Security Zones: Private vs. Public

The Advanced Remote Management (ARM) system is divided into two security zones, Public/DMZ and Private/Admin, even when every component is deployed on a single server. The Public zone contains the Admin and Anchor Services and the Connection Proctor; the Private zone contains the Database and the Data Services.

Security zones should be separated by hardware and/or software firewalls that allow only the specific traffic, on the specific ports and in the prescribed direction, listed below; all other traffic between zones should be denied.

In a multiple-server environment, the servers hosting the Private zone components will be on their own LAN segment or VLAN with no access to the outside world. Ports between servers within the Private zone should be opened only per the firewall rules defined in the next section.

Internal Ports

The chart below summarizes which ports are used by which services. The Incoming column lists the component that listens on the port; the Outgoing column lists the components that initiate connections to it. A firewall rule for a row should therefore accept traffic on that port only from the Outgoing components to the Incoming component.

Port #       Incoming Components/Services        Outgoing Components/Services
53/389/636   Active Directory (AD),              Data Tier Proxy (DTP),
             Directory Services (DS),            Service Coordinator (SVC),
             Domain Name Service (DNS)           AetherPal Tool Controller (ACS)
1433         Database Server (DB)                Admin/Anchor (ADM/ANC)
8865         Data Tier Proxy (DTP)               Admin/Anchor (ADM/ANC),
                                                 Management Entity (ME),
                                                 Connection Proctor (CP),
                                                 Service Coordinator (SVC),
                                                 AetherPal Tool Controller (ACS)
8866         Messaging Entity (MSG)              Admin/Anchor (ADM/ANC)
8867         Data Access Proxy (DAP)             Data Tier Proxy (DTP)
8870         Service Coordinator (SVC)           Admin/Anchor (ADM/ANC),
                                                 Management Entity (ME),
                                                 Connection Proctor (CP)
12780        Connection Proctor (CP)             Management Entity (ME)

Public Ports

Incoming web traffic for Admin/Anchor and the Connection Proctor requires that the following ports be open to the public network.

443 – Admin/Anchor (ADM/ANC)

8446 – Connection Proctor (CP)

Note: If the managed devices and the CP server are located internally and can already reach these services, these ports do not need to be publicly available and should not be exposed.
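The internal port chart and the public port list above together define one allow-list policy. The following Python is an added example, not code from the ARM documentation or from AetherPal: it encodes the chart as data, answers "may component X connect to component Y on port P?", emits a default-deny nftables input chain for the host running a given component, and audits observed flows against the chart. The host addresses, the use of nftables, and the assumption that all listed ports are TCP (with UDP 53 added for DNS) are illustrative assumptions, not statements from the page.

```python
"""Model the ARM port chart as an allow-list policy.

Added example, not part of the ARM documentation or the vendor's tooling.
The component/port matrix comes from the chart; host addresses, nftables
syntax choice and TCP-only (plus UDP 53) are assumptions for illustration.
"""
from typing import Dict, List, Set, Tuple

Flow = Tuple[Tuple[int, ...], Set[str], Set[str]]

# Internal chart rows: (ports, components that listen, components that connect).
INTERNAL_FLOWS: List[Flow] = [
    ((53, 389, 636), {"AD", "DS", "DNS"}, {"DTP", "SVC", "ACS"}),
    ((1433,), {"DB"}, {"ADM", "ANC"}),
    ((8865,), {"DTP"}, {"ADM", "ANC", "ME", "CP", "SVC", "ACS"}),
    ((8866,), {"MSG"}, {"ADM", "ANC"}),
    ((8867,), {"DAP"}, {"DTP"}),
    ((8870,), {"SVC"}, {"ADM", "ANC", "ME", "CP"}),
    ((12780,), {"CP"}, {"ME"}),
]

# Public ports: the listening component accepts connections from any source.
PUBLIC_PORTS: Dict[str, int] = {"ADM": 443, "ANC": 443, "CP": 8446}

# Hypothetical addresses for a multi-server deployment (assumption).
HOSTS: Dict[str, str] = {
    "ADM": "10.0.1.10", "ANC": "10.0.1.11", "CP": "10.0.1.20",     # Public/DMZ
    "DB": "10.0.2.10", "DTP": "10.0.2.11", "DAP": "10.0.2.12",     # Private
    "MSG": "10.0.2.13", "SVC": "10.0.2.14", "ME": "10.0.2.15",
    "ACS": "10.0.2.16",
    "AD": "10.0.3.10", "DS": "10.0.3.12", "DNS": "10.0.3.11",      # directory/DNS
}


def allowed(src: str, dst: str, port: int) -> bool:
    """True if the chart permits `src` to open a connection to `dst` on `port`.

    `src` may be "*" for an unknown/external source; only public ports accept it.
    """
    for ports, listeners, initiators in INTERNAL_FLOWS:
        if port in ports and dst in listeners and src in initiators:
            return True
    return PUBLIC_PORTS.get(dst) == port


def nft_input_rules(component: str, public_exposed: bool = True) -> List[str]:
    """nftables input-chain rules for the host running `component`.

    Default policy is drop; only (source, port) pairs from the chart are accepted.
    public_exposed=False models the note above: devices and CP are internal,
    so 443/8446 are not opened to the world.
    """
    rules = [
        "table inet arm {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for ports, listeners, initiators in INTERNAL_FLOWS:
        if component not in listeners:
            continue
        srcs = ", ".join(sorted(HOSTS[c] for c in initiators))
        for port in ports:
            rules.append(f"    ip saddr {{ {srcs} }} tcp dport {port} accept")
            if port == 53:  # DNS normally needs UDP too; chart is silent (assumption)
                rules.append(f"    ip saddr {{ {srcs} }} udp dport 53 accept")
    if public_exposed and component in PUBLIC_PORTS:
        rules.append(f"    tcp dport {PUBLIC_PORTS[component]} accept")
    rules += ["  }", "}"]
    return rules


def audit_flows(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return observed (src_ip, dst_ip, port) tuples that the chart does not permit.

    Intended for flow or firewall logs; an unknown source IP is treated as "*".
    """
    by_ip = {ip: comp for comp, ip in HOSTS.items()}
    violations = []
    for src_ip, dst_ip, port in flows:
        src = by_ip.get(src_ip, "*")
        dst = by_ip.get(dst_ip)
        if dst is None or not allowed(src, dst, port):
            violations.append((src_ip, dst_ip, port))
    return violations


if __name__ == "__main__":
    print("\n".join(nft_input_rules("DB")))
    # Constructed sample flows: ADM->DB:1433 is allowed, CP->DB:1433 is not.
    sample = [("10.0.1.10", "10.0.2.10", 1433), ("10.0.1.20", "10.0.2.10", 1433),
              ("203.0.113.5", "10.0.1.20", 8446)]
    print("violations:", audit_flows(sample))
```

The rule generator is per-host on purpose: a Private zone server such as the Database gets only the 1433 rule from the ADM/ANC addresses, so an unexpected peer (for example the Connection Proctor) is dropped even though it sits in a trusted zone. The audit function is the matching detection step: feed it flow records and anything outside the chart is reported.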