IT-Conductor Network Requirements

This document should be part of onboarding; dedicated sections for specific applications might be needed under the Monitoring setup instructions per app.

 

Gateway Network Access

The IT-Conductor Gateway acts as a reverse proxy and requires the following network access.

With a few exceptions, the IT-Conductor gateway does not require incoming connections to be enabled.

The exceptions are:

  • SSH access to the host from the tenant's internal network. This is required for gateway configuration and troubleshooting.

  • Optional: remote web-based gateway configuration. Off by default and not recommended; use SSH and the command line interface instead.

  • Optional: IT-Conductor Syslog Server. Allows the IT-Conductor gateway to be configured as a Linux syslog server, so that all Linux machines post syslog records to IT-Conductor for centralized monitoring and reporting.

IT-Conductor cloud

The gateway uses HTTPS on port 443 to communicate with IT-Conductor cloud services hosted on the public network under the DNS name agents.itconductor.com

Please ensure that firewall rules and routing are properly configured. You can test access from the gateway SSH session by executing the following command:

curl -I https://agents.itconductor.com/status

If all is working properly the following output should be produced:

HTTP/2 200
date: Mon, 29 Jul 2024 20:58:25 GMT
content-security-policy: default-src 'self' http://docs.itconductor.com ; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://docs.itconductor.com ; style-src 'self' http://docs.itconductor.com data: 'unsafe-inline' *.google.com *.googleapis.com; connect-src 'self' blob: https://*.google.com; form-action 'self' http://docs.itconductor.com ; frame-ancestors 'self' http://docs.itconductor.com ; img-src 'self' *.itconductor.com *.gstatic.com http://translate.google.com blob: data: 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com fonts.googleapis.com blob: https://*.google.com data: 'unsafe-inline'; report-uri /cspReportViolation;
x-xss-protection: 1
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
content-type: text/html
cache-control: no-store
content-length: 0

 

On-premise Applications

In addition to connecting to IT-Conductor cloud services on the public network, the gateway needs to be able to access the systems and applications on the private network. Routing to application-specific hosts may need to be configured in the gateway host's routing settings.

Depending on the application type, the relevant hosts, protocols and ports need to be enabled in the firewall for outgoing connections.

SAP NW (ABAP)

Name               Range          Rule
SAP Dispatcher     3200-3299      32<NN>
Gateway            3300-3399      33<NN>
Gateway secured    4800-4899      48<NN>
Message server     3600-3699      36<NN>

SAP J2EE

Name     Range          Rule
P4       50004-59904    5<NN>04
HTTP     50000-59900    5<NN>00
HTTPS    50001-59901    5<NN>01

HANA

Name                      Range          Rule
SQL (SystemDB)            30013-39913    3<NN>13
SQL (Tenant DB Single)    30015-39915    3<NN>15
SQL (Tenant DB Multi)     30041-39998    3<NN>41[+3]

Host Agent

Name           Range          Rule
HTTP           50013-59913    5<NN>13
HTTPS          50014-59914    5<NN>14
DB/OS HTTP     1128
DB/OS HTTPS    1129
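One way to turn the <NN> rules in the SAP NW (ABAP), SAP J2EE, HANA and Host Agent tables into exact ports for one instance and test them from the gateway SSH session, so that firewall rules can allow specific ports rather than the whole ranges. This is an added example, not IT-Conductor code; it assumes <NN> is the two-digit SAP instance number and that bash and coreutils timeout exist on the gateway, and the function names and the host name in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example (not IT-Conductor code): expand the <NN> rules from the tables
# above for one instance number, then probe each port from the gateway host.

# ports_for TYPE NN: print "name port" lines; return 2 on invalid input.
ports_for() {
  case $2 in
    [0-9][0-9]) ;;                      # NN is exactly two digits, 00-99
    *) echo "instance number must be 00-99" >&2; return 2 ;;
  esac
  case $1 in
    abap)      printf '%s\n' "dispatcher 32$2" "gateway 33$2" \
                 "gateway-secured 48$2" "message-server 36$2" ;;
    j2ee)      printf '%s\n' "p4 5${2}04" "http 5${2}00" "https 5${2}01" ;;
    hana)      # Tenant DB Multi: only the base port 3<NN>41 is listed; further
               # tenants follow the table's [+3] rule and are not expanded here.
               printf '%s\n' "sql-systemdb 3${2}13" "sql-tenant-single 3${2}15" \
                 "sql-tenant-multi-base 3${2}41" ;;
    hostagent) printf '%s\n' "http 5${2}13" "https 5${2}14" \
                 "db-os-http 1128" "db-os-https 1129" ;;
    *) echo "unknown type: $1 (abap|j2ee|hana|hostagent)" >&2; return 2 ;;
  esac
}

# probe HOST PORT: succeed if a TCP connection opens within 3 seconds.
# Assumption: coreutils `timeout` and bash (for /dev/tcp) exist on the gateway.
probe() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# check_host HOST TYPE NN: report each derived port; return 1 if any probe fails.
check_host() {
  list=$(ports_for "$2" "$3") || return 2
  rc=0
  while read -r name port; do
    if probe "$1" "$port"; then echo "open   $1:$port ($name)"
    else echo "FAILED $1:$port ($name)"; rc=1; fi
  done <<EOF
$list
EOF
  return $rc
}

# Runs only with three arguments; the host name here is hypothetical:
#   sh check_ports.sh sap01.example.internal abap 00
if [ "$#" -eq 3 ]; then check_host "$@"; fi
```

A failed probe means the TCP connection did not open within three seconds, which can be a firewall rule, missing routing, or a service that is not listening on that port.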

 

SAP BusinessObjects

Server Intelligence Agent (SIA) port, default 6410
Central Management Server (CMS) port, default 6400

For distributed clustered environments with multiple CMS, unique ports are assigned to each CMS and SIA node, normally 640<n> and 641<n> respectively.

SAP BusinessObjects DataServices

Default: 6405 (REST API)

SAP Cloud Connector

Default: 8443 (REST API)

SAP DB

Defaults:

7210 - unencrypted over TCP

7260 - unencrypted over SAP NI

7270 - TLS over SAP NI

SAP ASE

JDBC Client ports are configurable - please consult your DBA

Default: 4901

ORACLE (DBMS)

JDBC Client ports are configurable - please consult your DBA

Default: 1521

Microsoft SQL Server

JDBC Client ports are configurable - please consult your DBA

Default: 1433

InterSystems IRIS

JDBC Client ports are configurable - please consult your DBA

Default: 1972 (JDBC)

Linux

Port 22 (SSH)

Windows

HTTP: 5985 (WinRM)

HTTPS: 5986 (WinRM)

CIFS (aka SMB, Windows FileServer protocol)

445 (TCP)

Veeam Backup Server

Default: 9419 (REST API)

Syslog Server

Default: 514 TCP and UDP (incoming)

Cloud Based Applications and Platforms

443 (HTTPS)

Other Systems and Applications

See specific system/application configuration for port ranges