Hitachi

JP1 Version 12 JP1/Performance Management Reference


C.2 Firewall passage directions

This section describes the firewall passage directions of Performance Management.

The following figure shows an example of a system configuration that explains the relationship between Performance Management and a firewall. If there is a firewall between hosts, settings that allow the communication to pass through the firewall are needed.

Figure C‒1: Relationship between Performance Management and firewalls

[Figure]

The firewall passage directions for each case are as follows.

The following describes the settings required to allow communication to pass through the firewall in each case. The legend and notes below apply to all of the tables in this section that show firewall passage directions.

Legend:

->: The direction in which communication (connection) begins

#1

After communication (connection) begins, sending and receiving are performed on the established session. Specify the settings so that a response to the established session can also penetrate a firewall.

#2

When communication (connection) begins, the connection-source host uses a free port number assigned by the OS as the sending port. Therefore, specify the settings so that any port number can penetrate a firewall as the sending port.

#3

The port number can be fixed by using the jpcconf port define command. The name shown in the table is the value displayed in the Services field of the output of the jpcconf port list -key all command when the port number is fixed.

#4

When the status of the Performance Management service that runs in a cluster system is checked, the connection-source host communicates with the Status Server service of the connection-destination host by using the host names (IP addresses) of the physical host and logical host.

Therefore, for communication with the Status Server service, allow the port number specified for jp1pcstatsvr to pass through the firewall from the connection-source host to the host names (IP addresses) of both the physical host and the logical host.

For example, when you specify the settings of the Status Server service for communication from PFM - Manager to the PFM - Agent, PFM - RM, or PFM - Base host, allow the port number specified for jp1pcstatsvr to pass through the firewall to both of the following host names (IP addresses):

  • PFM - Agent, PFM - RM, or PFM - Base host (Physical host)

  • PFM - Agent, PFM - RM, or PFM - Base host (Logical host)


(1) Firewall among a Web browser, PFM - Web Console, and PFM - Manager

The following figure shows port passing of a firewall among a Web browser, PFM - Web Console, and PFM - Manager.

Figure C‒2: Port passing of a firewall among a Web browser, PFM - Web Console, and PFM - Manager

[Figure]

Also, the following figure shows IP address passing between PFM - Web Console and PFM - Manager.

Figure C‒3: IP address passing between PFM - Web Console and PFM - Manager

[Figure]

Settings that allow the firewall to be passed are needed for each IP address that is used for communication between the target hosts. Specify the settings for passing the firewall for each IP address marked with [Figure] so that sending and receiving can be performed.

Because an IP address marked with × is not used between PFM - Web Console and PFM - Manager, no settings for passing the firewall are needed for it.

(a) Firewall that exists in communication from a Web browser to PFM - Web Console

When a Web browser connects to PFM - Web Console across a firewall, set the port numbers according to the directions shown in the following table so that communications can penetrate the firewall.

Table C‒4: Firewall passage directions (communication from a Web browser to PFM - Web Console)

| Host using a Web browser | Passage direction#1 | PFM - Web Console host |
|---|---|---|
| Any#2 | -> | 20358 (Default) |

Specify the settings of the firewall so that the sending port that a Web browser uses temporarily can pass through the receiving port 20358 (the default) of PFM - Web Console.

(b) Firewall that exists in communication from PFM - Web Console to PFM - Manager

When PFM - Web Console connects to PFM - Manager across a firewall, set the port numbers according to the directions shown in the following table so that communications can penetrate the firewall.

Table C‒5: Firewall passage directions (communication from PFM - Web Console to PFM - Manager)

| PFM - Web Console host | Passage direction#1 | PFM - Manager host#3 |
|---|---|---|
| Any#2 | -> | jp1pcvsvr |

Specify the settings of the firewall so that the sending port that PFM - Web Console uses temporarily can pass through the receiving port of PFM - Manager.

(c) Firewall that exists in communication from PFM - Manager to PFM - Web Console

If PFM - Manager and PFM - Web Console are to be installed across a firewall, the use of a Virtual Private Network is recommended. If a VPN cannot be used, you should set up a callback port number.

To set a callback port number, use the initialization file for the PFM - Web Console host (config.xml). The following table describes the settings:

Table C‒6: Firewall passage directions (communication from PFM - Manager to PFM - Web Console)

| PFM - Manager host | Passage direction#1 | PFM - Web Console host |
|---|---|---|
| Any#2 | -> | Callback port number that the PFM - Web Console service uses (ownPort) |
| | | Callback port number that the PFM - Web Console command uses (ownCmdPort) |

Specify the settings of the firewall so that the sending port that PFM - Manager uses temporarily can pass through the receiving port of PFM - Web Console.

For details about the specifiable values, see Initialization file (config.xml).

To apply the changes in the initialization file (config.xml), you need to restart PFM - Web Console. If any other settings are changed, PFM - Web Console may not function correctly.

The following shows an example of the settings:

Figure C‒4: Example of setting the initialization file (config.xml)

[Figure]

After setting this file, allow each port number to penetrate the firewall in the directions shown in the table.

(2) Firewall between PFM - Manager and PFM - Agent or PFM - RM

The following figure shows port passing of a firewall from PFM - Manager to PFM - Agent or PFM - RM.

Figure C‒5: Port passing of a firewall from PFM - Manager to PFM - Agent or PFM - RM

[Figure]

The following figure shows port passing of a firewall from PFM - Agent or PFM - RM to PFM - Manager.

Figure C‒6: Port passing of a firewall from PFM - Agent or PFM - RM to PFM - Manager

[Figure]

Also, the following figure shows IP address passing between PFM - Manager and PFM - Agent or PFM - RM.

Figure C‒7: IP address passing between PFM - Manager and PFM - Agent or PFM - RM

[Figure]

Settings that allow the firewall to be passed are needed for each IP address that is used for communication between the target hosts. Specify the settings for passing the firewall for each IP address marked with [Figure] so that sending and receiving can be performed.

Because an IP address marked with × is not used between PFM - Manager and PFM - Agent or PFM - RM, no settings for passing the firewall are needed for it.

(a) Firewall that exists in communication from PFM - Manager to PFM - Agent, PFM - RM, or PFM - Base

If there is a firewall between PFM - Manager and PFM - Agent, PFM - RM, or PFM - Base, set fixed port numbers for all PFM - Manager and PFM - Agent, PFM - RM, or PFM - Base services. Additionally, set port numbers according to the direction given in the following table so that communications can pass through the firewall.

For details about the Agent Store services and Agent Collector services, see the appendix in each PFM - Agent manual. For details about the Remote Monitor Store services and Remote Monitor Collector services, see the appendix of the PFM - RM manual.

Table C‒7: Firewall passage direction (communication from PFM - Manager to PFM - Agent, PFM - RM, or PFM - Base)

| PFM - Manager host | Passage direction#1 | PFM - Agent, PFM - RM, or PFM - Base host#3 |
|---|---|---|
| Any#2 | -> | jp1pcah |
| | | jp1pcstatsvr |
| | | The port number of the Collector service of PFM - Agent or PFM - RM |
| | | The port number of the Store service of PFM - Agent or PFM - RM |

Table C‒8: Firewall passage direction (communication from PFM - Manager to PFM - Agent, PFM - RM, or PFM - Base that runs in a cluster system)

| PFM - Manager host | Passage direction#1 | PFM - Agent, PFM - RM, or PFM - Base host#3 |
|---|---|---|
| Any#2 | -> | jp1pcah |
| | | jp1pcah_logical-host-name |
| | | jp1pcstatsvr#4 |
| | | The port number of the Collector service of PFM - Agent or PFM - RM |
| | | The port number of the Store service of PFM - Agent or PFM - RM |

Specify the settings of the firewall so that the sending port that PFM - Manager uses temporarily can pass through the receiving port of PFM - Agent, PFM - RM, or PFM - Base.

(b) Firewall that exists in communication from PFM - Agent, PFM - RM, or PFM - Base to PFM - Manager

If there is a firewall between PFM - Manager and PFM - Agent, PFM - RM, or PFM - Base, set fixed port numbers for all PFM - Manager and PFM - Agent, PFM - RM, or PFM - Base services. Additionally, set port numbers according to the directions shown in the following table so that communications can penetrate the firewall.

Table C‒9: Firewall passage directions (communication from PFM - Agent, PFM - RM, or PFM - Base to PFM - Manager)

| PFM - Agent, PFM - RM, or PFM - Base host | Passage direction#1 | PFM - Manager host#3 |
|---|---|---|
| Any#2 | -> | jp1pcagt0 |
| | | jp1pcsto0 |
| | | jp1pcnsvr |
| | | jp1pcmm |
| | | jp1pcsto |
| | | jp1pcep |
| | | jp1pctrap |
| | | jp1pcvsvr2 |
| | | jp1pcah |
| | | jp1pcstatsvr |

Table C‒10: Firewall passage directions (communication from PFM - Agent, PFM - RM, or PFM - Base to PFM - Manager that runs in a cluster system)

| PFM - Agent, PFM - RM, or PFM - Base host | Passage direction#1 | PFM - Manager host#3 |
|---|---|---|
| Any#2 | -> | jp1pcagt0_logical-host-name |
| | | jp1pcsto0_logical-host-name |
| | | jp1pcnsvr |
| | | jp1pcmm |
| | | jp1pcsto |
| | | jp1pcep |
| | | jp1pctrap |
| | | jp1pcvsvr2 |
| | | jp1pcah |
| | | jp1pcah_logical-host-name |
| | | jp1pcstatsvr#4 |

Specify the settings of the firewall so that the sending port that PFM - Agent, PFM - RM, or PFM - Base uses temporarily can pass through the receiving port of PFM - Manager.

(3) Firewall between PFM - Agent or PFM - RM and PFM - Agent or PFM - RM on another host

The following figure shows port passing of a firewall between PFM - Agent or PFM - RM and PFM - Agent or PFM - RM on another host.

Figure C‒8: Port passing of a firewall between PFM - Agent or PFM - RM and PFM - Agent or PFM - RM on another host

[Figure]

The following figure shows IP address passing between PFM - Agent or PFM - RM and PFM - Agent or PFM - RM on another host.

Figure C‒9: IP address passing between PFM - Agent or PFM - RM and PFM - Agent or PFM - RM on another host

[Figure]

Settings that allow the firewall to be passed are needed for each IP address that is used for communication between the target hosts. Specify the settings for passing the firewall for each IP address marked with [Figure] so that sending and receiving can be performed.

Because an IP address marked with × is not used between PFM - Agent or PFM - RM and PFM - Agent or PFM - RM on another host, no settings for passing the firewall are needed for it.

(a) Firewall that exists in communication from PFM - Agent, PFM - RM, or PFM - Base to PFM - Agent, PFM - RM, or PFM - Base on another host

If there is a firewall between PFM - Agent, PFM - RM, or PFM - Base and PFM - Agent, PFM - RM, or PFM - Base on another host, the settings required for penetrating the firewall are needed only when you want to execute the jpctool db backup, jpctool db dump, or jpctool service list command between the target hosts. Also, the settings for penetrating a firewall between PFM - Manager and PFM - Agent, PFM - RM, or PFM - Base are needed.

Note that when you execute the jpctool db dump or jpctool service list command with the -proxy option specified in an environment in which communication from the target host to the PFM - Manager host can be established, communication is performed through PFM - Manager. Therefore, command execution becomes possible, and the settings required for penetrating a firewall are not needed.

When you execute the jpctool db backup command for the target host, the settings for penetrating a firewall are needed. You can perform operations required to obtain a backup on the local host by specifying the -alone option for the command. In this case, the settings required for penetrating a firewall are not needed. So, consider this in the operation design.

For details about the jpctool db backup, jpctool db dump, or jpctool service list command, see Chapter 3. Commands.

When you specify the settings required to allow communication to pass through a firewall, set fixed port numbers for all PFM - Agent, PFM - RM, or PFM - Base services on both hosts. Additionally, set port numbers according to the directions shown in the following table so that communications can penetrate the firewall.

For details about the Agent Store services and Agent Collector services, see the appendix in each PFM - Agent manual. For details about the Remote Monitor Store services and Remote Monitor Collector services, see the appendix of the PFM - RM manual.

Table C‒11: Firewall passage directions (communication from PFM - Agent, PFM - RM, or PFM - Base to another PFM - Agent, PFM - RM, or PFM - Base)

| PFM - Agent, PFM - RM, or PFM - Base host | Passage direction#1 | Another PFM - Agent, PFM - RM, or PFM - Base host#3 |
|---|---|---|
| Any#2 | -> | jp1pcah |
| | | jp1pcstatsvr |
| | | The port number of the Collector service of PFM - Agent or PFM - RM |
| | | The port number of the Store service of PFM - Agent or PFM - RM |

Table C‒12: Firewall passage directions (communication from PFM - Agent, PFM - RM, or PFM - Base to another PFM - Agent, PFM - RM, or PFM - Base that runs in a cluster system)

| PFM - Agent, PFM - RM, or PFM - Base host | Passage direction#1 | Another PFM - Agent, PFM - RM, or PFM - Base host#3 |
|---|---|---|
| Any#2 | -> | jp1pcah |
| | | jp1pcah_logical-host-name |
| | | jp1pcstatsvr#4 |
| | | The port number of the Collector service of PFM - Agent or PFM - RM |
| | | The port number of the Store service of PFM - Agent or PFM - RM |

Specify the settings of the firewall so that the sending port that PFM - Agent, PFM - RM, or PFM - Base uses temporarily can pass through the receiving port of another PFM - Agent, PFM - RM, or PFM - Base.
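The following is a worked expansion of the passage-direction tables in this section, added here as an example; it is not Hitachi's code and is not part of the reference. It encodes legend notes #1 to #4 and Tables C‒4 to C‒12 as rule generators, so that the (sending host, receiving host, receiving port) triples a firewall rule set must contain can be listed and checked, including the doubled jp1pcstatsvr entry for a host that runs in a cluster system. All host names (pc01, wc01, mgr01, agent01, lhostA, lhostM) and every port number except 20358 are constructed placeholders; in a real environment the numbers come from jpcconf port list -key all and, for ownPort and ownCmdPort, from config.xml.

```python
"""Expand the firewall passage-direction tables (Tables C-4 to C-12) into
explicit allow rules while applying the legend notes: replies ride the
established session (#1), the sending port is an ephemeral port chosen by the
OS (#2), receiving ports are the numbers fixed with `jpcconf port define` (#3),
and a clustered Status Server is reached at both the physical and the logical
host address (#4).  Added example, not Hitachi's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed port table. Only 20358 (PFM - Web Console default) is from the
# reference; every other number is an assumed placeholder for a value you would
# fix with `jpcconf port define` and read back with `jpcconf port list -key all`.
# Keys ending in _lhostA / _lhostM model the "<service>_logical-host-name"
# entries of the cluster tables for constructed logical hosts lhostA and lhostM.
FIXED_PORTS: Dict[str, int] = {
    "webconsole": 20358, "jp1pcvsvr": 31001, "jp1pcvsvr2": 31002,
    "jp1pcah": 31003, "jp1pcah_lhostA": 31004, "jp1pcah_lhostM": 31005,
    "jp1pcstatsvr": 31006, "jp1pcagt0": 31007, "jp1pcagt0_lhostM": 31008,
    "jp1pcsto0": 31009, "jp1pcsto0_lhostM": 31010, "jp1pcnsvr": 31011,
    "jp1pcmm": 31012, "jp1pcsto": 31013, "jp1pcep": 31014, "jp1pctrap": 31015,
    "collector": 31016, "store": 31017,     # Agent/RM Collector and Store services
    "ownPort": 31018, "ownCmdPort": 31019,  # callback ports set in config.xml
}


@dataclass(frozen=True)
class Rule:
    src_host: str
    src_port: str          # always "any": the OS picks the sending port (note #2)
    dst_host: str
    dst_port: int          # one fixed receiving port, never a range (note #3)
    service: str
    stateful: bool = True  # let the reply back on the established session (note #1)


def allow(src: str, dsts: List[str], service: str, ports: Dict[str, int]) -> List[Rule]:
    return [Rule(src, "any", d, ports[service], service) for d in dsts]


def _expand(src: str, physical: str, logical: Optional[str],
            services: List[str], ports: Dict[str, int]) -> List[Rule]:
    rules: List[Rule] = []
    for svc in services:
        # Note #4: in a cluster, jp1pcstatsvr is addressed by both host names.
        both = svc == "jp1pcstatsvr" and logical is not None
        rules += allow(src, [physical, logical] if both else [physical], svc, ports)
    return rules


def rules_to_agent_host(src: str, physical: str, ports: Dict[str, int],
                        logical: Optional[str] = None) -> List[Rule]:
    """Tables C-7/C-8 (Manager -> Agent/RM/Base) and C-11/C-12 (Agent -> Agent)."""
    services = ["jp1pcah", "jp1pcstatsvr", "collector", "store"]
    if logical:
        services.insert(1, f"jp1pcah_{logical}")
    return _expand(src, physical, logical, services, ports)


def rules_to_manager_host(src: str, physical: str, ports: Dict[str, int],
                          logical: Optional[str] = None) -> List[Rule]:
    """Tables C-9/C-10 (Agent/RM/Base -> Manager). In the cluster table jp1pcagt0
    and jp1pcsto0 appear only under the logical-host name; jp1pcah under both."""
    agt0, sto0 = ("jp1pcagt0", "jp1pcsto0") if not logical else (
        f"jp1pcagt0_{logical}", f"jp1pcsto0_{logical}")
    services = [agt0, sto0, "jp1pcnsvr", "jp1pcmm", "jp1pcsto", "jp1pcep",
                "jp1pctrap", "jp1pcvsvr2", "jp1pcah"]
    if logical:
        services.append(f"jp1pcah_{logical}")
    services.append("jp1pcstatsvr")
    return _expand(src, physical, logical, services, ports)


def rules_web_console(browser: str, web_console: str, manager: str,
                      ports: Dict[str, int]) -> List[Rule]:
    """Tables C-4, C-5 and C-6, including the Manager -> Web Console callback
    ports (ownPort, ownCmdPort) configured in config.xml."""
    return (allow(browser, [web_console], "webconsole", ports)
            + allow(web_console, [manager], "jp1pcvsvr", ports)
            + allow(manager, [web_console], "ownPort", ports)
            + allow(manager, [web_console], "ownCmdPort", ports))


def lint(rules: List[Rule]) -> List[str]:
    """Flag rules that contradict the legend notes; an empty list means clean."""
    problems = []
    for r in rules:
        if r.src_port != "any":
            problems.append(f"{r.service}: sending port must stay 'any' (note #2)")
        if not isinstance(r.dst_port, int):
            problems.append(f"{r.service}: receiving port must be one fixed number (note #3)")
        if not r.stateful:
            problems.append(f"{r.service}: reply must pass on the established session (note #1)")
    return problems


def render(rules: List[Rule]) -> List[str]:
    """One firewall-neutral line per rule; translate into your product's syntax."""
    return [f"allow {r.src_host}:any -> {r.dst_host}:{r.dst_port}  # {r.service}"
            + ("  (keep state)" if r.stateful else "") for r in rules]


if __name__ == "__main__":
    ruleset = (rules_web_console("pc01", "wc01", "mgr01", FIXED_PORTS)
               + rules_to_agent_host("mgr01", "agent01", FIXED_PORTS, logical="lhostA")
               + rules_to_manager_host("agent01", "mgr01", FIXED_PORTS, logical="lhostM"))
    print("\n".join(render(ruleset)))
    print("problems:", lint(ruleset) or "none")
```

Running the script prints the expanded rule list for a Web browser, a PFM - Web Console host, a PFM - Manager host and a PFM - Agent host that both run in a cluster system. lint() returns an empty list only when every rule leaves the sending port open, names exactly one fixed receiving port and keeps state for the reply, which are the three conditions notes #1 to #3 impose; a rule that opened every receiving port or dropped the reply would be reported.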