Non-Secure Environment

Firewall Ports

Figure D-2 shows the connection points between the physical components in an Operations Sentinel enterprise environment. It shows the communication paths and the contact port assignments for Operations Sentinel Console applications. If you place a firewall between any of the components, it must be configured to allow communication for the contact port assignments shown in the communication path.

Figure D.2. Overview of Operations Sentinel Ports in Non-Secure Environment

The firewall must allow access to the following ports. All ports listed are TCP unless noted otherwise.

Definition of Ports

The following illustrations and accompanying definitions describe the individual contact port assignments and how they are used by Operations Sentinel services and applications.

spo_pcam 5002/tcp

The port (see Figure D-3) where the PCAM service listens for connections from Operations Sentinel Console clients. The clients are the components of the Operations Sentinel services that execute on the Operations Sentinel server.

Figure D.3. Port spo_pcam 5002/tcp

spo_log 5003/tcp

The port (see Figure D-4) where the SPLOG service listens for connections from various Operations Sentinel components used by Operations Sentinel Logging to receive control information about Operations Sentinel logs.

spo_vbc 5003/udp

A UDP port (see Figure D-4) that receives status from the OS 2200 console and from the VMUX service on the hosting Operations Sentinel server. The firewall must allow the broadcast from the hosting Operations Sentinel server to the managing server.

Figure D.4. Ports spo_log 5003/tcp and spo_vbc 5003/udp

spo_amux 5004/tcp

The listening port (see Figure D-5) for the AMUX service where it receives connections from the UCI processes that are launched to handle UNIX, Linux, and MCP connections. Similar to spo_pc, the Windows operating system on which Operations Sentinel server software is running selects the other end of these connections from the user pool of ports. This port is strictly internal to the managing Operations Sentinel server. The firewall does not need to open it.

Figure D.5. Port spo_amux 5004/tcp

spo_alert 5005/tcp

The listening port (see Figure D-6) on the Operations Sentinel server for the SPALS service that receives alerts from the Operations Sentinel server components. These include alerts that Operations Sentinel itself raises and alerts raised by event reports a customer built using the Event Services API. In contrast, the Windows Resource Monitor does not use it.

The firewall must allow the workstation to connect to the managing Operations Sentinel server using this TCP port. It also must allow any API clients sending AL event reports and any systems using the UNIX/Linux Resource Monitor to connect to the managing Operations Sentinel server using this TCP port.

Figure D.6. Port spo_alert 5005/tcp

spo_log2 5006/tcp

The listening port (see Figure D-7) that receives information, through LG event reports, that is recorded in Operations Sentinel logs. The firewall must allow the workstation and the Operations Server to connect to the managing Operations Sentinel server using this TCP port.

Figure D.7. Port spo_log2 5006/tcp

spo_universal 5007/tcp

The listening port (see Figure D-8) on the Operations Sentinel server used by the universal event server, SPUES, for the receipt of events from Operations Sentinel components. Operations Sentinel supplies agents for managed systems, and customers can write agents using the Event Services API library. The firewall must allow the connection to the managing Operations Sentinel server from any network entity that can send Operations Sentinel events. This includes all managed systems and any other nodes running a user-written Operations Sentinel API client.

spo_vci 5009/tcp

The port (see Figure D-9) where the VCI component running on the Operations Server of a ClearPath Dorado Enterprise System listens for connections from the OS 2200 Console interface VMUX service. This is similar to the spo_pc and spo_mcp defined server (listen) ports on other physical machines where Operations Sentinel components connect. The firewall must allow the connection from the managing Operations Sentinel server and each workstation to the Operations Server.

Figure D.8. Port spo_universal 5007/tcp

Figure D.9. Port spo_vci 5009/tcp

spo_spud 5010/tcp

The listening port on the Operations Sentinel server that is used by the universal data server, SPUD. Communications on this port are within the Operations Sentinel server. Hence, this port does not affect communications outside the Operations Sentinel server.

spo_spurt 5011/tcp

The listening port on the Operations Sentinel server used by the universal runtime server, SPURT, for the receipt of events from the Operations Sentinel Console (OSC). Because the OSC runs on the workstation, the firewall must allow the connection from the workstation to the managing Operations Sentinel server through this port.

spo_sporegistryservice 8733/tcp

The listening port on the Operations Sentinel server used by the SpoRegistryService to read and write remote registry entries. The firewall must allow the connection from the managing Operations Sentinel server to the workstation and other components of Operations Sentinel through this port.

spo_mcp 10301/spo_msg

The TCP port (see Figure D-10) where a UCI instance connects on an MCP system that Operations Sentinel is monitoring. The firewall must allow the connection from the managing Operations Sentinel server to the MCP system.

spo_mcp2 10302/spo_msg

The TCP port (see Figure D-10) where a UCI instance connects to the second (test) instance of an Operations Sentinel Interface to ClearPath MCP on an MCP system. If the site uses this port, which is usually when there are three or four Operations Sentinel servers, the firewall must allow the connection from the managing Operations Sentinel server to the MCP system.

Figure D.10. Ports spo_mcp 10301/spo_msg and spo_mcp2 10302/spo_msg

spo_telnet 23/spo_telnet

This is the default port (see Figure D-11) where the Operations Sentinel universal control interface (UCI, used for UNIX and Linux monitoring) attaches on a managed system, that is, the port where the TELNET server of that system is listening. If you are using standard TELNET to monitor your UNIX and Linux or other TELNET-compliant system (DCP, VAX, and so forth), the firewall must allow the TCP connection from the managing Operations Sentinel server to the managed system.

Figure D.11. Port spo_telnet 23/spo_telnet

spo_ssh 22/spo_ssh, spo_ssh1 22/spo_ssh1, and spo_ssh2 22/spo_ssh2

The default port (see Figure D-12) where the Operations Sentinel universal control interface (UCI, used for UNIX and Linux monitoring) attaches on a managed system, that is, the port where the SSH service of that system is listening. If your site is using SSH to monitor an SSH-compliant system, the firewall must allow the TCP connection from the managing Operations Sentinel server to the managed system.

Figure D.12. Port spo_ssh 22/spo_ssh, spo_ssh1 22/spo_ssh1, and spo_ssh2 22/spo_ssh2

445 and 139

Both the UDP and TCP versions of port 445 (see Figure D-13) are assigned to Microsoft with the name Microsoft-DS. Port 139 (see Figure D-13) is the older version of port 445. OS 2200 Console View on an Operations Sentinel workstation initiates a connection to the Operations Server on port 445 to retrieve the logical console port value stored in a registry key. Port 139 is used if port 445 is not available.

The firewall must open one of these ports from the workstation to the Operations Server.

In addition, console macros and macro generators stored on the Operations Server are only available if port 445 or port 139 is open. The firewall must leave port 445 or port 139 open from the workstation to the managing Operations Sentinel server to allow the workstation to read logs on the Operations Sentinel server. In a Dorado Series, console logs are kept on the Operations Server. If the Operations Sentinel workstation operator reads these logs, port 445 or port 139 must be open from the workstation to the Operations Server.

Figure D.13. Ports 445 and 139

ICMP

PING uses ICMP for IPv4 and ICMPv6 for IPv6 (see Figure D-14) rather than UDP or TCP. To use spo_ping for checking managed systems or for checking connectivity using Operations Sentinel Console, the firewall must allow the ICMP protocol to pass from the Operations Sentinel workstation to the managed system, and ICMP must be permitted on the target system.

Figure D.14. Port ICMP

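The flows defined above can be turned into a least-privilege check, shown here as an added example that is not part of the original documentation: it audits a set of firewall allow rules for required flows that are missing, for the server-internal ports (spo_amux, spo_spud) being opened, and for rules this page does not call for. The zone names, the rule tuple format, and the sample ruleset are assumptions constructed for illustration; spo_pcam, spo_log, the spo_vbc broadcast, and ICMP are left out of the model.

```python
# Added example: audit firewall allow rules against the flows this page describes.
# Zone names and the (src, dst, proto, port) rule format are assumptions of this sketch.
REQUIRED = {
    ("workstation", "managing", "tcp", 5005),    # spo_alert
    ("managed", "managing", "tcp", 5005),        # Resource Monitor / API clients
    ("workstation", "managing", "tcp", 5006),    # spo_log2
    ("ops_server", "managing", "tcp", 5006),
    ("managed", "managing", "tcp", 5007),        # spo_universal
    ("managing", "ops_server", "tcp", 5009),     # spo_vci
    ("workstation", "ops_server", "tcp", 5009),
    ("workstation", "managing", "tcp", 5011),    # spo_spurt
    ("managing", "workstation", "tcp", 8733),    # SpoRegistryService
    ("managing", "mcp", "tcp", 10301),           # spo_mcp
}
# Either port of a pair satisfies the requirement (445, or 139 as fallback).
ONE_OF = [
    {("workstation", "ops_server", "tcp", 445), ("workstation", "ops_server", "tcp", 139)},
    {("workstation", "managing", "tcp", 445), ("workstation", "managing", "tcp", 139)},
]
# Needed only when the site uses the feature (Telnet or SSH monitoring, second MCP instance).
SITE_DEPENDENT = {
    ("managing", "managed", "tcp", 23), ("managing", "managed", "tcp", 22),
    ("managing", "mcp", "tcp", 10302),
}
INTERNAL_ONLY = {("tcp", 5004), ("tcp", 5010)}   # spo_amux, spo_spud stay on the server

def audit(rules):
    """Return (missing, exposed, unexpected) for an iterable of allow rules."""
    rules = set(rules)
    missing = sorted(REQUIRED - rules)
    # Report the preferred port (the higher one, 445) when neither alternative is open.
    missing += [max(group) for group in ONE_OF if not group & rules]
    exposed = sorted(r for r in rules if (r[2], r[3]) in INTERNAL_ONLY)
    known = REQUIRED.union(SITE_DEPENDENT, *ONE_OF)
    unexpected = sorted(r for r in rules - known if r not in exposed)
    return missing, exposed, unexpected

# Constructed ruleset: drops spo_spurt, opens only 445 to the Operations Server,
# exposes spo_amux, and carries one rule the page never asks for.
SAMPLE_RULES = (REQUIRED - {("workstation", "managing", "tcp", 5011)}) | {
    ("workstation", "ops_server", "tcp", 445),
    ("managing", "managed", "tcp", 22),
    ("managed", "managing", "tcp", 5004),
    ("workstation", "managing", "tcp", 3389),
}

if __name__ == "__main__":
    for label, found in zip(("missing", "exposed", "unexpected"), audit(SAMPLE_RULES)):
        print(label, found)
```

Rules reported as exposed or unexpected are candidates for removal; rules reported as missing will break the corresponding Operations Sentinel function.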