ManageEngine® Applications Manager


Security/Firewall Requirements

This section explains how Applications Manager can be accessed behind a firewall. Firewalls act as barriers that prevent unauthorized access to a network: they are the entrance through which authorized traffic may pass and other traffic may not.

You need to configure the firewall so that the host on which Applications Manager runs can reach the monitored resource on the relevant port.

Ports to be opened when monitors are behind the firewall (each entry gives the monitor type followed by its port details):

APPLICATION SERVERS

  • Glassfish: Glassfish JMX port (default: 8686)
  • JBoss: Two-way communication between the JBoss web server port (default: 8080) and the Applications Manager web server port (default: 9090); the Applications Manager hostname should be accessible from the JBoss server; JBoss RMI object port (default: 4444)
  • Microsoft .Net: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135; also refer to the ports required for WMI mode of monitoring under Servers
  • Oracle Application Server: Oracle Application Server port (default: 7200)
  • Tomcat: Tomcat web server port (default: 8080)
  • VMware vFabric tc Server: JMX port of VMware vFabric tc Server (default: 6969)
  • WebLogic: Two-way communication between the WebLogic listening port (default: 7001) and the Applications Manager web server port (default: 9090)
  • WebSphere: WebSphere application port (default: 9080)

CUSTOM MONITORS

  • Database Query monitor: the corresponding database server port
  • File/Directory, Script (Telnet/SSH mode): Telnet port 23 (if the mode of monitoring is Telnet); SSH port 22 (if the mode of monitoring is SSH)
  • File/Directory, WMI Performance Counter (WMI mode): Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135; also refer to the ports required for WMI mode of monitoring under Servers

DATABASE SERVERS

  • DB2: the port on which DB2 is running (default: 50000)
  • Memcached: the port on which the Memcached server is running (default: 11211)
  • MySQL: the port on which MySQL is running (default: 3306)
  • Oracle: the port on which Oracle is running (default: 1521)
  • PostgreSQL: the port on which PostgreSQL is running (default: 5432)
  • SQL Server: the port on which SQL Server is running (default: 1433)
  • Sybase: the port on which Sybase is running (default: 5000)

ERP

  • Oracle EBS: Oracle EBS web server port (default: 7200)

MAIL SERVERS

  • Exchange Server: the port on which Exchange Server is running (default: 25); Windows Management Instrumentation (WMI) (default: 445); Remote Procedure Call (RPC) (default: 135); also refer to the ports required for WMI mode of monitoring under Servers
  • Mail Server: SMTP server port (default: 25) to send mails from Applications Manager; POP port (default: 110) to fetch mails from the POP server

MIDDLEWARE/PORTAL

  • IBM WebSphere MQ: the MQ listener port (default: 1414)
  • Microsoft MSMQ/SharePoint Server: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135; also refer to the ports required for WMI mode of monitoring under Servers
  • VMware vFabric RabbitMQ Server: the port on which the management plugin is configured (default: 55672)
  • WebLogic Integration Server: WebLogic Integration port (default: 7001)

SERVERS

  • AS400/iSeries: Applications Manager connects to an AS400/iSeries server using the JTOpen package, which uses the following non-SSL ports: 449, 446, 8470, 8471, 8472, 8473, 8474, 8475, 8476. Ensure that the ports listed in the "Port Non-SSL" column of the following IBM document are not blocked by the firewall: http://www-01.ibm.com/support/docview.wss?uid=nas1acc12fda96496e4b8625668f007ab75f
  • Linux / Solaris / AIX / HP-UX / Tru64 Unix: Telnet port (default: 23) if the mode of monitoring is Telnet; SSH port (default: 22) if the mode of monitoring is SSH; SNMP agent port (default: 161) if the mode of monitoring is SNMP
  • Windows, WMI mode of monitoring: Windows Management Instrumentation (WMI) (default: 445); Remote Procedure Call (RPC) (default: 135). WMI uses DCOM for remote communication. By default, the server monitored by Applications Manager responds on a random port number above 1024. You have to connect to this target server and configure it to use a port within a specified range of ports; follow the steps in http://support.microsoft.com/kb/300083 to restrict the ports on the target server. Note that you must specify at least 5 ports in this range for the target server (it is normally recommended to open at least 100 ports; see http://support.microsoft.com/kb/217351/EN-US/). The same range of ports must also be opened in the firewall.
  • Windows, SNMP mode of monitoring: SNMP agent port: 161
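
The following script is an added example and is not part of the Applications Manager documentation: it pins the DCOM/RPC dynamic port range on a monitored Windows server to 5000-5100 (an assumed range), enforces the minimum of 5 ports, and opens 135, 445 and that range in Windows Firewall only from the Applications Manager host (192.0.2.10 is a placeholder address).

```powershell
# Added example, not from the Applications Manager documentation: restrict the
# DCOM/RPC dynamic port range on a monitored Windows host and allow it inbound
# only from the Applications Manager server. Run in an elevated PowerShell
# session; the new range takes effect after a reboot.
$RpcKey         = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$AppManagerHost = '192.0.2.10'   # placeholder: IP of the Applications Manager host
$RangeLow       = 5000           # assumed range; any range above 1024 works
$RangeHigh      = 5100
$Range          = "$RangeLow-$RangeHigh"

# The RPC runtime needs at least 5 ports in the range; 100 or more is recommended.
$RangeSize = $RangeHigh - $RangeLow + 1
if ($RangeSize -lt 5)   { throw "Range $Range has only $RangeSize ports; at least 5 are required" }
if ($RangeSize -lt 100) { Write-Warning "Range $Range has fewer than the recommended 100 ports" }

# Registry values read by the RPC runtime (see KB 300083): Ports (REG_MULTI_SZ),
# PortsInternetAvailable and UseInternetPorts (REG_SZ, both 'Y').
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Inbound TCP rules for the fixed WMI ports (135 RPC endpoint mapper, 445) and
# the dynamic range, scoped to the Applications Manager host rather than any source.
$Rules = @{
    'AppManager WMI - RPC endpoint mapper' = '135'
    'AppManager WMI - port 445'            = '445'
    'AppManager WMI - DCOM dynamic range'  = $Range
}
foreach ($Name in $Rules.Keys) {
    netsh advfirewall firewall add rule "name=$Name" dir=in action=allow protocol=TCP `
        "localport=$($Rules[$Name])" "remoteip=$AppManagerHost" | Out-Null
}

# Show the resulting RPC configuration so it can be verified before the reboot.
Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```

The same 5000-5100 range must then be permitted on any firewall between the Applications Manager host and the monitored server, as the entry above requires.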

SERVICES

  • Active Directory: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135; also refer to the ports required for WMI mode of monitoring under Servers
  • FTP/SFTP: the port on which FTP or SFTP is running (default: 21 for FTP, 22 for SFTP)
  • JMX [MX4J / JDK 1.5]: port of the JMX agent (default: 1099). To monitor JMX behind a firewall, the following changes have to be made:
    1. Edit the startApplicationsManager.bat/sh file and add -Dmonitor.jmx.rmi.port=<port number for RMI socket communication> to the Java runtime options.
    2. Restart the Applications Manager server.
    3. Ensure that the RMI socket port (from step 1) and the JNDI port (provided in step 4) are opened in the firewall.
    4. Add the JMX Applications monitor after providing the relevant details.
    5. The monitor should be added successfully.
  • LDAP: LDAP server port
  • Service Monitoring: the service port that you need to monitor
  • SNMP: SNMP agent port (default: 161)
  • Telnet: the port to which you need to telnet

TRANSACTION

  • APM Insight: the Applications Manager web server port (default: 9090) should be accessible from the APM Insight agent server.

VIRTUALIZATION

  • Hyper-V: Windows Management Instrumentation (WMI) port 445; Remote Procedure Call (RPC) port 135; also refer to the ports required for WMI mode of monitoring under Servers
  • VMware ESX/ESXi: VMware Web Service port (default: 443)

WEB SERVER/SERVICES

  • Real Browser Monitor (QEngine port): the qeport (default: 5001) specified in the AppManager_Home\working\conf\qeruntime.properties file should be accessible from the machine on which you want to record RBM web scripts
  • SSL Certificate Monitor: the SSL port on which the web server is running (default: 443)
  • Web Server - Apache / IIS / PHP: HTTP port of the web server (default: 80)

Miscellaneous

  • Trap Listeners: the trap listener port (default: 1620) on the Applications Manager server should be accessible from the server that sends the traps. For details, see Receiving SNMP Traps.

Applications Manager makes sure that its data is secure. The internal MySQL database accepts connections only from localhost, and only from authenticated users. User names and passwords are stored in the MySQL database bundled with the product, and the passwords are stored encrypted.

Privileges required for different monitor types (each entry gives the monitor type followed by the required privileges):

  • Active Directory: Administrator username/password [WMI mode]
  • Amazon:
    - The AWS Access Key ID for accessing AWS through the API. The access key has 20 alphanumeric characters.
    - The AWS Secret Access Key. The secret key is 40 alphanumeric characters long.
  • Apache Server: credentials for accessing the server-status URL of Apache
  • AS400/iSeries:
    - To retrieve data for all modules of the AS400/iSeries monitor except 'Disk', a user with the *USER user profile is required.
    - To retrieve data for 'Disk' and to perform admin actions from Applications Manager, a user with the *SECOFR user profile is required.
    - If using the *SECOFR user profile is not possible, then retrieving disk data and performing admin actions such as viewing spooled files and job logs and acting on JOBS, SPOOL and SUBSYSTEM require a user profile with special authorities such as *ALLOBJ, *SAVSYS, *JOBCTL and *SPLCTL.
    - The user should have permission to access the QMPGDATA/QPFRDATA library, because Applications Manager uses the performance collection service to retrieve disk details from the AS400/iSeries server. Note: if performance data collection is not enabled on the AS400/iSeries, start it with the STRPFRCOL command or via GO PERFORM --> COLLECT PERFORMANCE DATA --> START PERFORMANCE COLLECTION. You can also execute the STRPFRCOL command from the AS400/iSeries server monitor page under Admin --> Non-Interactive command.
  • Database Query Monitor: a user with privileges to access the particular database and execute the query
  • DB2: a user with at least SYSMON instance-level authority
  • Exchange Server: Administrator username/password [WMI mode]
  • File/Directory: a user with privileges to access the file or directory to be monitored
  • FTP/SFTP: if authentication is enabled, enter the username and password for connecting to the FTP/SFTP server and moving to the required directory
  • Glassfish: username and password for connecting to the Glassfish Admin console
  • HP-UX: guest user privilege
  • HTTP URL: if basic authentication is required, enter the credentials in the monitor
  • Hyper-V: administrator privileges on the root OS (Windows 2008 R2 and other supported Hyper-V versions)
  • IBM AIX: guest user privileges are sufficient, but "root" privileges are required for collecting memory-related details; hence it is preferable to use a "root" account to view all the details
  • IBM WebSphere MQ: a channel name of type "Server Connection Channel"
  • JBoss: use the JBoss username/password if JBoss is authenticated; the user should be able to access the JBoss JMX console. Otherwise, no username/password is required
  • JMX/Java Runtime: if authentication is enabled, enter the username and password for connecting to the JMX agent. To know more about monitoring a JMX application behind a firewall, see the related blog post.
  • LDAP: if authentication is enabled, enter the username and password. If no username and password are provided, the connection to the LDAP server is made as an anonymous login.
  • Linux: guest user privilege
  • Mail Server: if authentication is enabled, enter the username and password for connecting to the SMTP and POP servers
  • Microsoft .Net: Administrator username/password [WMI mode]
  • Microsoft Office SharePoint Server: Administrator username/password [WMI mode]
  • MS SQL: System Administrator/Owner for the "master" database
  • MSMQ: Administrator username/password [WMI mode]
  • MySQL: the user name specified should have access to the databases to be monitored. MySQL should also be configured to allow the host on which Applications Manager is running to access the MySQL database.
  • Oracle: a user with the CONNECT and SELECT_CATALOG_ROLE roles
  • SAP/SAP CCMS: a SAP user profile with the authorization objects S_RFC, S_XMI_LOG and S_XMI_PROD, which are the minimum prerequisites for adding a SAP monitor
  • Script monitor: a user with privileges to execute the script and access the output file
  • Server with SNMP mode: SNMP community string with read privileges
  • SNMP/Network device:
    - For SNMP version v1/v2c: SNMP community string with read-only privileges.
    - For SNMP version v3, select one of the three security levels in the drop-down list:
      NoAuthNoPriv - messages are sent unauthenticated and unencrypted. Enter a user name and context name.
      AuthNoPriv - messages are sent authenticated but unencrypted. Enter a user name, context name and an authentication password. You can select an authentication protocol such as MD5 or SHA from the drop-down list.
      AuthPriv - messages are sent authenticated and encrypted. Enter a user name, context name, an authentication password and a privacy password. You can select an authentication protocol such as MD5 or SHA from the drop-down list. By default, DES encryption is used.
  • Solaris: guest user privilege
  • Sybase: the user should have admin privileges or be the DB owner of the master database
  • Tomcat:
    - For 5.x and above, a username and password are required to connect to the Tomcat Manager application. If not, no username/password is required.
    - For 5.x, the user specified should have the 'manager' role.
    - For 6.x and above, the user specified should have the "manager-gui", "manager-script", "manager-jmx" and "manager-status" roles.
  • VMware ESX/ESXi: when adding VMware ESX/ESXi servers for monitoring, we recommend that you use the root account. However, if you are unable to use the root account, you can use a 'view-only' profile to add the servers; this profile has all the privileges required for monitoring. The user you create must be:
    - a member of the group user.
    - based on the profile 'read only'.
  • VMware vFabric RabbitMQ Server: user name and password of the RabbitMQ server
  • WebLogic: use the WebLogic username/password if WebLogic is authenticated; the user should be an administrator. Otherwise, no username/password is required.
  • WebLogic Integration Server: use the WebLogic username/password if WebLogic is authenticated; the user should be an administrator. Otherwise, no username/password is required.
  • Webservices: give the user name and password if they are required to invoke the web service operation.
  • WebSphere: if Global Security is enabled, use the same username/password. If not, no username/password is required.
  • Windows: Administrator username/password [WMI mode]

Enterprise Edition

Ports required between the Admin server and the Managed servers (each entry gives the path followed by the ports):

  • Admin server to Managed server: SSL port (default: 8443) for database syncing; web server port (default: 9090)
  • Managed server to Admin server: SSL port (default: 8443)

Note: Production Environment gives you the configuration details that you need to take care of when moving Applications Manager into production.
