Cannot deploy cdm probe on a set of robots in our DMZ

Article ID: 192589

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

We have deployed multiple robots, versions 9.1.0 and 9.2.0, in our environment, but we cannot deploy the cdm probe to a set of robots in the DMZ. The deployment attempt generates a communication error.

Cause

- local firewall software

Environment

Release: 9.2.0

Component : UIM - ROBOT

Resolution

UIM hub <-> robot communication requires connectivity in both directions: the hub must be able to reach the robot on port 48000, and the robot must be able to reach the hub on port 48002.

Notes for security team regarding the robots that sit inside the DMZ:

There are two options:

- Use security rules: allow the hub outside the DMZ to communicate with the robots on port 48000, or limit communication to specific source:destination pairs.
- Install a UIM hub within the DMZ and establish a tunnel to a hub 'outside' the DMZ, using either the default tunnel port 48003 (recommended) or port 443 if the security team prefers it. The tunnel can run from the hub inside the DMZ to a remote hub or back to the Primary Hub itself.

AIX References:

lsfilt: List filters rules present in the table. When created, each rule is assigned a number, which can be easily seen using this command.

https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/m_commands/mkfilt.html 

http://unixswing.blogspot.com/2019/03/sample-firewall-in-aix.html

A telnet test from the DMZ robots to the hub on port 48002 worked fine, but the test in the other direction, from the hub to the robot on port 48000, failed.

End result: firewall software installed on the affected machines in the DMZ blocked incoming connections because the port was not 'whitelisted.' Once access was granted, communication was bidirectional between the robots/agents and the hubs.
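The telnet test above can be scripted so that it also distinguishes a silently dropped connection (typical of a host firewall) from a refused one (path open, nothing listening). This is an added example, not Broadcom code; the function names and command-line usage are assumptions, and only ports 48000 and 48002 come from the article.

```python
import socket
import sys

ROBOT_PORT = 48000  # hub -> robot, per the article
HUB_PORT = 48002    # robot -> hub, per the article

HINTS = {
    "open": "TCP handshake completed; this direction is allowed",
    "refused": "peer sent a reset: path is open but nothing listens, or a firewall rejects",
    "filtered": "no reply before timeout: packets are probably dropped by a firewall",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open, refused, filtered or error:<text>."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # DNS failure, no route, and similar
        return "error:%s" % exc

def diagnose(role, peer, timeout=3.0):
    """role='hub': run on the hub against a robot; role='robot': run on a robot against the hub."""
    if role not in ("hub", "robot"):
        raise ValueError("role must be 'hub' or 'robot'")
    port = ROBOT_PORT if role == "hub" else HUB_PORT
    state = probe(peer, port, timeout)
    return port, state, HINTS.get(state, "connect failed before reaching the port")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s hub|robot <peer-host>" % sys.argv[0])
    port, state, hint = diagnose(sys.argv[1], sys.argv[2])
    print("%s:%d -> %s (%s)" % (sys.argv[2], port, state, hint))
    sys.exit(0 if state == "open" else 1)
```

Run it with role `hub` on the hub against each DMZ robot and with role `robot` on a robot against the hub; in the case described here the first would report `filtered` or `refused` while the second reports `open`.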