Why does Nodinite use port 8000?
Fewer ports, less administration, more secure
From a Nodinite perspective, the Monitoring Agents require only one inbound TCP port to be opened for communication. This traffic is initiated by the Monitoring Service (outbound from its point of view). The port is required for the Monitoring Service to learn the state of the Resources and to issue manual or auto-healing Remote Actions.
Stay secure with limited ports being used
We at Nodinite have designed our Monitoring Agents to require only one inbound TCP port for Nodinite-related services. Depending on the service a Monitoring Agent provides, additional ports will most likely need to be opened according to that service's usage (please review the individual prerequisites).
- Limiting the number of TCP Ports means that your servers can stay more secure with fewer attack vectors
- Limiting the number of TCP ports also means less hassle and less administration
- All Monitoring Agents, when installed and updated, are configured to use port 8000 (default settings)
- Other solutions usually require a substantial amount of TCP ports to be opened, for example, RDP (3389), VPN and dynamic RPC ports.
Note
Each Monitoring Agent may have additional unique requirements on the ports required, depending on what service is being featured.
Connectivity Options
Navigate to Administration, then to Manage Monitoring Agents in the Nodinite Web Client.
From the Connection tab of the selected Monitoring Agent, you can configure the information that makes it possible for the Monitoring Service and the Web API to communicate with the Monitoring Agent.
The Service URL is individually set for each instance of a Monitoring Agent, read more here.
If you have installed the agent on another network (customer, partner, cloud), then you can opt to use Microsoft Service Bus Relaying instead of the default TCP port 8000.
- TCP port 8000 (default) incoming.
- Service Bus Relaying alternative configuration.
[Diagram: Monitoring Service -> Monitoring Agents (Monitoring); Web API -> Monitoring Agents (Remote Actions and Metrics)]
TCP Ports between Monitoring Service and Web API
Nodinite shows the state of the Monitoring Service to Users within the Web Client. The Web Client asks the Web API, which in turn queries the Monitoring Service. The Monitoring Service uses the Web API to provide all its features.
[Diagram: Web API and Monitoring Service; Web API and Logging Service]
How do I allow the service account to use the configured TCP port?
Service accounts that are not local administrators must be granted permission to use the port by adding an entry to the URL access control list.
Info
Local administrators should already have the right to use any TCP port. If your account is a local administrator, then there is another problem; read further down on this page for troubleshooting.
To display the registered URLACLs, run the following command from an elevated command-prompt:
netsh http show urlacl
To remove a registration:
netsh http delete urlacl url=http://+:8000/Nodinite/
- Replace the DOMAIN\USER part with the account that you intend to use for the Monitoring.
- Run the command in an elevated command prompt (with an account that is a local administrator).
netsh http add urlacl url=http://+:8000/Nodinite user=DOMAIN\user
netsh http add urlacl url=http://+:8000/IM user=DOMAIN\user
Command-prompt command that grants the service account DOMAIN\USER an allowance in the URL access control list.
What firewall settings do I need?
The firewall must allow whatever port(s) the Monitoring Agents are configured to use. All Monitoring Agents by default use TCP port 8000 (inbound). This default port may be changed by an administrator (not recommended).
Service section from the configuration file Nodinite.MonitorAgent.BizTalkHost.exe.config for the BizTalk Monitoring Agent, shown with the /Nodinite/ and the /IM/ URL prefix:
<services>
  <!-- endpoint registered under the /Nodinite/ URL prefix on port 8000 -->
  <service behaviorConfiguration="MonitorAgentBehavior" name="IM.MonitorAgent.BizTalk.ServiceApi">
    <endpoint address="http://localhost:8000/Nodinite/Monitor/Agent/BizTalk" binding="webHttpBinding" bindingConfiguration="MonitorAgentBinding" name="MonitorAgentEndPoint" contract="IM.MonitorAgent.BizTalk.Contracts.IBizTalkContract"/>
  </service>
</services>
<services>
  <!-- the same service section using the /IM/ URL prefix -->
  <service behaviorConfiguration="MonitorAgentBehavior" name="IM.MonitorAgent.BizTalk.ServiceApi">
    <endpoint address="http://localhost:8000/IM/Monitor/Agent/BizTalk" binding="webHttpBinding" bindingConfiguration="MonitorAgentBinding" name="MonitorAgentEndPoint" contract="IM.MonitorAgent.BizTalk.Contracts.IBizTalkContract"/>
  </service>
</services>
Note
If you change the TCP port used by a Monitoring Agent, you must also update the configuration for that agent under Manage Monitoring Agents; otherwise the Monitoring Service cannot communicate with the agent.
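The URL ACL grant and the firewall rule from the two sections above, combined into one script. This is an added example, not a Nodinite script; it assumes an elevated PowerShell session on the agent server, English netsh output, a placeholder service account DOMAIN\user, the two URL prefixes shown on this page, and a firewall rule name of my own choosing.

```powershell
# Added example, not Nodinite's own tooling. Run from an elevated PowerShell session
# on the server that hosts the Monitoring Agent.
param(
    [string]$ServiceAccount = 'DOMAIN\user',   # placeholder: the agent's service account
    [int]$Port = 8000,                          # Nodinite default port
    [string[]]$Prefixes = @('Nodinite', 'IM')   # URL roots used in the commands on this page
)

# Collect existing reservations; netsh prints lines like "Reserved URL : http://+:8000/Nodinite/"
$existing = netsh http show urlacl | ForEach-Object {
    if ($_ -match 'Reserved URL\s*:\s*(\S+)') { $Matches[1].TrimEnd('/').ToLowerInvariant() }
}

foreach ($prefix in $Prefixes) {
    $url = "http://+:$Port/$prefix/"
    if ($existing -contains $url.TrimEnd('/').ToLowerInvariant()) {
        Write-Host "URL ACL already registered: $url"
        continue
    }
    # Same grant as the netsh command in the text: lets a non-admin service account listen here
    netsh http add urlacl "url=$url" "user=$ServiceAccount" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not register $url for $ServiceAccount" }
    Write-Host "Registered $url for $ServiceAccount"
}

# Inbound allow rule for the agent port; the rule name is an assumption, not a Nodinite name
$ruleName = "Nodinite Monitoring Agent TCP $Port"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Allow | Out-Null
    Write-Host "Created inbound firewall rule '$ruleName'"
}

# Final check: once the agent service is started, HTTP.sys should be listening on the port
$listen = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    Write-Host "TCP $Port is listening (owning process id: $($listen.OwningProcess | Select-Object -First 1))"
} else {
    Write-Warning "Nothing listens on TCP $Port yet. Start the agent service and look for 'HTTP could not register URL' in its diagnostics log."
}
```

If you run the agent on a port other than 8000, pass -Port with the same value you configured in the agent's config file and under Manage Monitoring Agents.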
Troubleshooting
Service cannot start due to port restrictions
Startup problems for a Monitoring Agent are usually security or firewall related. The agents may also depend on specific third-party libraries that must be installed before the Monitoring Agent is installed and configured.
A common problem is that the service account is not allowed to use this port because it is not a local administrator. This right must be assigned by a local administrator.
HTTP could not register URL http://+:8000/IM/Monitor/Agent/Servicename/. your process does not have access rights to this namespace (see https://go.microsoft.com/fwlink/?LinkId=70353 for details).
Example exception from the diagnostics log file.
Next Step
Related
Microsoft Service Bus Relaying
Monitoring Service
Logon as Service Rights