Preparing Your Environment
OmniCenter uses existing manufacturer APIs to collect data from systems without having to install additional agents. Whenever practical, Netreo recommends installing OmniCenter on a core network, inside any firewalls used for perimeter protection. Because OmniCenter uses a wide variety of protocols for management (including direct connections to applications for monitoring and management), this placement greatly simplifies implementation. Additionally, there are a few things you can do before installing OmniCenter to make your evaluation as easy as possible.
Please make sure that your environment is able to provide OmniCenter with the minimum resources required for operation. See the Hardware Performance Guide for the OmniCenter Virtual Appliance for applicable resource requirements.
Having the necessary credentials for your network handy while configuring OmniCenter will make the initial setup go much more quickly and smoothly. Here’s a list of credentials to gather before you begin:
- Any relevant SNMP read-only strings for devices on your network.
- WMI/WinRM credentials to access Windows devices.
- SSH/Telnet credentials for configuration management.
See the article on allowable password characters before choosing credentials.
SNMP (Simple Network Management Protocol) is the main protocol used for Linux servers and network devices (such as routers, switches, firewalls, and load balancers). It provides a simple, efficient, standardized way of collecting data from devices. SNMP uses the concept of a “community string” (which functions much like a password) to authorize connections to the device.
- Netreo recommends the use of SNMPv2c for most customer environments.
- Configure the SNMP community string with read-only permissions.
- Restrict SNMP access by using the filter or access-list functionality of the device under management to limit access to the specific IP address of the OmniCenter appliance.
- Note: In high-availability deployments, make sure the access list includes the IP addresses of all OmniCenter appliances.
- Read-write access is not generally required for OmniCenter to fully monitor devices and should not be left enabled.
- Ensure your edge routers or firewalls are blocking SNMP traffic from the Internet and from non-controlled networks.
Although SNMPv2c does not provide encryption, as long as you are monitoring internal systems from inside your security perimeter, this generally does not create a significant security threat, as the information that can be gathered with read-only permissions is fairly limited.
If you are monitoring systems over the public Internet or other shared networks (where packet capture and eavesdropping are potential security risks), OmniCenter supports the use of SNMPv3 for greater security. Under these conditions, Netreo recommends the use of AUTHPRIV mode only. Be sure to check that the devices you wish to manage support SNMPv3 in AUTHPRIV mode. Other SNMPv3 modes add overhead without enhancing security.
Due to the higher overhead and lower performance offered by SNMPv3, customers should consider the implications carefully before deciding to standardize on SNMPv3. For assistance and advice specific to your environment and configuration, please review the article SNMP Security Best Practices or feel free to contact Netreo Support.
- SNMP uses port UDP/161 for polled data collection and port UDP/162 for Trap messages (originating from the device to OmniCenter).
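As an added example (not Netreo's or OmniCenter's code), the following Python script audits a net-snmp snmpd.conf, the agent configuration on the Linux servers mentioned above, against the SNMP guidance in this section: communities must be read-only, restricted to the appliance address, and SNMPv3 users must be limited to AUTHPRIV. The directive syntax (rocommunity, rwcommunity, rouser, rwuser, createUser) is net-snmp's own; the sample configuration and the appliance address 10.0.0.5 are constructed for the example.

```python
"""Audit a net-snmp snmpd.conf for read-only, source-restricted SNMP access.

Added example; not part of OmniCenter or any Netreo tooling. The sample
configuration below and the poller address 10.0.0.5 are constructed.
"""
import shlex

# Constructed sample: one well-restricted community, one open community,
# a read-write community, and two SNMPv3 users (authPriv and auth-only).
SAMPLE_SNMPD_CONF = """\
# Read-only, restricted to the OmniCenter appliance (constructed address)
rocommunity monitorRO 10.0.0.5
# Read-only but reachable from any source
rocommunity public default
# Read-write community left enabled
rwcommunity private 10.0.0.5
createUser ocv3 SHA "authpass-example" AES "privpass-example"
rouser ocv3 priv
createUser weakv3 MD5 "authonly-example"
rouser weakv3 auth
"""


def parse_snmpd_conf(text):
    """Return (directive, args) tuples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted passphrases
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_snmpd_conf(text, allowed_sources):
    """Return a list of finding strings; an empty list means no issues found.

    allowed_sources: set of source strings (addresses or prefixes exactly as
    written in the config) that may poll this agent, e.g. the appliance IPs.
    """
    findings = []
    for directive, args in parse_snmpd_conf(text):
        # Read-write access is not needed for monitoring.
        if directive in ("rwcommunity", "rwuser"):
            findings.append(
                f"{directive} {args[0]}: read-write access enabled; "
                "monitoring only needs read-only")
        # Communities must be restricted to the poller's address.
        if directive in ("rocommunity", "rwcommunity"):
            source = args[1] if len(args) > 1 else "default"
            if source == "default" or source not in allowed_sources:
                findings.append(
                    f"{directive} {args[0]}: source '{source}' is not "
                    "restricted to the appliance address(es)")
        # createUser NAME AUTHPROTO "authpass" [PRIVPROTO "privpass"]
        if directive == "createuser":
            if len(args) < 5:
                findings.append(
                    f"createUser {args[0]}: no privacy protocol/key, "
                    "so AUTHPRIV is impossible for this user")
        # rouser/rwuser NAME [noauth|auth|priv]; net-snmp defaults to auth.
        if directive in ("rouser", "rwuser"):
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append(
                    f"{directive} {args[0]}: security level '{level}' "
                    "permits access without encryption (AUTHPRIV recommended)")
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_SNMPD_CONF, {"10.0.0.5"}):
        print(finding)
```

Run it against a real snmpd.conf by reading the file into audit_snmpd_conf with the set of OmniCenter appliance addresses (all of them in a high-availability deployment). Source matching is by exact string, so a prefix such as 10.0.0.0/24 has to be listed in the same form it appears in the configuration.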
WMI and WSMAN are protocols used to collect data from Windows servers. WMI is enabled by default on all versions of Windows since 2003. WSMAN is installed by default on Windows servers since 2008, but must be enabled manually. The primary difference is that WSMAN uses an encrypted web API for data collection—which is much simpler to configure if the traffic has to traverse a firewall.
Either of these requires an account with administrator privileges or DCOM permissions on the device to be managed. See Limiting WMI permissions for more information on how to use non-administrator accounts to access Windows statistics.
- WMI: TCP/135 and all high ports (1024-65535), bidirectionally.
- WSMAN: Port TCP/5985 originating from OmniCenter.
Security and Access
OmniCenter can operate without Internet access; however, licensing, software updates, and remote support are greatly simplified with some basic Internet access. The following is a list of IP addresses and ports that can be configured on your outbound firewall to safely allow OmniCenter the access it needs.
For remote technical support and customization, allow:
- Port: TCP/443
If the above port is not available, the system can be configured to use these alternate ports instead by contacting Netreo Support:
- Port: TCP/5000
- Port: UDP/1194
(Application-aware firewalls will need to configure this as SSL/TLS and OpenVPN.)
For automatic OmniCenter licensing, allow:
- Port: TCP/443
(Application-aware firewalls will need to configure this as SSL/TLS or HTTPS.)
For software update support, allow:
- Port: TCP/80
- Port: TCP/443
For OmniCenter Mobile and Cloud features:
Netreo uses a wide variety of dynamic technologies to route and assign users to the best or closest cloud-hosted server, so it is not possible to restrict access to a group of IP addresses. Netreo recommends allowing outbound access for SSL/TLS or HTTPS on port 443. If your firewall allows you to restrict access by domain name, you can use the following destinations (all are port TCP/443):
For geocoding information used by the OmniCenter Geographic Map feature, allow: