Unisphere Host Agent and Windows 2008 Firewall with Advanced Security
Hi
We have problems getting the Unisphere Host Agent to communicate through the Windows 2008 firewall with advanced settings.
If we shut the firewall down everything works (but this is not an option).
We thought that we knew how to configure the firewall and have given the agent access both ways, but it does not work.
Has anyone seen this problem before....
I have searched the KB but no help in there on how to set up the firewall...only on the "normal" firewall
Thx
Jim
dynamox
May 31st, 2012 05:00
Jim,
can you install Wireshark on that box ? Should be easy to capture what ports it's using to talk back and forth.
Jim_Hegner
May 31st, 2012 06:00
Thx
I will give it a try...and see if we can get that on to one of the servers..
Jim_Hegner
May 31st, 2012 06:00
Hi Dynamox
We already know what port the Host Agent uses, we got that from the EMC support.
But when we open those ports in the firewall and restart the agent, it does not work.
Neither does it work if we give the agent full access both ways through the firewall.
The problem is that the host shows up as unmanaged...
But if we shut the firewall down we see the host as managed...and this is even without restarting the agent.
Our customer cannot connect his server to the corporate network if the firewall is disabled, so we need to figure out what is wrong. EMC support does not seem to know what to do...they have been working on it for 7 days, with no solution.
dynamox
May 31st, 2012 06:00
I would install Wireshark, drop the firewall...filter Wireshark output to where it only captures traffic between the SP (you can try SPA and SPB) and see if it gives you any additional information.
dynamox
June 8th, 2012 07:00
Jim,
any luck with this ?
Jim_Hegner
June 8th, 2012 23:00
Hi dynamox
Nope, nothing new.
Our customer cannot give us permission to put any unauthorized software on their servers.
EMC support has given up, but the customer has opened a support case internally with the corporate IT domain admins.
Fact is that something in the Windows firewall is blocking the host agent no matter what we try to do, only thing that works is disabling the firewall.
We think that the servers inherit some kind of security settings when they join the domain...
The customer is one of the world's largest software companies, where we work in one of their development centres
dynamox
June 9th, 2012 05:00
what firewall ports have you tried so far ? I'll try to reproduce it on my test system.
christopher_ime
June 9th, 2012 17:00
Just a few thoughts:
In the absence of a packet capture as suggested above, I would suggest logging dropped packets as follows:
1) Select: "Windows Firewall Properties"
2) For each Profile: Domain, Private and/or Public:
   a) Under "Logging", click "Customize"
   b) "Log dropped packets": Yes
3) Note the location of the firewall logs (default):
   %SYSTEMROOT%\system32\LogFiles\Firewall\pfirewall.log
4) Initiate all possible traffic:
   a) Initiated from Unisphere Host Agent on Windows Server:
      Restart service (by default Windows Firewall allows all Outbound traffic and being stateful will allow the inbound traffic even if there isn't an explicit inbound rule)
   b) Initiated from VNX SP's:
      Within Unisphere, under Host tab -> Update All Hosts (and Poll)
5) Review pfirewall.log
You *should* only have to allow either "by Program": full path to the HostAgent.exe executable (or after you create the rule, you can refine it by service name in the rule properties). Also, by default, it should be listening on port TCP/6389 if you are also limiting by port or only creating rules based on TCP ports and not program names. To verify TCP port in question, at a command prompt search for HostAgent.exe from the following output (as a reminder, you may need to run cmd as Administrator):
netstat -abn
I would also keep in mind that the Windows 2008 firewall is stateful, so you don't have to create an explicit rule for the response. Not sure if any of this helps.
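Step 5 of the post above ("Review pfirewall.log"), as an added example that is not part of the original thread: a small Python parser that reads the log's own #Fields header and counts dropped TCP packets on the Host Agent port, grouped by direction and peer. The sample log is constructed, all addresses are made up, and the function names are hypothetical.

```python
from collections import Counter

AGENT_PORT = 6389  # default Host Agent TCP port named in the post above

# Constructed sample in the pfirewall.log layout; every address is made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2012-06-09 17:01:12 DROP TCP 10.0.0.50 10.0.0.10 51234 6389 52 S 1234567 0 8192 - - - RECEIVE
2012-06-09 17:01:15 DROP TCP 10.0.0.50 10.0.0.10 51234 6389 52 S 1234567 0 8192 - - - RECEIVE
2012-06-09 17:01:20 DROP TCP 10.0.0.51 10.0.0.10 51300 6389 52 S 7654321 0 8192 - - - RECEIVE
2012-06-09 17:02:01 DROP UDP 10.0.0.77 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2012-06-09 17:02:30 ALLOW TCP 10.0.0.10 10.0.0.50 49200 443 0 - 0 0 0 - - - SEND
"""

def parse_log(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def agent_drops(text, port=AGENT_PORT):
    """Count dropped TCP packets touching the agent port, keyed by direction and flow."""
    drops = Counter()
    for rec in parse_log(text):
        if rec["action"] != "DROP" or rec["protocol"] != "TCP":
            continue
        if str(port) in (rec["src-port"], rec["dst-port"]):
            key = (rec.get("path", "-"), rec["src-ip"], rec["dst-ip"], rec["dst-port"])
            drops[key] += 1
    return drops

if __name__ == "__main__":
    # On a real host, read the file from step 3 instead of SAMPLE_LOG.
    for (path, src, dst, dport), n in agent_drops(SAMPLE_LOG).most_common():
        print(f"{n:3d} x {path:7s} {src} -> {dst}:{dport}")
```

An empty result while the host still shows as unmanaged means this log recorded no drop on that port, so the rule set being edited is not what the log blames.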
Jim_Hegner
June 12th, 2012 02:00
Hi all
We now found the issue with this one...
The problem was IPsec, which blocked the traffic from the Host Agent, and this was configured at our customer's site from the Domain controllers. After they gave permission for the traffic everything works fine.
Thank you everyone for your suggestions on this small issue.
Jim
dynamox
June 12th, 2012 05:00
IPsec got activated only when Windows Firewall was enabled ? That's odd