4 Replies Latest reply on Jan 11, 2011 3:17 PM by DazSki

    What are the Minimum essential ports and direction in firewall for Agent 4.5

      I have done quite a bit of reviewing of questions and answers and looking at the information and I just want to clarify something before I go have a possibly large argument internally.

      This is so I can limit the number of open ports in the firewall.

       

       

      For a McAfee Agent, what are the minimum essential ports and their direction that are required for the ePO communication?

       

      Using : https://kc.mcafee.com/corporate/index?page=content&id=KB66797

       

      From my looking, this is my presumption.

       

      Agents are 4.5

      ePO Server is 4.5

       

       

      No  Port  Service  Direction                     Description                               Detail
      1)  443   SSL TCP  Agent Outbound to ePO         Agent communications to EPO               required for Agent to contact ePO server
      2)  8081  ?   TCP  ePO inbound to Agent          Wake up request to Agent from ePO server  unsure why required
      3)  21    ftp TCP  Agent Outbound to Repository  Pull updates into Client                  to get DAT and other updates from ePO or repository server

       

      NB: I realise 3) could also be http but... that is possibly marginally worse than allowing ftp .. depending on your point of view.

       

      My questions:

      Are only 1) and 3) required or do you need 2) as well?

       

      Is 2) essential or only nice to have, i.e. you can from the ePO server push or query the agent running on a client?

       

      Can you only use ftp or http to retrieve updates etc from a repository?

       

      .... and ... while I am asking stupid questions I might as well ask one more

                    Where you have multiple repositories, say 10 repositories, I presume you would need all 10 IP's in the rule (

       

      Also there are a couple of other Services

      Port 8082 UDP - Agent Broadcast communication port - which looks to be only used by SuperAgents (or for SuperAgents to communicate with Agents) So if you are not using SuperAgents it is either NOT required, or if the SuperAgent is on the Agent side of the firewall it doesn't need to be open in the firewall.

       

      Port 8444 - Sensor to server communications port - for ePO App Server to receive RSD and Event Parser connections - ?? not sure if Agents do this job so I presume not required.

       

       

      Sincerely

       

       

      Message was edited by: DazSki on 1/11/11 6:02:10 AM CST
        • 1. Re: What are the Minimum essential ports and direction in firewall for Agent 4.5

          oh also

           

          I am seeing in the current firewall logs  the following interaction

           

          i) - Call to ePO on Port 443  (reported as https)

          ii) - Call to Repository-A using Port 22 (reported as ssh)

          iii)- call to another Repository-B using Port 22 (reported as ssh)

          iv) - call to another Repository-C using port 21  (reported as ftp)

          v) - call Repository-C using port 21 (reported as ftp)

           

          vi) repeat of steps i) to v)  [ i.e. straight after v) occurs it returns to i) ].

           

          Any ideas why it is making the two Port 22 calls, i.e. steps ii) and iii)?  There is no mention of Port 22 in the Documentation I can find.

           

          Cheers

          • 2. Re: What are the Minimum essential ports and direction in firewall for Agent 4.5

            Hello  DazSki,

             

            I'll try to answer a couple of your questions:

             

            Questions:

            No  Port  Service  Direction                     Description                               Detail
            1)  443   SSL TCP  Agent Outbound to ePO         Agent communications to EPO               required for Agent to contact ePO server
            2)  8081  ?   TCP  ePO inbound to Agent          Wake up request to Agent from ePO server  unsure why required
            3)  21    ftp TCP  Agent Outbound to Repository  Pull updates into Client                  to get DAT and other updates from ePO or repository server

             

            Answers:

            1) It's mandatory.

            2) It's very nice and really recommended to have enabled, but it's not mandatory. It's useful when you need to troubleshoot and/or tell your agents to take an urgent policy/task, so I'd really enable this port in any environment. Otherwise, the machines will be limited to the ASCI interval which by default is every 1 hour.

            3) If you are using FTP as repositories, yes, you will have to create a rule to allow ePO to replicate to your dist. repository and another rule to allow workstations to download DATs from its dist. repository.

             

            Question:

            Can you only use ftp or http to retrieve updates etc from a repository?

             

            Answer:

            Your repository options are HTTP, FTP, UNC, and SuperAgent (which runs over SPIPE - more info about SPIPE is here https://kc.mcafee.com/corporate/index?page=content&id=KB56111&actp=search&viewlocale=en_US&searchid=1294751192868 )

             

             

            Regards

            Bruno

            1 of 1 people found this helpful
            • 3. Re: What are the Minimum essential ports and direction in firewall for Agent 4.5

              By default, there is no ePO traffic on port 22.

              Take a look at the ePO configuration - Settings - Ports, in order to see all of the port numbers that are currently set in your environment (if nobody changed the default port to something like 22).

               

              Also take a look at your FTP repositories to see if there are any FTP configured on a different port.

               

              Another thing that I'd do is a network capture while monitoring this traffic from the epo server. After that review the network capture and try to see the contents of the traffic running on port 22. It might give you a better idea about what's going on.

               

              hope this helps,

               

              Regards,

              Bruno

              1 of 1 people found this helpful
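
An added example (not part of the original posts, and not McAfee code): a small Python audit that checks firewall log flows against the three flows discussed in this thread and surfaces anything else, such as the port 22 calls or a wake-up call in the wrong direction. The IP addresses, the four-field log format and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing (constructed, RFC 5737 documentation ranges).
EPO = {"192.0.2.10"}                                # single ePO server
REPOS = {"192.0.2.21", "192.0.2.22", "192.0.2.23"}  # every repository must be listed
AGENTS = ipaddress.ip_network("198.51.100.0/24")    # agent subnet


def is_agent(ip):
    return ipaddress.ip_address(ip) in AGENTS


# (name, source test, destination test, protocol, destination port)
# Only the FTP control port is listed; FTP data connections need a stateful
# firewall with FTP inspection or explicit passive-port rules.
RULES = [
    ("agent->ePO 443", is_agent, EPO.__contains__, "tcp", 443),
    ("ePO->agent wake-up 8081", EPO.__contains__, is_agent, "tcp", 8081),
    ("agent->repository ftp 21", is_agent, REPOS.__contains__, "tcp", 21),
]


def classify(src, dst, proto, dport):
    """Return the name of the matching rule, or None if the flow is unexpected."""
    for name, src_ok, dst_ok, rule_proto, rule_port in RULES:
        if proto == rule_proto and dport == rule_port and src_ok(src) and dst_ok(dst):
            return name
    return None


def audit(lines):
    """Split 'src dst proto dport' log lines into (expected, unexpected) flows."""
    expected, unexpected = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flow = (src, dst, proto.lower(), int(dport))
        (expected if classify(*flow) else unexpected).append(flow)
    return expected, unexpected


# Constructed log lines mirroring steps i) to v) above, plus both 8081 directions.
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10 tcp 443
198.51.100.7 192.0.2.21 tcp 22
198.51.100.7 192.0.2.22 tcp 22
198.51.100.7 192.0.2.23 tcp 21
198.51.100.7 192.0.2.23 tcp 21
192.0.2.10 198.51.100.7 tcp 8081
198.51.100.7 192.0.2.10 tcp 8081
"""

if __name__ == "__main__":
    for flow in audit(SAMPLE_LOG.splitlines())[1]:
        print("UNEXPECTED", *flow)
```
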
              • 4. Re: What are the Minimum essential ports and direction in firewall for Agent 4.5

                G'day Bruno

                 

                Many thanks for the response.

                 

                Sorry but just to confirm.

                 

                Are those the only ports and directions that are required?

                i.e

                1)  Agent to ePO on 443   (Agent to ePO)

                2) ePO to Agent on 8081  (ePO to Agent)

                3)  repository updates ( Agent to Repository(s))

                 

                just while I am thinking

                1)  is a single Point?  i.e. there is only one location for the ePO Server as this is the Command Centre

                2) is a single point i.e. the main ePO Server, as this is the Command Centre

                3) can be many (i.e. many repositories)

                 

                again many thanks for the quick response.