
DS Remote Control TCP Port

Updated: 21 May 2010 | 4 comments
edd1ej
This issue has been solved. See solution.

When trying to remote control a PC with Altiris Client as a network administrator I can connect to any PC.

Problem I have is that the PC picks a random TCP port to connect back to me after the initial request. This is problematic as I don't want to open up our firewall to randomly generated TCP ports as these client PCs are on an untrusted curriculum schools network (I am connecting from a trusted admin network).

What I essentially want to know is whether there is any way we can tie Altiris to a specific TCP port when connecting back after the initial client request rather than the client picking a random TCP port?

I have had a look at the Altiris agent properties but nothing appears evident. Can it be altered using a registry command or something similar?

Any help would be greatly appreciated.

Regards,

Ed

Comments

Stu Harris, 16 Sep 2009

The DS Remote control feature uses the Altiris Client Service (Aclient.exe) not the Altiris Agent so you wouldn't see anything there. The port used should be 402, unless the default port was changed. Check out kb.altiris.com/display/1n/articleDirect/index.asp for a list of the ports used by DS.

edd1ej, 17 Sep 2009

Port 402 is used to connect, but the client uses a random port to connect back... I found this information in the documentation;

 

'Remote control via Console to Deployment Agent for Windows (AClient)

This process uses IP and doesn't use a specific port. The Windows operating system picks a free port number to use. That port number is sent to the client and the client makes another connection back to the console on that port. Remote control uses dynamic ports much the same as file copy. Consequently, if file copy works, remote control should also work.'

This doesn't help me as it is an untrusted network we are connecting to. It would conflict with our (and I would imagine most other organisations') security policies to allow TCP connectivity on random ports back from this network. This is why I want to restrict the connectivity back to a specified port.

ianatkin, 17 Sep 2009

By default, these comms are on dynamic ports. When performing a remote control task, the server sends a request to the aclient on port 402 to indicate that a session has been requested. This AClient communication also contains the tcp port the server has selected for the remote control session.

This way, the server and the client can communicate on the correct port.

For servers behind firewalls, this can be a problem. Altiris provides for this by allowing you to fix the tcp comms to a static port.

In the Console, navigate to Tools -> Options. On the Global tab, you'll find the option to set the Primary and Secondary Remote Control Ports. In this tab, notice this is where the Client/Server file transfer port is also configured.

Kind Regards,
Ian./


Ian Atkin, Senior Developer for the ICT Support Team, Oxford University, UK


edd1ej, 17 Sep 2009

Hi there,

I followed Stu's link to the knowledge base and set the DC comms port to be TCP 1505. I then allowed this port back through the firewall from the curriculum network to our administrator network range. This allowed connectivity back on the specified port.

I used Wireshark to make sure the destination port was always 1505 and tested various different client connections to make sure that this worked correctly, which it did...

I also set the file transfer/copy port to a designated port also and updated the agents to see if this also worked, which again it did...

Thanks for your help on this, the connections are now tied to ports and as a PIX admin I am happier with this way than allowing random ports above TCP 1024!

Cheers,

Ed
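
The Wireshark check described in the last post can be repeated automatically after every agent or console change. The script below is an added example, not part of the original thread or of any Altiris tooling: it reads one connection attempt per line and reports any callback from the client network to the admin network that is not on a pinned port. The network ranges, the port 1506 (standing in for the file transfer port, which the thread does not name) and the sample lines are assumptions made for illustration.

```python
"""Audit client-to-console connection attempts against the pinned ports."""
import ipaddress

# Assumptions for illustration (the thread gives no addresses):
CLIENT_NET = ipaddress.ip_network("10.20.0.0/16")     # untrusted curriculum network
ADMIN_NET = ipaddress.ip_network("192.168.10.0/24")   # trusted admin network
# 1505 is the remote control port from the thread; 1506 is a hypothetical
# stand-in for the designated file transfer port, which the thread does not name.
ALLOWED_PORTS = {1505, 1506}

# Constructed sample: one TCP SYN per line as "src<TAB>dst<TAB>dstport", e.g. from
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport
SAMPLE = """\
192.168.10.5\t10.20.3.17\t402
10.20.3.17\t192.168.10.5\t1505
10.20.3.17\t192.168.10.5\t1506
10.20.8.44\t192.168.10.5\t49731
10.20.8.44\t192.168.10.5\t
garbage line
"""


def audit_callbacks(lines, allowed=ALLOWED_PORTS):
    """Return (ok, violations, skipped) for client -> admin connection attempts."""
    ok, violations, skipped = [], [], []
    for raw in lines:
        parts = raw.rstrip("\n").split("\t")
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except (IndexError, ValueError):
            if raw.strip():
                skipped.append(raw.strip())   # keep unparsable lines visible
            continue
        if src in CLIENT_NET and dst in ADMIN_NET:
            record = (str(src), str(dst), port)
            (ok if port in allowed else violations).append(record)
    return ok, violations, skipped


if __name__ == "__main__":
    ok, violations, skipped = audit_callbacks(SAMPLE.splitlines())
    print(f"{len(ok)} callbacks on pinned ports, {len(skipped)} lines skipped")
    for src, dst, port in violations:
        print(f"UNEXPECTED callback {src} -> {dst} on TCP {port}")
```

A non-empty violations list means some client is still calling back on a dynamic port, typically because its agent has not yet picked up the new port settings.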