I am installing a new ePO 5.9 server to replace an ePO server that has been upgraded from ePO 4 through to ePO 5.3. This will be a side-by-side migration for my clients utilizing a new DB and new ePO server.
I have a question about the difference/rationale for the Agent-Server communication port and the Agent-Server communication secure port. Since my old ePO server was upgraded from 4 -> 5, we have the secure port disabled because it did not exist before ePO 5.0. We use a custom port for the Agent-Server communication port, as recommended, rather than the default port 80.
I am having trouble figuring out why I would need or want to have two listening ports open for agent -> server communication. My understanding has always been that the agent -> server communication has been over the proprietary SPIPE protocol, which is encrypted. What is the purpose or advantage of having both an Agent-Server communication port and an Agent-Server communication secure port if the traffic is encrypted on both?
Is that a wrong assumption? Has data from the client sent to the server not been going over SPIPE all these years, but rather in plain text?
If, on the new server I enable Agent-Server communication secure port and configure it to a custom (not 443) port, is there any reason to leave the other Agent-Server communication port open? Why have two?
Is traffic on the agent-server communication secure port put through SPIPE and then SSL encrypted before being sent or does the secure port only use SSL and the standard (non-secure) communication port only use SPIPE?
I don't understand the need for two listening ports. Please help me to understand the difference.
It's simply to give you a choice as far as I know. Once the agent handler component of ePO was moved from proprietary code to apache it was then very easy to add SSL support, which is a feature that many customers had been requesting.
You're correct in that SPIPE traffic is encrypted - it's definitely not plaintext 🙂 Having both available gives you the choice of which encryption scheme you prefer to use.
With regard to disabling the non-SSL port, it depends on the agent versions that you have in your environment: some of the older agents require the non-SSL port for repository operations, for example. But assuming your agents are all recent (as in MA 5.x) then these are all capable of doing everything they need to over the SSL port.
Finally with regard to the two schemes - they're separate in that the agent does not do SPIPE first and then wrap it in SSL. It's "normal" SSL on the SSL port and SPIPE on the non-SSL port.