01-16-2012 03:31 AM - edited 03-17-2019 10:44 PM
Hi Everyone,
I have a TMS in a DMZ and a couple of C20s in the LAN.
I have opened the following ports from the DMZ to the C20: 80, 443 TCP and 161 UDP. But TMS can't reach the C20.
What are the correct ports to open in the firewall to add the C20 to TMS?
Thanks,
Carlo
01-16-2012 05:35 AM
Carlo,
You should refer to the Cisco TMS Admin Guide, in particular the section that discusses Support for Remote Systems/SoHo systems, on what is required when adding a remote system to Cisco TMS:
01-17-2012 05:07 AM
Hi, I have checked that the ports required in the manual (TCP 80, 443 and UDP 161)
are open in my firewall.
Any suggestions?
01-17-2012 05:18 AM
If possible, the easiest way to add a remote system to Cisco TMS is to first have the system registered in Cisco TMS before you bring it to the remote location. Before you unplug it, go to Edit Settings in the Settings tab for the system and click Enforce Management Settings. If the system will be behind a firewall that is not open or doesn’t have HTTP or HTTPS ports opened up, you also have to go to the Connection tab on that endpoint and change System Connectivity to Behind Firewall. Cisco TMS will then set the management address on that system to Cisco TMS external management address. When the system is plugged in from the remote location, the system will then send a boot event to Cisco TMS and from then on the system will be available from Cisco TMS, i.e. heartbeat.
If the above isn't possible, then you'll need to set the external management address of Cisco TMS on the endpoint. Note that this is the address that you've configured in TMS at Admin Tools > Configuration > Network Settings > Advanced Network Settings for Systems on Public Internet/Behind Firewall. When this has been set, the endpoint will send a register event to Cisco TMS, and when Cisco TMS receives this and notices that the system is not already in Cisco TMS, it will add it to a list. One must then add the system to Cisco TMS afterwards.
If your system is in public, not behind a firewall or behind a firewall that has opened up the HTTP or HTTPS ports, it is advised to change the system connectivity on the system to Reachable on Public Internet. This way it will also be possible for Cisco TMS to set up calls where the endpoint is calling out, and not only being called to.
01-17-2012 03:11 PM
Hi Dale!
Btw, what is the difference between the communication for "on public internet" vs. "on LAN"?
Does public internet skip SNMP traps and prefer HTTPS, or what happens there?
Martin
Please remember to rate helpful responses and identify
01-19-2012 01:15 AM
The two Reachable On connectivities are pretty much the same, except for the management URL they get when you enforce management settings: each picks a different address from the ones configured in the Network Settings. In both cases systems can be reached directly, and the same protocol will be used for both.
Behind FW is different because TMS cannot reach these systems; they will communicate with TMS using the SOHO heartbeat mechanism as described in the Admin Guide.
01-19-2012 03:18 AM
OK, sure, the FQDN under "Advanced Network Settings for Systems on Public Internet/Behind Firewall".
Anyhow, it might be handy if that config were extended to have an option like:
* on external communication, allow only secure communication
which should also disallow unencrypted HTTP, SNMP, FTP, ... from and to the endpoint.
01-19-2012 02:28 PM
It may be that your endpoint is configured for the DNS name of TMS and does not have DNS configured, or a proxy sits between your C20 and TMS that requires authentication.
Can you browse to the feedback URL (you can get it from an xstatus feed command) from a PC that is on the same subnet as the C20?
01-17-2012 03:08 PM
Hi Carlo!
I would assume you have done something not 100% correct.
You said DMZ, do you have any kind of NAT in between?
How does it look when you try to add a system, some screenshots would be handy.
I would do a tcpdump/Wireshark capture on the endpoint and on the TMS and compare what is sent/received.
A look inside the log files has also never harmed :-)
Did you try to access the HTTP and HTTPS interface of the endpoint from the TMS?
Btw, for sysadmin reasons I would also open SSH from the TMS to the endpoints.
Please vote on the answers!
01-20-2012 01:59 AM
Hi ,
thanks to all.
I resolved this issue by opening UDP 161. The firewall wasn't configured correctly.
The last question: if port 161 UDP was blocked by the firewall, why, when I added the C20 in TMS with
"Discover Non-SNMP Systems" checked, was the TMS response "system not found"?
01-20-2012 02:57 AM
Good to hear that you resolved it, Carlo, and thanks for the feedback. As for your question, it could be that the IP address, DNS name or IP range you entered simply couldn't be resolved by TMS because of the FW. At any rate, case resolved. Happy trails with the Cisco TMS.
01-20-2012 02:31 PM
This should work without SNMP for the SOHO feature. I have a C20 working with a TMS server with only ports 80/443 open to the TMS server.
01-21-2012 09:51 AM
The most you can do if behind a firewall is to more or less "pre-register" the endpoint in TMS.
If he added the system in TMS, it might not work: the add failed, so it might not have set up the TMS parameters on the
endpoint. In this case he would have had to set the parameters on the endpoint so that the system tries to connect to
the TMS; then it should have shown up as "behind firewall".
But this would be a bad workaround, as we already know the issue here: wrong firewall settings.
So if it is expected to work, then the network is most likely a good place to start looking.
Besides that, the recommendation to check the DNS entries is also valid and should be done anyhow.
Also check on the TMS network settings page that the FQDNs are properly set.
Martin