I’m working with a client on a Windows XP standard operating environment (SOE) that includes service pack 2 (with Windows Firewall enabled). They use IBM Tivoli for remote control, inventory and software distribution but IBM do not currently support the Tivoli client on SP2 machines and some work was needed to get it working across the firewall. For reference, here are the firewall exceptions that were needed:
- IBM Tivoli Inventory Collector (C:\Program Files\Tivoli\lcf\inv\SCAN\wepmcoll.exe);
- IBM Tivoli JRE (C:\Program Files\Tivoli\lcf\bin\w32-ix86\tools\jre\1.3.0\bin\java.exe);
- IBM Tivoli Management Agent (C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe);
- IBM Tivoli Mobile Console (C:\Program Files\Tivoli\lcf\dat\1\mobile\mobile.exe);
- IBM Tivoli Mobile Console Distribution (C:\Program Files\Tivoli\lcf\dat\1\cache\bin\w32-ix86\TME\mobile\epnewdist.exe);
- IBM Tivoli Remote Control Target (C:\Program Files\Tivoli\lcf\PCREMOTE\w32-ix86\tgt\eqnrcmai.exe);
- IBM Tivoli Software Distribution Engine (C:\Program Files\Tivoli\lcf\dat\1\cache\bin\w32-ix86\TME\swdis\spde\spd_eng.exe).
Theoretically these would be the same whatever the personal firewall product in use; however, all of the above should be configured as application exceptions (Tivoli uses randomly generated ports under certain circumstances, so simple packet filtering exceptions would be inappropriate). If the firewall in use only handles packet filtering, then you may have more difficulty getting this working (you may need to open big holes in the firewall to cover a range of possible ports). In this case I would suggest using the Windows Firewall instead, as it does offer application filtering (see my earlier post about choosing whether to run the Windows Firewall, a third party firewall, or both).
Obviously installations of Tivoli (as for most enterprise management products) vary according to the features in use and if the exceptions above do not completely resolve the issue, James Dawson gave me the following advice:
- Run:
netstat -ano | find "LISTENING"
This will give a list of TCP ports that are listening for connections, and the last column of the output is the ProcessID (PID) of the process actually listening. You can then use the PID to find what ports the Tivoli process(es) are running on, and then add these ports to the exceptions.
- Use the PIDs from the output of step 1 to check whether Tivoli is using any UDP ports:
netstat -ano | find "PID"
(repeat for each Tivoli PID).
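As an added example (not part of the original post, and not IBM's or Tivoli's own tooling) covering both the application-exception point above and James Dawson's netstat steps: a Python script that parses netstat -ano output, keeps only the TCP LISTENING and UDP entries owned by Tivoli PIDs, and prints the XP SP2 netsh firewall commands that correspond to them. The netstat sample, the PID-to-image mapping and the port numbers are all constructed for illustration; on a real machine you would take the PID-to-process mapping from tasklist or the Task Manager PID column.

```python
"""Parse 'netstat -ano' output, pick out the ports owned by Tivoli processes,
and print the matching Windows XP SP2 'netsh firewall' commands.
Added example; sample data below is constructed, not captured from a real host."""
from collections import defaultdict

# Constructed sample of 'netstat -ano' output. Note that UDP lines have no
# State column, so they have one fewer field than TCP lines.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:9495           0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.20:9495      192.168.1.5:4021       ESTABLISHED     1520
  TCP    0.0.0.0:2501           0.0.0.0:0              LISTENING       1688
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:9494           *:*                                    1520
  UDP    127.0.0.1:1900         *:*                                    1048
"""

# Constructed (hypothetical) PID -> image name mapping; on XP take this from
# 'tasklist' or Task Manager's PID column.
PID_TO_IMAGE = {4: "System", 896: "svchost.exe", 1048: "svchost.exe",
                1520: "lcfd.exe", 1688: "eqnrcmai.exe"}

# Tivoli executables from the post: image name -> (exception name, full path).
TIVOLI_EXES = {
    "wepmcoll.exe": ("IBM Tivoli Inventory Collector",
                     r"C:\Program Files\Tivoli\lcf\inv\SCAN\wepmcoll.exe"),
    "java.exe": ("IBM Tivoli JRE",
                 r"C:\Program Files\Tivoli\lcf\bin\w32-ix86\tools\jre\1.3.0\bin\java.exe"),
    "lcfd.exe": ("IBM Tivoli Management Agent",
                 r"C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe"),
    "mobile.exe": ("IBM Tivoli Mobile Console",
                   r"C:\Program Files\Tivoli\lcf\dat\1\mobile\mobile.exe"),
    "epnewdist.exe": ("IBM Tivoli Mobile Console Distribution",
                      r"C:\Program Files\Tivoli\lcf\dat\1\cache\bin\w32-ix86\TME\mobile\epnewdist.exe"),
    "eqnrcmai.exe": ("IBM Tivoli Remote Control Target",
                     r"C:\Program Files\Tivoli\lcf\PCREMOTE\w32-ix86\tgt\eqnrcmai.exe"),
    "spd_eng.exe": ("IBM Tivoli Software Distribution Engine",
                    r"C:\Program Files\Tivoli\lcf\dat\1\cache\bin\w32-ix86\TME\swdis\spde\spd_eng.exe"),
}


def parse_netstat(text):
    """Return a list of (proto, local_port, state, pid) tuples.
    TCP rows carry five fields, UDP rows four (no State), so index by protocol."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner and header lines
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:9495 and 127.0.0.1:1026
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        entries.append((proto, port, state, pid))
    return entries


def tivoli_ports(entries, pid_to_image):
    """Map each Tivoli image name to the set of (proto, port) it has open.
    TCP ports count only when LISTENING; UDP ports count unconditionally."""
    result = defaultdict(set)
    for proto, port, state, pid in entries:
        image = pid_to_image.get(pid)
        if image not in TIVOLI_EXES:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        result[image].add((proto, port))
    return dict(result)


def netsh_commands(ports_by_image):
    """Application exception first (the preferred form, since ports may be
    random), then the port exceptions a pure packet filter would need instead."""
    cmds = []
    for image, ports in sorted(ports_by_image.items()):
        name, path = TIVOLI_EXES[image]
        cmds.append(f'netsh firewall add allowedprogram program="{path}" '
                    f'name="{name}" mode=ENABLE')
        for proto, port in sorted(ports):
            cmds.append(f'netsh firewall add portopening protocol={proto} port={port} '
                        f'name="{name} ({proto} {port})"')
    return cmds


if __name__ == "__main__":
    found = tivoli_ports(parse_netstat(NETSTAT_OUTPUT), PID_TO_IMAGE)
    print("\n".join(netsh_commands(found)))
```

Parsing the PID column, rather than piping netstat through find "PID", avoids matching the PID's digits where they happen to appear in an address or port column. The allowedprogram lines are the ones to use on Windows Firewall; the portopening lines only reflect what a packet-filter-only product would force you to open.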