Monitoring in the DMZ

Hi All,

Is anyone aware of which specific ports would need to be opened to allow monitoring in the DMZ, from looking around at older post im not sure if this is possible due to WMI needing a port range open ?

thanks

Stuart

Find more posts tagged with

ports

npm

dmz

Accepted answers

skyblademonkey

How agents work

Server & Application Monitor Getting Started Guide
- Agents

Polls nodes and applications across multiple discreet networks with overlapping IP address space.

Provides secure encrypted polling over a single port.

Supports low bandwidth, high latency connections.

Polls nodes across domains where no domain trusts are established.

Provides full encryption between the monitored host and the Orion poller.

Monitors the server and installed applications during a network outage, regardless of whether the agent can communicate with the poller. When the poller connection is restored, the agent forwards the results of its monitoring data collected during the outage to the poller for processing. All data gaps are filled with the data collected by the agent.

The agent allows you to monitor servers hosted by services, such as Amazon EC2, Rackspace, Microsoft Azure, or virtually any other Infrastructure as a Service (IaaS).

Orion Server initiated communication: The agent waits for requests from the server on the default port of 17790. This port must be opened on the firewall of the agent computer so the server can connect. No change to the server firewall is required.

Agent Plugin Version

Tip: Use Orion Server initiated communication in DMZ environments or cloud scenarios such as Azure. Use agent initiated communication with a proxy to poll multiple computers within a single Azure cloud service.

All comments

skyblademonkey

How agents work

Server & Application Monitor Getting Started Guide
- Agents

Polls nodes and applications across multiple discreet networks with overlapping IP address space.

Provides secure encrypted polling over a single port.

Supports low bandwidth, high latency connections.

Polls nodes across domains where no domain trusts are established.

Provides full encryption between the monitored host and the Orion poller.

Monitors the server and installed applications during a network outage, regardless of whether the agent can communicate with the poller. When the poller connection is restored, the agent forwards the results of its monitoring data collected during the outage to the poller for processing. All data gaps are filled with the data collected by the agent.

The agent allows you to monitor servers hosted by services, such as Amazon EC2, Rackspace, Microsoft Azure, or virtually any other Infrastructure as a Service (IaaS).

Orion Server initiated communication: The agent waits for requests from the server on the default port of 17790. This port must be opened on the firewall of the agent computer so the server can connect. No change to the server firewall is required.

Agent Plugin Version

muckman

Stuart use the agent to monitor everything in the DMZ. The agent will eliminate your need for a WMI credential and WinRM while streamlining along a single port. Unless you're using a separate credential for DMZ than you are for internal WMI then you are exposing your network. But if you really must use WMI then this is the article that you want to read:

https://thwack.solarwinds.com/community/solarwinds-community/product-blog/blog/2013/01/08/wmi-portapocalypse

matthewrackley

Hi All,

Just a quick question around DMZ, do you think its a good idea placing the monitoring engine in the DMZ zone ?

What Security issues to you believe this will bring to a user ?

Thanks

Regards Matt

dgsmith80

Hi Matt,

The answer is subjective dependant on your environment. If a large majority of your equipment is sat inside the DMZ then it might make sense to have the main engine there. Don’t forget though that if you need to monitor anything outside of the DMZ you then need to create rules for that, and you could go down the agent route or the APE route. Also consider where your support staff will be accessing the system from as if they are outside the DMZ then you need to punch holes for web access, and then the mail server. As you can see there are many considerations.

matthewrackley

Hi David,

Thank you for the response, its a great help.

Here at Tech Data we have a end user that asked this question yesterday so i thought i would do some research on it and see what the general feel was for setting it up this way.

I will be advising the end user to not do it this way.

Thanks again

Regards Mattt

cmazko

The online help links in the 2016 replies are old. To learn about agents in the latest online help system, see Poll devices with SolarWinds Orion agents.