
Dell OpenManage™ Security

Dell OpenManage™ Version 5.1 Installation and Security User's Guide

  Security Features

  Built-in Security Features

  Security Management



Security Features

The Dell OpenManage systems management software components provide the following security features:

NOTE: Telnet does not support SSL encryption.

Built-in Security Features

Ports

Table 2-1 lists the ports used by the Dell OpenManage systems management software, other standard operating system services, and other agent applications. Correctly configured ports are necessary to allow Dell OpenManage systems management software to connect to a remote device through firewalls. If the attempt to communicate with a remote device fails, you may have specified an incorrect port number.

NOTE: "Version" in Table 2-1 refers to the minimum product version that uses the port (or explicit version if specified).

Table 2-1. Dell OpenManage UDP/TCP Ports Default Locations

Port # | Protocol | Port Type | Version | Max. Encryption Level | Direction | Usage | Configurable

Dell OpenManage Baseboard Management Controller - PowerEdge™ x8xx systems
623 | RMCP | UDP | PowerEdge x800 systems only | None | In/Out | IPMI access via LAN | No

Dell OpenManage Baseboard Management Utility
623 | Telnet | TCP | 1.x | None | In/Out | Accepts incoming Telnet connections | Yes
623 | RMCP | UDP | 1.x | None | In/Out | Basic BMC commands: server status, power up/down, and so on. | No
623 | RMCP | UDP | 1.x | None | In/Out | Basic BMC commands and console redirection | No

Dell OpenManage Client Connector
135 | RPC | TCP/UDP | 2.0 | None | In/Out | Viewing of client management data | No
389 | LDAP | TCP | 2.0 | 128 bit | In/Out | Domain authentication | No
4995 | HTTPS | TCP | 2.0 | 128 bit SSL | In/Out | Web GUI | Yes
1024-65535 (dynamically assigned) | DCOM | TCP/UDP | 2.0 | None | In/Out | Viewing of client management data | Port range can be restricted.

Dell OpenManage Client Instrumentation
20 | HTTP and FTP | TCP | 6.x, 7.x | None | In/Out | Flash BIOS communication | No
21 | HTTP and FTP | TCP | 6.x, 7.x | None | In/Out | Flash BIOS communication | No
80 | HTTP and FTP | TCP | 6.x, 7.x | None | In/Out | Flash BIOS communication | No
135 | DCOM | TCP/UDP | 6.x, 7.x | None | In/Out | Monitoring and configuration via WMI | No
135 | DCOM | TCP | 7.x | None | Out | Event transmission via WMI | No
162 | SNMP | UDP | 6.x | None | Out | Event transmission via SNMP | No
1024-65535 (dynamically assigned) | DCOM | TCP/UDP | 6.x, 7.x | None | In/Out | Monitoring and configuration via WMI |
> 32780 (dynamically assigned) | DMI | TCP/UDP | 6.x | None | In/Out | Monitoring and configuration via DMI | Varies from one system to another.

Dell OpenManage IT Assistant
20 | FTP | TCP | 6.x | None | In/Out | Flash BIOS | No
22 | SSH | TCP | 7.x | 128 bit | In/Out | IT Assistant contextual application launch — SSH client; Remote software updates to Server Administrator — For systems supporting Linux | Yes
23 | Telnet | TCP | 7.x | None | In/Out | IT Assistant contextual application launch — Telnet to Linux device | No
25 | SMTP | TCP | 7.x | None | In/Out | Optional e-mail alert action from IT Assistant | No
68 | UDP | UDP | 6.x, 7.x | None | Out | Wake-on-LAN | Yes
80 | HTTP | TCP | 6.x | None | In/Out | Flash BIOS | No
80 | HTTP | TCP | 7.x | None | In/Out | IT Assistant contextual application launch — PowerConnect™ console | No
135 | RPC | TCP | 6.x, 7.x | None | In/Out | Event reception via CIM from Server Administrator — For systems supporting Windows® | No
135 | RPC | TCP/UDP | 6.x | None | In/Out | DMI discovery of remote systems | No
135 | RPC | TCP/UDP | 7.x | None | In/Out | Remote software update transfer to Server Administrator — For systems supporting Windows; Remote Command Line — For systems supporting Windows | No
161 | SNMP | UDP | 6.x, 7.x | None | In/Out | SNMP query management | No
162 | SNMP | UDP | 6.x, 7.x | None | In | Event reception via SNMP | No
162 | SNMP | UDP | 7.x | None | Out | SNMP trap forwarding action from IT Assistant | No
389 | LDAP | TCP | 7.x | 128 bit | In/Out | Domain authentication for IT Assistant log on | No
1433 | Proprietary | TCP | 7.x | None | In/Out | Optional remote SQL server access | Yes
2606 | Proprietary | TCP | 6.x, 7.x | None | In/Out | Network monitoring service communication port | Yes
2607 | HTTPS | TCP | 7.x | 128 bit SSL | In/Out | IT Assistant web GUI | Yes
3389 | RDP | TCP | 7.x | 128 bit SSL | In/Out | IT Assistant contextual application launch — Remote desktop to Windows terminal services | Yes
11487/11489 | Proprietary | TCP/UDP | 6.x | None | Out | Flash BIOS | No
443 | Proprietary | TCP | 8.0 | None | In/Out | EMC Storage discovery and inventory | No
623 | RMCP | UDP | 8.0 | None | In/Out | IPMI access via LAN | No
6389 | Proprietary | TCP | 8.0 | None | In/Out | Enables communication between a host system (through NaviCLI/NaviSecCLI or Navisphere Host Agent) and a Navisphere Array Agent on a Storage system. | No

Dell OpenManage Server Administrator
22 | SSH | TCP | 2.0 | 128 bit | In/Out | Remote Server Administrator Command Line (for IT Assistant). Remote Software Update feature (for Linux). | Yes
25 | SMTP | TCP | 2.0 | None | In/Out | Optional e-mail alert messages from Server Administrator | No
135 | RPC | TCP/UDP | 2.0 | None | In/Out | CIM management queries | No
135 | RPC | TCP/UDP | 2.0 | None | In/Out | Remote Server Administrator Command Line (for IT Assistant). Remote software update feature (for Windows). | No
139 | NetBIOS | TCP | 2.0 | None | In/Out | Remote Server Administrator Command Line (for IT Assistant). Remote Software Update (for Windows). | No
161 | SNMP | UDP | 1.x, 2.0 | None | In/Out | SNMP query management | No
162 | SNMP | UDP | 1.x, 2.0 | None | Out | SNMP trap event | No
445 | NetBIOS | TCP | 2.0 | None | In/Out | Remote software updates to Server Administrator (for Windows) | No
1311 | HTTPS | TCP | 1.x | 128 bit SSL | In/Out | Web GUI | Yes
11487 | Proprietary | UDP | 1.x | None | In | Remote Flash BIOS update initiation from IT Assistant | Yes
11489 | Proprietary | TCP | 1.x | None | In | Remote Flash BIOS update file transfer from IT Assistant | Yes
1024-65535 | DCOM | TCP/UDP | 2.0 | None | In/Out | CIM/WMI query management | Yes

Dell Remote Access Controller (DRAC): DRAC III, DRAC III/XT, ERA, and ERA/O
21 | FTP | TCP | 1.0 | None | In/Out | Firmware update via FTP and certificate upload/download | No
23 | Telnet | TCP | 1.0 | None | In/Out | Optional Telnet-based CLI management | No
25 | SMTP | TCP | 1.0 | None | In/Out | Optional e-mail alert messages | No
68 | DHCP | UDP | 1.2 | None | In/Out | DHCP assigned IP address | No
69 | TFTP | UDP | 1.0 | None | In/Out | Firmware update via Trivial FTP. Remote floppy boot via TFTP. | No
80 | HTTP | TCP | 1.0 | None | In/Out | Web GUI redirected to HTTPS | No
162 | SNMP | UDP | 1.0 | None | Out | SNMP trap event | No
443 | HTTPS | TCP | 1.0 | 128 bit SSL | In/Out | Web management GUI | No
443 | HTTPS | TCP | 3.2 | 128 bit SSL | In/Out | Remote racadm CLI utility | No
5869 | Proprietary | TCP | 1.0 | None | In/Out | Remote racadm CLI utility | No
5900 | VNC | TCP | 1.0 | 56 bit DES | In/Out | Video redirection | Yes
5900 | VNC | TCP | 3.2 | 128 bit RC | In/Out | Video redirection | Yes
5981 | VNC | TCP | 1.0 | None | In/Out | Video redirection | Yes
random and > 32768 | Proprietary | TCP | 1.0 | None | In/Out | Firmware update from the Web GUI | No

DRAC 4
22 | SSHv2 | TCP | 1.30 | 128 bit | In/Out | Optional Secure Shell (SSH) CLI management | Yes
23 | Telnet | TCP | 1.0 | None | In/Out | Optional Telnet CLI management | Yes
25 | SMTP | TCP | 1.0 | None | In/Out | Optional e-mail alert messages | No
53 | DNS | UDP | 1.20 | None | In/Out | Dynamic Domain Name System (DNS) registration of the host name assigned within DRAC | No
68 | DHCP | UDP | 1.0 | None | In/Out | DHCP assigned IP address | No
69 | TFTP | UDP | 1.0 | None | In/Out | Firmware update via Trivial FTP | No
80 | HTTP | TCP | 1.0 | None | In/Out | Web GUI redirected to HTTPS | Yes
161 | SNMP | UDP | 1.0 | None | In/Out | SNMP query management | No
162 | SNMP | UDP | 1.0 | None | Out | SNMP trap event | No
443 | HTTPS | TCP | 1.0 | 128 bit SSL | In/Out | Web management GUI and remote racadm CLI utility | Yes
636 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No
3269 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No
3668 | Proprietary | TCP | 1.0 | None | In/Out | CD/diskette virtual media service | Yes
5869 | Proprietary | TCP | 1.0 | None | In/Out | Remote racadm | No
5900 | Proprietary | TCP | 1.0 | 128 bit RC4, keyboard/mouse traffic only | In/Out | Video redirection | Yes

DRAC/MC
23 | Telnet | TCP | 1.0 | None | In/Out | Optional Telnet CLI management | Yes
25 | SMTP | TCP | 1.0 | None | In/Out | Optional e-mail alert messages | No
53 | DNS | UDP | 1.0 | None | In/Out | Dynamic DNS registration of host name assigned within DRAC | No
68 | DHCP | UDP | 1.0 | None | In/Out | DHCP assigned IP address | No
69 | TFTP | UDP | 1.0 | None | In/Out | Firmware update via Trivial FTP | No
80 | HTTP | TCP | 1.0 | None | In/Out | Web GUI redirected to HTTPS | Yes
161 | SNMP | UDP | 1.0 | None | In/Out | SNMP query management | No
162 | SNMP | UDP | 1.0 | None | Out | SNMP trap event | No
389 | LDAP | TCP | 1.0 | None | In/Out | Optional Active Directory Services (ADS) authentication | No
443 | HTTPS | TCP | 1.0 | 128 bit SSL | In/Out | Web management GUI and remote racadm CLI utility | No
636 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No
3269 | LDAPS | TCP | 1.0 | 128 bit SSL | In/Out | Optional Active Directory Services (ADS) authentication | No

Digital KVM
2068 | Proprietary | TCP | 1.0 | 128 bit SSL | In/Out | Video Redirection — Keyboard/Mouse | No
3668 | Proprietary | TCP | 1.0 | None | In/Out | Virtual Media | No
8192 | Proprietary | TCP | 1.0 | None | In/Out | Video redirection to client viewer | No

NOTE: CIM ports are dynamic. See the Microsoft knowledge base at support.microsoft.com for information on CIM port usage.
NOTE: If you are using a firewall, you must open all of the ports listed in Table 2-1 to ensure that IT Assistant and other Dell OpenManage applications function properly.
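As an added example (not Dell's code, and not part of this guide), the following Python turns rows of Table 2-1 into host-firewall allow rules scoped to a management subnet and lists the rows whose Max. Encryption Level is None, so an administrator can see which management protocols cross the wire unprotected and which of those the table marks as configurable. The row subset, the component labels, the mgmt_cidr value and the iptables-style output format are assumptions for illustration.

```python
from collections import namedtuple

# One Table 2-1 row: component, Port #, Port Type, Max. Encryption Level, Direction, Usage, Configurable.
Row = namedtuple("Row", "component port transport encryption direction usage configurable")

# Constructed subset of Table 2-1 (cell values copied from the guide's rows); extend from the full table.
ROWS = [
    Row("Server Administrator", "22", "TCP", "128 bit", "In/Out", "Remote Server Administrator Command Line", "Yes"),
    Row("Server Administrator", "161", "UDP", "None", "In/Out", "SNMP query management", "No"),
    Row("Server Administrator", "162", "UDP", "None", "Out", "SNMP trap event", "No"),
    Row("Server Administrator", "1311", "TCP", "128 bit SSL", "In/Out", "Web GUI", "Yes"),
    Row("Server Administrator", "1024-65535", "TCP/UDP", "None", "In/Out", "CIM/WMI query management", "Yes"),
    Row("DRAC 4", "22", "TCP", "128 bit", "In/Out", "Optional Secure Shell (SSH) CLI management", "Yes"),
    Row("DRAC 4", "23", "TCP", "None", "In/Out", "Optional Telnet CLI management", "Yes"),
    Row("DRAC 4", "69", "UDP", "None", "In/Out", "Firmware update via Trivial FTP", "No"),
    Row("DRAC 4", "443", "TCP", "128 bit SSL", "In/Out", "Web management GUI and remote racadm CLI utility", "Yes"),
]


def parse_port(spec):
    """Turn a Port # cell into an inclusive (low, high) pair; '1024-65535' is a range."""
    spec = spec.replace(" ", "")
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def inbound_rules(component, mgmt_cidr):
    """iptables-style ACCEPT rules for a component's inbound ports, limited to the management subnet.

    Rows whose Direction is 'Out' only need no inbound hole; 'TCP/UDP' rows get one rule per transport.
    """
    rules = []
    for row in ROWS:
        if row.component != component or "In" not in row.direction:
            continue
        low, high = parse_port(row.port)
        dport = str(low) if low == high else f"{low}:{high}"  # iptables range syntax
        for proto in row.transport.lower().split("/"):
            rules.append(f'-A INPUT -s {mgmt_cidr} -p {proto} --dport {dport} '
                         f'-m comment --comment "{row.usage}" -j ACCEPT')
    return rules


def cleartext_services(component):
    """Rows with Max. Encryption Level 'None', as (port, usage, configurable) tuples.

    'Yes' in the last field means the guide lets you disable or move that service.
    """
    return [(row.port, row.usage, row.configurable)
            for row in ROWS if row.component == component and row.encryption == "None"]
```

The wide DCOM range is the reason the guide says the range "can be restricted": a single rule for 1024-65535 is what the table forces unless the range is narrowed on the managed system first.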

Security Management

Dell provides security and access administration through role-based access control (RBAC), authentication, and encryption, or through Active Directory for both the Web-based and command line interfaces.

Role-Based Access Control (RBAC)

RBAC manages security by determining the operations that can be executed by users in specific roles. Each user is assigned one or more roles, and each role is assigned one or more user privileges that are permitted to users in that role. With RBAC, security administration can correspond closely to an organization's structure. For information about setting up Dell OpenManage users, see "Assigning User Privileges."

User Privileges

Server Administrator grants different access rights based on the user's assigned group privileges. The three user levels are User, Power User, and Administrator.

Users can view most information.

Power Users can set warning threshold values, run diagnostic tests, and configure which alert actions are to be taken when a warning or failure event occurs.

Administrators can configure and perform shutdown actions, configure Auto Recovery actions in case a system has a hung operating system, and clear hardware, event, and command logs. Administrators can also send e-mail.

Server Administrator grants read-only access to users logged in with User privileges; read and write access to users logged in with Power User privileges; and read, write, and administrator access to users logged in with Administrator privileges. See Table 2-2.

Table 2-2. User Privileges

User Privileges | Access Type: Admin | Access Type: Write | Access Type: Read
User | | | X
Power User | | X | X
Administrator | X | X | X

Admin access allows you to shut down the managed system.

Write access allows you to modify or set the values on the managed system.

Read access allows you to view the data reported by Server Administrator. Read access does not allow you to change or set the values on the managed system.

Privilege Levels to Access Server Administrator Services

Table 2-3 summarizes which user levels have privileges to access and manage Server Administrator Services.

Table 2-3. Server Administrator User Privilege Levels

Service | User Privilege Level Required: View | User Privilege Level Required: Manage
Instrumentation | U, P, A | P, A
Remote Access | U, P, A | A
Update | U, P, A | A
Storage Management | U, P, A | A

Table 2-4 defines the user privilege level abbreviations used in Table 2-3.

Table 2-4. Legend for Server Administrator User Privilege Levels

U | User
P | Power User
A | Administrator

Authentication

The Server Administrator authentication scheme ensures that the correct access types are assigned to the correct user privileges. Additionally, when you invoke the CLI, the Server Administrator authentication scheme validates the context within which the current process is running. This authentication scheme ensures that all Server Administrator functions, whether accessed through the Server Administrator home page or CLI, are properly authenticated.

Microsoft Windows Authentication

For supported Windows operating systems, Server Administrator authentication uses Integrated Windows Authentication (formerly called NTLM) to authenticate. This authentication system allows Server Administrator security to be incorporated in an overall security scheme for your network.

Red Hat® Enterprise Linux and SUSE® Linux Enterprise Server Authentication

For supported Red Hat Enterprise Linux and SUSE Linux Enterprise Server operating systems, Server Administrator authentication is based on the Pluggable Authentication Modules (PAM) library. This documented library of functions allows an administrator to determine how individual applications authenticate users.

Encryption

Server Administrator is accessed over a secure HTTPS connection using Secure Sockets Layer (SSL) technology to protect the identity of the system being managed. Java Secure Socket Extension (JSSE) is used on supported Windows, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server operating systems to protect the user credentials and other sensitive data transmitted over the socket connection when a user accesses the Server Administrator home page.

Microsoft Active Directory

The Active Directory service software acts as the central authority for network security, letting the operating system readily verify a user's identity and control that user's access to network resources for Dell OpenManage applications running on supported Windows platforms. Dell provides schema extensions for customers to modify their Active Directory database to support remote management authentication and authorization. IT Assistant, Server Administrator, and Dell remote access controllers can now interface with Active Directory to add and control users and privileges from one central database. For information about using Active Directory, see "Using Microsoft® Active Directory®."

