5.1 Understanding Windows Agent Communication

The Windows agent must be able to send requests to and receive requests from Core Services and all endpoints managed by proxy. When a request from Core Services cannot reach the Windows agent, Secure Configuration Manager makes multiple attempts to connect before reporting a communication failure. For more information about Core Services retry attempts, see the User’s Guide for Secure Configuration Manager and the Core Services Configuration Utility help.

The Windows agent and Core Services communicate over an SSL-encrypted connection.

5.1.1 Understanding Port Requirements

Open the ports listed in the following table to ensure proper communication among the Windows agent, Core Services, Secure Configuration Manager consoles, and remote computers. The ports must also be open to ensure communication through network and personal computer firewalls. For more information about communicating with remote computers, see Deployment Requirements and Understanding Management by Proxy. For more information about required firewall settings, see Understanding Firewall Requirements.

Port Number   Component Computer             Port Use
700           Deployment agent computer;     During deployment, used by the Deployment Agent and target computers for inbound and outbound communications.
              Remote computer
1622          Agent computer                 Used by the Windows agent computer to listen for communications from Core Services.
1626          Core Services computer         Used by the Core Services computer to listen for communication from Security Agent for Windows 5.8 Service Pack 2 or older.
1627          Core Services computer         Used by the Core Services computer to listen for communication from the Windows agent.
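The following PowerShell script is an added example, not part of the NetIQ documentation, that checks the port requirements above from the Windows agent computer: whether the agent can reach Core Services on TCP 1627, whether something is actually listening on TCP 1622, and whether the host firewall has an enabled inbound allow rule for 1622. The function name and the Core Services hostname in the example call are assumptions; run it in an elevated PowerShell session.

```powershell
# Added example (not NetIQ code). Run elevated on the Windows agent computer.
# Ports come from the documentation table; the hostname in the call at the
# bottom is an assumption and must be replaced with your Core Services host.
function Test-ScmAgentPorts {
    param(
        [Parameter(Mandatory)] [string]$CoreServicesHost,
        [int]$AgentListenPort = 1622,   # agent listens here for Core Services
        [int]$CoreListenPort  = 1627    # Core Services listens here for the agent
    )
    $results = @()

    # 1. Outbound: can this agent open TCP/1627 to the Core Services computer?
    $tnc = Test-NetConnection -ComputerName $CoreServicesHost -Port $CoreListenPort `
               -WarningAction SilentlyContinue
    $status = if ($tnc.TcpTestSucceeded) { 'OK' }
              else { 'FAILED (blocked in transit, or Core Services not listening)' }
    $results += [pscustomobject]@{
        Check  = "Agent -> $CoreServicesHost TCP/$CoreListenPort"
        Result = $status
    }

    # 2. Inbound: is a process really listening on TCP/1622 on this computer?
    $listen = @(Get-NetTCPConnection -State Listen -LocalPort $AgentListenPort `
                   -ErrorAction SilentlyContinue)
    if ($listen.Count -gt 0) {
        $owner  = Get-Process -Id $listen[0].OwningProcess -ErrorAction SilentlyContinue
        $status = "OK (PID $($listen[0].OwningProcess) $($owner.ProcessName))"
    } else {
        $status = 'NOT LISTENING (agent service stopped, or bound to another port)'
    }
    $results += [pscustomobject]@{
        Check  = "Listener on TCP/$AgentListenPort"
        Result = $status
    }

    # 3. Host firewall: is there an enabled inbound allow rule that covers TCP/1622?
    #    Matches an exact port or 'Any'; port ranges in rules are not parsed here.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 'Any' -or $_.LocalPort -contains "$AgentListenPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $status = if ($rules) { "OK ($(@($rules | Select-Object -First 3).DisplayName -join '; '))" }
              else { 'NO RULE (Core Services requests will be dropped by the host firewall)' }
    $results += [pscustomobject]@{
        Check  = "Inbound firewall rule for TCP/$AgentListenPort"
        Result = $status
    }

    return $results
}

# Example run; the hostname is assumed.
Test-ScmAgentPorts -CoreServicesHost 'scm-core.example.local' | Format-Table -AutoSize
```

Check 1 only proves a TCP handshake, so a failure does not distinguish a network firewall from a stopped Core Services; check 3 is the one that explains agents that are up and reachable outbound but still reported as failing, because the inbound side is the one that host firewalls usually block.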

5.1.2 Understanding Firewall Requirements

In general, network and personal computer firewalls can block data transmission when you deploy the agent and during day-to-day communications among the agent, endpoints, and Secure Configuration Manager Core Services.

Ensure that your environment meets the following requirements for communicating through firewalls:

  • When using a high-security firewall in a network, such as for a demilitarized zone, install agents on the same side of the firewall as the endpoints and install Core Services on the other side of the firewall. With this placement only the agent and Core Services listening ports (and port 700 during deployment) need to cross the firewall; the file sharing, remote administration, and WinRM access that management by proxy requires stays on the endpoints' side.

  • When you deploy the agent to a remote computer, File and Printer Sharing must be enabled in the Windows firewall settings on the remote computer.

  • Enable Remote Administration and Windows Remote Management in the Windows firewall settings for inbound and outbound communication on endpoints managed by proxy. By default, Windows firewall settings do not include exceptions for the proxy agent's traffic, so the firewall blocks the agent from gathering data and security checks might report the endpoints as Offline. Enabling Remote Administration and Windows Remote Management in the firewall settings for endpoints ensures more accurate security check reporting of your endpoints.
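The script below is an added example, not NetIQ code, showing how to apply the firewall requirements in this section with the NetFirewall cmdlets. One function runs on the Windows agent computer and adds an inbound rule for the agent listener; the other runs on an endpoint managed by proxy and enables the File and Printer Sharing, Remote Administration, and Windows Remote Management rule groups. The rule display name, function names, and the proxy agent address are assumptions; the DisplayGroup names are the built-in English names and differ on localized Windows. Run elevated.

```powershell
# Added example (not NetIQ code). Run in an elevated PowerShell session.

# --- On the Windows agent computer: let Core Services reach TCP/1622 ---
function Enable-ScmAgentInboundRule {
    param(
        [int]$AgentListenPort = 1622,
        [string]$RuleName = 'NetIQ SCM Windows agent (TCP 1622 in)'   # assumed name
    )
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        # Domain profile only: the agent should not accept Core Services
        # connections when the host is on a public network.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $AgentListenPort -Action Allow -Profile Domain | Out-Null
    }
    # The agent itself connects out to Core Services on TCP/1627, which the
    # default outbound policy allows. If your baseline blocks outbound traffic,
    # add a rule with -Direction Outbound -RemotePort 1627 scoped to Core Services.
    Get-NetFirewallRule -DisplayName $RuleName
}

# --- On an endpoint managed by proxy: enable the required rule groups ---
function Enable-ScmProxyEndpointRules {
    param(
        # Address of the proxy agent (assumed). Scoping the inbound rules to it
        # keeps SMB, RPC and WinRM from being exposed to the whole network.
        # Pass 'Any' to leave the built-in scope unchanged.
        [string]$ProxyAgentAddress = '10.0.0.25'
    )
    $groups = @(
        'File and Printer Sharing',    # needed for remote agent deployment
        'Remote Administration',       # RPC / named-pipe access used by the proxy agent
        'Windows Remote Management'    # WinRM
    )
    foreach ($g in $groups) {
        $rules = @(Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            Write-Warning "Rule group '$g' not present on this system (SKU or locale); add equivalent rules manually."
            continue
        }
        $rules | Enable-NetFirewallRule
        if ($ProxyAgentAddress -ne 'Any') {
            # Restrict only the inbound rules; outbound replies are unaffected.
            $rules | Where-Object { $_.Direction -eq 'Inbound' } |
                Set-NetFirewallRule -RemoteAddress $ProxyAgentAddress
        }
        Write-Output "Enabled $($rules.Count) rule(s) in group '$g' (inbound remote address: $ProxyAgentAddress)"
    }
    # Show what is now enabled for a quick review.
    Get-NetFirewallRule -DisplayGroup $groups -Enabled True -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Profile |
        Format-Table -AutoSize
}

# Call the one that matches the computer you are on, for example:
# Enable-ScmAgentInboundRule
# Enable-ScmProxyEndpointRules -ProxyAgentAddress '10.0.0.25'
```

Enabling these groups opens SMB, RPC and WinRM on every endpoint, so restricting the inbound rules to the proxy agent's address is the least-privilege form of the requirement; if you must leave the scope at Any, at least keep the rules limited to the Domain profile. Wrapping the second function in Invoke-Command lets you apply it to many endpoints at once.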

5.1.3 Understanding FIPS Communication

Secure Configuration Manager supports Federal Information Processing Standard (FIPS) 140-2 communication among the product components, including between the Windows agent and managed endpoints. To configure the Windows agent to function in FIPS communication mode, you can enable the GPO setting System Cryptography: Use FIPS Compliant Algorithms for Encryption, Hashing, and Signing. You must restart the Windows agent service after you change the GPO setting.

You can also configure the Windows agent alone to function in FIPS mode, without changing the computer-wide setting, by setting an agent registry value as described in the procedure below. You must restart the agent service after you change the registry value.

NOTE: You do not need to enable FIPS in the Core Services Configuration Utility for Core Services to communicate with a FIPS-enabled agent. However, to be compliant with FIPS standards, all components must communicate in FIPS mode. For more information, see the User’s Guide for Secure Configuration Manager.

To configure FIPS mode for the Windows agent only:

  1. (Conditional) For a Windows agent running on a 64-bit computer, set the following registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetIQ\VigilEnt\vigilent_adapter\useFipsMode (REG_DWORD: 1)

  2. (Conditional) For a Windows agent running on a 32-bit computer, set the following registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\VigilEnt\vigilent_adapter\useFipsMode (REG_DWORD: 1)

  3. Restart the Windows agent service.
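The following PowerShell function is an added example, not NetIQ code, that carries out the three steps above: it picks the 64-bit or 32-bit key, writes useFipsMode as a REG_DWORD of 1, verifies the value, and restarts the agent service. It also reports the computer-wide policy (the GPO setting above is stored under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy) so you can tell which of the two mechanisms is in effect. The agent service name is not given on this page and is an assumption; find the real one with Get-Service before running. Run in an elevated, native (64-bit on 64-bit Windows) PowerShell session.

```powershell
# Added example (not NetIQ code). Run elevated; on 64-bit Windows use 64-bit
# PowerShell so the Wow6432Node path is written without WOW64 redirection.
function Enable-ScmAgentFipsMode {
    param(
        # Assumed service name; the page does not state it. Verify with:
        #   Get-Service | Where-Object DisplayName -like '*NetIQ*'
        [string]$AgentServiceName = 'NetIQSecurityAgent'
    )

    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from 64-bit PowerShell on 64-bit Windows.'
    }

    # Computer-wide policy behind the GPO setting, for reporting only.
    $policy = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                  -Name Enabled -ErrorAction SilentlyContinue
    $policyState = if ($policy.Enabled -eq 1) { 'enabled' } else { 'disabled' }
    Write-Output "Computer-wide FIPS policy: $policyState"

    # Step 1 or 2: choose the key for this architecture (paths from the procedure).
    $keyPath = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\NetIQ\VigilEnt\vigilent_adapter'
    } else {
        'HKLM:\SOFTWARE\NetIQ\VigilEnt\vigilent_adapter'
    }
    if (-not (Test-Path $keyPath)) {
        throw "Agent key $keyPath not found; is the Windows agent installed?"
    }

    # Write useFipsMode = 1 as REG_DWORD and read it back.
    Set-ItemProperty -Path $keyPath -Name useFipsMode -Value 1 -Type DWord
    $value = (Get-ItemProperty -Path $keyPath -Name useFipsMode).useFipsMode
    if ($value -ne 1) { throw "useFipsMode reads back as $value, expected 1" }
    Write-Output "$keyPath\useFipsMode = $value (REG_DWORD)"

    # Step 3: restart the agent service so it re-reads the setting.
    Restart-Service -Name $AgentServiceName -Force
    $svc = Get-Service -Name $AgentServiceName
    Write-Output "Service $($svc.Name): $($svc.Status)"
    return $svc.Status
}

# Example call (service name assumed):
# Enable-ScmAgentFipsMode -AgentServiceName 'NetIQSecurityAgent'
```

Because the agent-only value does not change the computer-wide policy, the report line lets you confirm that a host showing "Computer-wide FIPS policy: disabled" is still running the agent in FIPS mode, and, per the NOTE above, that the rest of the deployment also needs FIPS enabled before the installation as a whole is compliant.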