Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Exposing port 17778 on Internet

We are trying to use agents for monitoring our servers in the cloud. We don't have VPN to the cloud. Agent initiated communication seems to be the appropriate choice here.

I have one question about 17778 port though. From what I understand we have to expose port 17778 on Orion Server to the internet in order for agent initiated connection to work. I was really hoping, agents could use a service/port on Solarwinds which can not be used to access other information using REST API. I know, in order to connect to the API , credentials are needed but, management seems hesitant to the idea of exposing a port on internet which can be used to delete nodes or extract data in case of the credentials being compromised.

Is there a way we can enable agent initiated communication on a port which does not allow REST API requests?

Thanks

Ahmee

aLTeReGo

Find more posts tagged with

Accepted answers

All comments

leigham_martin

Hello,

Do you not have a firewall or perimeter WAF/IPS between your cloud and your network? or are you directly plugged into your cloud?

Personally id advise against exposing your SW ports to the internet, you would usually have firewall rules that allow your cloud IP's into your main SolarWinds Server via the relevant ports?

It really depends on how your setup.

Regards,

jkump

That's what I was thinking. The few cloud configurations we have, we have dedicated VPN pipes and then we allow the interesting traffic through the firewall.

leigham_martin

Quite right, if you have a hybrid Cloud/Internal infrastructure i would expect there to be a WAN network or dedicated VPN in which you would not need a firewall as it would be seen as your internal network preventing the need to expose orion to the open world.

aLTeReGo

In situations such as what you describe, it's not at all uncommon for users to place a proxy in the DMZ which Agents connect to from the cloud. The proxy provides an additional layer of protection, providing authentication and preventing the internet from having direct contact with the Orion server itself. I've personally used both ccproxy on Windows, Squid on Linux for this exact purpose.

ahmee

Thanks for your input guys. To explain our environment a bit further.

- we do have perimeter firewalls

- we also have VPNs to some parts of cloud but not in all regions. So the places where we have VPNs are easy to monitor.

- Allowing only cloud instace IPs in the Firewall is an option but it will be a task to keep IP groups updated in perimeter firewalls

- The proxy options looks good. We actually tried it the other day and so far havent been able to make it work. We tried it with Server initiated connection. A squid proxy has been placed on the DMZ network in AWS. We will play with this again today.

Thanks and Regards

Ahmee

rschroeder

Remember that you do NOT have to give Solarwinds products read-write snmp permissions. They work fine with read-only.

Although it's convenient to be able to shut or no-shut ports when looking at them in NPM, my organization doesn't allow read-write permissions for snmp.

Yes, you should proxy or VPN or firewall this traffic. But there's no absolute functional need to give SW read-write permissions. Without that power, suddenly your environment in the cloud isn't at as great a risk.