4 Replies Latest reply on Aug 17, 2011 2:32 AM by dmease729

    Query on ports required for remote MVM2100 appliance

    dmease729

      Hi All,

      I am rolling out a 3100 appliance with multiple 2100 appliances that will be responsible for scanning remote nets on behalf of the 3100. I have been looking at the documentation, and have noted the following:


      1) From the 'McAfee Vulnerability Manager Installation Guide' (v7 - latest on portal), page 23 I can see that the scan engine communicates with the scan controller over 3803/tcp.  I can also see that the FCM agent that will be located on the scan engine communicates to the configuration manager over 3801/tcp. 

      2) From the same guide, communication path 9 (you will need to check the guide) also states 'REST over HTTPS or HTTP'.

      3) KB50834 *seems* to advise that the scan engine needs to have port 3800/tcp opened to it, *or* that it communicates out over 3800/tcp.  It is not really made clear by the table...

      4) KB54199 *seems* to imply that no ports need to be allowed to the scan engine itself, as section 4 does not list an option for scan engine.


      Now I have highlighted what I have found, I will detail what I have tested so far. Note that the below has been tested in a virtual environment on Windows servers, so this may explain any discrepancies. I have two virtual MVM servers, one with *all* components installed, and the other with only the scan engine component installed (configured to connect over 3801/tcp to the enterprise manager machine). If I open the FCM console on the Enterprise Manager I can see the following components on the 'scan engine only' server: Configuration Agent, FASL engine, Scan Engine.

      From the main enterprise manager, I configured a default scan of one host, and configured this to be scanned from the 'scan engine only' server.  At all times I had wireshark running on the 'scan engine only' server.


      What I found:


      1) When left on its own, the scan engine server will create a new connection over port 3803/tcp to the enterprise manager and tear it down every 60 seconds.

      2) When left on its own, the scan engine appears to keep a connection open over port 3801/tcp to the enterprise manager.

      3) When a scan is created and set to run immediately on the enterprise manager, the scan engine appears to create a new connection over port 3803/tcp (out of the usual 60 second loop).

      4) When the scan had finished, and all results were available on the enterprise manager server (remember it has all the components), all I had ever seen was connections *from* the scan engine *to* the enterprise manager over ports 3803/tcp and 3801/tcp (indeed a netstat shows that the engine is not listening on any 'interesting' ports).

           - At no point did the enterprise manager initiate a new connection to the scan engine.

           - At no point did the scan engine initiate a new connection to the enterprise manager over any other port (including 3800, 443 or 80).


      So after that big ramble, my final question(s) is(are...):


      1) Do I need to open up any other ports for the operation of the scan engine other than 3801/tcp and 3803/tcp to the enterprise manager? (not including RDP for OS management etc)

      2) If I need to open up any other ports, what do I need to open, from where and to where, and what are the purposes of these ports.  Furthermore, would there be any reason that I did not see this traffic when I simulated a scan using that scan engine?


      Pheeeeew, I'm gonna take a breath now.


      Cheers!

        • 1. Re: Query on ports required for remote MVM2100 appliance

          Hi Darren,


          I believe your assumptions are correct.  I'm going to forward your question to Jeff because he typically has all the answers for this.


          -Cathy

          • 2. Re: Query on ports required for remote MVM2100 appliance
            jhaynes

            What this really comes down to is different components talking to each other on specific ports. The only possible components that can run on the 2100 are:

            • Scan Engine
            • Scan Controller
            • FCAgent


            The MVM 2100 ships with 6.7 installed on it. In 6.7 the Scan Engine and the Scan Controller are running as a single component communicating back to the database on TCP Port 1433. In 7.0 we separated the Scan Engine and Scan Controller into two separate processes. This allows an engine to be its own Scan Controller or use a different Scan Controller. In 7.0 the Scan Engine communicates to the Scan Controller on TCP Port 3803 regardless of whether the Scan Controller is local to the Scan Engine or not.


            So based on what you described above I'm guessing that your MVM 2100 is not acting as its own Scan Controller and it's using the Scan Controller installed on the Enterprise Manager. If that's accurate, here are the ports you need to open.


            MVM 2100 Scan Engine --------3803----->to Scan Controller

            MVM 2100 FCAgent -------3801------> to FCServer (FCM Console)


            For management purposes I suggest you allow RDP to the MVM 2100

            MVM 2100 <-----3389------?????


            If my guess is not accurate and you are running a Scan Controller on the MVM 2100 and the Scan Engine on it is configured to use that Scan Controller you need to do this.


            MVM 2100 Scan Engine --------3803----->to local Scan Controller

            MVM 2100 Scan Controller ------1433----->to database

            MVM 2100 FCAgent -------3801------> to FCServer (FCM Console)


            I hope that clarifies how this works.


            Jeff Haynes
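As an added example (not code from this thread, McAfee, or the MVM product), the following Python check turns Windows `netstat -an` output captured on a 2100 into socket records and compares them against the port map Jeff gives above for both deployment modes, reporting expected ports that never appeared and sockets the map does not account for. The IP addresses, the `NETSTAT_SAMPLE` rows and the mode names are constructed for the demonstration.

```python
import re
from typing import List, NamedTuple, Set, Tuple
# Outbound TCP ports the MVM 2100 needs in each deployment mode, per the reply above.
# "local_controller" means a Scan Controller runs on the appliance itself.
EXPECTED_OUTBOUND = {
    "remote_controller": {3803, 3801},       # Engine->Controller, FCAgent->FCServer
    "local_controller": {3803, 1433, 3801},  # plus local Controller->database
}
ALLOWED_INBOUND = {3389}  # RDP for management, the only inbound service expected
class Conn(NamedTuple):
    proto: str
    local_port: int
    remote_port: int
    state: str

# Matches Windows "netstat -an" rows; header lines do not match and are skipped.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+:(\d+|\*)\s*(\S*)\s*$")

def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat -an output into Conn records (a '*' foreign port is recorded as 0)."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, lport, rport, state = m.groups()
            rows.append(Conn(proto, int(lport), 0 if rport == "*" else int(rport), state))
    return rows

def audit(conns: List[Conn], mode: str) -> Tuple[Set[int], List[Conn]]:
    """Return (expected ports never seen, TCP sockets the port map does not cover)."""
    expected = EXPECTED_OUTBOUND[mode]
    seen: Set[int] = set()
    unexpected: List[Conn] = []
    for c in conns:
        if c.proto != "TCP" or c.local_port in ALLOWED_INBOUND:
            continue                    # skip UDP and the RDP listener/session
        if c.state == "LISTENING":
            unexpected.append(c)        # the engine should not need any other listener
        elif c.remote_port in expected:
            seen.add(c.remote_port)
        else:
            unexpected.append(c)        # an outbound flow the port map does not account for
    return expected - seen, unexpected

# Constructed sample: a 2100 at 192.0.2.20 talking to an Enterprise Manager at 192.0.2.10.
NETSTAT_SAMPLE = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.20:49170       192.0.2.10:3801        ESTABLISHED
  TCP    192.0.2.20:49171       192.0.2.10:3803        TIME_WAIT
  TCP    192.0.2.20:49172       192.0.2.10:1433        ESTABLISHED
  TCP    192.0.2.20:3389        192.0.2.50:51234       ESTABLISHED
  UDP    0.0.0.0:500            *:*"""
```

Run `audit(parse_netstat(NETSTAT_SAMPLE), "remote_controller")` on the sample and the 1433 connection is flagged, since an appliance using the Enterprise Manager's Scan Controller has no business talking to the database; in `"local_controller"` mode the same capture passes clean.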

            • 3. Re: Query on ports required for remote MVM2100 appliance
              dmease729

              Cheers Jeff,


              That post has been a great help! Still leaves me wondering what the 'REST over HTTPS or HTTP' means in the documentation, but I think I am going to park that thought for now :-)


              Muchly obliged,

              • 4. Re: Query on ports required for remote MVM2100 appliance
                dmease729

                Hi Again,


                Further to my last reply, I have been thinking - if the 2100 ships with 6.7 by default, then it is already running the scan engine and scan controller combined. When connecting to FCM, the engine will auto-upgrade to the latest version - if it does this, it still has the scan engine and scan controller running - is it possible to remove the scan controller element and reconfigure it to use the scan controller on the enterprise manager? We may not do this, however it is just something that I am curious about. May be a case of RTMorKB :-) - working on Checkpoint stuff at the moment, if I get the chance to dig around I will answer myself!