Securing connections

Applies To: Forefront Client Security

Every Client Security installation creates several network connections, for example between client computers and the collection, distribution, and reporting servers. When you install the Client Security server components on more than one computer, Client Security also opens connections between those server components. Each of these connections crosses the network and should be secured; the tables in this topic list them, the methods available to protect them, and the ports they use.

Security methods for connections

The following table summarizes the methods available for securing each possible connection in all supported Client Security topologies. Secure every connection in your deployment, not only the ones that cross an untrusted network segment. For instructions on securing a particular connection, see the topic referenced in the applicable row.

Component | Connection to | Topologies | Security methods
Collection server | Collection database | Five-server and six-server | IPsec or Object Linking and Embedding Database (OLE DB) encryption (see Securing the collection server)
Management server | Collection server | Four-server, five-server, and six-server | IPsec or OLE DB encryption (see Securing the management server)
Management server | Collection database | Four-server, five-server, and six-server | IPsec or SSL (see Securing database servers)
Management server | Reporting server | Three-server, four-server, five-server, and six-server | SSL (see Securing the reporting server)
Reporting database | Collection database | Three-server, four-server, and six-server | IPsec or SSL (see Securing database servers)
Reporting server | Collection database | Four-server, five-server, and six-server | IPsec or SSL (see Securing database servers)
Reporting server | Reporting database | Three-server, five-server, and six-server | IPsec or SSL (see Securing database servers)
Distribution server | Microsoft Update or upstream WSUS server | All | SSL (see Securing the distribution server)
Client computer (MOM agent) | Collection server | All | Mutual authentication and encryption (see Securing the collection server)
Client computer | Distribution server or Microsoft Update | All | SSL (see Securing the distribution server)
Client computer | Reporting server | All | SSL (see Securing the reporting server)
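Configuring SSL or IPsec on a link is only half the job; the other half is confirming that the link really negotiates encryption. The following PowerShell script is an added example and is not part of the Client Security documentation or product. Run it from a server role that talks to the databases and to the reporting server (for example the management server). It opens a SqlClient connection to a database server with encryption requested and certificate validation left on, reads back from SQL Server whether the session is actually encrypted, and then checks that the reporting server answers over HTTPS with a trusted certificate while refusing or redirecting plain HTTP. The server names and the ReportServer virtual directory name are assumptions; replace them with your own.

```powershell
# Added example, not part of the Client Security documentation.
# Verifies that the database links and the reporting server link listed
# in the table above are actually protected. Names below are assumptions.
$collectionDbServer = 'SQL01'       # assumed collection database server
$reportingServer    = 'REPORT01'    # assumed reporting server host name

function Test-SqlLinkEncryption {
    param([string]$Server)
    # Encrypt=True asks SqlClient to negotiate SSL for the session.
    # TrustServerCertificate=False keeps certificate validation on, so a
    # self-signed certificate or a name mismatch fails the connection instead
    # of being accepted silently; that is what defeats a man-in-the-middle.
    $cs = "Data Source=$Server;Initial Catalog=master;Integrated Security=SSPI;" +
          "Encrypt=True;TrustServerCertificate=False;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # sys.dm_exec_connections (SQL Server 2005 and later) reports whether
        # the current session's transport is encrypted.
        $cmd.CommandText = 'SELECT encrypt_option, net_transport ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $result = New-Object PSObject -Property @{
            Server    = $Server
            Transport = [string]$reader['net_transport']   # 'TCP' expected from a remote role
            Encrypted = ([string]$reader['encrypt_option'] -eq 'TRUE')
        }
        $reader.Close()
        return $result
    }
    finally { $conn.Close() }
}

function Get-HttpStatus {
    param([string]$Url)
    # Returns the HTTP status code, or the WebExceptionStatus name when no
    # response came back (TrustFailure means the certificate is not trusted).
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true    # Windows authentication to Reporting Services
    $req.Timeout = 10000
    $req.AllowAutoRedirect = $false       # report a redirect as 301/302 instead of following it
    # Deliberately no ServerCertificateValidationCallback override here: an
    # untrusted certificate must be reported, not bypassed.
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return $_.Exception.Status.ToString()
    }
}

function Test-ReportServerHttps {
    param([string]$HostName, [string]$VirtualDir = 'ReportServer')  # assumed SSRS virtual directory
    $https = Get-HttpStatus "https://$HostName/$VirtualDir/"
    $http  = Get-HttpStatus "http://$HostName/$VirtualDir/"
    New-Object PSObject -Property @{
        HttpsStatus            = $https
        CertificateTrusted     = ([string]$https -ne 'TrustFailure')
        # 403 (SSL required), a 301/302 to https, or a refused connection is
        # what you want on port 80; 200 means reports are still served in clear.
        PlainHttpStatus        = $http
        PlainHttpServesContent = ([string]$http -eq '200')
    }
}

Test-SqlLinkEncryption $collectionDbServer | Format-List Server, Transport, Encrypted
Test-ReportServerHttps $reportingServer    | Format-List HttpsStatus, CertificateTrusted, PlainHttpStatus, PlainHttpServesContent
```

Run the SQL check from a remote role, not on the database server itself: a local connection uses shared memory, which is neither encrypted nor exposed to the network, so the result would say nothing about the link you are securing. If you protect the database links with IPsec instead of SSL, Encrypted will report FALSE even though the traffic is protected below the SQL layer; in that case verify the IPsec security association with the IP Security Monitor snap-in instead.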

Ports used by Client Security components

Verify that the required network ports are open on any firewall or other gateway device between Client Security components. Open only the ports needed by the roles on each side of the device, and where the firewall supports it, restrict each opening to the addresses of the peers that use it.

The following table lists the network ports and protocols used for communication between Client Security components. Depending on the configuration and location of firewalls or other gateway devices in your network, you may need to open these ports. Note that two of the connections cannot be placed behind a firewall at all, because they use dynamically assigned ports.

Component | Connection to | Topologies | Port (protocol) | Notes
Collection server | Collection database | Five-server and six-server | 1433 (TCP) and 1434 (UDP) | SQL Server listens on TCP 1433 (default instance). UDP 1434 is the SQL Server Browser service, needed only to resolve the port of a named instance.
Management server | Collection server | Four-server, five-server, and six-server | 445 (TCP and UDP), 135 (TCP), and DCOM port range | Using a firewall between these two servers is not supported: the MOM Administrator and Operator consoles on the management server connect to the collection server over DCOM, which negotiates a dynamic port after the initial call to port 135.
Management server | Collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None.
Management server | Reporting server | Three-server, four-server, five-server, and six-server | 80 (TCP) or 443 (TCP) | Port 80 is used for HTTP and port 443 for HTTPS. With SSL configured on the reporting server, only port 443 is needed.
Reporting database | Collection database | Three-server, four-server, and six-server | 1433 (TCP) and 1434 (UDP) | Using a firewall between these two databases is not supported.
Reporting server | Collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None.
Reporting server | Reporting database | Three-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None.
Distribution server | Microsoft Update or upstream WSUS server | All | 80 (TCP) or 443 (TCP) | To obtain updates from Microsoft Update or an upstream WSUS server, the distribution server uses port 80 for HTTP and port 443 for HTTPS.
Client computer (MOM agent) | Collection server | All | 1270 (TCP) and 1270 (UDP) | None.
Client computer | Distribution server or Microsoft Update | All | 80 (TCP) or 443 (TCP) | To obtain updates, the client computer uses port 80 for HTTP and port 443 for HTTPS to the distribution server, or to Microsoft Update if it is configured to update directly.
Client computer | Reporting server | All | 80 (TCP) or 443 (TCP) | None.

Opening ports in Windows Firewall

For instructions about opening ports by using Group Policy, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 (https://go.microsoft.com/fwlink/?LinkId=86556).

To open a port manually in Windows Firewall on a single computer, use the following procedure. Prefer the Group Policy method for more than a few computers, so that the exceptions are applied consistently and cannot be removed locally.

To open a port in Windows Firewall

  1. Click Start, click Control Panel, and then double-click Windows Firewall.

  2. Click the Exceptions tab, and then click Add Port.

  3. In the Name box, type a name that identifies the Client Security connection (for example, the component and port from the table above).

  4. In the Port number box, type the port number.

  5. Select TCP or UDP.

  6. Click Change scope, and limit the exception to the address or subnet of the computers that use this port, rather than leaving it open to any computer. Then click OK twice.
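The procedure above opens one port on one computer. The following PowerShell script is an added example, not part of the Client Security documentation or product: it is the scripted equivalent for a whole server role, driven by the ports table. It adds the inbound exceptions a role needs with netsh, scoped to the peers that use them, and then probes from a client or management server the TCP ports that role must reach, so you can confirm the firewall changes before installing. Host names, the client subnet, and the rule names are assumptions.

```powershell
# Added example, not part of the Client Security documentation.
# Names and addresses below are assumptions for an example deployment.
$peers = @{
    CollectionServer   = 'COLL01'
    CollectionDatabase = 'SQL01'
    ReportingServer    = 'REPORT01'
    DistributionServer = 'WSUS01'
    ClientSubnet       = '10.0.0.0/24'
}

# Inbound ports each role must accept, taken from the ports table. The
# management server -> collection server link (135, 445, DCOM range) is left
# out on purpose: a firewall on that link is not supported.
$inbound = @{
    CollectionServer = @(
        @{ Port = 1270; Proto = 'TCP'; Name = 'FCS-MOM-agent-TCP'; From = $peers.ClientSubnet },
        @{ Port = 1270; Proto = 'UDP'; Name = 'FCS-MOM-agent-UDP'; From = $peers.ClientSubnet })
    CollectionDatabase = @(
        @{ Port = 1433; Proto = 'TCP'; Name = 'SQL-Server';  From = "$($peers.CollectionServer),$($peers.ReportingServer)" },
        @{ Port = 1434; Proto = 'UDP'; Name = 'SQL-Browser'; From = "$($peers.CollectionServer),$($peers.ReportingServer)" })
    ReportingServer    = @( @{ Port = 443; Proto = 'TCP'; Name = 'FCS-reports-HTTPS'; From = 'Any' } )
    DistributionServer = @( @{ Port = 443; Proto = 'TCP'; Name = 'WSUS-HTTPS';        From = $peers.ClientSubnet } )
}

function Add-InboundException {
    # Run on the computer that holds $Role. Uses the firewall context that the
    # local Windows version provides.
    param([string]$Role)
    foreach ($r in $inbound[$Role]) {
        if ([Environment]::OSVersion.Version.Major -ge 6) {
            # Windows Vista / Server 2008 and later: Windows Firewall with Advanced Security
            $remote = if ($r.From -eq 'Any') { 'any' } else { $r.From }
            netsh advfirewall firewall add rule name=$($r.Name) dir=in action=allow `
                protocol=$($r.Proto) localport=$($r.Port) remoteip=$remote
        }
        else {
            # Windows XP SP2 / Server 2003: same effect as the Exceptions tab above
            if ($r.From -eq 'Any') {
                netsh firewall add portopening protocol=$($r.Proto) port=$($r.Port) name=$($r.Name) mode=ENABLE scope=ALL
            }
            else {
                netsh firewall add portopening protocol=$($r.Proto) port=$($r.Port) name=$($r.Name) mode=ENABLE scope=CUSTOM addresses=$($r.From)
            }
        }
    }
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: packets are being dropped (filtered).
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)       # throws on an active refusal (closed port)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

# TCP ports each role must be able to reach, from the ports table. UDP 1270
# and UDP 1434 cannot be verified with a connect; confirm those from the
# application side (agent heartbeat, named-instance resolution).
$outbound = @{
    Client = @(
        @{ To = $peers.CollectionServer;   Port = 1270 },
        @{ To = $peers.DistributionServer; Port = 443 },
        @{ To = $peers.ReportingServer;    Port = 443 })
    ManagementServer = @(
        @{ To = $peers.CollectionServer;   Port = 135 },
        @{ To = $peers.CollectionServer;   Port = 445 },
        @{ To = $peers.CollectionDatabase; Port = 1433 },
        @{ To = $peers.ReportingServer;    Port = 443 })
}

function Test-RolePorts {
    param([string]$Role)
    foreach ($o in $outbound[$Role]) {
        New-Object PSObject -Property @{
            Role = $Role; Target = $o.To; Port = $o.Port
            Open = (Test-TcpPort -ComputerName $o.To -Port $o.Port)
        }
    }
}

# Usage: on the collection server, Add-InboundException CollectionServer
#        on a client computer,      Test-RolePorts Client | Format-Table Role, Target, Port, Open -AutoSize
Test-RolePorts Client | Format-Table Role, Target, Port, Open -AutoSize
```

A port that shows Open = False after the exception was added usually means a second device on the path (a network firewall, or IPsec filters that drop unmatched traffic) rather than Windows Firewall; check the probe from a computer on the same subnet as the target to separate the two. The management server row for port 135 only proves the DCOM endpoint mapper is reachable; the dynamic port the consoles use afterwards is exactly why that link cannot be firewalled.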