2019-04-09 05:48 AM
Deployment: Network Architecture and Ports
After looking at the ports on the table I noticed that the only appliance needing to access LIVE is ESA.
Further looking at the diagram, it does NOT show that ESA can directly access LIVE.
Which of the two is correct, and why does the NW server not need to access LIVE? This doesn't make any sense.
Then for NTP ports, none of the core appliances need an open connection to NW server but only to itself.
Archiver | Archiver | UDP 123 | NTP |
Broker | Broker | UDP 123 | NTP |
Concentrator | Concentrator | UDP 123 | NTP |
So Broker to Broker, Concentrator to Concentrator etc. No Concentrator to NW server. So how would this work exactly?
2019-04-09 08:54 AM
The NW head unit (node 0) does need to access Live
2019-04-09 09:02 AM
Thanks Dave, that makes perfect sense.
What about the NTP that only need to connect to own host and never to NW server?
How would I trust that everything else is correct when even customers can tell that something is wrong?
For every client-server connection you need a client and a server :) So which is the NTP server? Every appliance??!
Can someone correct this randomized document that has been out for more than a year?
RSA have a history where they were struggling to populate the equivalent architecture document for 10.4. I would have thought that RSA would be a bit more mature 3-4 years later when they talk about Gartner and the like.
We can't just raise change requests based on random information that hasn't been proofread (no surprise here, sorry). Please correct this joke document, it's damaging your brand.
2019-04-11 07:12 AM
I had a support case regarding this issue last year which was closed with a promise to correct the port requirements in the documentation and in the application configuration. As a result, only now, after over half a year, I can see the requested amendments in the newly released documentation of 11.3.
NTP port requirement seems to be fixed along with a nonsensical requirement for UDP 50514 on every host, which has been in the documentation and iptables since the SA Audit was introduced many years ago. I hope in v11.3 this rule will be removed from iptables.
It is a shame RSA does not update the documentation of already released versions.
2019-04-11 07:30 AM
Regarding your original question, there was another case early last year where I suggested that the requirements for Internet access for each host, with a definite list of URLs, should be added to the deployment documentation. Unfortunately, I still cannot see this information published.
2019-04-11 08:36 AM
They might suggest to raise an RFE:)
2019-04-11 09:05 AM
True but actually it’s my bad this time. I just missed it. Live resources were added to the ports sheets.
2019-04-11 09:13 AM
Yeah, they were added to the wrong server (ESA), and then they have this green box on top saying that all core should be able to communicate with the NW host on 123, while in the table they only list that core communicates with itself.
I don't blame them, they are still learning. It's difficult to put 1+1 sometimes.
2019-04-11 09:33 AM
I cannot find the online documentation of 11.3, but in the PDF doc the ports sheets look better. The diagram is still not perfect.