Preparing for Deployment
27 Feb 2023

Preparing Your Environment

Netreo uses existing manufacturer APIs to collect data from systems without having to install additional agents. Whenever practical, Netreo recommends installing Netreo on a core network, inside of any firewalls used for perimeter protection. Because Netreo uses a wide variety of protocols for management (including direct connections to applications for monitoring and management), implementation is greatly simplified by this approach. Additionally, there are a few things you can do before installing Netreo to make your evaluation as easy as possible.

Resource Requirements

Please make sure that your environment is able to provide Netreo with the minimum resources required for operation. See the Hardware Performance Guide for the Netreo Virtual Appliance for applicable resource requirements.

Passwords

Having the necessary credentials for your network handy while configuring Netreo will make the initial setup go much more quickly and smoothly. Here’s a list of credentials to gather before you begin:

  • Any relevant SNMP read-only strings for devices on your network.
  • WMI/WinRM credentials to access Windows devices.
  • SSH/Telnet credentials for configuration management.

SNMP

SNMP (Simple Network Management Protocol) is the main protocol used for Linux servers and network devices (such as routers, switches, firewalls, and load balancers). It provides a simple, efficient, standardized way of collecting data from devices. SNMP uses the concept of a "community string" (which functions much like a password) to authorize connections to the device.

Recommendations

  • Netreo recommends the use of SNMPv2c for most customer environments.
  • Configure the SNMP community string with read-only permissions.
  • Restrict SNMP access by using the filter or access-list functionality of the device under management to limit access to the specific IP address of the Netreo appliance.
    • Note: In "High-Availability" environments, you will want to make sure that all of the Netreo appliance IP addresses are included on this list.
  • Read-write access is not generally required for Netreo to fully monitor devices and should not be left enabled.
  • Ensure your edge routers or firewalls are blocking SNMP traffic from the Internet and from non-controlled networks.

Although SNMPv2c does not provide encryption, as long as you are monitoring internal systems from inside your security perimeter, this generally does not create a significant security threat, as the information that can be gathered with read-only permissions is fairly limited.

If you are monitoring systems over the public Internet or other shared networks (where packet capture and eavesdropping is a potential security risk), Netreo supports the use of SNMPv3 for greater security. Under these conditions, Netreo recommends the use of AUTHPRIV mode only. Be sure to check that the devices you wish to manage support SNMPv3 in the AUTHPRIV mode. Other SNMPv3 modes add overhead without enhancing security.

Due to the higher overhead and lower performance offered by SNMPv3, customers should consider the implications carefully before deciding to standardize on SNMPv3. For assistance and advice specific to your environment and configuration, please review the article SNMP Security Best Practices or feel free to contact Netreo Support.
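The following is an added example, not Netreo's own code or tooling: a small Python audit of a net-snmp style snmpd.conf that checks the read-only, single-source, high-availability coverage and authPriv recommendations above. The configuration text and the appliance addresses 10.10.5.20 and 10.10.5.21 are constructed for illustration; a hostname used as a SOURCE value is not resolved here and is reported as unrestricted.

```python
"""Audit an snmpd.conf against the SNMP recommendations above (added example)."""
import ipaddress

# Constructed sample; not a configuration from any real device.
SAMPLE_CONF = """\
# read-only community with no source restriction
rocommunity public
# single-host restriction to the primary Netreo appliance
rocommunity netreo-ro 10.10.5.20
# restriction to a whole network is wider than the appliance addresses
rocommunity netreo-ro 10.10.0.0/16
# read-write community that the monitoring system does not need
rwcommunity private 10.10.5.20
# SNMPv3 users: only the first one is limited to authPriv
rouser netreo-v3 priv
rouser legacy auth
"""


def _parse_source(source):
    """Return an ip_network for a SOURCE token, or None for 'default'/absent/hostname."""
    if source is None or source == "default":
        return None
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None  # hostnames are not resolved in this example


def audit_snmpd_conf(text, appliance_addrs):
    """Return [(line_no, finding)]; line_no 0 marks a whole-file finding."""
    findings = []
    covered = set()  # appliance addresses that own a host-restricted read-only community
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        directive, name = tok[0].lower(), tok[1]
        if directive in ("rwcommunity", "rwcommunity6", "rwuser"):
            findings.append((no, f"{directive} '{name}': read-write access is enabled; "
                                 "remove it unless it is actually needed"))
        elif directive in ("rocommunity", "rocommunity6"):
            source = tok[2] if len(tok) > 2 else None
            net = _parse_source(source)
            if net is None:
                findings.append((no, f"community '{name}' has no usable source restriction"))
            elif net.num_addresses > 1:
                findings.append((no, f"community '{name}' source {source} is a network, "
                                     "not a single appliance address"))
            elif str(net.network_address) not in appliance_addrs:
                findings.append((no, f"community '{name}' source {source} "
                                     "is not a Netreo appliance address"))
            else:
                covered.add(str(net.network_address))
        elif directive == "rouser":
            level = tok[2].lower() if len(tok) > 2 else "auth"  # net-snmp default level
            if level != "priv":
                findings.append((no, f"SNMPv3 user '{name}' allows level '{level}'; "
                                     "require priv (authPriv)"))
    # High-availability note: every appliance address needs its own entry.
    for addr in appliance_addrs:
        if addr not in covered:
            findings.append((0, f"appliance {addr} has no host-restricted read-only community"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_snmpd_conf(SAMPLE_CONF, ["10.10.5.20", "10.10.5.21"]):
        print(f"line {line_no or '-'}: {msg}")
```

Run against the sample it reports five findings: the unrestricted `public` community, the /16 source, the read-write community, the `legacy` user that is not limited to authPriv, and the missing entry for the second appliance address. The same function can be pointed at a real file with `open(path).read()`.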

Firewall Notes

  • SNMP uses port UDP/161 for polled data collection and port UDP/162 for Trap messages (originating from the device to Netreo).

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.

WMI/WSMAN

WMI and WSMAN are protocols used to collect data from Windows servers. WMI is enabled by default on all versions of Windows since 2003. WSMAN is installed by default on Windows servers since 2008, but must be enabled manually. The primary difference is that WSMAN uses an encrypted web API for data collection—which is much simpler to configure if the traffic has to traverse a firewall.

Either of these requires an account with administrator privileges or DCOM permissions on the device to be managed. See How to Create a Non-Administrator-Based Service Account in Windows for more information on how to use non-administrator accounts to access Windows statistics.

Firewall Notes

  • WMI: TCP/135 and all high ports (1024-65535), bidirectionally.
  • WSMAN: Port TCP/5985 originating from Netreo.

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.
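As an added example (not the Netreo Credentials and Connectivity Test itself), the following Python script performs the equivalent pre-deployment check from a host on the Netreo side of the firewall, covering both the SNMP and the WMI/WSMAN firewall notes above: a TCP connect to the WSMAN port and the WMI endpoint mapper port, and a single SNMPv2c GetRequest for sysDescr.0 on UDP/161, so a firewall that silently drops UDP shows up as a timeout rather than a false pass. The BER encoding is written out by hand so the script has no dependencies; the host addresses and community string are placeholders, and `build_get_response` exists only to construct a sample reply for offline parsing.

```python
"""Connectivity probe for the SNMP and WMI/WSMAN ports (added example)."""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # SNMPv2-MIB::sysDescr.0


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(v):
    """ASN.1 INTEGER, two's complement, minimal length."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _oid(arcs):
    """ASN.1 OBJECT IDENTIFIER with base-128 sub-identifier encoding."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _message(community, pdu_tag, request_id, varbinds):
    """SNMPv2c message: SEQUENCE { version 1, community, PDU { id, 0, 0, varbinds } }."""
    vbs = b"".join(_tlv(0x30, _oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbs))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """GetRequest-PDU (tag 0xA0) carrying a NULL placeholder value."""
    return _message(community, 0xA0, request_id, [(oid, _tlv(0x05, b""))])

def build_get_response(community, oid, text, request_id=1):
    """GetResponse-PDU (tag 0xA2); constructed here only for offline parser testing."""
    return _message(community, 0xA2, request_id, [(oid, _tlv(0x04, text.encode()))])

def _parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(packet):
    """Return (request_id, error_status, [(oid_bytes, value_tag, value_bytes)])."""
    tag, msg, _ = _parse_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = _parse_tlv(msg)
    _, _community, p = _parse_tlv(msg, p)
    tag, pdu, _ = _parse_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _parse_tlv(pdu)
    _, err, p = _parse_tlv(pdu, p)
    _, _idx, p = _parse_tlv(pdu, p)
    _, vbs, _ = _parse_tlv(pdu, p)
    out, p = [], 0
    while p < len(vbs):
        _, vb, p = _parse_tlv(vbs, p)
        _, oid, q = _parse_tlv(vb)
        vtag, val, _ = _parse_tlv(vb, q)
        out.append((oid, vtag, val))
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), out)

def snmp_get_sysdescr(host, community, timeout=2.0):
    """One SNMPv2c GET on UDP/161; None means no answer (blocked, wrong community, agent off)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    _rid, err, vbs = parse_get_response(data)
    if err != 0 or not vbs:
        return None
    _, vtag, val = vbs[0]
    return val.decode("utf-8", "replace") if vtag == 0x04 else val.hex()

def tcp_port_open(host, port, timeout=2.0):
    """TCP connect test for WSMAN (5985) or the WMI endpoint mapper (135)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Typical use is `snmp_get_sysdescr("192.0.2.10", "public")` for a network device and `tcp_port_open("192.0.2.20", 5985)` for a Windows server (placeholder addresses). A returned sysDescr confirms that UDP/161 is open and the community string is accepted; a `None` with an open TCP path to the same host points at either the device's SNMP access list or the community string. WMI additionally needs the dynamic high ports, which a single TCP/135 connect cannot prove.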

Security and Access

Netreo can operate without Internet access; however, licensing, software updates, and remote support are greatly simplified with some basic Internet access. The following is a list of IP addresses and ports that can be configured on your outbound firewall to safely allow Netreo the access it needs.

For remote technical support and customization, allow:

  • FQDN: charon.netreo.net
  • Port: TCP/443

If the above port is not available, the system can be configured to use these alternate ports instead by contacting Netreo Support:

  • Port: TCP/5000
  • Port: UDP/1194

(Application-aware firewalls will need to configure this as SSL/TLS and OpenVPN.)

For automatic Netreo licensing, allow:

  • FQDN: activation.netreo.net
  • Port: TCP/443

(Application-aware firewalls will need to configure this as SSL/TLS or HTTPS.)

For software update support, allow:

  • FQDN: updates.netreo.net
  • Port: TCP/80
  • Port: TCP/443

For Netreo Mobile and Cloud features: Netreo uses a wide variety of dynamic technologies to route and assign users to the best or closest cloud-hosted server, so it is not possible to restrict access to a group of IP addresses. Netreo recommends allowing outbound access for SSL/TLS or HTTPS on port 443. If your firewall allows you to restrict access by domain name, you can use the following destinations (all are port TCP/443):

  • *.api.netreo.com
  • rr.netreo.com
  • *.rr.netreo.com

For geocoding information used by the Netreo Geographic Map feature, allow:

  • api.geonames.org
  • dev.virtualearth.net
