Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Performance Management - Remote Monitor for Virtual Machine Description, User's Guide and Reference


D.2 Firewall passage direction

(1) Setting up the firewall passage direction

When PFM - Manager and PFM - RM for Virtual Machine are installed across a firewall, set up fixed port numbers for all services of PFM - Manager and PFM - RM for Virtual Machine. Furthermore, set up each port number in the direction shown in the table below to allow all services to pass through the firewall.

Table D‒2: Firewall passage direction (between PFM - Manager and PFM - RM for Virtual Machine)

| Service name | Parameter | Passage direction |
|---|---|---|
| Remote Monitor Store service | jp1pcsto8[nnn]# | RM ← Manager |
| Remote Monitor Collector service | jp1pcagt8[nnn]# | RM ← Manager |

Legend:

Manager: PFM - Manager host

RM: PFM - RM host

←: Direction for starting communication (connection) from the item on the right to the item on the left

#: When multiple instances are created, serial numbers (nnn) are added to the second and subsequent instances. No serial number is added to the first instance created.

When communication (connection) is started, the side receiving the connection (the side to which the arrow points) uses the port number in Table D-1 as the receiving port. The connecting side uses a free port number assigned by the OS. The range of port numbers used in this case varies according to the OS.

For RM ← Manager in the above table, set up the firewall such that the sending port temporarily used by Manager can pass through the receiving port of RM.

Note:

To execute the jpctool db dump command or the jpctool service list command on the PFM - RM host, use either of the following methods:

  • In the jpctool db dump command or jpctool service list command, specify the proxy option such that communication takes place via PFM - Manager. For details about the proxy option of the jpctool db dump command or jpctool service list command, see the chapter that explains commands in the manual Job Management Partner 1/Performance Management Reference.

  • Set port numbers between PFM - RM hosts in the directions shown in the table below to allow them to pass through the firewall.

    Table D‒3: Firewall passage direction (between PFM - RM hosts)

    | Service name | Parameter | Passage direction |
    |---|---|---|
    | Remote Monitor Store service | jp1pcsto8[nnn]# | RM ↔ RM |
    | Remote Monitor Collector service | jp1pcagt8[nnn]# | RM ↔ RM |

    Legend:

    RM: PFM - RM host

    ↔: Direction for starting communication (connection) from the item on the left to the item on the right, and from the item on the right to the item on the left

    #: When multiple instances are created, serial numbers (nnn) are added to the second and subsequent instances. No serial number is added to the first instance created.

(2) Setting up the firewall passage direction (in a logical host operation)

When PFM - Manager and PFM - RM for Virtual Machine are installed across a firewall, set fixed port numbers for all services of PFM - Manager and PFM - RM for Virtual Machine. Furthermore, set each port number in the direction shown in the table below to allow all services to pass through the firewall.

Table D‒4: Firewall passage direction (between PFM - Manager and PFM - RM for Virtual Machine (in a logical host operation))

| Service name | Parameter | Passage direction |
|---|---|---|
| Remote Monitor Store service (logical host) | jp1pcsto8[nnn]# | RM (logical host) ← Manager |
| Remote Monitor Collector service (logical host) | jp1pcagt8[nnn]# | RM (logical host) ← Manager |

Legend:

Manager: PFM - Manager host

RM (logical host): PFM - RM host

←: Direction for starting communication (connection) from the item on the right to the item on the left

#: When multiple instances are created, serial numbers (nnn) are added to the second and subsequent instances. No serial number is added to the first instance created.

When communication (connection) is started, the side receiving the connection (the side to which the arrow points) uses the port number in Table D-1 as the receiving port. The connecting side uses a free port number assigned by the OS. The range of port numbers used in this case varies according to the OS.

For RM (logical host) ← Manager, set up the firewall such that the sending port temporarily used by Manager can pass through the receiving port of the logical host of RM.

(3) Firewall passage direction during communication between PFM - RM for Virtual Machine and VMware

To collect VMware information, PFM - RM for Virtual Machine needs to communicate with VMware. Therefore, if there is a firewall between PFM - RM for Virtual Machine and VMware, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and VMware is shown below.

| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → VMware |

Legend:

→: Direction for starting communication (connection) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.

Table D‒5: Port numbers that can be used for communication with a monitoring target

| Description | Setting item | Value that can be set | Default |
|---|---|---|---|
| VMware target port number | Port | 0-65,535 | Port = 0# |

#: When Port = 0, use the following port number according to the Security value:

  • When the Security value is 0: Port = 80

  • When the Security value is 1: Port = 443

(4) Firewall passage direction during communication between PFM - RM for Virtual Machine and Hyper-V

To collect Hyper-V information, it is necessary for PFM - RM for Virtual Machine to use WMI to communicate with Hyper-V. Therefore, when PFM - RM for Virtual Machine and Hyper-V are installed across a firewall, passage through the firewall must be enabled.

| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → Hyper-V |

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

WMI uses DCOM. Because DCOM uses dynamic port allocation, the port used for DCOM must pass through the firewall. For details about the setup method, see the firewall product's documentation or check with the firewall product's developer.

Operation via a firewall is not suitable because individual WMI and DCOM requests cannot be separated. The following figure shows a recommended configuration.

Figure D‒1: Example of configuration where the port used for DCOM passes through a firewall

[Figure]

(5) Firewall passage direction during communication between PFM - RM for Virtual Machine and KVM

To collect KVM information, it is necessary for PFM - RM for Virtual Machine to communicate via SSH. Therefore, when PFM - RM for Virtual Machine and KVM are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and KVM is shown below.

| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → KVM |

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.

Table D‒6: Port numbers that can be used for communication with a monitoring target

| Description | Setting item | Value that can be set | Default |
|---|---|---|---|
| KVM port number for an SSH connection | Port | 0-65,535 | Port = 0# |

#: When Port = 0, the system will actually use port number 22, which is the default port number for SSH communication.
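The following is an added example, not part of the Hitachi manual: it checks a proposed firewall allow-list against the passage directions in (1), (3) and (5), resolving `Port = 0` as Tables D-5 and D-6 describe. The names `Flow`, `target_port`, `required_flows` and `audit`, the host names, and the receiving ports 20000 and 20001 are assumptions standing in for your own values from Table D-1. Hyper-V is left out because its DCOM ports are allocated dynamically.

```python
from dataclasses import dataclass

# Constructed placeholders: the real receiving ports are the fixed values
# from Table D-1, which this subsection does not reproduce.
STORE_PORT, COLLECTOR_PORT = 20000, 20001

@dataclass(frozen=True, order=True)
class Flow:
    src: str    # side that starts the connection
    dst: str    # side that receives it
    dport: int  # receiving port on dst

def target_port(kind, port=0, security=None):
    """Effective monitoring-target port per Tables D-5 (VMware) and D-6 (KVM)."""
    if not 0 <= port <= 65535:
        raise ValueError("Port must be in 0-65535")
    if port != 0:
        return port
    if kind == "kvm":
        return 22
    if kind == "vmware" and security in (0, 1):
        return 443 if security == 1 else 80
    raise ValueError(f"no default port for {kind!r} with Security={security!r}")

def required_flows(targets, rm_to_rm=False):
    """Flows the tables call for, keyed by who starts the connection."""
    ports = (STORE_PORT, COLLECTOR_PORT)
    flows = {Flow("Manager", "RM", p) for p in ports}           # Table D-2
    if rm_to_rm:  # Table D-3: only when jpctool runs without the proxy option
        flows |= {Flow("RM", "RM", p) for p in ports}
    for host, kind, port, security in targets:                  # (3) and (5)
        flows.add(Flow("RM", host, target_port(kind, port, security)))
    return flows

def audit(rules, targets, rm_to_rm=False):
    """Return (missing, unexplained) flows for a proposed allow-list."""
    need, have = required_flows(targets, rm_to_rm), set(rules)
    return sorted(need - have), sorted(have - need)

# Constructed sample data: host names and the proposed rule set are invented.
TARGETS = [("vc01", "vmware", 0, 1), ("esx02", "vmware", 0, 0), ("kvm01", "kvm", 0, None)]
PROPOSED = [Flow("Manager", "RM", STORE_PORT),
            Flow("RM", "Manager", COLLECTOR_PORT),   # direction reversed
            Flow("RM", "vc01", 443)]

if __name__ == "__main__":
    missing, unexplained = audit(PROPOSED, TARGETS)
    print("missing:", missing)
    print("not covered by this subsection:", unexplained)
```

A flow reported as unexplained is not necessarily wrong, since services of PFM - Manager itself are outside the tables in this subsection; it only means these tables do not justify the rule. The `esx02` entry resolves to port 80 because its Security value is 0.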