Gateway Network Setup

PreviousGateway Setup NextIT-Conductor Gateway Setup on Windows

Last updated 8 months ago

Gateway Network Setup

IT-Conductor Gateway is a reverse proxy and requires specific port configurations and network access.

Important

IT-Conductor Gateway does not require the incoming connections to be enabled aside for the following exceptions:

SSH (Port 22) access to the host from the tenant's internal network for gateway configuration and troubleshooting.
Remote Gateway Configuration (port 8080). Not recommended, instead, use SSH and the command line interface. (Optional)
API Server (Port 8889) for local IT-Conductor Alert API (Optional)
IT-Conductor RSyslog Server (Port 514 UDP or TCP) (Optional)

IT-Conductor Cloud

Ensure that firewall rules and routing are properly configured. You can test access from the gateway SSH session by executing the following command:

curl -I https://agents.itconductor.com/status

If all is working properly the following output should be produced:

HTTP/2 200
date: <Day of the Week>, <Day> <Month> <Year> <Time>
content-security-policy: default-src 'self' http://docs.itconductor.com ; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://docs.itconductor.com ; style-src 'self' http://docs.itconductor.com  data: 'unsafe-inline' *.google.com *.googleapis.com; connect-src 'self' blob: https://*.google.com; form-action 'self' http://docs.itconductor.com ; frame-ancestors 'self' http://docs.itconductor.com ; img-src 'self' *.itconductor.com *.gstatic.com http://translate.google.com  blob: data: 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com fonts.googleapis.com blob: https://*.google.com data: 'unsafe-inline'; report-uri /cspReportViolation;
x-xss-protection: 1
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
content-type: text/html
cache-control: no-store
content-length: 0

On-Premise Applications

In addition to connecting to IT-Conductor cloud services on the public network, the gateway needs to be able to access systems and applications on the private network. The routing to application-specific hosts may require configuration in the gateway host routing settings.

Depending on the application type, the firewall must have the appropriate hosts, protocols, and ports enabled for incoming connection to the respective application from the IT-Conductor gateway.

SAP NetWeaver (ABAP)

Name

Port Range

Rule

SAP Dispatcher

3200-3299

32<NN>

Gateway

3300-3399

33<NN>

Secured Gateway

4800-4899

48<NN>

Message Server

3600-3699

36<NN>

SAP J2EE

Name

Port Range

Rule

P4 (JMX)

50004-59904

5<NN>04

P4S (JMX Secure)

50006-59906

5<NN>06

HTTP

50000-59900

5<NN>00

HTTPS

50001-59901

5<NN>01

SAP HANA

Name

Port Range

Rule

SQL (SystemDB)

30013-39913

3<NN>13

SQL (Tenant DB Single)

30015-39915

3<NN>15

SQL (Tenant DB Multi)

30041-39998

3<NN>41[+3]

Host Agent

Name

Port Range

Rule

HTTP

50013-59913

5<NN>13

HTTPS

50014-59914

5<NN>14

DB/OS HTTP

1128

DB/OS HTTPS

1129

Other Systems and Applications

For other systems and applications, see port configurations below:

Name

Port

Cloud-based Applications and Platforms

HTTPS: 443

SAP BusinessObjects

Default: 6410 (SIA (Server Intelligence Agent) port)
Default: 6400 (Central Management Server (CMS) port)
For distributed clustered environments with multiple CMS, unique ports are assigned to each CMS and SIA node, normally 640<n> and 641<n>, respectively.

SAP BusinessObjects DataServices

Default: 6405 (REST API)

SAP Cloud Connector

Default: 8443 (REST API)

SAP DB

Default: 7210 (Unencrypted over TCP)
Default: 7260 (Unencrypted over SAP NI)
Default: 7270 (TLS over SAP NI)

SAP ASE

Default: 4901
JDBC client ports are configurable. Please consult your DBA.

InterSystems IRIS

Default: 1972 (JDBC)
JDBC client ports are configurable. Please consult your DBA.

Microsoft SQL Server

Default: 1433
JDBC client ports are configurable. Please consult your DBA.

Oracle (DBMS)

Default: 1521
JDBC client ports are configurable. Please consult your DBA.

