6 Replies Latest reply on Jan 29, 2018 8:39 PM by rschroeder

    Exposing port 17778 on Internet

    ahmee

      We are trying to use agents for monitoring our servers in the cloud. We don't have a VPN to the cloud. Agent-initiated communication seems to be the appropriate choice here.

      I have one question about port 17778 though. From what I understand, we have to expose port 17778 on the Orion server to the internet in order for agent-initiated connection to work. I was really hoping agents could use a service/port on SolarWinds which cannot be used to access other information using the REST API. I know that in order to connect to the API, credentials are needed, but management seems hesitant about the idea of exposing a port on the internet which can be used to delete nodes or extract data in case of the credentials being compromised.

      Is there a way we can enable agent-initiated communication on a port which does not allow REST API requests?

      Thanks

      Ahmee


        • Re: Exposing port 17778 on Internet
          leigham martin

          Hello,

          Do you not have a firewall or perimeter WAF/IPS between your cloud and your network? Or are you directly plugged into your cloud?

          Personally I'd advise against exposing your SW ports to the internet; you would usually have firewall rules that allow your cloud IPs into your main SolarWinds server via the relevant ports.

          It really depends on how your setup is.

          Regards,

          L.

          • Re: Exposing port 17778 on Internet
            aLTeReGo

            In situations such as what you describe, it's not at all uncommon for users to place a proxy in the DMZ which agents connect to from the cloud. The proxy provides an additional layer of protection, providing authentication and preventing the internet from having direct contact with the Orion server itself. I've personally used both CCProxy on Windows and Squid on Linux for this exact purpose.

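As an added illustration of the DMZ proxy described in the reply above (this is an example written for this thread, not configuration shipped by SolarWinds or posted by anyone in it), the following is a minimal Squid configuration that lets only authenticated agents open a CONNECT tunnel to the Orion server on 17778 and refuses everything else. The Orion address 203.0.113.200 (an RFC 5737 test address standing in for the real server), the proxy port 3128, the helper path and the credential file name are all assumptions. One caveat a practitioner should keep in mind: a CONNECT tunnel carries the agent's TLS session opaquely, so the proxy cannot tell agent traffic from REST calls on the same port; what it adds is a second credential (the proxy login) and the ability to keep 17778 reachable only from the proxy's own address at the perimeter firewall.

```conf
# /etc/squid/squid.conf  (added example for this thread, not SolarWinds-supplied)
# Assumptions: Orion is 203.0.113.200 (TEST-NET-3 stand-in for the real server),
# the NCSA helper lives at /usr/lib/squid/basic_ncsa_auth (path varies by
# distribution), and the agents are configured to use this host:3128 with
# HTTP Basic proxy credentials.

http_port 3128

# Only the Orion server, only the agent port
acl orion_server   dst  203.0.113.200/32
acl orion_port     port 17778
acl connect_method method CONNECT

# Every tunnel must carry a per-agent proxy credential
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/agents.htpasswd
auth_param basic realm Orion agent proxy
auth_param basic credentialsttl 2 hours
acl agents proxy_auth REQUIRED

# ACLs on one http_access line are ANDed: an authenticated CONNECT to
# Orion:17778 is allowed, anything else (other hosts, other ports, plain
# GET/POST, unauthenticated tunnels) is denied.
http_access allow connect_method orion_server orion_port agents
http_access deny all

# Don't leak topology in proxy headers; nothing here is cacheable anyway
via off
forwarded_for delete
cache deny all
```

Create the credential file with an MD5/APR1 hash, which basic_ncsa_auth understands (`htpasswd -c -m /etc/squid/agents.htpasswd agent01`, then `htpasswd -m` without `-c` for each further agent). At the perimeter firewall, allow inbound 17778 to Orion only from the proxy's DMZ address, so the only port the internet ever reaches is 3128 on the proxy.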
            • Re: Exposing port 17778 on Internet
              ahmee

              Thanks for your input, guys. To explain our environment a bit further:

              - We do have perimeter firewalls.

              - We also have VPNs to some parts of the cloud, but not in all regions. The places where we have VPNs are easy to monitor.

              - Allowing only cloud instance IPs in the firewall is an option, but it will be a task to keep the IP groups updated in the perimeter firewalls.

              - The proxy option looks good. We actually tried it the other day and so far haven't been able to make it work. We tried it with server-initiated connection. A Squid proxy has been placed on the DMZ network in AWS. We will play with this again today.

              Thanks and Regards

              Ahmee
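The post above notes that allowlisting cloud instance IPs at the perimeter firewall is an option but that keeping the IP groups current is a chore. As an added example (written for this thread, not code from SolarWinds or from any poster), the script below shows the mechanical part of that chore: it reads the AWS ip-ranges.json document format, keeps only the EC2 prefixes for the regions that have no VPN, collapses adjacent prefixes into one object, diffs the result against what the firewall currently has, and renders one accept rule per prefix toward port 17778. The JSON excerpt is constructed from RFC 5737 test addresses (it is not real published data), the Orion address 203.0.113.200 is an assumption, and the iptables syntax is only an illustration of the rule shape; a perimeter firewall would have its own object/rule language.

```python
"""Keep a perimeter-firewall allowlist of cloud instance ranges in sync.

Added example for this thread, not code from SolarWinds or the posters.
It reads the AWS ip-ranges.json document shape
(https://ip-ranges.amazonaws.com/ip-ranges.json); the excerpt below is
CONSTRUCTED from RFC 5737 test addresses, not real published ranges.
"""
import ipaddress
import json

# Constructed excerpt in the real document's shape (syncToken/createDate/prefixes).
# Only IPv4 is shown; the real document keeps IPv6 under a separate "ipv6_prefixes" key.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2018-01-29-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24",      "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/25",    "region": "eu-west-1", "service": "S3"},
        # "AMAZON" entries are supersets of other services; they are not instance ranges.
        {"ip_prefix": "198.51.100.0/24",   "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def instance_ranges(doc_text, regions, services=("EC2",)):
    """Return the collapsed, sorted prefixes for the given regions and services.

    Only the regions without a VPN need to come in over the internet, so the
    caller passes exactly those. Adjacent prefixes are merged so the firewall
    object stays small (two /25s become one /24 here).
    """
    doc = json.loads(doc_text)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["region"] in regions and p["service"] in services
    ]
    return sorted(ipaddress.collapse_addresses(nets))


def allowlist_diff(current, desired):
    """Return (to_add, to_remove) between what the firewall has and what we want.

    `current` is the list of prefix strings exported from the firewall object;
    `desired` is the output of instance_ranges().
    """
    cur = {ipaddress.ip_network(n) for n in current}
    des = set(desired)
    return sorted(des - cur), sorted(cur - des)


def render_rules(nets, orion_ip, port=17778):
    """Emit one accept rule per prefix toward Orion's agent port.

    iptables syntax is used purely for illustration of the rule shape.
    """
    return [
        f"iptables -A INPUT -s {n} -d {orion_ip} -p tcp --dport {port} -j ACCEPT"
        for n in nets
    ]


def is_allowed(src_ip, nets):
    """True if src_ip falls inside one of the allowed prefixes (a quick sanity check)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    wanted = instance_ranges(SAMPLE_IP_RANGES, {"eu-west-1"})
    add, remove = allowlist_diff(["198.51.100.0/25", "192.0.2.0/24"], wanted)
    print("add:", [str(n) for n in add], "remove:", [str(n) for n in remove])
    for rule in render_rules(wanted, "203.0.113.200"):
        print(rule)
```

Run it on a schedule against the freshly downloaded document, feed the add/remove lists to whatever manages the firewall's address object, and alert when the diff is non-empty so a human sees every change before it is applied. Note that the "AMAZON" prefixes are deliberately excluded: they cover far more than your instances, and allowing them would widen the hole the post is trying to keep narrow.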

              • Re: Exposing port 17778 on Internet
                rschroeder

                Remember that you do NOT have to give SolarWinds products read-write SNMP permissions. They work fine with read-only.

                Although it's convenient to be able to shut or no-shut ports when looking at them in NPM, my organization doesn't allow read-write permissions for SNMP.

                Yes, you should proxy or VPN or firewall this traffic. But there's no absolute functional need to give SW read-write permissions. Without that power, suddenly your environment in the cloud isn't at as great a risk.