Deployment Guide: Network Architecture and Ports

Document created by RSA Information Design and Development on Oct 17, 2017. Last modified by RSA Information Design and Development on Apr 29, 2019.
Version 18

Refer to the following diagram and port table to ensure that all the relevant ports are opened for components in your NetWitness Platform deployment to communicate with each other.

See NetWitness Endpoint Architecture at the end of this topic for individual Endpoint Architectural diagrams.

NetWitness Platform Network Architecture Diagram

The following diagram illustrates the NetWitness Platform network architecture including all of its component products.

Note: NetWitness Platform core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.

NetWitness Network (Packets) Network Architecture Diagram

The following diagram illustrates the NetWitness Network (Packets) network architecture.

NetWitness Logs Network Architecture Diagram

The following diagram illustrates the NetWitness Logs network architecture.

Comprehensive List of NetWitness Platform Host, Service, and iDRAC Ports

Note: For ports used in event collection through NetWitness Logs, see "The Basics" in the RSA NetWitness Suite Log Collection Deployment Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

This section contains the port specifications for the following hosts.

NW Server Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | NW Server | TCP 443, 80 | nginx - NetWitness UI
Admin Workstation | NW Server | TCP 15671 | RabbitMQ Management UI
Admin Workstation | NW Server | TCP 22 | SSH
NW Hosts | NW Server | TCP 53, UDP 53 | DNS
NW Hosts | NW Server | TCP 15671 | RabbitMQ Management UI
NW Hosts | NW Server | TCP 4505, 4506 | Salt Master Ports
NW Hosts | NW Server | TCP 443 | RSA Update Repository
NW Hosts | NW Server | TCP 5671 | RabbitMQ-amqp
NW Hosts | NW Server | UDP 123 | NTP
NW Hosts | NW Server | TCP 27017 | MongoDB
NW Server | cloud.netwitness.com | TCP 443 | Live
NW Server | cms.netwitness.com | TCP 443 | Live
NW Server | smcupdate.emc.com | TCP 443 | Live
NW Server | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations
NW Server | NW Hosts | UDP 123 | NTP
NW Server | NW Endpoint | TCP 443, 9443 | For NW Endpoint 4.x integrations
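A practical use of the NW Server Host table is to audit what a host actually exposes. The following Python script is an added example, not part of the RSA guide: it parses `ss -lntu` style output (a constructed sample is embedded; the `ss` column layout is assumed from the standard iproute2 tool) and compares the network-reachable listeners against the protocol/port pairs the table documents for the NW Server, reporting undocumented exposure and documented ports with nothing listening.

```python
import re

# Destination ports that the NW Server Host table above says other components
# reach on the NW Server. Protocol/port pairs taken from that table.
NW_SERVER_EXPECTED = {
    ("tcp", 22), ("tcp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 4505),
    ("tcp", 4506), ("tcp", 5671), ("tcp", 15671), ("tcp", 27017),
    ("udp", 53), ("udp", 123),
}

# Constructed sample of `ss -lntu` output; not captured from a real NW Server.
# tcp/5672 (plain AMQP) listens on all interfaces although the table does not
# document it, tcp/53 is absent, and tcp/5432 is bound to loopback only.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:4505      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:4506      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5671      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5672      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:15671     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:27017     0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_output):
    """Map (proto, port) -> local address for every socket line in ss output."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[(m.group(1), int(m.group(3)))] = m.group(2)
    return listeners


def audit(listeners, expected):
    """Report network-reachable sockets the table does not document, and
    documented ports on which nothing is listening."""
    exposed = {key for key, addr in listeners.items() if addr not in LOOPBACK}
    return {
        "undocumented": sorted(exposed - expected),
        "missing": sorted(expected - set(listeners)),
    }


if __name__ == "__main__":
    print(audit(parse_listeners(SAMPLE_SS_OUTPUT), NW_SERVER_EXPECTED))
```

Run it against real output with `ss -lntu` piped into `parse_listeners`, and keep a separate expected set per host type from the tables that follow.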

Archiver Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Archiver | TCP 15671 | RabbitMQ Management UI
Archiver | NW Server | TCP 15671 | RabbitMQ Management UI
Archiver | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Archiver | TCP 22 | SSH
NW Server | Archiver | TCP 50008 (Non-SSL), 56008 (SSL), 50108 (REST) | Archiver Application Ports
NW Server | Archiver | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Archiver | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
NW Server | Archiver | TCP 514, 6514, 50007 (Non-SSL), 56007 (SSL), 50107 (REST); UDP 514 | Workbench Application Ports
Archiver | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

Broker Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Broker | TCP 15671 | RabbitMQ Management UI
Broker | Concentrator | TCP 50005 (Non-SSL), 56005 (SSL) | Concentrator Application Port
Broker | NW Server | TCP 15671 | RabbitMQ Management UI
Broker | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Broker | TCP 22 | SSH
NW Server | Broker | TCP 50003 (Non-SSL), 56003 (SSL), 50103 (REST) | Broker Application Ports
NW Server | Broker | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Broker | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
Broker | NW Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations
Endpoint Broker | NW Server | TCP 443 | RSA Update Repository

Concentrator Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Concentrator | TCP 15671 | RabbitMQ Management UI
Concentrator | Log Decoder | TCP 50002 (Non-SSL), 56002 (SSL) | Concentrator Application Port
Concentrator | Network Decoder | TCP 56004 | Concentrator Application Port
Concentrator | NW Server | TCP 15671 | RabbitMQ Management UI
Concentrator | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Concentrator | TCP 22 | SSH
NW Server | Concentrator | TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST) | Concentrator Application Ports
Malware | Concentrator | TCP 50005 (Non-SSL), 56005 (SSL) | Malware
NW Server | Concentrator | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Concentrator | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
Concentrator | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

Endpoint Log Hybrid

Source Host | Destination Host | Destination Ports | Comments
Endpoint Agent | Endpoint Log Hybrid | TCP 443 | NGINX HTTPS
Endpoint Agent | Endpoint Log Hybrid | UDP 444 | NGINX UDP. If UDP port 444 is not acceptable in your environment, see How to Change UDP Port for Endpoint Log Hybrid.
Endpoint Agent | Log Decoder or Virtual Log Collector | TCP 514 (Syslog), UDP 514 (Syslog), TLS 6514 | Windows Log Collection
Endpoint Log Hybrid | Log Decoder (External) | TCP 50102 (REST), 56202 (Protobuf SSL), 50202 (Protobuf) | To forward meta to an external Log Decoder
Endpoint Log Hybrid | NW Server | TCP 443 | RSA Update Repository
NW Server | Endpoint Log Hybrid | TCP 7050 | UI web traffic
Endpoint Log Hybrid | NW Server | TCP 5671 | Message Bus
Endpoint Log Hybrid | NW Server | TCP 27017 | MongoDB
NW Server | Endpoint Log Hybrid | TCP 7054 | UI web traffic
NW Server | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

Event Stream Analysis (ESA) Host

Note: The ports in this table are for the ESA Primary and ESA Secondary hosts. The Context Hub, Correlation and ESA Analytics services are co-located on the ESA Primary host. The Correlation and ESA Analytics services are co-located on the ESA Secondary host.

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | ESA | TCP 15671 | RabbitMQ Management UI
ESA Primary and Secondary | NW Server | TCP 15671 | RabbitMQ Management UI
ESA Primary and Secondary | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | ESA | TCP 22 | SSH
NW Server, ESA Secondary | ESA Primary | TCP 27017 | MongoDB
NW Server | ESA Primary | TCP 7005 | Context Hub Launch Port (ESA Primary)
NW Server | ESA | TCP 50030 (SSL) | ESA Application Port
NW Server | ESA | TCP 50035 (SSL) | ESA Application Port
NW Server | ESA | TCP 50036 (SSL) | ESA Application Port
NW Server | ESA | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
ESA Primary and Secondary | cms.netwitness.com | TCP 443 | Live
ESA Primary and Secondary | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations
ESA Primary and Secondary | Active Directory | 636 (SSL) / 389 (Non-SSL) |
NW Server | ESA | 80 (HTTP) / 443 (HTTPS) (REST) |
ESA Primary | Archer | 443 (SSL) / 80 (Non-SSL) |
ESA Primary | ESA Primary | TCP 7007 | Launch Port

iDRAC Ports

Port | Function | Comments
22* | SSH | Default, configurable port through which iDRAC listens for connections
443* | HTTP | Default, configurable port through which iDRAC listens for connections
5900* | Virtual Console keyboard and mouse redirection, Virtual Media, Virtual Folders, and Remote File Share | Default, configurable port through which iDRAC listens for connections
111, 2049 | TCP | NetWitness Platform hosts to NFS Server
111, 2049 | UDP | NetWitness Platform hosts to NFS Server

Log Collector Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Log Collector | TCP 15671 | RabbitMQ Management UI
Log Collector | NW Server | TCP 15671 | RabbitMQ Management UI
Log Collector | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Log Collector | TCP 22 | SSH
Log Collector | Log Event Sources | See the Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. |
Log Event Sources | Log Collector | TCP 514 (Syslog); UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports
Log Event Sources | Log Collector | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports
NW Server | Log Collector | TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST) | Log Collector Application Ports
NW Server | Log Collector | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Log Collector | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
Log Collector | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations
Log Collector | Virtual Log Collector | TCP 5671 | In Pull Mode
Virtual Log Collector | Log Collector | TCP 5671 | In Push Mode

Log Decoder Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Log Decoder | TCP 15671 | RabbitMQ Management UI
Log Decoder | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Log Decoder | TCP 22 | SSH
Log Decoder | Log Event Sources | See the Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. |
Log Event Sources | Log Decoder | TCP 514 (Syslog); UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports
Log Event Sources | Log Decoder | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports
NW Server | Log Decoder | TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST) | Log Collector Application Ports
NW Server | Log Decoder | TCP 50002 (Non-SSL), 56002 (SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports
NW Server | Log Decoder | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Log Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
Log Decoder | Log Collector | TCP 6514 |
Log Decoder | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

Log Hybrid Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Log Hybrid | TCP 15671 | RabbitMQ Management UI
Log Hybrid | NW Server | TCP 15671 | RabbitMQ Management UI
Log Hybrid | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Log Hybrid | TCP 22 | SSH
Log Collector | Log Event Sources | See the Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. |
Log Event Sources | Log Hybrid | TCP 514 (Syslog); UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports
Log Event Sources | Log Hybrid | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports
NW Server | Log Hybrid | TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST) | Log Collector Application Ports
NW Server | Log Hybrid | TCP 50002 (Non-SSL), 56002 (SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports
NW Server | Log Hybrid | TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST) | Concentrator Application Ports
NW Server | Log Hybrid | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Log Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
Log Hybrid | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

Malware Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Malware | TCP 15671 | RabbitMQ Management UI
Malware | NW Server | TCP 15671 | RabbitMQ Management UI
Malware | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Malware | TCP 22 | SSH
NW Server | Malware | TCP 60007 | Malware Application Ports
NW Server | Malware | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Malware | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
NW Server | Malware | TCP 5432 | PostgreSQL
NW Server | Malware | TCP 56003 (SSL), 50103 (REST) | Broker Application Ports
Malware | panacea.threatgrid.com | TCP 443 | Threatgrid
Malware | cloud.netwitness.com | TCP 443 | Community evaluation / Opswat
Malware | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

Network Decoder Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Network Decoder | TCP 15671 | RabbitMQ Management UI
Network Decoder | NW Server | TCP 15671 | RabbitMQ Management UI
Network Decoder | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Network Decoder | TCP 22 | SSH
NW Server | Network Decoder | TCP 56004 (SSL), 50104 (REST) | Network Decoder Application Ports
NW Server | Network Decoder | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Network Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
Network Decoder | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

Network Hybrid Host

Source Host | Destination Host | Destination Ports | Comments
Admin Workstation | Network Hybrid | TCP 15671 | RabbitMQ Management UI
Network Hybrid | NW Server | TCP 15671 | RabbitMQ Management UI
Network Hybrid | NW Server | TCP 443 | RSA Update Repository
Admin Workstation | Network Hybrid | TCP 22 | SSH
NW Server | Network Hybrid | TCP 56004 (SSL), 50104 (REST) | Network Decoder Application Ports
NW Server | Network Hybrid | TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST) | Concentrator Application Ports
NW Server | Network Hybrid | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports
NW Server | Network Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts.
Network Hybrid | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

UEBA Host

Source Host | Destination Host | Destination Ports | Comments
UEBA Server | NW Server | TCP 443 | RSA Update Repository
UEBA Server | Broker | TCP 56003 (SSL), 50103 (REST) | Broker Application Ports
UEBA Server | Concentrator | TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST) | Concentrator Application Ports
Admin Workstation | UEBA Server | 443 | UEBA Monitoring
Admin Workstation | UEBA Server | 22 | SSH
UEBA Server | NW Server | 15671 | UEBA Alerts forwarding to Respond
NW Server | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations

NetWitness Endpoint Architecture

NetWitness Endpoint 4.4 Integration with NetWitness Platform

For more information on the services running on Endpoint Log Hybrid, see RSA NetWitness Endpoint Configuration Guide.

How to Change UDP Port for Endpoint Log Hybrid

The following steps tell you how to change the Endpoint Log Hybrid default UDP port 444 if it is not acceptable in your environment. This procedure uses UDP port 555 as the example replacement for port 444.
There are two tasks you need to do to change the Endpoint Log Hybrid default UDP port 444:

Task 1 - Tell All Agents to Use a New UDP Port

Task 2 - Update the Port on All Endpoint Log Hybrid Hosts in Your Environment

Note: If you did not select the custom firewall rules option when you ran nwsetup-tui, NetWitness Platform overwrites the firewall rules after a period of time. If this is the case, refer to Knowledge Base Article 00036446 (https://community.rsa.com/docs/DOC-93651).

Task 1 - Tell All Agents to Use a New UDP Port

Complete the following steps to update the UDP port in the default Enterprise Data Replication (EDR) policy, and all other policies you have, to tell all agents to use a new UDP port.

  1. In the NetWitness Platform menu, select ADMIN > Endpoint Sources > Policies.
    The Policies view is displayed.

  2. Select the Default EDR Policy and click Edit from the toolbar.
  3. Scroll down to find the UDP PORT and change the value (for example, change from 444 to 555).
  4. Click Publish Policy at the bottom of the view.

Task 2 - Update the Port on All Endpoint Log Hybrid Hosts in Your Environment

SSH to each Endpoint Log Hybrid host in your environment with admin credentials and make the following updates.

  1. Update the iptables rules to allow 555 in place of 444.
    1. Replace 444 with 555 in the following file.
      vi /etc/sysconfig/iptables
    2. Restart iptables with the following command string.
      systemctl restart iptables
    3. Verify the change with the following command string.
      iptables -L -n
      The following is an example of what is displayed for a correct change.
      ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp multiport dports 555 /* EndpointNginxPort */ ctstate NEW
  2. Update the SELinux policy. 555 is a privileged port, so you must update SELinux policy to allow this port.
    1. Run the following command string.
      semanage port -a -t http_port_t -p udp 555
      If you receive any Python errors or warnings, ignore them.
    2. Verify the change with the following command string.
      semanage port -l | grep http_port_t
      The following is an example of what is displayed for a correct change.
      http_port_t udp 555, 444
    3. (Optional) Remove 444.
  3. Update nginx config.
    1.  Edit the following file.
      vi /etc/nginx/nginx.conf
    2.  Search for the following string.
      listen 444 udp;
    3.  Replace 444 with 555.
    4.  Restart nginx with the following command string.
      systemctl restart nginx
  4. Verify that agents are communicating over the new port.
    1. Run the following command string.
      tcpdump -i eth0 port 555
    2. Wait for 30 seconds, because agents send a beacon every 30 seconds. If everything is working correctly, information similar to the following is displayed.
      09:20:12.571316 IP 10.40.15.103.60807 > NiranjanEPS1.rsa.lab.emc.com.dsf: UDP, length 20
      09:20:12.572433 IP NiranjanEPS1.rsa.lab.emc.com.dsf > 10.40.15.103.60807: UDP, length 1

      Both lines must be returned. One is the size request (20 bytes) and the other is the response size (1 byte).
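The host-side edits in Task 2 are small but easy to get wrong (a wrong field, a port left on 444 in one of the three places). The following POSIX shell script is an added example and not part of the RSA guide: it rehearses the iptables and nginx replacements on constructed copies of those files in a temporary directory and then verifies all three locations with the same checks the procedure relies on, using the iptables-save rule format and the `semanage port -l` line format as assumptions taken from the output shown above.

```sh
#!/bin/sh
# Added example, not from the RSA guide: rehearse the Task 2 edits on
# constructed copies of the iptables rule, the semanage output and the nginx
# config, then verify them with the same greps the procedure relies on.
# Nothing under /etc is touched; on a real Endpoint Log Hybrid host the
# edits need root plus the iptables and nginx restarts shown above.
OLD_PORT=444
NEW_PORT=555
WORK=$(mktemp -d)

# Constructed sample inputs: an iptables-save style rule, an nginx server
# block, and one `semanage port -l` line as it reads after step 2.
cat > "$WORK/iptables" <<EOF
-A INPUT -p udp -m multiport --dports $OLD_PORT -m comment --comment "EndpointNginxPort" -m conntrack --ctstate NEW -j ACCEPT
EOF
cat > "$WORK/nginx.conf" <<EOF
server {
    listen $OLD_PORT udp;
}
EOF
printf 'http_port_t                    udp      %s, %s\n' "$NEW_PORT" "$OLD_PORT" > "$WORK/semanage.out"

# Steps 1.1 and 3.3: replace the port only where it is the dports/listen
# value, so an unrelated number such as 4440 is left alone.
swap_ports() {
  sed -i.bak "s/--dports $OLD_PORT /--dports $NEW_PORT /" "$WORK/iptables"
  sed -i.bak "s/listen $OLD_PORT udp;/listen $NEW_PORT udp;/" "$WORK/nginx.conf"
}

# Step 1.3: accepts both the iptables-save (--dports) and the `iptables -L -n`
# (multiport dports) spellings. $1 = port, $2 = file holding the rules.
iptables_opens_udp() { grep -qE "udp.*(--)?dports $1( |$)" "$2"; }

# Step 2.2: is port $1 in the comma-separated http_port_t udp list in $2?
selinux_udp_labelled() {
  sed -n 's/^http_port_t *udp *//p' "$2" | tr ',' '\n' | tr -d ' ' | grep -qx "$1"
}

# Step 3.2: does the nginx config in $2 carry "listen $1 udp;"?
nginx_listens_udp() { grep -qE "^[[:space:]]*listen $1 udp;" "$2"; }

swap_ports
iptables_opens_udp "$NEW_PORT" "$WORK/iptables" && echo "iptables: udp/$NEW_PORT accepted"
selinux_udp_labelled "$NEW_PORT" "$WORK/semanage.out" && echo "selinux: udp/$NEW_PORT is http_port_t"
nginx_listens_udp "$NEW_PORT" "$WORK/nginx.conf" && echo "nginx: listening on udp/$NEW_PORT"
```

On a real host, point the three check functions at /etc/sysconfig/iptables, the output of `semanage port -l`, and /etc/nginx/nginx.conf after the restarts to confirm that no location still references 444.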
