Author Topic: ADNM through a Firewall  (Read 7285 times)


Duncan F

  • Guest
ADNM through a Firewall
« on: October 24, 2006, 12:25:05 PM »
Hi guys,

I've read the ADNM docs but it doesn't quite cover what I am after, namely this: is there any way to offer full control of clients in our company's DMZ?

We have existing servers which have been relocated to the DMZ and have now gone "off radar" to ADNM. Also we will want to deploy new servers there and roll out our Avast! server package.

The ADNM manual says to open tcp/16111 and udp/6000 inbound from the DMZ to allow the agents to talk to ADNM. What about for ADNM to initially find/deploy to new machines?

I guess what I want to achieve is to make it appear to ADNM/Avast Agents that there is no firewall between the ADNM server and the DMZ located servers.

Thanks,

Duncan

Offline Vlk

  • Avast CEO, ALWIL Software
Re: ADNM through a Firewall
« Reply #1 on: October 24, 2006, 12:53:27 PM »
Hi Duncan, and welcome to the avast forums.

As you figured out, it's not exactly trivial to set this up. The reason is that there are a number of services in use by ADNM, and these communicate using different ports.

The following table summarizes most:

AMS
  • tcp/16111 - basic communication client -> AMS. Without this, nothing will work
  • tcp/5033 - update mirror access.  Necessary to get VPS and program updates from the local mirror (as opposed to getting them directly from the Internet)
  • tcp/16102 - console access. No need to open this from DMZ (actually, a bad idea IMHO)
  • udp/6000 - AMS discovery. Used only if currently selected AMS is unreachable

Managed machines
  • tcp/16109 - "Apply to..." feature. That is, this port is used to push new policies from AMS to the client when an admin uses the "Apply to computer" or "Apply to group" feature in the console
  • tcp/16108 - Remote Virus chest access
  • tcp/135, tcp/139, tcp/445, udp/137, udp/138 - these are standard RPC and NETBIOS ports necessary for remote deployment of the agents. For more info, please refer to MS website.

Moreover, the "Verify offline status" feature uses standard ping (ICMP) packets to do its job, so if you want to use this feature, pinging from the AMS to the managed machines must not be blocked...

Hope this helps,
Vlk
« Last Edit: October 24, 2006, 01:01:38 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.
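One way to verify that a firewall change actually matches the table above, as an added example that is not part of this post or of ADNM itself: a small Python script that records each flow by the side that initiates it and probes the TCP ones with a plain connect. Run it on the AMS against a DMZ host for the AMS -> managed flows, and on a DMZ host against the AMS for the managed -> AMS flows. UDP ports are listed but not probed (a filtered UDP port simply gives no reply), and ICMP for "Verify offline status" needs a separate ping. The script name, host names and the direction labels are assumptions for the example.

```python
"""Probe the ADNM flows listed above from the side that initiates them.

Added example, not ADNM tooling. A TCP port is 'open' if the three-way
handshake completes and 'blocked' otherwise (refused, filtered or timed
out). UDP flows are reported as 'untested': a filtered UDP port gives no
reply, so a connect test cannot tell open from blocked.
"""
import socket
import sys

# (initiator, protocol, port, purpose), transcribed from the post above.
# tcp/16102 (console) is left out on purpose: the post advises against
# exposing it to the DMZ.
FLOWS = [
    ("managed-to-ams", "tcp", 16111, "basic client -> AMS communication"),
    ("managed-to-ams", "tcp", 5033,  "update mirror (VPS and program updates)"),
    ("managed-to-ams", "udp", 6000,  "AMS discovery (only if current AMS unreachable)"),
    ("ams-to-managed", "tcp", 16109, "'Apply to...' policy push"),
    ("ams-to-managed", "tcp", 16108, "remote Virus Chest access"),
    ("ams-to-managed", "tcp", 135,   "RPC endpoint mapper (remote deployment)"),
    ("ams-to-managed", "tcp", 139,   "NetBIOS session (remote deployment)"),
    ("ams-to-managed", "tcp", 445,   "SMB (remote deployment)"),
    ("ams-to-managed", "udp", 137,   "NetBIOS name service (remote deployment)"),
    ("ams-to-managed", "udp", 138,   "NetBIOS datagram (remote deployment)"),
]
DIRECTIONS = ("ams-to-managed", "managed-to-ams")   # assumed labels


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # ECONNREFUSED, timeout, host unreachable, ...
        return False


def check_flows(direction, host, probe=tcp_open):
    """Probe every flow whose initiator is `direction` against `host`.

    Returns {(proto, port): "open" | "blocked" | "untested"}. `probe` is
    injectable so the logic can be exercised without a live network.
    """
    results = {}
    for initiator, proto, port, _purpose in FLOWS:
        if initiator != direction:
            continue
        if proto == "udp":
            results[(proto, port)] = "untested"
        else:
            results[(proto, port)] = "open" if probe(host, port) else "blocked"
    return results


def blocked_ports(results):
    """Sorted list of TCP ports that the firewall (or the host) still drops."""
    return sorted(port for (_proto, port), state in results.items()
                  if state == "blocked")


def main(argv):
    if len(argv) != 3 or argv[1] not in DIRECTIONS:
        print("usage: adnm_ports.py ams-to-managed|managed-to-ams <host>")
        return 2
    direction, host = argv[1], argv[2]
    results = check_flows(direction, host)
    purposes = {(proto, port): why for _i, proto, port, why in FLOWS}
    for (proto, port), state in sorted(results.items()):
        print(f"{proto}/{port:<5} {state:<9} {purposes[(proto, port)]}")
    # Non-zero exit while anything is still blocked, so it can be re-run
    # after each firewall change.
    return 1 if blocked_ports(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the AMS as `python adnm_ports.py ams-to-managed dmzhost01` and on a DMZ host as `python adnm_ports.py managed-to-ams ams01` (host names assumed). One caveat when reading the output: "blocked" on a port whose service is not yet listening (for example tcp/16108 before the agent is installed on the DMZ machine) means the host refused the connection, not necessarily that the firewall dropped it, so confirm the agent or AMS service is running before blaming the network.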

Duncan F

  • Guest
Re: ADNM through a Firewall
« Reply #2 on: October 24, 2006, 12:57:09 PM »
Excellent! Thanks Vlk. I'll get our network guy to plan the changes and report back.

Thanks again,

Duncan

HomeNet

  • Guest
Re: ADNM through a Firewall
« Reply #3 on: November 16, 2006, 04:59:09 PM »
I know I may be late but I'll drop this in here anyway.  Furthermore, I think this should be put into the install somehow.  Perhaps a few lines of code in the install could eliminate some of the issues.  That's just my opinion and we all know how they go...  ;)

This is a sample of a little batch file I made.  It saves me some time when punching holes in the MS-Windows Firewall.

Code:
rem Open the ADNM ports on a managed client (Windows Firewall, "netsh firewall" context).
rem profile=All applies to every profile; add scope=CUSTOM addresses=<AMS IP> to limit the hole to the AMS.
netsh firewall set portopening protocol=TCP port=135 name=AVAST_NETBIOS_AND_RPC_PORT mode=ENABLE profile=All
netsh firewall set portopening protocol=TCP port=16108 name=AVAST_VIRUS_LISTENER_PORT mode=ENABLE profile=All
netsh firewall set portopening protocol=TCP port=16109 name=AVAST_APPLY_TO_PORT mode=ENABLE profile=All
rem The File and Printer Sharing exception covers tcp/139, tcp/445, udp/137 and udp/138.
netsh firewall set service type=FILEANDPRINT mode=ENABLE profile=All

Following the same syntax, one can add as many holes as they want.

11-16-06
1059 EDT
Rob @ HomeNet
« Last Edit: November 16, 2006, 05:27:33 PM by HomeNet »

Offline Vlk

Re: ADNM through a Firewall
« Reply #4 on: November 16, 2006, 07:39:45 PM »
Yeah, you're right, something like this will be included in one of the next updates of avast managed clients...