Securing connections
Applies To: Forefront Client Security
Any Client Security installation creates several connections. In addition, when you install Client Security server components on more than one computer, Client Security opens connections between various components.
Security methods for connections
The following table summarizes the methods available for securing the possible connections in all supported Client Security topologies. It is recommended that you secure all connections in your Client Security deployment. For information about securing a particular connection, see the topic referenced in the applicable row.
Component | Connection to | Topologies | Security methods |
---|---|---|---|
Collection server | Collection database | Five-server and six-server | IPsec or Object Linking and Embedding Database (OLE DB) encryption (see Securing the collection server) |
Management server | Collection server | Four-server, five-server, and six-server | IPsec or OLE DB encryption (see Securing the management server) |
Management server | Collection database | Four-server, five-server, and six-server | IPsec or SSL (see Securing database servers) |
Management server | Reporting server | Three-server, four-server, five-server, and six-server | SSL (see Securing the reporting server) |
Reporting database | Collection database | Three-server, four-server, and six-server | IPsec or SSL (see Securing database servers) |
Reporting server | Collection database | Four-server, five-server, and six-server | IPsec or SSL (see Securing database servers) |
Reporting server | Reporting database | Three-server, five-server, and six-server | IPsec or SSL (see Securing database servers) |
Distribution server | Microsoft Update or upstream WSUS server | All | SSL (see Securing the distribution server) |
Client computer (MOM agent) | Collection server | All | Mutual authentication and encryption (see Securing the collection server) |
Client computer | Distribution server or Microsoft Update | All | SSL (see Securing the distribution server) |
Client computer | Reporting server | All | SSL (see Securing the reporting server) |
Ports used by Client Security components
You should verify that the required network ports are open on firewalls or other gateway devices.
The following table lists the network ports and protocols that are used for communications between Client Security components. Depending on the configuration and location of firewalls or other gateway devices in your network, you may need to open these ports.
Component | Connection to | Topologies | Port (protocols) | Notes |
---|---|---|---|---|
Collection server | Collection database | Five-server and six-server | 1433 (TCP and UDP) | None. |
Management server | Collection server | Four-server, five-server, and six-server | 445 (TCP and UDP), 135 (TCP), and DCOM port range | Using a firewall between these two servers is not supported. The MOM Administrator and Operator consoles on the management server require a connection to the collection server. |
Management server | Collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None. |
Management server | Reporting server | Three-server, four-server, five-server, and six-server | 80 (TCP) or 443 (TCP) | Port 80 is used for HTTP and port 443 is used for HTTPS. |
Reporting database | Collection database | Three-server, four-server, and six-server | 1433 (TCP) and 1434 (UDP) | Using a firewall between these two databases is not supported. |
Reporting server | Collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None. |
Reporting server | Reporting database | Three-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None. |
Distribution server | Microsoft Update or upstream WSUS server | All | 80 (TCP) or 443 (TCP) | To obtain updates from Microsoft Update, the distribution server uses port 80 for HTTP and port 443 for HTTPS. |
Client computer (MOM agent) | Collection server | All | 1270 (TCP) and 1270 (UDP) | None. |
Client computer | Distribution server or Microsoft Update | All | 80 (TCP) or 443 (TCP) | To obtain updates from Microsoft Update, the distribution server uses port 80 for HTTP and port 443 for HTTPS. |
Client computer | Reporting server | All | 80 (TCP) or 443 (TCP) | None. |
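The following PowerShell script is an added example, not part of the Client Security documentation. It encodes the TCP port requirements from the table above and checks, from the computer it runs on, whether each required TCP port on the peer server accepts a connection, which is the verification step the text asks for before deploying behind firewalls. The server names in $Targets are placeholders you replace with your own hosts; UDP ports (1434, 1270/UDP, 445/UDP) cannot be probed with a TCP connect and are reported as skipped, and the DCOM dynamic range between the management and collection servers is not represented because it has no fixed port.

```powershell
# Added example (not from the Forefront Client Security documentation).
# Verifies TCP reachability of the ports listed in the table above, from the local computer.

$Targets = @{
    CollectionServer   = 'COLLECTION-SERVER'   # placeholder host name
    CollectionDatabase = 'COLLECTION-DB'       # placeholder host name
    ReportingServer    = 'REPORTING-SERVER'    # placeholder host name
    ReportingDatabase  = 'REPORTING-DB'        # placeholder host name
}

# Port requirements transcribed from the page's table: which role connects to which role, on which port.
# 443 is listed rather than 80 because the page recommends securing the reporting connection with SSL.
$Requirements = @(
    @{ From='Collection server'; To='CollectionDatabase'; Port=1433; Protocol='TCP' },
    @{ From='Collection server'; To='CollectionDatabase'; Port=1433; Protocol='UDP' },
    @{ From='Management server'; To='CollectionServer';   Port=445;  Protocol='TCP' },
    @{ From='Management server'; To='CollectionServer';   Port=135;  Protocol='TCP' },
    @{ From='Management server'; To='CollectionDatabase'; Port=1433; Protocol='TCP' },
    @{ From='Management server'; To='CollectionDatabase'; Port=1434; Protocol='UDP' },
    @{ From='Management server'; To='ReportingServer';    Port=443;  Protocol='TCP' },
    @{ From='Reporting server';  To='CollectionDatabase'; Port=1433; Protocol='TCP' },
    @{ From='Reporting server';  To='CollectionDatabase'; Port=1434; Protocol='UDP' },
    @{ From='Reporting server';  To='ReportingDatabase';  Port=1433; Protocol='TCP' },
    @{ From='Reporting server';  To='ReportingDatabase';  Port=1434; Protocol='UDP' },
    @{ From='Client computer';   To='CollectionServer';   Port=1270; Protocol='TCP' },
    @{ From='Client computer';   To='CollectionServer';   Port=1270; Protocol='UDP' },
    @{ From='Client computer';   To='ReportingServer';    Port=443;  Protocol='TCP' }
)

function Test-TcpPort {
    # Attempts a TCP connect with a timeout; returns $true only if the handshake completes.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ClientSecurityPorts {
    # Runs every requirement whose source role matches $Role and reports one row per port.
    param([Parameter(Mandatory=$true)][string]$Role)
    foreach ($req in $Requirements | Where-Object { $_.From -eq $Role }) {
        $target = $Targets[$req.To]
        if ($req.Protocol -eq 'UDP') {
            $status = 'skipped (UDP cannot be verified with a TCP connect)'
        } elseif (Test-TcpPort -HostName $target -Port $req.Port) {
            $status = 'open'
        } else {
            $status = 'BLOCKED'
        }
        New-Object PSObject -Property @{
            Role = $Role; Target = $target; Port = $req.Port; Protocol = $req.Protocol; Status = $status
        }
    }
}

# Run on a management server to check its required outbound connections:
Test-ClientSecurityPorts -Role 'Management server' | Format-Table Role, Target, Port, Protocol, Status -AutoSize
```

A BLOCKED row for the management server to collection server path is expected if a firewall sits between them, and the table notes that such a placement is not supported; the remedy is to remove the firewall from that path rather than to open the DCOM range.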
Opening ports in Windows Firewall
For instructions about opening ports by using Group Policy, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 (https://go.microsoft.com/fwlink/?LinkId=86556).
To open a port manually in Windows Firewall, follow the steps in the following procedure.
To open a port in Windows Firewall
1. Click Start, click Control Panel, and then double-click Windows Firewall.
2. Click the Exceptions tab, and then click Add Port.
3. In the Name box, type the name that you want.
4. In the Port number box, type the port number.
5. Select TCP or UDP, and then click OK.
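The following PowerShell script is an added example, not part of the Client Security documentation. It performs the same task as the manual procedure above for a whole server role at once, using the New-NetFirewallRule cmdlet that is available on Windows 8 / Windows Server 2012 and later (the manual procedure targets the older Windows XP SP2 firewall). Each rule is scoped to the peer addresses that actually need the port, which is tighter than the unrestricted exception the Add Port dialog creates. The addresses in $AllowedSources and the rule names are placeholders; only the port numbers come from the table on this page.

```powershell
# Added example (not from the Forefront Client Security documentation).
# Creates inbound Windows Firewall rules for one Client Security server role, restricted to its known peers.
# Requires the NetSecurity module (Windows 8 / Windows Server 2012 and later) and an elevated prompt.

$AllowedSources = @{
    ManagementServer = '10.0.0.10'      # placeholder: management server address
    ReportingServer  = '10.0.0.20'      # placeholder: reporting server address
    ClientSubnet     = '10.0.1.0/24'    # placeholder: subnet of managed client computers
}

# Inbound listeners per role, from the port table on this page.
# 443 rather than 80 is opened for the reporting server because the page recommends SSL for that connection.
$InboundRules = @{
    'Collection server' = @(
        @{ Port=1270; Protocol='TCP'; From=$AllowedSources.ClientSubnet;     Name='FCS MOM agent (TCP 1270)' },
        @{ Port=1270; Protocol='UDP'; From=$AllowedSources.ClientSubnet;     Name='FCS MOM agent (UDP 1270)' }
    )
    'Collection database' = @(
        @{ Port=1433; Protocol='TCP'; From=$AllowedSources.ManagementServer; Name='FCS SQL (TCP 1433) from management server' },
        @{ Port=1434; Protocol='UDP'; From=$AllowedSources.ManagementServer; Name='FCS SQL (UDP 1434) from management server' },
        @{ Port=1433; Protocol='TCP'; From=$AllowedSources.ReportingServer;  Name='FCS SQL (TCP 1433) from reporting server' },
        @{ Port=1434; Protocol='UDP'; From=$AllowedSources.ReportingServer;  Name='FCS SQL (UDP 1434) from reporting server' }
    )
    'Reporting server' = @(
        @{ Port=443; Protocol='TCP'; From=$AllowedSources.ClientSubnet;     Name='FCS reporting HTTPS (TCP 443) from clients' },
        @{ Port=443; Protocol='TCP'; From=$AllowedSources.ManagementServer; Name='FCS reporting HTTPS (TCP 443) from management server' }
    )
}

function Add-ClientSecurityFirewallRules {
    # Creates each inbound rule for $Role unless a rule with the same display name already exists.
    param(
        [Parameter(Mandatory=$true)][string]$Role,
        [switch]$WhatIf   # pass -WhatIf to preview without changing the firewall
    )
    if (-not $InboundRules.ContainsKey($Role)) {
        throw "Unknown role '$Role'. Known roles: $($InboundRules.Keys -join ', ')"
    }
    foreach ($rule in $InboundRules[$Role]) {
        if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($rule.Name)' already exists; skipping"
            continue
        }
        New-NetFirewallRule -DisplayName $rule.Name `
            -Direction Inbound -Action Allow `
            -Protocol $rule.Protocol -LocalPort $rule.Port `
            -RemoteAddress $rule.From `
            -Profile Domain `
            -WhatIf:$WhatIf
    }
}

# Preview the rules for a collection server, then run again without -WhatIf to apply them:
Add-ClientSecurityFirewallRules -Role 'Collection server' -WhatIf
```

The management server and reporting database roles are deliberately absent from $InboundRules: the table states that a firewall between the management server and the collection server, or between the reporting and collection databases, is not supported, so there is no rule set to create for those paths.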