Linux

SSH: 22

Windows

WinRM/HTTP: 5985
WinRM/HTTPS: 5986

CIFS (aka SMB, Windows File Server protocol)

TCP: 445

Veeam Backup Server

Default: 9419 (REST API)

Syslog Server

TCP and UDP (Incoming): 514

PreviousGateway Setup NextIT-Conductor Gateway Setup on Windows

Last updated 8 months ago

IT-Conductor Gateway is a reverse proxy and requires specific port configurations and network access.

Important

IT-Conductor Gateway does not require the incoming connections to be enabled aside for the following exceptions:

SSH (Port 22) access to the host from the tenant's internal network for gateway configuration and troubleshooting.
Remote Gateway Configuration (port 8080). Not recommended, instead, use SSH and the command line interface. (Optional)
API Server (Port 8889) for local IT-Conductor Alert API (Optional)
IT-Conductor RSyslog Server (Port 514 UDP or TCP) (Optional)

IT-Conductor Cloud

The gateway is using HTTPS port 443 to communicate with IT-Conductor cloud services hosted on the public network as DNS name:

Ensure that firewall rules and routing are properly configured. You can test access from the gateway SSH session by executing the following command:

curl -I https://agents.itconductor.com/status

If all is working properly the following output should be produced:

HTTP/2 200
date: <Day of the Week>, <Day> <Month> <Year> <Time>
content-security-policy: default-src 'self' http://docs.itconductor.com ; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://docs.itconductor.com ; style-src 'self' http://docs.itconductor.com  data: 'unsafe-inline' *.google.com *.googleapis.com; connect-src 'self' blob: https://*.google.com; form-action 'self' http://docs.itconductor.com ; frame-ancestors 'self' http://docs.itconductor.com ; img-src 'self' *.itconductor.com *.gstatic.com http://translate.google.com  blob: data: 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com fonts.googleapis.com blob: https://*.google.com data: 'unsafe-inline'; report-uri /cspReportViolation;
x-xss-protection: 1
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
content-type: text/html
cache-control: no-store
content-length: 0

On-Premise Applications

Depending on the application type, the firewall must have the appropriate hosts, protocols, and ports enabled for incoming connection to the respective application from the IT-Conductor gateway.

SAP NetWeaver (ABAP)

Name

Port Range

Rule

SAP Dispatcher

3200-3299

32<NN>

Gateway

3300-3399

33<NN>

Secured Gateway

4800-4899

48<NN>

Message Server

3600-3699

36<NN>

SAP J2EE

Name

Port Range

Rule

P4 (JMX)

50004-59904

5<NN>04

P4S (JMX Secure)

50006-59906

5<NN>06

HTTP

50000-59900

5<NN>00

HTTPS

50001-59901

5<NN>01

SAP HANA

Name

Port Range

Rule

SQL (SystemDB)

30013-39913

3<NN>13

SQL (Tenant DB Single)

30015-39915

3<NN>15

SQL (Tenant DB Multi)

30041-39998

3<NN>41[+3]

Host Agent

Name

Port Range

Rule

HTTP

50013-59913

5<NN>13

HTTPS

50014-59914

5<NN>14

DB/OS HTTP

1128

DB/OS HTTPS

1129

Other Systems and Applications

For other systems and applications, see port configurations below:

Name

Port

Cloud-based Applications and Platforms

HTTPS: 443

SAP BusinessObjects

Default: 6410 (SIA (Server Intelligence Agent) port)
Default: 6400 (Central Management Server (CMS) port)
For distributed clustered environments with multiple CMS, unique ports are assigned to each CMS and SIA node, normally 640<n> and 641<n>, respectively.

SAP BusinessObjects DataServices

Default: 6405 (REST API)

SAP Cloud Connector

Default: 8443 (REST API)

SAP DB

Default: 7210 (Unencrypted over TCP)
Default: 7260 (Unencrypted over SAP NI)
Default: 7270 (TLS over SAP NI)

SAP ASE

Default: 4901
JDBC client ports are configurable. Please consult your DBA.

InterSystems IRIS

Default: 1972 (JDBC)
JDBC client ports are configurable. Please consult your DBA.

Microsoft SQL Server

Default: 1433
JDBC client ports are configurable. Please consult your DBA.

Oracle (DBMS)

Default: 1521
JDBC client ports are configurable. Please consult your DBA.

Linux

SSH: 22

Windows

WinRM/HTTP: 5985
WinRM/HTTPS: 5986

CIFS (aka SMB, Windows File Server protocol)

TCP: 445

Veeam Backup Server

Default: 9419 (REST API)

Syslog Server

TCP and UDP (Incoming): 514