Job Management Partner 1/Performance Management - Agent Option for Virtual Machine Description, User's Guide and Reference

[Contents][Glossary][Index][Back][Next]

Appendix D.2 Firewall passage direction

Organization of this subsection
(1) Setting up the firewall passage direction
(2) Setting up the firewall passage direction (in a logical host operation)
(3) Firewall passage direction during communication between PFM - Agent for Virtual Machine and VMware Web Service
(4) Firewall passage direction during communication between PFM - Agent for Virtual Machine and Hyper-V

(1) Setting up the firewall passage direction

When PFM - Manager and PFM - Agent for Virtual Machine are installed across a firewall, set up fixed port numbers for all services of PFM - Manager and PFM - Agent. Furthermore, set up each port number in the direction shown in the table below to allow all services to pass through the firewall.

Table D-2 Firewall passage direction (between PFM - Manager and PFM - Agent)

Service name Parameter Passage direction
Agent Store service jp1pcsto5[nnn]# Agent [Figure] Manager
Agent Collector service jp1pcagt5[nnn]# Agent [Figure] Manager

Legend:
Manager: PFM - Manager host
Agent: PFM - Agent host
[Figure]: Direction for starting communication (connection) from the item on the right to the item on the left

#
When multiple instances are created, serial numbers (nnn) are added to the second and subsequent instances. No serial number is added to the first instance created.

When communication (connection) is started, the side receiving the connection (the side to which the arrow points) uses the port number in Table D-1 as the receiving port. The connecting side uses a free port number assigned by the OS. The range of port numbers used in this case varies according to the OS.

For Agent [Figure] Manager in the above table, set up the firewall such that the sending port temporarily used by Manager can pass through the receiving port of Agent.

Note:
To execute the jpctool db dump command or the jpctool service list command on the PFM - Agent host, use either of the following methods:
  • In the jpctool db dump command or jpctool service list command, specify the proxy option such that communication takes place via PFM - Manager. For details about the proxy option of the jpctool db dump command or jpctool service list command, see the chapter that explains commands in the manual Job Management Partner 1/Performance Management Reference.
  • Set port numbers between PFM - Agent hosts in the directions shown in the table below to allow them to pass through the firewall.

    Table D-3 Firewall passage direction (between PFM - Agent hosts)

    Service name Parameter Passage direction
    Agent Store service jp1pcsto5[nnn]# Agent [Figure] [Figure] Agent
    Agent Collector service jp1pcagt5[nnn]# Agent [Figure] [Figure] Agent

    Legend:
    Agent: PFM - Agent host
    [Figure] [Figure]: Direction for starting communication (connection) from the item on the left to the item on the right, and from the item on the right to the item on the left

    #
    When multiple instances are created, serial numbers (nnn) are added to the second and subsequent instances. No serial number is added to the first instance created.

(2) Setting up the firewall passage direction (in a logical host operation)

When PFM - Manager and PFM - Agent for Virtual Machine are installed across a firewall, set fixed port numbers for all services of PFM - Manager and PFM - Agent. Furthermore, set each port number in the direction shown in the table below to allow all services to pass through the firewall.

Table D-4 Firewall passage direction (between PFM - Manager and PFM - Agent (in a logical host operation))

Service name Parameter Passage direction
Agent Store service (logical host) jp1pcsto5[nnn]# Agent (logical host) [Figure] Manager
Agent Collector service (logical host) jp1pcagt5[nnn]# Agent (logical host) [Figure] Manager

Legend:
Manager: PFM - Manager host
Agent (logical host): PFM - Agent host
[Figure]: Direction for starting communication (connection) from the item on the right to the item on the left

#
When multiple instances are created, serial numbers (nnn) are added to the second and subsequent instances. No serial number is added to the first instance created.

When communication (connection) is started, the side receiving the connection (the side to which the arrow points) uses the port number in Table D-1 as the receiving port. The connecting side uses a free port number assigned by the OS. The range of port numbers used in this case varies according to the OS.

For Agent (logical host) [Figure] Manager, set up the firewall such that the sending port temporarily used by Manager can pass through the receiving port of the logical host of Agent.

(3) Firewall passage direction during communication between PFM - Agent for Virtual Machine and VMware Web Service

To collect VMware information, PFM - Agent for Virtual Machine needs to communicate with VMware Web Service. Therefore, when PFM - Agent for Virtual Machine and VMware Web Service are installed across a firewall, make the port number that was specified when setting the instance information for the PFM - Agent for Virtual Machine host usable for passing through the firewall. The communication direction between PFM - Agent for Virtual Machine and VMware Web Service is shown below.

Passage direction
PFM - Agent for Virtual Machine (Agent Collector service) [Figure] VMware Web Service

Legend:
[Figure]: Direction for starting communication (connection) from the item on the left to the item on the right

The table below shows the values that can be specified for the port number, which is one of the items in the instance information settings. For details, see 2.1.4(2) Setting up an instance environment.

Table D-5 Values that can be specified for the port number, which is one of the items in the instance information settings

Description Setting item Value that can be set Default
VMware Web Service target port number Port 0-65,535 Port = 0#

#
When Port = 0, use the following port number according to the Security value:
  • When the Security value is 0:
    Port = 80
  • When the Security value is 1:
    Port = 443

(4) Firewall passage direction during communication between PFM - Agent for Virtual Machine and Hyper-V

To collect Hyper-V information, it is necessary for PFM - Agent for Virtual Machine to use WMI to communicate with Hyper-V. Therefore, when PFM - Agent for Virtual Machine and Hyper-V are installed across a firewall, passage through the firewall must be enabled.

Passage direction
PFM - Agent for Virtual Machine (Agent Collector service) [Figure] Hyper-V

Legend:
[Figure]: Direction for starting communication (for connecting) from the item on the left to the item on the right

WMI uses DCOM. Because DCOM uses dynamic port allocation, the port used for DCOM must pass through the firewall. For details about the setup method, see the firewall product's documentation or check with the firewall product's developer.

Operation via a firewall is not suitable because individual WMI and DCOM requests cannot be separated. The following figure shows a recommended configuration.

Figure D-1 Example of configuration where the port used for DCOM passes through a firewall

[Figure]

[Contents][Back][Next]

[Trademarks]

All Rights Reserved. Copyright (C) 2009, 2010, Hitachi, Ltd.