Retour
-
Titre
What ports are required to run ChangeAuditor Agent through firewall? -
Description
What ports are required to run ChangeAuditor Agent through firewall?
-
Cause
N/A -
Résolution
There are two options to deploy a ChangeAuditor Agent to a firewalled machine.
- Manually install the agent (likely the preferred method) - This can be done by copying the agent MSI (located in the extracted downloaded files \installation\msi folder) to the target server and install the file manually
- Open specific firewall ports to deploy the agent via the deployment wizard - File & Printer Sharing ports (TCP 135, UDP 137, UDP 138, TCP 139, & TCP 445). On Modern versions of Windows, only TCP port 445 is necessary.
Once the ChangeAuditor Agent is installed the following ports are required for the Agent to communicate with Coordinator / SQL / Active Directory:- SQL port 1433 (inbound) (required for 5.x Agents only)
- Change Auditor Agent port (inbound) (found by looking at the ChangeAuditor.Coordinator SCP object in AD or by viewing the Coordinator Status from the Coordinator System Tray icon)
- LDAP 389 (to all available DC\GC in the domain CA is installed and the root domain)
- Global Catalog (GC) 3268 (to all available GCs in the domain CA is installed and the root domain)
Example:Agent (originating port: RPC (dynamic)) => Coordinator (destination port from RPC range selected automatically during Coordinator installation (dynamic))
Agent (originating port: RPC (dynamic)) => SQL (destination port for SQL 1433 (Default))
Agent (originating port: RPC (dynamic)) => LDAP (destination port for LDAP (389) on available DC)
Agent (originating port: RPC (dynamic)) => GC (destination port for GC (3268) on available GC)How to find the Coordinator Agent and Client port:Coordinator Status method (version 6.9.5 and later):- Open the System Tray on the Coordinator server
- Right click The Coordinator icon and select Coordinator Status
- The Agent and Client Port are listed at the bottom of the page
ADSIEdit.msc method:- Open ADSI Edit and connect to the Default naming context
- Browse to the computer object for the ChangeAuditor Coordinator
- Expand the computer object, right-click on the ChangeAuditor.Coordinator SCP object and select "Properties"
- Double click serviceBindingInformation
- Scroll to the right
- The Client port is show as Port="xxxxx"
- The Agent port is listed as "<property key="APort" value='xxxxx' />
Agent Status method (version 6.x and later:
- Log onto a machine with a Change Auditor Agent that is currently connected
- Run the following application: C:\Program Files\QuestChangeAuditor\Agent\ServiceStatusTray.exe
- Right click on the new Change Auditor Agent icon in the system tray, and select Agent Status
- Towards the bottom of the window it will list the connected Coordinators, as well as the port.
-
Informations supplémentaires
For additional information pertaining to port requirements for non-critical functionality within the CA Client involving Agents (such as forcing a configuration refresh to an Agent (requires port 135 open from Client==>Agent) outside the normal 15 minute auto update which the Agent performs) please see "ChangeAuditor Network Communcations" section of the "Technical Insight Guide" pdf included with the ChangeAuditor installation package.