HP VSE Management Software Version 4.1 Installation and Update Guide for HP-UX > Chapter 2 System Requirements

Compatibility with HP-UX Bastille and Other Network Firewalls

Network firewall software such as HP-UX Bastille might block the communication protocols used by the VSE Management Software. If your CMS or VSE managed systems use firewall software, follow the configuration guidelines in the following sections.

VSE Management Software Network Communication Protocols

The VSE Management Software retrieves real-time and historical utilization data from managed systems and their associated applications using the following network communication protocols.

  • The SSH-2 (secure shell) protocol is used to install the VSE agent software from the CMS to support the visualization and configuration features of Virtualization Manager, and to collect utilization data for Capacity Advisor.

  • Web-Based Enterprise Management (WBEM) services are used to support the visualization and configuration features of Virtualization Manager and to collect utilization data for Capacity Advisor.

  • The OpenSSL protocol is used to obtain application information from managed systems for Application Discovery.

HP Systems Insight Manager (SIM) uses additional communication protocols between the CMS and managed systems to provide real-time system status and WBEM indications, and for basic communication between the web-based applications and the end user.

If you are using firewall software such as HP-UX Bastille on the CMS or on managed systems, the firewall must be configured so that it does not block the required network communication. The following sections present detailed configuration instructions for HP-UX Bastille. Other network firewall software must be similarly configured.

Additional information about SIM secure data transmission and related issues can be found in the manuals and white papers available from the “Information library” link at http://www.hp.com/go/hpsim.

Firewall Settings on the CMS

The following set of protocols should be allowed through firewalls between the CMS and the managed systems.

Communication Between the CMS and Managed Nodes

  • The Internet Control Message Protocol ICMPv4 Type 8 (Echo Request), used by ping.

  • HTTPS over port 5989, used by WBEM.

  • HTTPS over port 2381, used by web agents.

  • SSH-2 over port 22, used by the Distributed Task Facility (DTF).

  • OpenSSL over port 9143, used by Application Discovery.

  • Global Workload Manager uses ports 9617 and 9618 on the CMS. Refer to the “Communications Ports” section of the HP Global Workload Manager Version 4.1 User's Guide for information about changing the default ports.

Communication Between the CMS and the Web Browser

  • HTTP over port 280 (initial communication).

  • HTTPS over port 50000 (subsequent user interface communication).

Bastille Settings on the CMS

If Bastille/Install-Time Security will be used to secure the CMS, use the “Managed DMZ” level for initial lockdown. To configure the CMS for Managed DMZ, use the following procedure. For additional information, see bastille(1M).

Procedure 2-1 Configure CMS for Managed DMZ Under HP-UX Bastille

  1. Copy the configuration file /etc/opt/sec_mgmt/bastille/MANDMZ.config to /etc/opt/sec_mgmt/bastille/config.

    NOTE: In some versions of HP-UX Bastille, the MANDMZ.config file may be located in a subdirectory under /etc/opt/sec_mgmt/bastille/.
  2. Add the following rules to the top of the file /etc/opt/sec_mgmt/bastille/ipf.customrules.

    NOTE: Each rule must be entered on a single line.
    # Custom CMS firewall rules
    # Allow ping
    pass in quick proto icmp from any to any icmp-type 8 keep state

    # Allow HTTP on port 280 for inbound HP SIM connections
    pass in quick proto tcp from any to any port = 280
    # Allow HTTPS on port 50000 for inbound HP SIM connections
    pass in quick proto tcp from any to any port = 50000

    # Global Workload Manager uses ports 9617 and 9618 to
    # communicate with remote agents
    pass in quick proto tcp from any to any port = 9617 flags S keep state keep frags
    pass in quick proto tcp from any to any port = 9618 flags S keep state keep frags

    # Application Discovery uses OpenSSL on port 9143
    pass in quick proto tcp from any to any port = 9143 flags S keep state keep frags

  3. Run the Bastille configuration engine by entering the following command:

    # /opt/sec_mgmt/bastille/bin/bastille -b

Firewall Settings on Managed Systems

The following set of protocols should be allowed through the firewall:

  • The Internet Control Message Protocol ICMPv4 Type 8 (Echo Request), used by ping. Both inbound and outbound ping are needed for SIM discovery and system status.

  • HTTPS over port 5989, used by WBEM.

  • HTTPS over port 2381, used by web agents.

  • SSH-2 over port 22, used by the Distributed Task Facility (DTF).

  • Global Workload Manager uses port 9617 on managed nodes. Refer to the “Communications Ports” section of the HP Global Workload Manager Version 4.1 User's Guide for information about changing the default ports.

Bastille Settings on the Managed System

If Bastille/Install-Time Security will be used to secure the managed system, use the “Managed DMZ” level for initial lockdown. To configure a managed system for Managed DMZ, use the following procedure. For additional information, see bastille(1M).

Procedure 2-2 Configure Managed System for Managed DMZ Under HP-UX Bastille

  1. Copy the configuration file /etc/opt/sec_mgmt/bastille/MANDMZ.config to /etc/opt/sec_mgmt/bastille/config.

    NOTE: In some versions of HP-UX Bastille, the MANDMZ.config file may be located in a subdirectory under /etc/opt/sec_mgmt/bastille/.
  2. Add the following rules to the top of the file /etc/opt/sec_mgmt/bastille/ipf.customrules.

    NOTE: Each rule must be entered on a single line.
    # Custom HP SIM Managed System firewall rules
    # Allow ping
    pass in quick proto icmp from any to any icmp-type 8 keep state

    # Global Workload Manager uses port 9617 to
    # communicate with the CMS
    pass in quick proto tcp from any to any port = 9617 flags S keep state keep frags

  3. Run the Bastille configuration engine by entering the following command:

    # /opt/sec_mgmt/bastille/bin/bastille -b

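After either procedure, a quick way to confirm that ipf.customrules actually carries the rules this chapter lists for the CMS (Procedure 2-1) and for a managed system (Procedure 2-2) is to audit the file against the documented inbound ports. The script below is an added example, not part of the HP guide; it assumes rules use the guide's `pass in quick proto tcp ... port = N` form (backslash continuations are joined first) and the sample rule file is constructed.

```shell
#!/bin/sh
# Audit an HP-UX Bastille ipf.customrules file against the inbound ports
# required by the VSE Management Software guide. Added example, not HP's code.

# Inbound TCP ports the guide lists for each role (ICMP echo is checked separately).
ports_for_role() {
    case "$1" in
        cms)     echo "280 50000 9617 9618 9143" ;;
        managed) echo "9617" ;;
        *)       echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Join lines ending in a backslash with the following line, as the guide's NOTE asks.
join_continuations() {
    awk '/\\$/ { sub(/\\$/, ""); printf "%s", $0; next } { print }' "$1"
}

# Print the TCP ports that the file passes inbound, one per line.
passed_tcp_ports() {
    join_continuations "$1" | grep -v '^[[:space:]]*#' |
        grep -E '^[[:space:]]*pass[[:space:]]+in[[:space:]].*proto[[:space:]]+tcp' |
        sed -n 's/.*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed if inbound ICMP echo (type 8) is passed.
passes_icmp_echo() {
    join_continuations "$1" | grep -v '^[[:space:]]*#' |
        grep -Eq 'pass[[:space:]]+in.*proto[[:space:]]+icmp.*icmp-type[[:space:]]+8'
}

# Print the required ports for ROLE that FILE does not pass, space separated.
missing_ports() {
    present=$(passed_tcp_ports "$2"); missing=""
    for p in $(ports_for_role "$1"); do
        echo "$present" | grep -qx "$p" || missing="$missing $p"
    done
    echo "${missing# }"
}

# Constructed sample: a CMS rule file that omits the Application Discovery port.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Custom CMS firewall rules
pass in quick proto icmp from any to any icmp-type 8 \
keep state
pass in quick proto tcp from any to any port = 280
pass in quick proto tcp from any to any port = 50000
pass in quick proto tcp from any to any port = 9617 flags S keep state keep frags
pass in quick proto tcp from any to any port = 9618 flags S keep state keep frags
EOF

gaps=$(missing_ports cms "$SAMPLE")
[ -z "$gaps" ] && echo "all CMS ports present" || echo "missing CMS ports: $gaps"
passes_icmp_echo "$SAMPLE" && echo "ICMP echo allowed" || echo "ICMP echo not allowed"
```

Run it with the real file in place of the constructed sample to see which documented ports a lockdown left closed before the CMS or agents fail to communicate.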
© 2006-2008 Hewlett-Packard Development Company, L.P.