C.2 Direction of communication through a firewall
(1) Direction of communication through the firewall (JP1/IM - Manager and JP1/IM - View)
The following table shows the direction of communication through a firewall for JP1/IM - Manager and JP1/IM - View. JP1/IM supports packet-filtering firewalls and NAT (static mode) firewalls.
| Service name | Port number | Direction of communication |
|---|---|---|
| jp1imevtcon | 20115/tcp | JP1/IM - View -> JP1/IM - Manager (Central Console) |
| jp1imcmda | 20238/tcp | JP1/IM - View -> JP1/Base#1; JP1/IM - Manager (Central Console) -> JP1/Base#1 |
| jp1imcss | 20305/tcp | JP1/IM - View -> JP1/IM - Manager (Central Scope) |
| jp1rmregistry | 20380/tcp | JP1/IM - View -> JP1/IM - Rule Operation |
| jp1rmobject | 20381/tcp | JP1/IM - View -> JP1/IM - Rule Operation |
| jp1imegs | 20383/tcp | Firewall setup is unnecessary because all communication takes place on the machine on which JP1/IM - Manager is installed. |
| jddmain | 20703/tcp | Web browser -> JP1/IM - Manager (Intelligent Integrated Management Base) |
| None#2 | Port number of the IM database#3 | JP1/IM - Manager (physical host) -> IM database (physical host) |
| None#2 | Port number of the IM database#4 | JP1/IM - Manager (logical host) -> IM database (logical host) |
| jp1imcf | 20702/tcp | JP1/IM - View -> JP1/IM - Manager (IM Configuration Management) |
| jp1imfcs | 20701/tcp | Firewall setup is unnecessary because all communication takes place on the machine on which JP1/IM - Manager is installed. |
| jimmail | 25/tcp#5 | JP1/IM - Manager -> mail server (SMTP, without authentication) |
| jimmail | 587/tcp#5 | JP1/IM - Manager -> mail server (SMTP, with SMTP-AUTH authentication) |
| jimmail | 110/tcp#5 | JP1/IM - Manager -> mail server (POP3, with POP-before-SMTP authentication) |
| None | 20705/tcp | Firewall setup is unnecessary because JP1/IM - Manager communicates only within the machine on which it is installed. |
| None | 20706/tcp | Firewall setup is unnecessary because JP1/IM - Manager communicates only within the machine on which it is installed. |
Legend:
- ->: Direction of the connection when established
- #1: Refers to JP1/Base on the manager.
- #2: Not registered in the services file.
- #3: The port number for the IM database (physical host) that was set in the setup information file when the IM database was set up on the physical host.
- #4: The port number for the IM database (logical host) that was set in the cluster setup information file when the IM database was set up on the logical host.
- #5: The destination port number might differ depending on which port is used on the destination server.
- #6: The port number might differ depending on the HTTP server settings.
When a connection is established, the port number in the table is used by the side being connected to (the side the arrow points to). The connecting side uses an ephemeral port assigned by the OS, and the ephemeral port range depends on the OS, so firewall rules should match on the destination port and leave the source port unrestricted.
When JP1/IM is installed on a host that itself runs a firewall, communication within that host might also be subject to the firewall's rules. In that case, configure the firewall so that the services can use the port numbers in the table even for communication within the host (for example, by permitting loopback traffic).
For details about operation with a firewall, see 9.3 Operating in a firewall environment in the JP1/Integrated Management 3 - Manager Configuration Guide.
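The following script is an added example and is not part of the JP1 manual. It shows how the rules for the manager host follow from the table: it reads the jp1 entries from a services-file listing (a constructed sample is embedded, in /etc/services format), skips the services the table marks as intra-host only, and emits iptables rules that match on the destination port and the JP1/IM - View subnet while leaving the source port unrestricted, plus the loopback rule the note above calls for. The subnet, the use of Linux iptables, and the exact listing are assumptions; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example, not part of the JP1 manual: derive the manager-side firewall rules from
# the jp1 entries in the services file, so the rules stay in step with the ports the
# manager actually listens on.
# Assumptions (not from the page): the manager runs Linux with iptables, every JP1/IM - View
# instance and web browser that may connect lives in VIEW_NET, and the rules are printed
# for review rather than applied.

VIEW_NET="${VIEW_NET:-192.0.2.0/24}"   # constructed; replace with the JP1/IM - View subnet

# Constructed sample in /etc/services format. Only the entries listed in the table above
# appear; the IM database port is deliberately absent because note #2 says it is not
# registered in the services file.
SAMPLE_SERVICES='
jp1imevtcon   20115/tcp   # JP1/IM - Manager (Central Console)
jp1imcmda     20238/tcp   # JP1/Base on the manager
jp1imcss      20305/tcp   # JP1/IM - Manager (Central Scope)
jp1rmregistry 20380/tcp   # JP1/IM - Rule Operation
jp1rmobject   20381/tcp   # JP1/IM - Rule Operation
jp1imegs      20383/tcp   # local only
jp1imfcs      20701/tcp   # local only
jp1imcf       20702/tcp   # JP1/IM - Manager (IM Configuration Management)
jddmain       20703/tcp   # Intelligent Integrated Management Base
'

# Services the table marks as intra-host only: they are served over loopback and must
# never be opened to the network.
LOCAL_ONLY="jp1imegs jp1imfcs"

is_local_only() {
  for s in $LOCAL_ONLY; do
    [ "$s" = "$1" ] && return 0
  done
  return 1
}

# Print "service port" for every tcp entry that remote hosts are allowed to reach.
inbound_services() {
  printf '%s\n' "$SAMPLE_SERVICES" |
    awk '$1 ~ /^(jp1|jdd)/ && $2 ~ /\/tcp$/ { split($2, p, "/"); print $1, p[1] }' |
    while read -r svc port; do
      is_local_only "$svc" || echo "$svc $port"
    done
}

# Emit iptables rules for the manager host. The match is on the destination port (the side
# the arrow points to); no --sport is given because the connecting side uses whatever
# ephemeral port its OS hands out.
emit_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"   # intra-host traffic: jp1imegs, jp1imfcs, 20705, 20706, IM database
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  inbound_services | while read -r svc port; do
    echo "iptables -A INPUT -p tcp -s $VIEW_NET --dport $port -m conntrack --ctstate NEW -m comment --comment $svc -j ACCEPT"
  done
}

# Number of per-service ACCEPT rules, for a quick sanity check against the table.
count_service_rules() {
  emit_rules | grep -c -- '--dport'
}

emit_rules
```

Run it with `VIEW_NET` set to the real JP1/IM - View subnet and compare the seven per-service rules against the table before applying anything; the jimmail rows are outbound from the manager and belong in the OUTPUT chain toward the mail server, which this script does not cover.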
(2) Direction of communication through the firewall (when information about remotely monitored hosts is collected)
JP1/IM - Manager uses the following connection methods to collect information from remotely monitored hosts:
- Windows monitored hosts: SSH, NetBIOS (NetBIOS over TCP/IP), WMI
- UNIX monitored hosts: SSH
Therefore, when a firewall separates JP1/IM - Manager from the monitored hosts, communication must pass through the firewall in the following direction:
JP1/IM - Manager (jcfmain and jcfallogtrap) -> Monitored hosts
Legend: ->: Direction of the connection when established
- For an SSH connection
  Allow the port number specified for the SSH setting in the System Common Settings window of JP1/IM - Manager through the firewall. Because SSH uses a single, configurable destination port, it is the only one of the three methods whose traffic the firewall can identify precisely.
- For a NetBIOS (NetBIOS over TCP/IP) connection
  Allow the ports used by NetBIOS over TCP/IP through the firewall. For details about the configuration, see the manual for the firewall product or contact its vendor.
  Note that the firewall cannot distinguish this connection from other NetBIOS over TCP/IP connections.
- For a WMI connection
  WMI uses DCOM, and DCOM assigns ports dynamically. Therefore, allow the ports used by DCOM through the firewall. For details about the configuration, see the manual for the firewall product or contact its vendor.
  Note that the firewall cannot distinguish this connection from other WMI or DCOM requests.
(3) Direction of communication through the firewall (when monitoring multiple sites with the Intelligent Integrated Management Base)
If there is a firewall on the communication path, the Intelligent Integrated Management Base on the Integration Manager must be allowed through the firewall on the ports listed in the following tables.
Each table shows the direction of communication through the firewall. The legend for the tables is as follows:
Legend:
- →: Indicates the direction of the connection when it is established.

Communication between the Integration Manager host and the site/relay manager host

| Integration Manager host | Communication direction | Site/relay manager host | Typical uses |
|---|---|---|---|
| Any | → | Intelligent Integrated Management Base port | Obtaining information about JP1/IM - Agent under the control of the site/relay manager when the jddcreatetree command is executed |

In addition, communication from the integrated operation viewer that connects to the Integration Manager must be allowed through the ports listed in the following table.

Communication between the integrated operation viewer connected to the Integration Manager and the site/relay manager host

| Integration Manager host | Communication direction | Site/relay manager host | Typical uses |
|---|---|---|---|
| Any | → | Intelligent Integrated Management Base port | Operations on site/relay managers and monitored hosts |
(4) Direction of communication through the firewall (JP1/IM - Agent)
If there is a firewall on the communication path, the imbase and imbaseproxy ports of the JP1/IM agent management base must be allowed through it. A NAT-type firewall can also be used.
Each table shows the direction of communication through the firewall. The legend and notes for the tables are as follows:
Legend:
- →: When a connection is established, indicates a connection from the host in the left column to the host in the right column.
- ←: When a connection is established, indicates a connection from the host in the right column to the host in the left column.
- #: Any free port number assigned by the OS (the ephemeral source port).
Communication between the integrated agent host and the Integration Manager host

| Integrated agent host | Communication direction | Integration Manager host | Typical uses |
|---|---|---|---|
| Any# | → | imbase and imbaseproxy ports of the JP1/IM agent management base | Remote write; alert notification; log monitoring; receiving requests from and sending responses to imbase |

Communication between the integrated agent host and monitored web servers

| Integrated agent host | Communication direction | Monitored web server | Typical uses |
|---|---|---|---|
| Any# | → | Port of the monitored web server | Monitoring by the Blackbox exporter (HTTP/HTTPS) |

Communication between the integrated agent host and monitored hosts (ICMP monitoring)

| Integrated agent host | Communication direction | Monitored host (ICMP monitoring) | Typical uses |
|---|---|---|---|
| None | → | Must respond to ICMP type 8 (Echo Request) | Monitoring by the Blackbox exporter (ICMP) |
| Must receive ICMP type 0 (Echo Reply) | ← | None | Monitoring by the Blackbox exporter (ICMP) |

The second row is the reply to the first: a stateful firewall that tracks the outbound echo request lets the matching echo reply back in without a separate inbound rule, whereas a stateless packet filter needs both rows configured explicitly.

Communication between the integrated agent host and monitored AWS CloudWatch

| Integrated agent host | Communication direction | Monitored AWS CloudWatch | Typical uses |
|---|---|---|---|
| Any# | → | Port of the monitored AWS CloudWatch endpoint | Monitoring by Yet another cloudwatch exporter |

Communication between the integrated agent host and an HTTP proxy server

| Integrated agent host | Communication direction | HTTP proxy server | Typical uses |
|---|---|---|---|
| Any# | → | HTTP proxy server port | Communication with the manager host; communication with monitored servers through exporters such as the Blackbox exporter |
Important
The scrape API of the exporters used by JP1/IM - Agent does not protect the exporter port with authentication, so be sure to protect it with a firewall that admits only the host that performs the scrapes.
For more information, see 1.21.2(8) Configuring the firewall for Windows (mandatory) and 2.19.2(9) Configuring the firewall for Linux (mandatory) in the JP1/Integrated Management 3 - Manager Configuration Guide.
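The following script is an added example and is not part of the JP1 manual. It audits an `iptables -S INPUT` listing from an integrated agent host (a constructed listing is embedded) for two things the tables and the Important note above call for: that no exporter scrape port accepts connections from a source other than the permitted scraper, and that ICMP echo replies for Blackbox exporter probes are allowed back in. The exporter port numbers, the scraper source address, and the listing are assumptions, not JP1 defaults.

```shell
#!/bin/sh
# Added example, not part of the JP1 manual: audit the INPUT chain of an integrated agent
# host for exporter scrape ports reachable from arbitrary sources, which the Important note
# above rules out because the scrape API carries no authentication, and confirm that ICMP
# echo replies for Blackbox exporter probes are allowed back in.
# Assumptions (not from the page): EXPORTER_PORTS lists the ports your exporters listen on
# (placeholders below, not JP1 defaults); SCRAPER_SRC is the only source that may scrape
# them; the input is in `iptables -S INPUT` format.

EXPORTER_PORTS="${EXPORTER_PORTS:-9115 9106}"   # placeholder exporter ports
SCRAPER_SRC="${SCRAPER_SRC:-127.0.0.1/32}"      # placeholder: scrapes come from the agent host itself

# Constructed `iptables -S INPUT` listing with one correct and one over-permissive rule.
SAMPLE_RULES='
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9115 -j ACCEPT
'

rules() { printf '%s\n' "$SAMPLE_RULES"; }

# Print "port reason rule" for every ACCEPT of an exporter port that is not limited to
# SCRAPER_SRC. A rule with no -s at all matches any source, which is the worst case.
exposed_exporter_ports() {
  for port in $EXPORTER_PORTS; do
    rules | grep -- "--dport $port " | grep -- '-j ACCEPT' | while read -r rule; do
      case "$rule" in
        *" -s $SCRAPER_SRC "*) ;;                          # pinned to the scraper: fine
        *" -s "*) echo "$port unexpected-source $rule" ;;  # some other source
        *)        echo "$port any-source $rule" ;;         # no source restriction at all
      esac
    done
  done
}

# Echo requests leave the agent as ICMP type 8; the type 0 replies must be let back in,
# either by an explicit type 0 rule or by a stateful ESTABLISHED,RELATED rule.
icmp_echo_reply_allowed() {
  rules | grep -q -- '--icmp-type 0 .*-j ACCEPT' ||
    rules | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Return 0 only if no exporter port is exposed and echo replies are allowed.
audit_agent_rules() {
  findings=$(exposed_exporter_ports)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings" | sed 's/^/exposed exporter port: /'
    return 1
  fi
  icmp_echo_reply_allowed || { echo "ICMP echo replies are blocked"; return 1; }
  echo "exporter ports are firewalled and ICMP replies are allowed"
}

audit_agent_rules || echo "audit failed: restrict the rules listed above to $SCRAPER_SRC"
```

On a real host replace the embedded listing with the output of `iptables -S INPUT`; the sample is built so that port 9106 passes (pinned to the scraper) and port 9115 is reported as reachable from any source, which is exactly the misconfiguration the Important note warns against.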