stoggy1
1 Copper

I don't think this script is going to work very well

I haven't used VMware in a long time, and I know nothing about the previous commercial versions. And maybe the MCSE here jacked ours up, I don't know. I just got here.

The default firewall rules in VMware 3.5 allow the `esxcfg-firewall -e snmpd` command to allow inbound connections to tcp 161 and outbound connections to tcp 162, which is normal snmp. From what I have seen, IT Assistant doesn't have a way to specify what port it is going to use for snmp traffic, and it is using an unprivileged port. So the `-e snmpd` option won't work for IT Assistant.

I added this to the /etc/vmware/firewall/services.xml file. Now just `esxcfg-firewall -e ITassistant`. The service id='00xx' is just an incremental number; just use the next one in the file. This allows in and out to/from tcp 161; this will work.


<service id='00xx'>
  <id>ITassistant</id>
  <rule id='0000'>
    <direction>inbound</direction>
    <protocol>udp</protocol>
    <port type='dst'>161</port>
  </rule>
  <rule id='0001'>
    <direction>outbound</direction>
    <protocol>udp</protocol>
    <port type='dst'>161</port>
  </rule>
</service>

When you configure your snmp daemon, you sed the original to your tmp, then you mv your tmp onto your changes. You are overwriting what you just wrote. Your seds are fine; doing one thing per line makes it easy to read.

With sed in place:

echo '*** Configuring snmp and restarting snmp service ***'
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.ITA-INSTALL
sed -i "s/rocommunity.*/rocommunity $COMMUNITY_NAME/g" /etc/snmp/snmpd.conf
sed -i "s/trapcommunity.*/trapcommunity $COMMUNITY_NAME/g" /etc/snmp/snmpd.conf
sed -i "s/trapsink.*/trapsink $SNMP_TRAP_DEST/g" /etc/snmp/snmpd.conf
0 Kudos
6 Replies
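The in-place edit shown in the post above, written out as an added example that is not part of the original post or of Dell's installer script: it backs up the file once, escapes the community string so that a '/' or '&' in it cannot corrupt the sed replacement, appends a directive when the stock file lacks it, and verifies the result before reporting success. The file path, community string and trap destination are parameters; GNU sed (for -i) is assumed, as in the post, and the sample snmpd.conf in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the post above or from Dell's installer): edit
# snmpd.conf in place the way the post suggests, but with a one-time backup,
# escaping of the community string, an append path for directives the stock
# file lacks, and a verification step. Assumes GNU sed for -i, as on the ESX
# 3.5 service console. File path, community and trap destination are parameters.

# Escape a value for the right-hand side of a sed s/// with '/' delimiter:
# '\', '&' and '/' are special there and would otherwise corrupt the edit.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# set_directive FILE NAME VALUE: rewrite every active "NAME ..." line to
# "NAME VALUE"; if the directive is absent (or only commented out), append it.
set_directive() {
    file=$1; name=$2; escaped=$(sed_escape "$3")
    if grep -q "^$name[[:space:]]" "$file"; then
        sed -i "s/^$name[[:space:]].*/$name $escaped/" "$file"
    else
        printf '%s %s\n' "$name" "$3" >> "$file"
    fi
}

# configure_snmpd FILE COMMUNITY TRAPDEST: back up once (never clobber an
# earlier backup), apply the three edits, then verify. Exit status is 0 only
# if every directive carries the intended value afterwards.
configure_snmpd() {
    file=$1; community=$2; trapdest=$3
    [ -f "$file.ITA-INSTALL" ] || cp "$file" "$file.ITA-INSTALL" || return 1
    set_directive "$file" rocommunity   "$community"
    set_directive "$file" trapcommunity "$community"
    set_directive "$file" trapsink      "$trapdest"
    grep -qxF "rocommunity $community"   "$file" &&
    grep -qxF "trapcommunity $community" "$file" &&
    grep -qxF "trapsink $trapdest"       "$file"
}

# Demo on a constructed sample file (not a real ESX snmpd.conf). The
# community string deliberately contains '/' and '&' to exercise sed_escape;
# the trap destination name is an assumption. Run as: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' 'rocommunity public' '# trapsink not set' > "$tmp"
    configure_snmpd "$tmp" 'ops-r0/only&1' 'ita.example.net' && echo "ok"
    cat "$tmp"
    rm -f "$tmp" "$tmp.ITA-INSTALL"
fi
```

The verification step matters more than it looks: the stock file may carry the directive only as a comment, in which case the original `s/rocommunity.*/.../` pattern silently changes nothing, and the agent keeps answering to whatever community string it shipped with.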
Scott Hanson
3 Argentium

RE: I don't think this script is going to work very well

First, thanks for the help rewriting the snmpd.conf changes; I didn't know about the -i option in sed, it makes it more elegant. As it was written, it did work. I wasn't using the -i option, so the changes weren't written to the original file, only to the tmp. Ugly but effective (and the reason I asked for some help in the comments 🙂).

I'm confused about what you are saying for the SNMP traffic. OMSA installed on ESX uses standard snmp ports; the `esxcfg-firewall -e` command has always worked on the machines in the lab.

Is something different going on in your environment, or did the previous admin muck up the configuration?

I'll change the script to incorporate the better sed solution, thanks again.
0 Kudos
stoggy1
1 Copper

RE: I don't think this script is going to work very well

When I was working with it to enable the snmp traffic, the `esxcfg-firewall -e snmpd` was opening 2 ports in the firewall:

inbound tcp to 161 and
outbound tcp to 162

This is normal snmp.

The IT Assistant program was using an unprivileged port, maybe this is non-standard? But so when the ESX server would respond, it would go to, say, tcp port 2222 at the destination. This was getting blocked in the outbound chain. Yes, this is very dependent on the setup. Is this not standard for VMware though? The esxcfg-firewall is kind of basic and ultimately would be hard to work with. iptables is there, so oh well.


In your script, before, you copied the file in /etc/snmp/snmpd.conf, then you sed'd the file to tmp, and then you would mv ./tmp to /etc/snmp/snmpd.conf, but you were doing this after every sed line. So at the end of your script there will be only 1 line in the snmpd.conf.

Yeah, I like the -i switch; it allows you to edit a file in place instead of having to cp or mv the redirected file afterwards. Make sure to cp first, though. It is only available in GNU sed AFAIK.

You might want to make a snmpd.conf file and then copy the already generated file into place, though; this would be easier later if you need to make changes. I always change Dell's install scripts. As bad as some of their stuff is, the installer is really nice and easy to fix. You don't have to mess around in the rpms to make some changes, and it's just a .sh script, so adding a line to copy the file into place is really easy. You would think they could prompt a couple of lines and do it for you, though.

read -p "ENTER RO COMMUNITY " ROCOM
read -p "ENTER TRAP COMMUNITY " TRAPCOM
# The placeholder tokens in tempsnmp.conf were lost from the post; @ROCOM@ and
# @TRAPCOM@ stand in for them here (assumed names). Output goes to snmpd.conf,
# which the installer then copies into /etc/snmp/.
sed -e "s/@ROCOM@/$ROCOM/g;s/@TRAPCOM@/$TRAPCOM/g" tempsnmp.conf > snmpd.conf

- or -

setup.sh -b -r -R -T -I
0 Kudos
Scott Hanson
3 Argentium

RE: I don't think this script is going to work very well

Not sure what's going on with your port problems. This section of the ITA manual lists all the ports that ITA and OMSA use for communication: http://support.dell.com/support/edocs/software/smitasst/8.2/en/ug/securein.htm#1053951

What problem are you having? ESX machines not appearing in ITA?

I hate to pick a nit about my original hack for sed and the snmpd.conf changes, but it did work. I think because of my convoluted implementation you are overthinking what is happening. Run the script; you'll see that it works.

I know that some of the product developers lurk on this site, so we appreciate the input. We also have a page dedicated to OpenManage Suggestions for Improvements if you have more --> http://www.delltechcenter.com/page/OpenManage+Suggestions+for+Improvements
0 Kudos
stoggy1
1 Copper

RE: I don't think this script is going to work very well

Yeah, ESX hosts not in ITA. I got them in there; I was just trying to figure out why they weren't in there to begin with.

Also, a better way of opening the web port, instead of using the `esxcfg-firewall -o tcp,1311,in` command, would be to add another rule to the /etc/vmware/firewall/services.xml file so that it can be used in the security policies and other things in the GUI.

The guy that uses IT Assistant just reinstalled it. But it was and is using unpriv ports for snmp traffic. I think he is using 8.2 now.

I know they are different here because before I figured out what the ports were doing:
iptables -I INPUT -p udp -s <ITA server> -j LOG --log-prefix "from ITA "
iptables -I OUTPUT -p udp -d <ITA server> -j LOG --log-prefix "to ITA "

Would upgrading ITA change the default port it uses? Maybe his previous versions used unpriv ports and the new one shouldn't, but now the registry is messed up?
0 Kudos
Saujanya
1 Copper

RE: I don't think this script is going to work very well

I haven't been following this thread in detail, forgive me for that. But I would like to provide a few pointers in addition to those that Scott has mentioned above.
Details of ports used by various OpenManage applications can be found in the OpenManage Security and Install Guide:
http://support.dell.com/support/edocs/software/smsom/5.4/en/ug/HTML/security.htm#wp1047254

Regarding the question of whether upgrading IT Assistant (ITA) changes the default port it uses, my answer would be no. However, there have been enhancements in ITA from version 8.1 to 8.2. See the "What's new" sections of the corresponding User's Guide for details (links provided below). In short, ITA 8.1 had the capability to discover and monitor VMware ESX systems, while 8.2 added auto-grouping and capturing migrations of VMs from one ESX host to another.

For ITA 8.1: http://support.dell.com/support/edocs/software/smitasst/8.1/en/ug/whatsnew.htm#1053186
For ITA 8.2: http://support.dell.com/support/edocs/software/smitasst/8.2/en/ug/whatsnew.htm#1054533
0 Kudos
stoggy1
1 Copper

RE: I don't think this script is going to work very well

I don't know if ours is different or if the doc is wrong, but IT Assistant is using an unpriv port for snmp traffic.

iptables -I INPUT -p udp -s <ITA server> -j LOG --log-prefix "from ITA "
iptables -I OUTPUT -p udp -d <ITA server> -j LOG --log-prefix "to ITA "

Add these 2 rules to your ESX firewall and then do a discovery of the system, and that will tell you; replace <ITA server> with your ITA server's IP or host name. Ours uses unpriv ports. I found where you can configure the web port in the ITA program, but nothing about whether you can change it to request snmp on priv or unpriv ports.

From my understanding, Windows doesn't make priv ports. So if there is a service on that port, then there is just a service on that port.

If there is no way ours can be different from yours, then the doc is wrong or you are reading the doc wrong. Which brings me back to my original point: you can just do `esxcfg-firewall -e snmpd`. You need to open a range of ports if you want to firewall by destination, or specify the source port on the outgoing chain.
0 Kudos
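As an added example that is not part of this thread, the following script turns the kernel log lines that the two iptables LOG rules above produce (in this post and the earlier one) into a per-flow port summary, then picks out the outbound flows that the snmpd service definition as described in this thread (inbound to 161, outbound to 162) would not cover. The hostname, addresses and log lines are constructed; the field layout (PROTO=, SPT=, DPT=) is the standard iptables LOG line as written to /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the "from ITA"/"to ITA" LOG
# lines by flow, then list outbound flows the snmpd rule set described in the
# thread (in to 161, out to 162) does not cover. Sample lines are constructed.

# ita_port_summary LOGFILE: print "dir proto spt dpt count", one line per flow.
ita_port_summary() {
    grep -E '(from|to) ITA ' "$1" |
    awk '{
        dir = ($0 ~ /from ITA /) ? "in" : "out"
        proto = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "PROTO=") == 1) proto = substr($i, 7)
            else if (index($i, "SPT=") == 1) spt = substr($i, 5)
            else if (index($i, "DPT=") == 1) dpt = substr($i, 5)
        }
        n[dir " " proto " " spt " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# uncovered_outbound LOGFILE: outbound flows whose destination port is not
# 162, i.e. agent replies going back to whatever ephemeral port the ITA
# server chose. These are the packets an "outbound to 162 only" rule misses.
uncovered_outbound() {
    ita_port_summary "$1" | awk '$1 == "out" && $4 != "162"'
}

# Constructed sample log (host name and addresses are made up): one SNMP GET
# from the ITA server on ephemeral port 2222, the agent's reply to it, and
# one trap from the host to port 162.
sample_log() {
    cat <<'EOF'
Jun  5 10:12:01 esx01 kernel: from ITA IN=vswif0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=80 TOS=0x00 PREC=0x00 TTL=128 ID=4321 PROTO=UDP SPT=2222 DPT=161 LEN=60
Jun  5 10:12:01 esx01 kernel: to ITA IN= OUT=vswif0 SRC=10.0.0.20 DST=10.0.0.5 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=17 PROTO=UDP SPT=161 DPT=2222 LEN=76
Jun  5 10:12:30 esx01 kernel: to ITA IN= OUT=vswif0 SRC=10.0.0.20 DST=10.0.0.5 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=18 PROTO=UDP SPT=1025 DPT=162 LEN=100
EOF
}

# Run as: sh thisfile.sh --demo   (or point ita_port_summary at /var/log/messages)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    echo "flows seen:";                    ita_port_summary "$tmp"
    echo "not covered by the snmpd rules:"; uncovered_outbound "$tmp"
    rm -f "$tmp"
fi
```

Because both rules are inserted with -I, they sit at the top of their chains and log every matching packet before any later ACCEPT or DROP decides its fate, so the summary shows what the ITA server actually sends and what the host tries to send back, regardless of what the firewall then does with it. In the sample, the one outbound flow that gets flagged is the agent's reply to the ephemeral port, which is exactly the packet described in the thread as being blocked in the outbound chain.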