Question What are the ports used by a Notification Server Version 7, and what considerations are there for installing a Notification Server in the DMZ?
Answer NOTE: Currently (as of 7.0 MR4 / 7.1 SP2) SMP 7.x is not supported in a DMZ. There are plans for this type of deployment in a future release. ITMS 7.5 introduced Cloud Enabled Management (CEM) to provide this functionality. Please refer to the User Guide for that version (for example DOC5330, section 5).
Notification Server / Symantec Management Platform Version 7.x will use most of the same ports as version 6.x. For detailed information and ongoing studies please see the references section at the end of this article.
Port Changes/Exceptions in 7.x:
For pcAnywhere Solution, please see the User Guide found here: DOC1799
*Note - In version 7 and greater, Carbon Copy has been replaced by pcAnywhere Solution.
The Altiris Agent communicates over Port 80, by default. Port 80 must be opened, or another port configured for communication with the Altiris Agent.
A DMZ does not provide DNS. The client needs DNS in order to resolve the IP address of the Notification Server, so it is necessary to put the Notification Server name into the client's hosts file.
Other items to consider:
Define a Notification Server Site for the DMZ subnets, and do not assign any Package Server to that site (unless, of course, there is a Package Server in the DMZ).
UNC package codebases should be disabled for systems in the DMZ, since UNC access will not work across the DMZ firewall.
Another consideration in a DMZ is not to use network throttling, since ICMP (ping) is normally turned off there. The policies would try to test the network with ping, fail, and be unable to download their packages (Patch, Inventory, ...).
Monitoring servers in a DMZ:
As long as all appropriate communication can take place between the Notification Server and the target machine, you can monitor servers that are located in a DMZ.
Ensure that the following minimum level communication can take place:
TCP Port 80 (2-way) to all target servers for Altiris Agent to Notification Server communication
TCP Port 1011 (2-way) to all target servers for Monitor Solution's Performance Monitor to Monitor Agent communication
Proper name resolution or hostname entries for all target servers from the Notification Server
If the servers in the DMZ are members of a different domain than the Notification Server, the trusts between both domains must be properly configured
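The following pre-flight script, an added example that is not part of the original article, checks from a DMZ server the prerequisites listed above: the hosts-file entry for the Notification Server, name resolution, TCP 80 and TCP 1011 reachability, and whether ICMP is blocked (which decides the throttling point). The server name NS01.corp.example and address 10.0.0.10 are placeholders, not values from the article.

```powershell
# Added example (not Symantec's code): run on a DMZ server before installing
# the Altiris Agent / Monitor Agent. $NsName and $NsIp are placeholders.
param(
    [string]$NsName = 'NS01.corp.example',   # placeholder NS hostname
    [string]$NsIp   = '10.0.0.10'            # placeholder NS IP address
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Hosts-file entry: the DMZ has no DNS, so the NS name must be mapped locally.
$pattern = "^\s*$([regex]::Escape($NsIp))\s+.*\b$([regex]::Escape($NsName))\b"
$hostsEntry = Get-Content $hostsPath -ErrorAction Stop |
    Where-Object { $_ -notmatch '^\s*#' } |
    Where-Object { $_ -match $pattern }

if ($hostsEntry) {
    Write-Host "[OK]   hosts file maps $NsName to $NsIp"
} else {
    Write-Host "[FAIL] no hosts entry for $NsName; add '$NsIp`t$NsName' to $hostsPath"
}

# 2. Name resolution from this box (the hosts file is consulted before DNS).
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($NsName) | Select-Object -First 1
    Write-Host "[OK]   $NsName resolves to $($resolved.IPAddressToString)"
} catch {
    Write-Host "[FAIL] $NsName does not resolve: $($_.Exception.Message)"
}

# 3. Ports the article requires: 80 (Altiris Agent <-> NS) and 1011 (Monitor Agent).
foreach ($port in 80, 1011) {
    $r = Test-NetConnection -ComputerName $NsName -Port $port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) {
        Write-Host "[OK]   TCP $port open to $NsName"
    } else {
        Write-Host "[FAIL] TCP $port blocked to $NsName; open it on the DMZ firewall"
    }
}

# 4. ICMP is usually blocked in the DMZ; if ping fails, disable network throttling.
if (Test-Connection -ComputerName $NsName -Count 1 -Quiet) {
    Write-Host "[INFO] ICMP echo works; network throttling would function"
} else {
    Write-Host "[INFO] ICMP blocked; disable network throttling for DMZ agents"
}
```

The script only tests the outbound direction from the DMZ host; since the article requires both ports to be open two-way, repeat the TCP checks from the Notification Server towards each DMZ server as well.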
References:
HOWTO7229: Documents Helpful when setting up an Internet Facing NS
DOC1094: Hardened Configuration - Server & ISS