Windows registries and properties files

How to send your comments


Your feedback is important in helping to provide the most accurate and highest quality information. Send your comments by e-mail to document@iss.net. Be sure to include the name of the book, the part number of the book, the version of SiteProtector, and, if applicable, the specific location of the text that you are commenting on (for example, a page number or table number).

Topics
Chapter 1, Firewall Port Information, on page 1
Chapter 2, Configuring Components for NAT Firewalls, on page 7


Chapter 1. Firewall Port Information


If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewalls so that the components or modules can communicate with each other. This section includes background information and procedures for configuring firewall ports for different types of traffic.

TCP/IP ports
Firewalls commonly filter traffic by IP address and by TCP or UDP ports. Firewalls typically block these addresses and ports unless they are explicitly allowed.

Where firewalls are typically located


Firewalls can be placed anywhere on a network but are most commonly located between the following:
- Console and the Application Server
- Application Server and the agents
- Agent Manager and Proventia Desktop agents
- Event Collector and agents
- Application Server and the Internet
- Application Server and a Third Party Module

Topics
Port information for SiteProtector traffic
Port information for Third Party Module traffic on page 4
Port information for Active Directory integration on page 4
Port information for Internet access on page 5

Port information for SiteProtector traffic


This topic provides information that can help you configure firewall rules that allow traffic between all SiteProtector components, except the Third Party Module.

Requirement
If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.
Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule.

Destination ports that must be open


Destination ports use the TCP protocol unless otherwise indicated. The following table lists the destination ports that must be open to allow communication between each pair of SiteProtector components.


Source Component | Destination Component | Wire Protocol | Encryption | Destination Ports
SiteProtector Console | SP Server | HTTP/SP Server/RMI/JRMP/JMS | Yes | 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093
SiteProtector Console | Event Viewer | N/A | Yes | 3993
SiteProtector Console | ADS Appliance | HTTPS | Yes | 443
SiteProtector Console | IBM ISS Web Site | HTTPS | None | 80
SP Server | Databridges | L/S | Yes | 2998
SP Server | Active Directory Server | LDAP | None | 389, 3268 [2]
SP Server | Event Collector | HTTPS/L/S | Yes | 2998, 8996
SP Server | SecurityFusion module | L/S | Yes | 2998
SP Server | Agent Manager | L/S/HTTPS | Yes | 2998, 3995
SP Server | Deployment Manager | L/S | Yes | 2998
SP Server | X-Press Update Server | HTTPS | Yes | 3994
SP Server | Event Archiver | HTTPS | Yes | 8998
SP Server | Site DB | JDBC/TDS/Named Pipe, or RPS | Yes | 1433, 445, 135, 1434 (UDP port not encrypted)
SP Server | Proventia Network MFS Appliance | HTTPS | Yes | 443
SP Server | Proventia Network IDS prior to firmware release 1.0 | L/S | Yes | 2998
SP Server | Proventia Network IDS and Proventia Network IPS with firmware release 1.0 or later | HTTPS | Yes | 443
SP Server | Proventia Network Enterprise Scanner | HTTPS | Yes | 443
SP Server | External Ticketing Server | Vendor Proprietary [3] | Yes | 1058, 1069 [4]
SP Server | SNMP Server | SNMP | None | 162
SP Server | SMTP Server | SMTP | None | 25
SP Server | Internet Scanner | L/S | Yes | 2998
SP Server | Network Sensor | L/S | Yes | 2998
SP Server | Server Sensor | L/S | Yes | 2998
SP Server | Third Party Module | L/S | Yes | 2998
SP Server | Remote Host | Windows RPC | None | 135
SP Server | IBM MSS Web site | HTTPS | Yes | 443
Desktop Agents (7.0 and earlier) | Agent Manager | HTTPS | Yes | 8082
Agent Manager | Desktop Agent | N/A | None | ICMP
Agent Manager | SP Server | HTTPS | Yes | 3994, 8093, 8443
Agent Manager | Site DB | OLE DB/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Agent Manager | SNMP Server | SNMP | None | 162
Event Collector | Databridge | L/S | Yes | 901-930
Event Collector | Agent Manager | L/S | Yes | 914
Event Collector | Event Archiver | HTTPS | Yes | 8997
Event Collector | Event Collector | L/S | Yes | 912
Event Collector | SP Server | HTTPS | Yes | 3994
Event Collector | Internet Scanner | L/S | Yes | 901-930
Event Collector | Network Sensor | L/S | Yes | 901-930
Event Collector | Proventia Network IDS | L/S | Yes | 901-930 [5]
Event Collector | SNMP Server | SNMP | None | 162
Event Collector | RealSecure Sensor Agent | L/S | Yes | 901-930
Event Collector | SecurityFusion module | L/S | Yes | 901-930
Event Collector | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Event Collector | IBM MSS Event Server | HTTPS | Yes | 8443
Event Archiver | SP Server | HTTPS | Yes | 3994
Event Archiver | Agent Manager | HTTPS | Yes | 3995
Event Archiver Importer | Agent Manager | HTTPS | Yes | 3995
Web Console (Web Browser) | SP Server | HTTPS | Yes | 3994
Proventia Network Enterprise Scanner | Deployment Manager | HTTPS | Yes | 3994
Proventia Network Enterprise Scanner | Agent Manager | HTTPS | Yes | 8085
Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, and Proventia Server | Agent Manager | HTTPS | Yes | 3995
Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, and Proventia Server | Agent Manager [6] | HTTPS | Yes | 3995
SecurityFusion module | Event Collector | L/S | Yes | 950
SecurityFusion module | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Proventia Server IPS | Agent Manager | HTTPS | Yes | 3995
Proventia Desktop | Agent Manager | HTTPS | Yes | 3995
Event Viewer Service | SP Server | RMI/JRMP | Yes | 3989, 3988
Update Server | Agent Manager | HTTPS | Yes | 3995
Update Server | IBM ISS Website | HTTPS | Yes | 443

Notes:
1. The Wire Protocol abbreviation L/S refers to Leap / Score.
2. Port 3268 is referenced from the Global Catalog.
3. Vendor Proprietary means this is only specific to the vendor.
4. Port 1069 is based upon the Remedy Web Site.
5. Proventia Network IDS firmware releases earlier than 1.0 use destination ports 901 through 903.

6. All Proventia Agents and Desktop Agent release 7 or earlier communicating with the Agent Manager have the Command & Control option.
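As an added example (not part of the IBM guide), the following Python encodes a subset of the rows above and answers the two questions an administrator has when placing a firewall between two components: which allow rules are needed in each direction, and which of those flows the table marks as unencrypted. The ROWS are transcribed from the table; the neutral "allow ..." output syntax is an assumption, since the guide defers to your firewall's own documentation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    protocol: str
    encrypted: bool              # the table's Encryption column ("Yes" -> True)
    ports: tuple                 # port specs as printed: "2998", "901-930", "1434/udp", "icmp"
    cleartext_ports: tuple = ()  # ports the table annotates as not encrypted


# Subset of rows transcribed from the port table in this guide.
ROWS = (
    Flow("SiteProtector Console", "SP Server", "HTTP/SP Server/RMI/JRMP/JMS", True,
         ("3988", "3989", "3994", "3996", "3997", "3998", "3999", "8093")),
    Flow("SP Server", "Active Directory Server", "LDAP", False, ("389", "3268")),
    Flow("SP Server", "Agent Manager", "L/S/HTTPS", True, ("2998", "3995")),
    Flow("SP Server", "Site DB", "JDBC/TDS/Named Pipe, or RPS", True,
         ("1433", "445", "135", "1434/udp"), cleartext_ports=("1434/udp",)),
    Flow("SP Server", "SNMP Server", "SNMP", False, ("162",)),
    Flow("Agent Manager", "Desktop Agent", "N/A", False, ("icmp",)),
    Flow("Agent Manager", "SP Server", "HTTPS", True, ("3994", "8093", "8443")),
    Flow("Event Collector", "Proventia Network IDS", "L/S", True, ("901-930",)),
    Flow("Proventia Desktop", "Agent Manager", "HTTPS", True, ("3995",)),
)


def parse_port(spec):
    """Return (l4 protocol, first, last). Ports are TCP unless the spec says otherwise."""
    if spec.lower() == "icmp":
        return ("icmp", None, None)
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.split("/", 1)
    first, _, last = spec.partition("-")
    return (proto.lower(), int(first), int(last or first))


def rules_between(zone_a, zone_b):
    """Allow rules a firewall between two sets of components needs, in both directions.

    One neutral 'allow <src> -> <dst> <proto> <port>' line per port; translate these
    into your firewall's own syntax."""
    a, b = set(zone_a), set(zone_b)
    lines = []
    for f in ROWS:
        if not ((f.source in a and f.destination in b) or (f.source in b and f.destination in a)):
            continue
        for spec in f.ports:
            proto, first, last = parse_port(spec)
            port = "" if first is None else (str(first) if first == last else f"{first}-{last}")
            lines.append(f"allow {f.source} -> {f.destination} {proto} {port}".rstrip())
    return lines


def cleartext_flows():
    """(source, destination, port spec) for traffic the table marks as unencrypted:
    what crosses the firewall in the clear and deserves the tightest rule scope."""
    return [(f.source, f.destination, spec) for f in ROWS for spec in f.ports
            if not f.encrypted or spec in f.cleartext_ports]
```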

Port information for Third Party Module traffic


You may be required to configure the firewall to allow traffic if a firewall is located between the Third Party Module (TPM) and either of the following:
- a CheckPoint or Cisco firewall
- another SiteProtector component

Requirement
If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.
Reference: See the SiteProtector Third Party Module Guide available on the IBM ISS Web site.

Destination ports that must be open


The following table lists the destination ports that must be open to allow communication between SiteProtector components and the TPM:

Source Component: Cisco Secure PIX
Destination Component: Sensor Controller, Event Collector, Third Party Module, Event Archiver, Sensor Controller, Event Collector, SP Server, Third Party Module, Third Party Module
Destination Ports: 2998/tcp, 901-931/tcp, 514/udp, 3994, 2998/tcp, 901-931/tcp

Port information for Active Directory integration


To integrate Active Directory with SiteProtector, the Sensor Controller must be able to communicate with Active Directory over certain ports.

Destination ports that must be open


The following table lists the destination ports that must be open to allow communication between SiteProtector components and Active Directory:


Protocol | TCP Port
Kerberos Secure Authentication | 88
Lightweight Directory Access Protocol (LDAP) | 389
Kerberos Passwords | 464
LDAP over SSL | 636
Microsoft Global Catalog | 3268
Microsoft Global Catalog with LDAP/SSL | 3269

Port information for Internet access


If you download SiteProtector updates from the Internet, then you may need to reconfigure your firewall rules to allow this communication. This topic gives a procedure for configuring firewall rules for Internet access.
Reference: Refer to your firewall documentation for specific instructions.

Requirement
If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Destination ports that must be open


The following table lists the destination ports that must be open to allow communication between SiteProtector components and the IBM ISS Download Center.

Protocol | Destination Address | Destination Port
SSL or HTTPS | xpu.iss.net | 443
SSL or HTTPS | www.iss.net | 443
SSL or HTTPS | download.iss.net | 443
HTTP | iss.net | 80

Important: IBM ISS recommends that you use secure protocols (SSL or HTTPS) to download updates from the Deployment Manager.


Chapter 2. Configuring Components for NAT Firewalls


If your SiteProtector components are located behind firewalls that use NAT or other types of address translation, you may be required to perform additional configuration tasks so that SiteProtector components can communicate.

Problems with using NAT with SiteProtector


By default, some SiteProtector components are configured to use private IP addresses to communicate with other components. NAT firewalls typically block components that use private IP addresses.

How to enable NAT communication


To correct NAT communication problems, you must configure SiteProtector components to use either a public IP address or a fully qualified domain name.

Common NAT firewall locations


NAT is typically enabled on external firewalls and not on firewalls that are located on the intranet. You may experience communication problems if firewalls are located between the following:
- Remote consoles and the Application Server
- Remote Proventia Desktop agents and the Agent Manager

Topics
Configuring the Application Server for communication with NAT firewalls on page 8
Restarting the Sensor Controller and Application Server services on page 8
Configuring the Agent Manager for communication through NAT firewalls on page 9


Configuring the Application Server for communication with NAT firewalls


This topic explains how to configure the Application Server to communicate with NAT firewalls.

About this task


Important: Perform the procedure in this topic only if a NAT firewall is between the Application Server and the Console.
Reference: For more information on stopping and restarting the application services, see Restarting the Sensor Controller and Application Server services.

Procedure
1. Stop the Application Server service.
2. Click Start on the taskbar, and then select Run.
3. In the Open field, type regedit. The Registry Editor appears.
4. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
5. Use the following table to configure the registry keys:

Folder | Entry | Change the...
issSPAppService\Parameters | JVM Option Number 6 | value data from the IP address to the DNS name
issSPSenCtlService\Parameters | IPBind | value data from the IP address to the DNS name

Example: Djava.rmi.server.hostname=public_IP_or_FQDN

6. Restart the Sensor Controller and Application Server services.

Restarting the Sensor Controller and Application Server services


This topic explains how to stop or restart the Sensor Controller and the Application Server services.

About this task


After you have configured the Application Server to communicate with NAT, you must restart the Sensor Controller and Application Server services to put the changes into effect.

Procedure
1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings > Control Panel.
2. Open the Administrative Tools folder, and then double-click Services. The Services window appears.
3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it.
4. Do one of the following:
   - To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar.
   - To start the Sensor Controller service, click Start Service (the Play option) on the toolbar.
5. Repeat Steps 1 through 4 for the Application Server.


Configuring the Agent Manager for communication through NAT firewalls


Perform the procedure in this topic only if a NAT firewall is between the Agent Manager and Proventia Desktop agents. This procedure configures the Agent Manager so that it can communicate with NAT firewalls.

Before you begin


You must perform this procedure before you generate agent builds. Otherwise, agents cannot communicate with the Agent Manager, and you will be forced to regenerate agent builds.

Procedure
1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization files at the following path: \Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini
2. Open the file in a text editor.
3. Change the dcName to one of the following:
   - DNS name (the recommended option)
   - public IP address
   Note: If you select the DNS name option, ensure that it resolves to an IP address.
4. Save the file.
5. On the Console, right-click the Agent Manager icon, and then select Stop.
6. Right-click the Agent Manager icon, and then select Start.

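As an added example (not IBM code) covering both the registry procedure for the Application Server and the rsspdc.ini procedure for the Agent Manager, this Python check extracts the host value from a java.rmi.server.hostname option and from a dcName entry, then classifies it the way this chapter requires: a private or loopback literal fails (it is exactly what NAT hides), a public literal passes, and a DNS name must resolve. The INI fragment and its [AgentManager] section name, the host names and the address 11.22.33.44 are constructed samples; the resolver is injectable so the check runs offline.

```python
import ipaddress
import re
import socket

# Constructed sample of an rsspdc.ini fragment; only the dcName entry comes from the
# guide, the [AgentManager] section name is an assumption.
SAMPLE_INI = """[AgentManager]
dcName=10.20.30.40
"""
# Constructed sample of the JVM option edited in the registry procedure.
SAMPLE_JVM_OPTION = "-Djava.rmi.server.hostname=siteprotector.example.com"

_RMI_OPT = re.compile(r"^-?Djava\.rmi\.server\.hostname=(\S+)$")


def rmi_hostname(jvm_option):
    """Extract the host value from a java.rmi.server.hostname option (leading '-' optional)."""
    m = _RMI_OPT.match(jvm_option.strip())
    if not m:
        raise ValueError(f"not a java.rmi.server.hostname option: {jvm_option!r}")
    return m.group(1)


def ini_value(text, key):
    """Return the value of the first 'key=value' line; the key match is case-insensitive."""
    for line in text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip().lower() == key.lower():
            return v.strip()
    return None


def classify(value, resolve=socket.gethostbyname):
    """Return (status, reason) with status 'ok', 'warn' or 'fail'.

    resolve(name) must return an address string or raise OSError, like
    socket.gethostbyname. A name that resolves to a private address from this host
    only warns: consoles and agents outside the NAT must resolve it to the public one."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:                      # not a literal address: treat as a DNS name
        try:
            ip = ipaddress.ip_address(resolve(value))
        except OSError:
            return "fail", f"{value} does not resolve"
        if ip.is_private or ip.is_loopback:
            return "warn", f"{value} resolves to {ip} here; confirm it resolves to the public address outside the NAT"
        return "ok", f"{value} resolves to {ip}"
    if ip.is_private or ip.is_loopback:
        return "fail", f"{ip} is a private or loopback address and is not reachable through NAT"
    return "ok", f"{ip} is a routable address"


def check_samples(resolve=socket.gethostbyname):
    """Run the check on both constructed samples."""
    return {
        "dcName": classify(ini_value(SAMPLE_INI, "dcName"), resolve),
        "rmi": classify(rmi_hostname(SAMPLE_JVM_OPTION), resolve),
    }
```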

Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd. 1623-14, Shimotsuruma, Yamato-shi Kanagawa 242-8502 Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. 
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation SiteProtector Project Management C55A/74KB 6303 Barfield Rd., Atlanta, GA 30328 U.S.A Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
