May 31st, 2012 02:00

Unisphere Host Agent and Windows 2008 Firewall with Advanced Security

Hi

We have problems getting the Unisphere Host Agent to communicate through the Windows 2008 firewall with advanced settings.

If we shut the firewall down everything works (but this is not an option).

We thought that we knew how to configure the firewall and have given the agent access both ways, but it does not work.

Has anyone seen this problem before?

I have searched the KB but there is no help in there on how to set up the firewall, only on the "normal" firewall.

Thx

Jim

1 Rookie

 • 

20.4K Posts

May 31st, 2012 05:00

Jim,

Can you install Wireshark on that box? It should be easy to capture what ports it's using to talk back and forth.

212 Posts

May 31st, 2012 06:00

Thx

I will give it a try and see if we can get that onto one of the servers.

212 Posts

May 31st, 2012 06:00

Hi Dynamox

We already know what port the Host Agent uses; we got that from EMC support.

But when we open those ports in the firewall and restart the agent, it does not work.

Neither does it work if we give the agent full access both ways through the firewall.

The problem is that the host shows up as unmanaged...

But if we shut the firewall down we see the host as managed, and this is even without restarting the agent.

Our customer cannot connect his server to the corporate network if the firewall is disabled, so we need to figure out what is wrong. EMC support does not seem to know what to do; they have been working on it for 7 days, with no solution.

1 Rookie

 • 

20.4K Posts

May 31st, 2012 06:00

I would install Wireshark, drop the firewall, filter the Wireshark output so that it only captures traffic between the host and the SP (you can try SPA and SPB), and see if it gives you any additional information.

1 Rookie

 • 

20.4K Posts

June 8th, 2012 07:00

Jim,

Any luck with this?

212 Posts

June 8th, 2012 23:00

Hi dynamox

Nope, nothing new.

Our customer cannot give us permission to put any unauthorized software on their servers.

EMC support has given up, but the customer has opened a support case internally with the corporate IT domain admins.

Fact is that something in the Windows firewall is blocking the host agent no matter what we try to do; the only thing that works is disabling the firewall.

We think that the servers inherit some kind of security settings when they join the domain...

The customer is one of the world's largest software companies, where we work in one of their development centres.

1 Rookie

 • 

20.4K Posts

June 9th, 2012 05:00

What firewall ports have you tried so far? I'll try to reproduce it on my test system.

June 9th, 2012 17:00

Just a few thoughts:

In the absence of a packet capture as suggested above, I would suggest logging dropped packets as follows:

1) Select: "Windows Firewall Properties"

2) For each Profile: Domain, Private and/or Public:

a) Under "Logging", click "Customize"

b) "Log dropped packets": Yes

3) Note the location of the firewall logs (default):

%SYSTEMROOT%\system32\LogFiles\Firewall\pfirewall.log

4) Initiate all possible traffic:

a) Initiated from Unisphere Host Agent on Windows Server:

Restart the service (by default Windows Firewall allows all outbound traffic and, being stateful, will allow the inbound response traffic even if there isn't an explicit inbound rule)

b) Initiated from VNX SPs:

Within Unisphere, under Host tab -> Update All Hosts (and Poll)

5) Review pfirewall.log

You *should* only have to allow "by Program": the full path to the HostAgent.exe executable (after you create the rule, you can refine it by service name in the rule properties). Also, by default, it should be listening on port TCP/6389, if you are also limiting by port or only creating rules based on TCP ports and not program names. To verify the TCP port in question, at a command prompt search for HostAgent.exe in the output of the following command (as a reminder, you may need to run cmd as Administrator):

netstat -abn

I would also keep in mind that the Windows 2008 firewall is stateful, so you don't have to create an explicit rule for the response. Not sure if any of this helps.
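For step 5 of the procedure above, an added example (not part of the original post, and not EMC or Microsoft code) that parses a pfirewall.log and counts dropped packets per source, restricted to the TCP/6389 port mentioned in the post. The sample log lines, dates and addresses are constructed for illustration, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the pfirewall.log W3C layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2012-06-09 17:02:11 DROP TCP 192.0.2.10 192.0.2.50 51514 6389 52 S 1203944 0 8192 - - - RECEIVE
2012-06-09 17:02:14 DROP TCP 192.0.2.10 192.0.2.50 51514 6389 52 S 1203944 0 8192 - - - RECEIVE
2012-06-09 17:02:15 ALLOW TCP 192.0.2.50 192.0.2.10 49233 443 0 - 0 0 0 - - - SEND
2012-06-09 17:02:20 DROP UDP 192.0.2.77 192.0.2.255 137 137 78 - - - - - - - RECEIVE
2012-06-09 17:02:31 DROP TCP 192.0.2.11 192.0.2.50 50022 6389 52 S 99120 0 8192 - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def summarize_drops(text, port=None):
    """Count DROP entries per (protocol, src-ip, dst-port, path), optionally for one port."""
    counts = Counter()
    for entry in parse_firewall_log(text):
        if entry["action"] != "DROP":
            continue
        if port is not None and str(port) not in (entry["src-port"], entry["dst-port"]):
            continue
        key = (entry["protocol"], entry["src-ip"], entry["dst-port"], entry["path"])
        counts[key] += 1
    return counts

if __name__ == "__main__":
    # 6389 is the Host Agent's default listening port named in the post.
    for (proto, src, dport, path), n in summarize_drops(SAMPLE_LOG, port=6389).most_common():
        print(f"{n:3d} x DROP {proto} {src} -> port {dport} ({path})")
```

To run it against a real log, read the file copied from the server and pass its contents to `summarize_drops` in place of `SAMPLE_LOG`.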

212 Posts

June 12th, 2012 02:00

Hi all

We have now found the issue with this one...

The problem was IPsec, which blocked the traffic from the Host Agent, and this was configured at our customer's site from the domain controllers. After they gave permission for the traffic, everything works fine.

Thank you everyone for your suggestions on this small issue.

Jim

1 Rookie

 • 

20.4K Posts

June 12th, 2012 05:00

IPsec got activated only when Windows Firewall was enabled? That's odd.