How do I properly configure the Windows Firewall Service for IntelligenceCenter?

Solution

Overview

The customer performs a default installation of IC with IC and DC on separate servers. However, the network administrators require the Windows Firewall to be enabled on both servers. The following ports must be allowed as exceptions by the Windows Firewall in order for IC to fully function.

ANSWER:
A. TCP Port 80: This is only required if the default ports were designated on install.
B. TCP Port 443: This is only required if the default ports were designated on install.
C. UDP Port 9800: This is for FDR. IC will still function without it, but it will not collect FDR data.
D. TCP Port 21: Required for proper PacketShaper authentication and for collection of ME data.
E. TCP Port 8543: This is only REQUIRED when the IC and DC are separate, but best practice is to always allow it.
F. TCP Port 8778: SAPI: This port is limited to localhost on the DC server. If anything blocks that port, even from localhost, you will be able to collect data and generate reports but unable to modify the infrastructure present on the server.
G. BlueCoatDataCollectorjboss-4.0.3serveragentconfdevice-system-configuration should be 127.0.0.1

H. TCP Port 5432: Local Postgres database port. Like the SAPI port above, it is only accessible from localhost; this can be modified in the jboss configuration. C:BlueCoatDataCollectorjboss-4.0.3serveragentconfdevice-system-configuration should be 127.0.0.1 if IC and DC are on the same server. It should reference the partner IP if separate IC and DC servers are installed.

 

SPECIAL TCP FUNCTIONS:
TCP Echo: TCP Echo is required across the LAN. If it is off, ME will fail.
TCP Syn is by default OFF in all Windows environments since Windows 2000. IC assumes it is off.

Application to Individual NICs: Be aware that exceptions can be applied to individual NICs. If you configure them and still have problems, double-check the Advanced tab to see whether someone applied them to multiple NICs.

What if I cannot add the above Ports to the Exception List?
You are subject to a GPO or other local security policy which prevents your user account from modifying the Windows Firewall Service.
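
The checks described above can be scripted. The following PowerShell is an added example, not part of the original article or any vendor tooling; it assumes the NetSecurity cmdlets (Windows Server 2012 or later). For each port in the list above it reports which enabled inbound allow rules cover it, whether a rule is bound to specific NICs, and whether it comes from Group Policy.

```powershell
# Added example, not vendor code. Assumes the NetSecurity module; ports come from the list above.
$required = @(
    @{ Port = 21;   Proto = 'TCP'; Use = 'PacketShaper authentication, ME data' }
    @{ Port = 80;   Proto = 'TCP'; Use = 'WWW access to IC (default port)' }
    @{ Port = 443;  Proto = 'TCP'; Use = 'Secure WWW access to IC (default port)' }
    @{ Port = 8543; Proto = 'TCP'; Use = 'IC and DC on separate servers' }
    @{ Port = 9800; Proto = 'UDP'; Use = 'FDR data' }
    @{ Port = 5432; Proto = 'TCP'; Use = 'Postgres between IC and DC' }
)
# 8778 (SAPI) is localhost-only per the article, so no inbound exception is checked for it.
function Test-PortInSpec {
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# ActiveStore is the effective policy: local rules merged with any GPO rules.
$allow = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule      = $_
            Port      = $_ | Get-NetFirewallPortFilter
            Interface = ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias
            Remote    = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }

foreach ($r in $required) {
    $hits = @($allow | Where-Object {
        $_.Port.Protocol -in @($r.Proto, 'Any') -and (Test-PortInSpec -Spec $_.Port.LocalPort -Port $r.Port)
    })
    if ($hits.Count -eq 0) {
        Write-Warning ("{0}/{1} ({2}): no enabled inbound allow rule" -f $r.Proto, $r.Port, $r.Use)
        continue
    }
    foreach ($h in $hits) {
        [pscustomobject]@{
            Port       = "$($r.Proto)/$($r.Port)"
            Rule       = $h.Rule.DisplayName
            Profile    = $h.Rule.Profile
            Interfaces = $h.Interface -join ','          # anything other than 'Any' means per-NIC scoping
            Remote     = $h.Remote -join ','             # review 'Any' on the IC/DC-only ports
            Source     = $h.Rule.PolicyStoreSourceType   # GroupPolicy = cannot be changed locally
        }
    }
}
```

Run it on both the IC and the DC server. A warning for a port means the exception is missing on that host, and a Source of GroupPolicy means the rule has to be changed in the GPO rather than on the server.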

Firewall Port Summary

Summary of IC Firewall Ports
Port Number | Class | Communication Points | Notes and facts of interest
21 | TCP | IC / DC / SH | FTP is required for ME Data and IC/DC Inventory and Config
80 | TCP | CL / IC | WWW for access to IC
443 | TCP | CL / IC | Secure WWW for access to IC
8543 | TCP | IC / DC | Only of interest if IC/DC on separate machines
9800 | UDP | DC / SH | FDR Data Port between IC/DC
8778 | TCP | DC / DC | SAPI: Only 127.0.0.0 is allowed
5432 | TCP | IC / DC | Postgres: Required anytime IC or DC need to talk
TCP Echo | NA | IC / DC / SH | Network Firewall must allow
    

 

 


InQuira Doc Id: FAQ973