12 Configuring Enterprise Manager for Firewalls

Firewalls protect a company's Information Technology (IT) infrastructure by providing the ability to restrict network traffic by examining each network packet and determining the appropriate course of action.

Firewall configuration typically involves restricting the ports that are reachable from one side of the firewall, for example the Internet. A firewall can also restrict the type of traffic that may pass through a particular port, such as allowing only HTTP. If a client attempts to connect to a restricted port (a port not covered by a security "rule") or uses a protocol that the rule does not permit, the firewall drops or rejects the connection. Firewalls can also be used within a company Intranet to restrict user access to specific servers.

You can deploy the components of Enterprise Manager Cloud Control on different hosts throughout your enterprise. These hosts can be separated by firewalls. This chapter describes how firewalls can be configured to allow communication between various Enterprise Manager components.

Planning to Configure a Firewall for the Enterprise Manager System

Firewall configuration should be the last phase of Enterprise Manager deployment. Before you configure your firewalls, verify that you are able to log in to the Enterprise Manager console and that your Oracle Management Agents (Management Agent) are up and are monitoring targets. After you verify, configure the firewall for the default ports described in What Ports Are Used for Installation?. The default ports are typically assigned while installing the Enterprise Manager system. However, while installing the Enterprise Manager system, if you had used any custom ports instead of the default ones, then make sure you configure the firewall for the custom ports.

If you are deploying the Enterprise Manager system in an environment where firewalls are already in place, then make sure the default ports, or the custom ports that you want to use, are open and remain open at least until you have completed the installation and configuration processes and are certain that you are able to log in to Enterprise Manager and that your Management Agents are up and monitoring targets.

If you are enabling Enterprise Manager Framework Security for the Oracle Management Service (OMS), the final step in that configuration process is to restrict uploads from the Management Agents to secure channels only. Before completing that step, configure your firewalls to allow both HTTP and HTTPS traffic between the Management Agents and the OMS (the non-secure and secure upload ports), and test to be sure that you can log in to Enterprise Manager and that data is being uploaded to the Management Repository. After you have confirmed that the OMS and Management Agents can communicate with both protocols enabled, complete the transition to secure mode and tighten your firewall configuration accordingly, closing the non-secure upload port once it is no longer needed. If you configure your firewalls incrementally in this way, it is easier to troubleshoot any configuration problems.

Typical Firewall Configurations for the Enterprise Manager System

Your main task in enabling Enterprise Manager to work in a firewall-protected environment is to take advantage of proxy servers whenever possible, to make sure only the necessary ports are open for secure communications, and to make sure that only data necessary for running your business is allowed to pass through the firewall.

Figure 12-1 provides a topology of an Enterprise Manager environment that is using a firewall, and also illustrates the default ports that can be used.

Figure 12-1 Firewall Port Requirements (Default)



The conventions used in the preceding illustration are as follows:

Table 12-1 Conventions Used In Illustration

Convention   Description

C            The entity that is making the call (the side that initiates the connection).

*            Enterprise Manager defaults to the first available port within a range set by Enterprise Manager.

**           Enterprise Manager defaults to the first available port.

***          Database listener ports.

Note:

  • Port 1159, 4899-4908 indicates that 1159 is the default. If this port is not available, the Oracle Management Service will search the specified range (4899 - 4908) and take the first free port.

  • To clone between two target hosts separated by a firewall, the agents will need to communicate to each other on the agent ports. The initiating Management Agent will make the call.

  • Allow ICMP (0) Echo Reply and ICMP (8) Echo Request in the firewall.

Configuring a Firewall Between the Web Browser and the Enterprise Manager System

Connections from your web browser to the Enterprise Manager system are performed over the default port used for the Oracle HTTP Server.

The default, non-secure port for the Oracle HTTP Server is 7788. If 7788 is not available, then the first available free port from the range 7788 - 7798 is selected. If you are accessing the Enterprise Manager Cloud Control Console using the following URL and port, then you must configure the firewall to allow the Enterprise Manager Cloud Control Console to receive HTTP traffic over port 7788:

http://omshost.example.com:7788/em

If you have enabled security for your Oracle HTTP Server, then the secure port for the Oracle HTTP Server is 7799. If 7799 is not available, then the first available free port from the range 7799 - 7809 is selected. If you are accessing the Enterprise Manager Cloud Control Console using the following URL and port, then you must configure the firewall to allow the Enterprise Manager Cloud Control Console to receive HTTPS traffic over port 7799:

https://omshost.example.com:7799/em

Configuring an OMS on a Host Protected by a Firewall

If your OMS is installed on a host that is protected by a firewall and the Management Agents that provide management data are on the other side of the firewall, you must perform the following tasks:

  • Configure the OMS to use a proxy server for its communication with the Management Agents, as described in Configuring the OMS to Use a Proxy Server to Communicate with Management Agents.

  • Configure the firewall to allow incoming HTTP and HTTPS traffic from the Management Agents on the Management Repository upload port.

    The default, non-secure upload port is 4889. If 4889 is not available, then the first available port in the range 4889 - 4897 is selected.

    If you have enabled Enterprise Manager Framework Security, then the secure upload port is 1159. If 1159 is not available, then the first available free port from the range 4899 to 4908 is selected.

Figure 12-2 illustrates the connections the Management Agent must make when it is protected by a firewall.

Figure 12-2 Configuration Tasks When the Management Service Is Behind a Firewall


Configuring the OMS to Use a Proxy Server to Communicate with Management Agents

This section describes how to configure the OMS to use a proxy server for its communication with Management Agents outside the firewall.

Note:

You can also configure the OMS to use multiple proxies for its communication with Management Agents. For information about configuring OMS and Management Agent, see Configuring Proxies for OMS and Management Agent Communication.

To configure the OMS to use a proxy server, do the following:

  1. From the Setup menu, select Proxy Settings, then select Agents.

    Note:

    The Proxy Settings for Agents page enables you to configure a proxy server that can be used for communication only from the OMS to the Management Agent, and not from the Management Agent to the OMS. Any proxy server you configure will be used for the communication between the OMS and all the Management Agents.

  2. Select Manual proxy configuration.

  3. Specify values for Protocol, Proxy Server Host, Port, and No Proxy for. If the specified proxy server has been configured using a security realm, login credentials, or both, then specify values for Realm, User Name, and Password.

  4. Under the Test URL section, specify a Management Agent URL for URL, then click Test to test if the OMS can communicate with the specified Management Agent using the specified proxy server.

  5. If the connection is successful, click Apply to save the proxy settings to the repository.

  6. Restart the OMS. If you are using a multi-OMS setup, restart all the OMSes.

    To restart an OMS that runs on a Unix based platform, run the following commands:

    <ORACLE_HOME>/bin/emctl stop oms
    <ORACLE_HOME>/bin/emctl start oms
    

    To restart an OMS that runs on a Microsoft Windows platform, follow these steps:

    1. Right-click My Computer, then select Manage.

    2. In the Computer Management window, in the left pane, expand Services and Applications, then select Services.

    3. Select the OracleManagementServer_EMGC_OMS* service, then click the restart button.

Configuring a Management Agent on a Host Protected by a Firewall

If a Management Agent is installed on a host that is protected by a firewall and the OMS is on the other side of the firewall, you must perform the following tasks:

  • Configure the Management Agent to use a proxy server for its uploads to the OMS, as described in Configuring a Management Agent to Use a Proxy Server.

  • Configure the firewall to allow incoming HTTP and HTTPS traffic from the OMS on the Management Agent port.

    The default Management Agent port (the port on which the Agent listens for calls from the OMS) is 3872. The same port is used for both HTTP and HTTPS. If 3872 is not available, then the first available free port from the range 1830 to 1849 is selected.

Figure 12-3 illustrates the connections the Management Agent must make when it is protected by a firewall.

Figure 12-3 Configuration Tasks When the Management Agent Is Behind a Firewall
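
As an added example (not part of this chapter and not Oracle's code), the following Python script turns the default ports and fallback ranges this chapter lists for the console, upload and Management Agent ports, together with the ICMP echo requirement from the Figure 12-1 notes, into host firewall rules for an OMS host or an Agent host. It allows only the calling side (the C entity in Figure 12-1) to open connections, opens the whole fallback range while you are planning, and narrows each rule to the port actually chosen once you feed it the port lines from emctl status oms -details. The SOURCES networks, the SAMPLE_STATUS text (constructed in the shape emctl prints; confirm against your own output) and the iptables rule layout are assumptions.

```python
"""Derive host firewall rules for the Enterprise Manager ports listed in this chapter.

Added example, not Oracle's code. SOURCES and SAMPLE_STATUS are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    caller: str            # "C" in Figure 12-1: the side that opens the TCP connection
    callee: str
    default: int
    fallback: tuple        # (low, high): range EM searches when the default is taken


# Default ports and fallback ranges exactly as this chapter lists them.
FLOWS = [
    Flow("console-http",  "browser", "oms",   7788, (7788, 7798)),
    Flow("console-https", "browser", "oms",   7799, (7799, 7809)),
    Flow("upload-http",   "agent",   "oms",   4889, (4889, 4897)),
    Flow("upload-https",  "agent",   "oms",   1159, (4899, 4908)),
    Flow("agent-port",    "oms",     "agent", 3872, (1830, 1849)),
]

# Assumed example networks per caller role; replace with your own address ranges.
SOURCES = {"browser": "10.0.0.0/8", "agent": "10.20.0.0/16", "oms": "10.10.0.10/32"}


def candidate_ports(flow):
    """Every port EM may end up on: the default plus the whole fallback range.
    The default can lie outside the range (1159 versus 4899-4908)."""
    lo, hi = flow.fallback
    return sorted({flow.default, *range(lo, hi + 1)})


def port_spec(ports):
    """Compress a sorted port list into iptables multiport syntax, e.g. 1159,4899:4908."""
    spans, start, prev = [], ports[0], ports[0]
    for p in list(ports[1:]) + [None]:
        if p is not None and p == prev + 1:
            prev = p
            continue
        spans.append(str(start) if start == prev else f"{start}:{prev}")
        if p is not None:
            start = prev = p
    return ",".join(spans)


def parse_emctl_status(text):
    """Pick the console and upload ports out of 'HTTP Upload Port : 4889' style
    lines (the shape emctl status oms -details prints; confirm against your install)."""
    labels = {"HTTP Console Port": "console-http", "HTTPS Console Port": "console-https",
              "HTTP Upload Port": "upload-http", "HTTPS Upload Port": "upload-https"}
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$", line)
        if m and m.group(1) in labels:
            found[labels[m.group(1)]] = int(m.group(2))
    return found


def iptables_rules(role, actual=None):
    """INPUT rules for a host playing `role` ("oms" or "agent"): only the calling
    side may open connections, and only to ports EM can actually be listening on.
    `actual` maps flow name -> port observed after install; for those flows the
    planning range is narrowed to the single port in use."""
    rules = []
    for f in FLOWS:
        if f.callee != role:
            continue
        ports = [actual[f.name]] if actual and f.name in actual else candidate_ports(f)
        rules.append(
            f"-A INPUT -p tcp -s {SOURCES[f.caller]} -m conntrack --ctstate NEW "
            f"-m multiport --dports {port_spec(ports)} -m comment --comment {f.name} -j ACCEPT"
        )
    # Figure 12-1 note: host availability checks use ICMP echo (type 8 in, type 0 out).
    rules.append("-A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
    rules.append("-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT")
    return rules


# Constructed sample: port 1159 was busy at install time, so EM fell back to 4900.
SAMPLE_STATUS = """\
Console Server Host        : omshost.example.com
HTTP Console Port          : 7788
HTTPS Console Port         : 7799
HTTP Upload Port           : 4889
HTTPS Upload Port          : 4900
"""

if __name__ == "__main__":
    print("# planning rules for the OMS host (whole fallback ranges)")
    print("\n".join(iptables_rules("oms")))
    print("# tightened rules once the chosen ports are known")
    print("\n".join(iptables_rules("oms", parse_emctl_status(SAMPLE_STATUS))))
```

Run it before and after installation: the planning rules are what you request from the network team while you cannot yet know which port Enterprise Manager will pick, and the tightened rules are what should stay in place afterwards, because a fallback range left open permanently is a larger exposed surface than the single port in use. The same port list applies to firewalld or a network firewall; only the syntax differs.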


Configuring a Management Agent to Use a Proxy Server

You can configure a Management Agent to use a proxy server for its communications with an OMS outside the firewall, or to manage a target outside the firewall. To do so, follow these steps:

  1. From the Setup menu, select Agents.
  2. Click the Agent you want to configure in the Name column in the Management Agents table. The target home page for the Management Agent opens.
  3. Select Properties from the Agent menu.
  4. Select Advanced Properties from the pull down menu.
  5. Supply the correct values for the REPOSITORY_PROXYHOST and REPOSITORY_PROXYPORT properties.
  6. Click Apply to save your changes, which will be saved to the AGENT_HOME/sysman/config/emd.properties file.

Note:

The proxy password will be obfuscated when you restart the Management Agent.

Configuring Firewalls Between the OMS and the Management Repository

Secure connections between the OMS and the Management Repository are performed using features of Oracle Advanced Security. As a result, if the OMS and the Management Repository are separated by a firewall, you must configure the Oracle Net firewall proxy to allow the OMS to access the repository. Also, if the firewall has an idle-connection timeout, tune the SQLNET.EXPIRE_TIME parameter for Dead Connection Detection (DCD) on the database side, in $ORACLE_HOME/network/admin/sqlnet.ora, so that its value is smaller than the firewall timeout. Note that SQLNET.EXPIRE_TIME is expressed in minutes, whereas firewall idle timeouts are usually expressed in seconds, so convert the units before comparing them.
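
As an added example, not taken from the Oracle documentation, the following Python checks a sqlnet.ora fragment against a firewall idle timeout and rewrites the parameter when it is too large. The SQLNET_ORA text and the 600-second timeout are constructed values; the check rests on the single fact that matters here, that SQLNET.EXPIRE_TIME is expressed in minutes while firewall idle timeouts are normally expressed in seconds.

```python
"""Check SQLNET.EXPIRE_TIME (Dead Connection Detection) against a firewall idle timeout.

Added example, not Oracle's code. SQLNET_ORA and the 600 s timeout are constructed.
"""
import re

# Constructed sqlnet.ora fragment as it might look in $ORACLE_HOME/network/admin.
SQLNET_ORA = """\
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
# DCD probe interval. Oracle interprets this value in MINUTES.
SQLNET.EXPIRE_TIME = 10
"""

_PARAM = re.compile(r"\s*SQLNET\.EXPIRE_TIME\s*=\s*(\d+)\s*$", re.IGNORECASE)


def expire_time_minutes(sqlnet_text):
    """Return SQLNET.EXPIRE_TIME from sqlnet.ora text, or None when it is unset (DCD off)."""
    for line in sqlnet_text.splitlines():
        m = _PARAM.match(line.split("#", 1)[0])   # ignore trailing comments
        if m:
            return int(m.group(1))
    return None


def dcd_keeps_session_alive(expire_minutes, firewall_idle_seconds):
    """True when a DCD probe is sent before the firewall's idle timer expires on an
    idle OMS -> repository connection. EXPIRE_TIME is in minutes, firewall timeouts
    are normally in seconds; the unit mismatch is what makes this comparison easy to
    get wrong, so convert before comparing and insist on strictly less than."""
    if expire_minutes is None or expire_minutes <= 0:
        return False                      # DCD disabled: nothing keeps the session alive
    return expire_minutes * 60 < firewall_idle_seconds


def recommended_expire_time(firewall_idle_seconds):
    """Largest whole-minute EXPIRE_TIME that still probes strictly before the firewall
    timeout, or None if no positive value can (timeout of 60 s or less)."""
    minutes = (firewall_idle_seconds - 1) // 60
    return minutes if minutes >= 1 else None


def with_expire_time(sqlnet_text, minutes):
    """Return sqlnet.ora text with SQLNET.EXPIRE_TIME set to `minutes`, replacing an
    existing setting or appending one; every other line is left untouched."""
    out, replaced = [], False
    for line in sqlnet_text.splitlines():
        if _PARAM.match(line.split("#", 1)[0]):
            if not replaced:
                out.append(f"SQLNET.EXPIRE_TIME = {minutes}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"SQLNET.EXPIRE_TIME = {minutes}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    firewall_idle = 600                       # assumed firewall idle timeout, in seconds
    current = expire_time_minutes(SQLNET_ORA)
    ok = dcd_keeps_session_alive(current, firewall_idle)
    print(f"EXPIRE_TIME={current} min against a {firewall_idle} s timeout: "
          f"{'fine' if ok else 'idle sessions will be cut by the firewall'}")
    if not ok:
        print(with_expire_time(SQLNET_ORA, recommended_expire_time(firewall_idle)))
```

With a 600-second firewall timeout the constructed value of 10 minutes is exactly the timeout, not below it, so DCD probes arrive too late and the script rewrites the parameter to 9. In practice leave more headroom than the strict minimum, since the probe itself takes time to traverse the network.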

Configuring Firewalls Between the Enterprise Manager Cloud Control Console and a Managed Database Target

When you are using the Enterprise Manager Cloud Control Console to manage a database, you must log in to the database from the Enterprise Manager console in order to perform certain monitoring and administration tasks. If you are logging in to a database on the other side of a firewall, you will need to configure the firewall to allow Oracle Net firewall proxy access.

Specifically, to perform any administrative activities on the managed database, you must be sure that the firewall is configured to allow the OMS to communicate with the database through the Oracle Listener port.

You can obtain the Listener port by reviewing the Listener home page in the Enterprise Manager console.

Configuring Firewalls for Multiple OMS Instances

Enterprise Manager supports the use of multiple OMS instances that communicate with a common Management Repository. For example, using more than one OMS can be helpful for load balancing as you expand your central management capabilities across a growing e-business enterprise.

When you deploy multiple OMS instances in an environment protected by firewalls, be sure to consider the following:

  • Each Management Agent is configured to upload data to one OMS. As a result, if there is a firewall between the Management Agent and its OMS, you must configure the firewall to allow the Management Agent to upload data to the OMS using the upload URL.

  • In addition, each OMS must be able to contact any Management Agent in your enterprise so it can check for the availability of the Management Agent. As a result, you must be sure that your firewall is configured so that each OMS you deploy can communicate over HTTP or HTTPS with any Management Agent in your enterprise.

    Otherwise, an OMS without access to a particular Management Agent may report incorrect information about whether or not the Management Agent is up and running.

Enabling the OMS to Access My Oracle Support

Unless online access to the Internet is strictly forbidden in your environment, the OMS should be able to reach My Oracle Support. This access is necessary, for example, so that updates and patches can be downloaded.

At minimum, the following hosts should be reachable through the firewall:

  • aru-akam.oracle.com

  • ccr.oracle.com

  • login.oracle.com

  • support.oracle.com

  • updates.oracle.com

Allow outbound connections from the OMS to these hosts on the default ports, that is, port 80 for HTTP connectivity and port 443 for HTTPS connectivity.

Configuring the dontProxyFor Property

When you configure the OMS or a Management Agent to use a proxy server, it is important to understand the purpose of the dontProxyFor property, which identifies specific URL domains for which the proxy will not be used.

For example, suppose the following were true:

  • You have installed the OMS and several Management Agents on hosts that are inside the company firewall. These hosts are in the internal .example.com and .example.us.com domains.

  • You have installed several additional Management Agents on hosts that are outside the firewall. These hosts are installed in the .example.uk domain.

  • You have configured Enterprise Manager to automatically check for critical software patches on My Oracle Support.

In this scenario, you want the OMS to connect directly to the Management Agents inside the firewall without using the proxy server. On the other hand, you want the OMS to use the proxy server to contact the Management Agents outside the firewall, as well as the My Oracle Support site, which resides at the following URL:

http://support.oracle.com

The following properties will prevent the OMS from using the proxy server for connections to the Management Agents inside the firewall. Connections to My Oracle Support and to Management Agents outside the firewall will be routed through the proxy server:

proxyHost=proxy42.example.com
proxyPort=80
dontProxyFor=.example.com, .example.us.com
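
The following Python, an added example rather than Oracle's implementation, applies the dontProxyFor semantics described above to a target host or URL and reports whether the OMS would connect directly or through proxy42.example.com on port 80. It treats a leading-dot entry as a domain suffix matched on a label boundary (so badexample.com does not match .example.com) and never matches an IP address against a domain entry; those two rules, the host names other than the ones used in this section, and the Agent URL path are assumptions for illustration.

```python
"""Decide whether the OMS reaches a host directly or via the proxy under dontProxyFor.

Added example illustrating the semantics described in this section; not Oracle's
implementation. PROXY and DONT_PROXY_FOR are the values from the section's example;
the other host names and the agent URL path are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

PROXY = ("proxy42.example.com", 80)
DONT_PROXY_FOR = ".example.com, .example.us.com"


def parse_dont_proxy_for(value):
    """Split the comma-separated property into normalised (lower-case, stripped) entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def host_of(target):
    """Accept either a bare host name or a URL such as https://agent.example.uk:3872/emd/main/."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.strip().lower()


def bypasses_proxy(target, entries):
    """True if `target` matches a dontProxyFor entry (assumed rules: a leading-dot
    entry is a domain suffix matched on a label boundary, any other entry must match
    the host exactly, and IP addresses never match domain suffixes)."""
    host = host_of(target)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    for entry in entries:
        if entry.startswith("."):
            # agent1.example.com matches .example.com; badexample.com does not
            if not is_ip and host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def route(target, entries=None, proxy=PROXY):
    """Return ("direct", host) or ("proxy", proxy_host, proxy_port) for the target."""
    if entries is None:
        entries = parse_dont_proxy_for(DONT_PROXY_FOR)
    if bypasses_proxy(target, entries):
        return ("direct", host_of(target))
    return ("proxy", proxy[0], proxy[1])


if __name__ == "__main__":
    for target in ("agent1.example.com",                         # inside, direct
                   "https://agent7.example.us.com:3872/emd/main/",
                   "agent3.example.uk",                          # outside, via proxy
                   "https://support.oracle.com",                 # My Oracle Support
                   "badexample.com",                             # not a sub-domain
                   "10.20.1.5"):                                 # IP: suffix never matches
        print(f"{target:48} -> {route(target)}")
```

The short-name and IP-address cases are the ones that bite in practice: if an Agent is registered by an unqualified host name or by IP address, no domain suffix matches it and the OMS will try to reach it through the proxy. Register Agents with fully qualified names, or add the exact host to the list.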

Configuring Firewalls to Allow ICMP and UDP Traffic for Oracle Beacons

Oracle Beacons provide application availability and performance monitoring. They are part of the features of Enterprise Manager.

See Also:

"About " in the Enterprise Manager Online Help

Enterprise Manager uses the industry-standard Internet Control Message Protocol (ICMP) and User Datagram Protocol (UDP) to transfer data between Oracle Beacons and the network components you are monitoring. There may be situations where your Web application components and the Beacons you use to monitor those components are separated by a firewall. In those cases, you must configure your firewall to allow ICMP, UDP and HTTP traffic.

Enabling ICMP Echo Requests on Firewalls

The OMS uses the Internet Control Message Protocol (ICMP) Echo Request to check the status of target host machines. If the ICMP Echo Request is blocked by the firewall, a host machine will appear to be down even when it is running.

To determine the status of any machine in the environment, ICMP Echo Requests must be enabled on the firewall. If the ICMP Echo Request is enabled, the ping command can be issued by the OMS to check the status of the machine.

Ensure that you allow ICMP (0) Echo Reply and ICMP (8) Echo Request in the firewall.