Chapter 10 449
Tuning, Troubleshooting, Security, and Maintenance
ITO Security
NOTE Although the allowed port range of given managed nodes may differ if the managed nodes are connected to the ITO management server through a different router, all managed nodes that use the same router must use the same port range.
Figure 10-2 Compulsory Firewall Port Ranges in ITO
The DCE environment variable RPC_RESTRICTED_PORTS restricts the DCE RPC server runtime, which otherwise occasionally opens additional ports outside the range specified in ITO when it is called by clients over UDP. Since the managed nodes may make DCE RPC calls (over UDP) to the rpcd on the management server, it is important that the rpcd/dced on the management server runs in an environment where the value of RPC_RESTRICTED_PORTS matches the port range defined both on the ITO management server and at the firewall. Set the value of RPC_RESTRICTED_PORTS in the DCE system startup files as follows. For example:
NOTE Whatever protocol you choose in the ITO GUI for RPC connections, the allowed port range you define must always be open for TCP in both directions at the firewall to allow for bulk data transmission.
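As an added example that is not part of the ITO manual, the following POSIX shell check verifies that a candidate RPC_RESTRICTED_PORTS value keeps every DCE RPC port range inside the range opened at the firewall before the value goes into the DCE startup files. The value syntax `protseq[lo-hi,...]:protseq[lo-hi]`, the protocol-sequence names ncacn_ip_tcp and ncadg_ip_udp, and the 12000-12100 range are assumptions, not values taken from this page.

```shell
#!/bin/sh
# Added example, not from the ITO manual: verify that a candidate
# RPC_RESTRICTED_PORTS value keeps every DCE RPC port range inside the range
# opened at the firewall, before the value goes into the DCE startup files.
# Assumed value syntax (OSF DCE convention; check your DCE documentation):
#   protseq[lo-hi,lo-hi,...]:protseq[lo-hi]
# e.g. ncacn_ip_tcp[12000-12100]:ncadg_ip_udp[12000-12100]

# ranges_within VALUE FW_LO FW_HI
# Returns 0 when every range in VALUE lies within FW_LO-FW_HI, 1 otherwise;
# each offending range is reported on stderr.
ranges_within() {
    value=$1; fw_lo=$2; fw_hi=$3; rc=0
    if [ -z "$value" ]; then
        echo "RPC_RESTRICTED_PORTS is empty: the RPC runtime is unrestricted" >&2
        return 1
    fi
    set -f                      # no pathname expansion of the [..] brackets
    saved_ifs=$IFS; IFS=:       # split into per-protocol-sequence entries
    set -- $value
    IFS=$saved_ifs
    for entry in "$@"; do
        protseq=${entry%%\[*}
        list=${entry#*\[}; list=${list%\]}
        IFS=,                   # split the entry into individual ranges
        set -- $list
        IFS=$saved_ifs
        for range in "$@"; do
            lo=${range%-*}; hi=${range#*-}   # a single port gives lo == hi
            if [ "$lo" -gt "$hi" ] || [ "$lo" -lt "$fw_lo" ] || [ "$hi" -gt "$fw_hi" ]; then
                echo "$protseq: $lo-$hi is outside the firewall range $fw_lo-$fw_hi" >&2
                rc=1
            fi
        done
    done
    set +f
    return $rc
}

# Constructed values: the firewall opens 12000-12100 for TCP and UDP.
RPC_RESTRICTED_PORTS='ncacn_ip_tcp[12000-12100]:ncadg_ip_udp[12000-12100]'
export RPC_RESTRICTED_PORTS
if ranges_within "$RPC_RESTRICTED_PORTS" 12000 12100; then
    echo "RPC_RESTRICTED_PORTS matches the firewall range"
fi
```

Run the check against the range in the firewall rule for each router path, since managed nodes behind different routers may use different ranges.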
[Figure 10-2 shows the ITO management server and an ITO managed node with the two port ranges, Range 1 and Range 2, that must be opened at the firewall.]