[Solved] Architecture and network communications

#1 sdelangue
Posted 02 December 2009 - 02:11 PM

TERMINOLOGY IN THIS DOCUMENT
---

- 'Client application' refers to the following:
. SP Monitor.
. SP Analyst console.
. SP Portal.

- Arrows with a single line ('-->' and '<--') correspond to communication where the communication channel is closed after the communication is finished.

- Arrows with a double line ('==>' and '<==') correspond to communication where the communication channel is opened permanently.

- Square brackets ('[' and ']') represent a machine.

- Standard brackets ('(' and ')') represent a program, possibly with its listening port.


DESCRIPTION OF THE COMMUNICATION
---

- Query the agent for real time information:
. [(Client application)] ==> [(9900, Communication Server) ==> (Dynamic port, Management Server)] --> [(9501, Collector)]

- Query the agent for history information and remote configuration:
. [(Client application)] ==> [(9900, Communication Server) ==> (Dynamic port, Management Server)] --> [(9502, File Server)]

- Receive alerts:
. [(Client application)] ==> [(9900, Communication Server) ==> (Dynamic port, Management Server, Dynamic port)] <-- [(Collector)]

- Obtain a token (license):
. [(Program requesting the token)] --> [(9955, Token Server)]


AGENTS IN DMZs
---

When agents are running in a 'DMZ' site, the site where SP Analyst is running is called the 'secured zone'.

Therefore:
- A Management Server is installed in each DMZ (and hence a Communication Server).
- A Management Server in a DMZ talks only to the agents in the local DMZ.
- SP Analyst consoles connect to each Management Server.
- Only port 9900 is necessary to allow the communication between SP Analyst and the Management Server (via Communication Server). Communication is towards Management Server.


FIREWALL BETWEEN MANAGEMENT SERVER AND AGENTS
---

In general, there is no firewall between Management Server and the agents. Therefore in general there is no particular issue for the communication.

It may happen that there is a firewall between Management Server and the agents. In that case all ports must be fixed and opened on the firewall.

- On Management Server:
. Fix the port on which Management Server receives alerts (e.g. port 9505).

- On the firewall:
. Open 9501 for Collector (communication towards Collector).
. Open 9502 for File Server (communication towards File Server).
. Open the port fixed for Management Server (communication towards Management Server).


TOKEN SERVER
---

In general there is no firewall between the program requesting the license and Token Server. Therefore in general there is no particular issue for the communication.

It may happen that there is a firewall between the program requesting the license and the Token Server. In that case ports must be opened on the firewall:
- Open port 9555 (communication towards Token Server).

If the above port cannot be opened in the required direction, then a Token Server gateway is necessary to reverse the direction of the communication.

Architecture with Token Server Gateway:
- A master Token Server can be installed in the secured zone.
- Secondary Token Server is installed in the DMZ.
- Only the master Token Server will hold the licenses.
- The secondary Token Server will just handle communication (it runs as a gateway).
- Agents will request their licenses from the local Token Server gateway (probably no port issue).
- One port needs to be opened between the master Token Server and the Token Server gateway, port 9556, in the direction master towards gateway.

[(Collector or Observer, in DMZ)] --> [(9955, Token Server gateway, in DMZ, 9556)] <== [(Master Token Server, in secured zone)]
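
The flows above, turned into the firewall openings each boundary needs. This is an added example, not code from the original post or from the SP product: the port numbers, program names and the '==>' / '-->' distinction are taken from the post, while the zone names ('secured', 'dmz', 'agents'), the data model and the helper names are assumptions made for this example. It also shows why the dynamic alert port has to be fixed before a rule can be written for it, and it generalises the post's per-section lists to any pair of zones.

```python
"""Derive the firewall openings implied by the SP communication flows.

Added example; not the original post's or the SP product's own code.
Ports and program names come from the post; zones, data model and helper
names are assumptions made here.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

DYNAMIC: Optional[int] = None  # listening port chosen at run time; no rule can be written until it is fixed


@dataclass(frozen=True)
class Endpoint:
    program: str
    zone: str
    port: Optional[int] = None  # listening port when this side accepts the connection


@dataclass(frozen=True)
class Flow:
    src: Endpoint        # side that opens the TCP connection
    dst: Endpoint        # side that listens
    persistent: bool     # '==>' in the post (channel kept open); '-->' closes after the exchange


# Zones assumed here: 'secured' (consoles, master Token Server), 'dmz' (Management
# Server, Communication Server, Token Server gateway) and 'agents' (Collector,
# File Server). Without a firewall between Management Server and the agents,
# 'dmz' and 'agents' are effectively one zone and no 'dmz'/'agents' rules apply.
MONITORING_FLOWS = [
    Flow(Endpoint("SP Analyst", "secured"), Endpoint("Communication Server", "dmz", 9900), True),
    Flow(Endpoint("Management Server", "dmz"), Endpoint("Collector", "agents", 9501), False),
    Flow(Endpoint("Management Server", "dmz"), Endpoint("File Server", "agents", 9502), False),
    # Alerts: the Collector connects back to a dynamic port on Management Server ('<--' in the post).
    Flow(Endpoint("Collector", "agents"), Endpoint("Management Server", "dmz", DYNAMIC), False),
]
LICENSE_FLOWS = [
    Flow(Endpoint("Collector", "agents"), Endpoint("Token Server gateway", "dmz", 9955), False),
    Flow(Endpoint("Master Token Server", "secured"), Endpoint("Token Server gateway", "dmz", 9556), True),
]


def crosses(flow: Flow, zone_a: str, zone_b: str) -> bool:
    """True when the flow passes a firewall placed between zone_a and zone_b."""
    return {flow.src.zone, flow.dst.zone} == {zone_a, zone_b}


def unfixed_ports(flows: List[Flow], zone_a: str, zone_b: str) -> List[Flow]:
    """Crossing flows whose listening port is still dynamic; these must be pinned
    (the post suggests 9505 for alerts) before a firewall rule can express them."""
    return [f for f in flows if crosses(f, zone_a, zone_b) and f.dst.port is DYNAMIC]


def fix_port(flows: List[Flow], program: str, port: int) -> List[Flow]:
    """Return the flows with the named program's dynamic listening port fixed to `port`."""
    return [replace(f, dst=replace(f.dst, port=port))
            if f.dst.program == program and f.dst.port is DYNAMIC else f
            for f in flows]


def required_openings(flows: List[Flow], zone_a: str, zone_b: str) -> Set[Tuple[str, str, int, str]]:
    """(src_zone, dst_zone, dst_port, dst_program) tuples a stateful firewall between
    the two zones must allow. Only the connection direction matters: replies and the
    long-lived '==>' channels ride the established session, so no reverse rule is needed."""
    pending = unfixed_ports(flows, zone_a, zone_b)
    if pending:
        names = ", ".join(f.dst.program for f in pending)
        raise ValueError(f"fix the dynamic listening port(s) first: {names}")
    return {(f.src.zone, f.dst.zone, f.dst.port, f.dst.program)
            for f in flows if crosses(f, zone_a, zone_b)}


def to_rules(openings: Set[Tuple[str, str, int, str]]) -> List[str]:
    """Render openings as vendor-neutral one-line allow rules."""
    return sorted(f"allow tcp from {s} to {d} dport {p}   # {prog}"
                  for s, d, p, prog in openings)


if __name__ == "__main__":
    # Firewall between the secured zone and the DMZ: everything is inbound to the DMZ.
    print("\n".join(to_rules(required_openings(MONITORING_FLOWS + LICENSE_FLOWS, "secured", "dmz"))))
    # Firewall between Management Server and the agents: the alert port must be fixed first.
    fixed = fix_port(MONITORING_FLOWS, "Management Server", 9505)
    print("\n".join(to_rules(required_openings(fixed, "dmz", "agents"))))
```

Running it prints the two rule sets the post describes: 9900 and 9556 inbound to the DMZ from the secured zone, and 9501/9502 towards the agents plus the fixed alert port 9505 back towards Management Server. Asking for the 'dmz'/'agents' rules before pinning the alert port raises an error rather than silently omitting the alert flow, which is the mistake the post's "all ports must be fixed" line is guarding against.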
