We need to instrument an application deployed in the DMZ, and we don't have any collectors in the DMZ zone. I am looking for instructions in the product documentation to set up SSL-based communication between the agent (in the DMZ) and the collector in the LAN. Can you please provide me with detailed instructions?
Or otherwise, if I set up a collector in the DMZ, what are the minimum ports needed?
DMZ collector --> EM --> 5001: is this mandatory?
DMZ collector --> APM DB --> Oracle port (we are on Oracle).
When connecting Agents directly to a new Collector, the MOM will be able to see all metrics, traces and any AppMap data.
By default, an Agent connects to the EM via port 5001. Be sure that each server has the proper port opened in the firewall or proxy, depending on which your server is using.
For connecting the .NET Agent to the EM over SSL, the default SSL (HTTPS) port is 8444. See the documentation here.
For monitoring .NET applications in the DMZ, I would generally not want to install a collector in the DMZ, but would use an HTTPS connection and secure the connection using an SSL certificate. This is the most secure way.
This will require you to understand the HTTPS protocol, SSL certificates, and how they work; this is not trivial. You will need to research these protocols before attempting this configuration if you have not done it before.
With that understanding in hand, follow the steps provided by Support with regard to setting up an encrypted connection.
Connect to the Enterprise Manager with HTTPS Tunneling
Installing a collector in the DMZ is not best practice, as you will then have to secure the connection from the collector to the MOM anyway, AND the connection between the Agent and the collector, which will be a lot more work and less secure.
On top of that, you will end up with the database connection also as a "hole in", which will open another port. It's much more secure to just use an HTTPS connection for each agent into the DMZ, as all the apps already use HTTPS to get in via the reverse proxy anyway.
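As an added example, not taken from the thread above or from the product documentation, here is what the agent-side change looks like in the Introscope agent profile (IntroscopeAgent.profile): the default plaintext transport to port 5001 beside the HTTPS-tunneled transport to port 8444 that the answer recommends. The property names are the ones I know from the Java agent profile in 9.x/10.x-style installs (with the `.DEFAULT` connection-order suffix); the hostname, keystore paths and passwords are placeholders, and the truststore properties and the EM-side Jetty setting are assumptions that must be checked against the documentation for your agent type and version, since the .NET agent may source trust from the Windows certificate store instead.

```properties
# --- Before: the out-of-the-box transport, plaintext TCP to the EM on 5001 ---
# (shown commented out; this is the configuration to move away from for a DMZ agent)
# introscope.agent.enterprisemanager.connectionorder=DEFAULT
# introscope.agent.enterprisemanager.transport.tcp.host.DEFAULT=em.lan.example        # placeholder hostname
# introscope.agent.enterprisemanager.transport.tcp.port.DEFAULT=5001
# introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.DefaultSocketFactory

# --- After: HTTPS tunneling from the DMZ agent to the EM/MOM in the LAN ---
# Only one outbound flow is then needed through the DMZ firewall: agent host -> EM host, TCP 8444.
# Port 5001 stays closed on that firewall.
introscope.agent.enterprisemanager.connectionorder=DEFAULT
introscope.agent.enterprisemanager.transport.tcp.host.DEFAULT=em.lan.example          # placeholder hostname; must match the EM certificate's name
introscope.agent.enterprisemanager.transport.tcp.port.DEFAULT=8444
introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.HttpsTunnelingSocketFactory

# Assumption: pin trust to your own CA rather than accepting whatever certificate the EM presents.
# Without a truststore the agent has nothing to verify the EM against, which leaves the tunnel open to interception.
introscope.agent.enterprisemanager.transport.tcp.truststore.DEFAULT=C:\apm\certs\apm-truststore.jks   # placeholder path
introscope.agent.enterprisemanager.transport.tcp.trustpassword.DEFAULT=changeit                         # placeholder password

# --- EM side (IntroscopeEnterpriseManager.properties), assumption to verify in your version's docs ---
# The 8444 HTTPS listener is defined by the EM's Jetty configuration file; replace the keystore it references
# with one holding a certificate issued by the CA in the agent truststore above, not the self-signed one shipped with the product.
# introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml
```

Before cutting the DMZ application over, check the path from the DMZ host the way the agent will use it: open a TLS connection to the EM host on 8444 with the same CA file the truststore was built from (for example `openssl s_client -connect em.lan.example:8444 -CAfile ca.pem`) and confirm the verification result is clean and the subject matches the host you configured. Confirm separately that 5001 is not reachable from the DMZ host, so the plaintext path cannot be fallen back to by mistake.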