IT Management Suite

  • 1.  Port Exclusion from the ITMS

    Posted Nov 15, 2020 11:45 AM
    Hello Experts!

    Quick question:
    We know from this link: Ports and Protocols for Symantec IT Management Suite (ITMS) 7.5, ITMS 7.5 SP1, 7.6, 8.0, 8.1 and 8.5, that the ITMS uses an extensive variety of ports for all kinds of tasks.

    If we wish to exclude a few ports from being used, since we require them for other tools, where and how can we edit the ports?

    Thanks,

    Hagai


  • 2.  RE: Port Exclusion from the ITMS

    Broadcom Employee
    Posted Nov 16, 2020 04:40 AM
    Hi Hagai!

    1. Port 8080 is used by the UHS service "Unified Help System 7.0", which allows you to open help offline in case no internet is available on the NS or, if an internet connection exists, redirects to the online ITMS Help.
    If you click the "F1" button in an opened SMP Console (you have UHS installed as well as Documentation), then it will open the help page.

    Solutions:
    1. You can just stop/disable the "SymHelp 7.0" service so it will never start up and doesn't consume port 8080

    2. If you don't need this help functionality and can always open the direct help link https://help.symantec.com/cs/ITMS8.5/SMPlat/home/title?locale=EN_US in a browser, then you can just uninstall the "UHS" component and port 8080 will be free and not in use by the UHS service

    Execute uninstall.bat and then UHS service will be uninstalled on your Notification Server.

    3. If you still need the "UHS" service available/running on the Notification Server, you can change its default port 8080 to another free port.
    For example, to change the UHS port from 8080 to 8181:
    Modify the "install.bat" file and change port 8080 there to another available port

    Execute "uninstall.bat" to uninstall the current UHS service

    Modify the "index.html" file from "C:\Program Files\Altiris\Documentation\Web\en\index.htm" and change port 8080 there to the new one

    Now click "install.bat" to install the UHS service back; on start-up it will listen on your specified port

    Restart IIS, Altiris Service & "Symhelp 7.0" services


    2) For the other ports which were mentioned, I don't see that they are used by ITMS, so it is better to at least execute this simple command line and check the file to possibly identify who is using these ports, provided of course that it is able to gather their name info.
    netstat -abnfq >> "C:\UsedPorts.log"

    Thanks,
    IP.


    ------------------------------
    Software QA Engineer
    Broadcom Inc.
    ------------------------------
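
A PowerShell counterpart to the netstat check in the reply above, as an added example that is not part of the original post: it maps ports 8080, 9090 and 9092 to the owning process image and to any Windows services hosted in that process. The function name Get-PortOwner is hypothetical; run it from an elevated session on the Notification Server.

```powershell
# Added example, not from the thread. Ports are the ones discussed in this thread.
$ports = 8080, 9090, 9092

function Get-PortOwner {
    param([int[]]$Port)

    # TCP sockets (listeners and connections) bound to one of the local ports.
    $tcp = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, State, OwningProcess

    # UDP endpoints have no connection state, so a placeholder is used.
    $udp = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, @{n='State';e={'-'}}, OwningProcess

    foreach ($e in @($tcp) + @($udp)) {
        if (-not $e) { continue }   # nothing bound for this protocol

        $procId = $e.OwningProcess
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        # Running services hosted in that process; this resolves a shared
        # svchost.exe to service names. The State filter keeps stopped
        # services (ProcessId 0) out of the result.
        $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $procId AND State = 'Running'"

        [pscustomobject]@{
            Protocol  = $e.Protocol
            Local     = '{0}:{1}' -f $e.LocalAddress, $e.LocalPort
            State     = $e.State
            ProcessId = $procId
            Image     = $proc.ExecutablePath
            Services  = ($svc.Name -join ', ')
        }
    }
}

Get-PortOwner -Port $ports | Sort-Object Protocol, Local | Format-Table -AutoSize
```

An empty result means nothing on the server currently holds those ports.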



  • 3.  RE: Port Exclusion from the ITMS

    Posted Nov 16, 2020 05:00 AM
    Thank you Igor for this, I'll be sure to use it for port 8080!!!

    Will these instructions work for the other more important ports? (9090 and 9092) ?
    I couldn't find them specifically being used in the post list link, but I know they are under the dynamic array:

    NS Data Connector TCP/UDP Outbound 1024-65536 In case data sources like ODBC or OLEDB are used, outgoing connection may be required to specific services defined by driver used. AexSvc, W3SVC No
    UNIX, Linux or Mac client computer TCP Outbound Source ports 1024 and above To the Notification Server, Package and Task  Servers. No, the ports randomly selected when connection is established.
    TFTP Server TFTP over UDP Inbound/Outbound 1024-65535 TFTP file download port. TFTP Server uses the first available free port for TFTP file download. SymantecNetworkBootServiceTftp No
    SNMP TrapListener Protocol UDP   1024-65536 Four additional UDP ports is opened by net-snmp open source library used by our code. MetricProvider, AtrsHost


    My concern is this:
    I am not sure the ITMS uses ports 9090 / 9092, but I would like to prevent it from doing so, from the ITMS side and not from the network firewall side.

    Thanks for the instructions you just sent, but to be a bit clearer about my question, let me ask this:

    Among the things listed above for which the ITMS uses random ports from 1024-65535, I wish to prevent the ITMS from using ports 9090 & 9092.
    How is this possible to do from the ITMS side (and not from the network and firewall side)?

    thanks again,

    Hagai


  • 4.  RE: Port Exclusion from the ITMS

    Broadcom Employee
    Posted Nov 16, 2020 06:02 AM
    Looks like for such a case you will need to create custom outbound/inbound firewall rules which will include the required applications and their blocked port range 9090-9092, if you have such services installed/running:

    • "Altiris Service" service -> "C:\Program Files\Altiris\Notification Server\Bin\AeXSVC.exe"
    • "Altiris Object Host Service" service -> "C:\Program Files\Altiris\TaskManagement\AtrsHost.exe"
    • "Altiris Monitor Agent" service -> "C:\Program Files\Altiris\Altiris Agent\Agents\Monitor Agent\AeXMetricProv.exe"
    • "SymantecNetworkBootServicePxe" service -> "C:\Program Files\Altiris Agent\Agents\Deployment\SBS\SbsServer.exe"
    • "SymantecNetworkBootServiceTftp" service -> "C:\Program Files\Altiris Agent\Agents\Deployment\SBS\SbsMtftp.exe"
    • "ODBC" or "OLEDB" drivers in case if you are using "Data Connection" functionality in ITMS
    • "W3SVC" service -> "C:\Windows\system32\svchost.exe -k iissvcs"


    Because in ITMS there are no settings to set an appropriate allowed port range per required program, and only these settings are available to control:

    • "Connection Profile", where you can specify the required port per protocol, which will be used in "Network Discovery" tasks, the "Virtual Machine Management" solution, "Monitor Solution" for agentless monitoring of devices in the network, etc.
    • Port settings for "Monitor Agent", which will be used by this MetricProvider service on a Windows server



    ------------------------------
    Software QA Engineer
    Broadcom Inc.
    ------------------------------
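
The per-program firewall rules described in the reply above, as an added PowerShell example that is not part of the original post. Executable paths and the W3SVC service name are copied from that reply; the function name New-ItmsPortBlock, the rule names and the rule group are hypothetical. The ODBC/OLEDB drivers are left out because the thread gives no path for them.

```powershell
# Added example, not from the thread. Run elevated on the ITMS server.
$blockedPorts = '9090-9092'
$ruleGroup    = 'ITMS port exclusion'   # hypothetical group name, eases cleanup

# Service display name -> executable path, as listed in the reply above.
$programs = [ordered]@{
    'Altiris Service'                = 'C:\Program Files\Altiris\Notification Server\Bin\AeXSVC.exe'
    'Altiris Object Host Service'    = 'C:\Program Files\Altiris\TaskManagement\AtrsHost.exe'
    'Altiris Monitor Agent'          = 'C:\Program Files\Altiris\Altiris Agent\Agents\Monitor Agent\AeXMetricProv.exe'
    'SymantecNetworkBootServicePxe'  = 'C:\Program Files\Altiris Agent\Agents\Deployment\SBS\SbsServer.exe'
    'SymantecNetworkBootServiceTftp' = 'C:\Program Files\Altiris Agent\Agents\Deployment\SBS\SbsMtftp.exe'
}

function New-ItmsPortBlock {
    param([string]$Name, [hashtable]$Target)

    foreach ($direction in 'Inbound', 'Outbound') {
        foreach ($protocol in 'TCP', 'UDP') {
            $display = "ITMS block $blockedPorts - $Name ($direction/$protocol)"
            # Idempotent: skip rules created by an earlier run.
            if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }

            # -LocalPort is the port on this server in both directions
            # (listening port inbound, source port outbound).
            New-NetFirewallRule -DisplayName $display -Group $ruleGroup `
                -Direction $direction -Protocol $protocol `
                -LocalPort $blockedPorts -Action Block @Target | Out-Null
        }
    }
}

foreach ($entry in $programs.GetEnumerator()) {
    if (-not (Test-Path -LiteralPath $entry.Value)) {
        Write-Warning "Skipping '$($entry.Key)': $($entry.Value) not found"
        continue
    }
    New-ItmsPortBlock -Name $entry.Key -Target @{ Program = $entry.Value }
}

# W3SVC runs inside a shared svchost.exe, so the rule is scoped to the
# service name instead of blocking svchost.exe as a whole.
New-ItmsPortBlock -Name 'W3SVC' -Target @{ Service = 'W3SVC' }

Get-NetFirewallRule -Group $ruleGroup | Format-Table DisplayName, Direction, Action, Enabled
```

These rules drop traffic on 9090-9092 for the listed programs; they do not change which port a service requests from the operating system. `Remove-NetFirewallRule -Group 'ITMS port exclusion'` removes the whole set.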



  • 5.  RE: Port Exclusion from the ITMS

    Posted Nov 16, 2020 06:19 AM

    Thank you very much Igor for the detailed information!

    (And that's what I was afraid of, that this will have to be a network firewall change per each source/destination, and not something that could have been done from inside the ITMS itself.)

    • Worth maybe for future ITMS versions that this could be a very important and vital change in the upcoming releases.....

    Tnx,

    Hagai