HP Operations Manager for Windows

DCE RPC Communication without using the Endpoint Mapper


Allowing one or more well-known ports through a firewall is often considered a security risk. This applies in particular to port 135, the well-known port of the DCE RPC endpoint mapper, because every RPC client must be able to reach it before it can contact any RPC server.

Security in firewall environments can be significantly improved by reducing communication to a single, user-defined port. This section describes a solution that does not use the DCE RPC endpoint mapper, so that port 135 can be closed in the firewall. RPC communication of HPOM for Windows then requires only one open destination port in each direction.

HTTP-based communication used for performance data or service discovery data is not affected by this change and requires additional, but user-defined ports, as outlined in the firewall white paper.

This applies only to communication with DCE agents. HTTPS agents use a different communication mechanism and different ports. See Configuring HTTPS communication through firewalls.

NOTE:
It is assumed that you are familiar with HP Operations Manager for Windows fundamentals and are knowledgeable about agent-server communication.


NOTE:
Information contained within this section assumes that firewalls have been established in accordance with the HP Operations Manager for Windows Firewall Configuration White Paper.


Current HPOM Communication

With HPOM for Windows 7.x, communication between managed nodes and management servers is generally based on DCE RPC or Microsoft’s implementation of it: Microsoft RPC.

HP Operations services and processes acting as RPC servers register at the local DCE endpoint mapper (UNIX: rpcd or dced, Windows: RPC service) to publish the services they offer. They either specify a particular port or are assigned a free one; this is the port through which they can be contacted.

HP Operations processes acting as RPC clients first contact the endpoint mapper on the destination node to find the registered server. The client does not initially know which port the server is using and must request this information from the DCE endpoint mapper, which means port 135 must be reachable before any other RPC port is.

There are RPC servers and clients on both management server systems and managed node systems: RPC clients on the management server contact RPC servers on the nodes, and RPC clients on the nodes contact the RPC server on the management server. In addition, there is local DCE RPC communication on the HP Operations management server system and managed nodes, which means RPC clients contact RPC servers on the same system.
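The two-step lookup described above, and the single-port alternative this section proposes, are easiest to see side by side in a small simulation. The following is an added example written for this page; it is not HP Operations Manager code and does not speak real DCE RPC. An allow-list of destination ports stands in for the firewall, a dictionary stands in for the endpoint mapper's registration table, and the interface name "example-rpc-interface", the fixed port 12345 and the dynamic port range are all illustrative assumptions.

```python
"""Model of DCE RPC endpoint resolution with and without the endpoint mapper.

Added example, not HP Operations Manager code. It simulates the two
situations the text describes: an RPC client that must first ask the
endpoint mapper on port 135 for the server's dynamically assigned port,
and a client configured with a fixed, user-defined port that never
contacts the mapper. A destination-port allow-list stands in for the
firewall. The interface name, the fixed port 12345 and the dynamic range
are illustrative assumptions.
"""
from dataclasses import dataclass, field

EPMAP_PORT = 135
# Assumed dynamic RPC port range on the destination host (Windows default
# for recent releases; older releases and UNIX hosts differ).
DYNAMIC_RANGE = range(49152, 65536)


class FirewallBlocked(Exception):
    """Raised when the simulated firewall drops a connection attempt."""


@dataclass
class Firewall:
    """Stateless packet filter: a set of permitted destination ports."""
    allowed_dst_ports: set

    def check(self, port):
        if port not in self.allowed_dst_ports:
            raise FirewallBlocked(f"destination port {port} is not allowed")


@dataclass
class Node:
    """A host with an endpoint mapper and the RPC servers registered on it."""
    endpoints: dict = field(default_factory=dict)  # interface name -> port
    next_free: int = DYNAMIC_RANGE.start

    def register(self, interface, port=None):
        """An RPC server registers at the local mapper.

        port=None models 'assign me a free port'; a concrete port models a
        server configured to listen on a fixed, user-defined port.
        """
        if port is None:
            port = self.next_free
            self.next_free += 1
        self.endpoints[interface] = port
        return port

    def epmap_lookup(self, interface):
        """What the endpoint mapper answers to a client's query."""
        return self.endpoints[interface]


def rpc_connect(fw, node, interface, fixed_port=None):
    """Simulate an RPC client reaching `interface` on `node` through `fw`.

    Returns the list of destination ports the client had to contact, in
    order. With fixed_port=None the client does the two-step lookup via
    the endpoint mapper; otherwise it connects to the fixed port directly.
    """
    contacted = []
    if fixed_port is None:
        fw.check(EPMAP_PORT)              # step 1: ask the mapper on 135
        contacted.append(EPMAP_PORT)
        port = node.epmap_lookup(interface)
    else:
        port = fixed_port                 # no mapper round trip at all
    fw.check(port)                        # step 2: contact the server
    contacted.append(port)
    if node.endpoints.get(interface) != port:
        raise ConnectionRefusedError(f"nothing listens on {port} for {interface}")
    return contacted


def required_ports(use_epmap, fixed_port=None):
    """Destination ports a firewall must allow for the chosen mode."""
    if use_epmap:
        # 135 plus every port the mapper might hand out.
        return {EPMAP_PORT} | set(DYNAMIC_RANGE)
    return {fixed_port}


if __name__ == "__main__":
    IFACE = "example-rpc-interface"       # hypothetical interface name
    # Situation 1: server took a dynamic port; firewall permits only 12345.
    node = Node()
    node.register(IFACE)
    strict_fw = Firewall({12345})
    try:
        rpc_connect(strict_fw, node, IFACE)
    except FirewallBlocked as e:
        print("mapper-based client fails:", e)
    # Situation 2: server fixed on 12345, same strict firewall, 135 closed.
    fixed_node = Node()
    fixed_node.register(IFACE, port=12345)
    print("fixed-port client contacts:",
          rpc_connect(strict_fw, fixed_node, IFACE, fixed_port=12345))
    print("ports to open, mapper mode:", len(required_ports(True)))
    print("ports to open, fixed mode:", sorted(required_ports(False, 12345)))
```

The point the simulation makes is the one the firewall white paper relies on: as long as the client has to ask the mapper, the firewall must permit 135 plus the whole range the mapper may answer with, whereas a client and server that agree on one fixed port need exactly that port and nothing else. The same model also shows the failure mode of a half-done migration: if the server still registers for a dynamic port but the firewall is already tightened to the single port, the mapper query is dropped and the connection never reaches step 2.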
