I am rolling out a 3100 appliance with multiple 2100 appliances that will be responsible for scanning remote nets on behalf of the 3100. I have been looking at the documentation, and have noted the following:
1) From the 'McAfee Vulnerability Manager Installation Guide' (v7 - latest on portal), page 23 I can see that the scan engine communicates with the scan controller over 3803/tcp. I can also see that the FCM agent that will be located on the scan engine communicates to the configuration manager over 3801/tcp.
2) From the same guide, communication path 9 (you will need to check guide) also states 'REST over HTTPS or HTTP'
3) KB50834 *seems* to advise that the scan engine needs to have port 3800/tcp opened to it, *or* that it communicates out over 3800/tcp. It is not really made clear by the table...
4) KB54199 *seems* to imply that no ports need to be allowed to the scan engine itself, as section 4 does not list an option for scan engine.
Now I have highlighted what I have found, I will detail what I have tested so far. Note that the below has been tested in a virtual environment on Windows servers, so this may explain any discrepancies. I have two virtual MVM servers, one with *all* components installed, and the other with only the scan engine component installed (configured to connect over 3801/tcp to the enterprise manager machine). If I open the FCM console on the Enterprise Manager I can see the following components on the 'scan engine only' server: Configuration Agent, FASL engine, Scan Engine.
From the main enterprise manager, I configured a default scan of one host, and configured this to be scanned from the 'scan engine only' server. At all times I had Wireshark running on the 'scan engine only' server.
What I found:
1) When left on its own, the scan engine server will create a new connection over port 3803/tcp to the enterprise manager and tear it down every 60 seconds.
2) When left on its own, the scan engine appears to keep a connection open over port 3801/tcp to the enterprise manager.
3) When a scan is created and set to run immediately on the enterprise manager, the scan engine appears to create a new connection over port 3803/tcp (out of the usual 60 second loop).
4) When the scan had finished, and all results were available on the enterprise manager server (remember it has all the components), all I had ever seen was connections *from* the scan engine *to* the enterprise manager over ports 3803/tcp and 3801/tcp (indeed a netstat shows that the engine is not listening on any 'interesting' ports).
- At no point did the enterprise manager initiate a new connection to the scan engine.
- At no point did the scan engine initiate a new connection to the enterprise manager over any other port (including 3800, 443 or 80).
So after that big ramble, my final question(s) is(are...):
1) Do I need to open up any other ports for the operation of the scan engine other than 3801/tcp and 3803/tcp to the enterprise manager? (not including RDP for OS management etc)
2) If I need to open up any other ports, what do I need to open, from where and to where, and what are the purposes of these ports. Furthermore, would there be any reason that I did not see this traffic when I simulated a scan using that scan engine?
Pheeeeew, I'm gonna take a breath now.
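As an added example (not from the original post, and not McAfee's own tooling), a small Python script that summarises the TCP connection initiations captured on the scan-engine host, flags anything other than the two outbound ports observed above, and measures the gap between successive 3803/tcp setups. The IP addresses, the sample lines and the tshark-style line format are assumptions.

```python
"""Summarise connection initiations (SYN packets) seen on a scan-engine host.

Assumed format per line: "<seconds> <src>:<sport> -> <dst>:<dport>", as one
might produce from a capture filtered to SYN-only packets. Sample data below
is constructed, not a real capture.
"""
import re
from collections import Counter

ENGINE_IP = "10.0.0.20"         # assumed address of the 'scan engine only' host
MANAGER_IP = "10.0.0.10"        # assumed address of the enterprise manager
ALLOWED_OUTBOUND = {3801, 3803}  # the only ports the post saw the engine use

# Constructed sample: one long-lived 3801 session, then 3803 setups every ~60 s
# plus one extra 3803 setup when a scan was kicked off.
SAMPLE_SYNS = """\
0.000 10.0.0.20:49152 -> 10.0.0.10:3801
0.120 10.0.0.20:49153 -> 10.0.0.10:3803
60.130 10.0.0.20:49160 -> 10.0.0.10:3803
120.140 10.0.0.20:49171 -> 10.0.0.10:3803
131.500 10.0.0.20:49180 -> 10.0.0.10:3803
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_syns(text):
    """Return a list of (time, initiator_ip, responder_ip, responder_port)."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the assumed format
            flows.append((float(m["t"]), m["src"], m["dst"], int(m["dport"])))
    return flows

def classify(flows):
    """Count initiator->responder:port tuples and list anything not expected."""
    summary = Counter((src, dst, port) for _, src, dst, port in flows)
    findings = []
    for (src, dst, port), n in sorted(summary.items()):
        if dst == ENGINE_IP:  # the manager (or anyone) connecting *in* to the engine
            findings.append(f"inbound to engine from {src} on {port}/tcp ({n}x)")
        elif src == ENGINE_IP and port not in ALLOWED_OUTBOUND:
            findings.append(f"unexpected outbound from engine to {dst}:{port}/tcp ({n}x)")
    return summary, findings

def syn_intervals(flows, port):
    """Seconds between successive engine-initiated setups to one port."""
    times = sorted(t for t, src, _, p in flows if src == ENGINE_IP and p == port)
    return [round(b - a, 1) for a, b in zip(times, times[1:])]
```

Run it against your own capture by replacing SAMPLE_SYNS; a non-empty findings list is exactly the traffic you would need an extra firewall rule for.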