Hi all,
I'm trying to troubleshoot an issue whereby the N-Command MSP server is behind a Cisco ASA firewall and is not taking backups. The N-Command server is using a different https port than the standard 443 one (http is blocked).
Can anyone describe how the system pulls (or devices push) the configurations and files so that I can troubleshoot further?
Thank you for asking this question in the support community. Below are some recommendations from the n-Command MSP Quick Start Guide:
NETWORK SECURITY CONSIDERATIONS
For maximum security, n-Command MSP should be deployed in a DMZ behind a firewall. The following considerations should be made to ensure proper operation when deployed in this manner.
Inbound connections are necessary for the n-Command MSP user interface, as well as device management. The following ports should be configured to allow inbound connections for proper operation (inbound traffic can be restricted to management subnets and those containing AOS devices):
Additionally, the following outbound ports are required to allow access to your configured NTP servers, SMTP servers and AOS devices):
If you have allowed the HTTPS port through the firewall, and changed the HTTPS port on the n-Command MSP server, then you will need to change the HTTPS port the clients push to the server with the following command:
(config)# auto-link server <hostname | ip address>: <port>
Here is an example of the command:
(config)# auto-link server 10.1.1.1:4443
More information can be found in the guide below:
Please, do not hesitate to reply to this post with any additional questions or information, I will be happy to assist you in any way I can.
Levi
Thank you for asking this question in the support community. Below are some recommendations from the n-Command MSP Quick Start Guide:
NETWORK SECURITY CONSIDERATIONS
For maximum security, n-Command MSP should be deployed in a DMZ behind a firewall. The following considerations should be made to ensure proper operation when deployed in this manner.
Inbound connections are necessary for the n-Command MSP user interface, as well as device management. The following ports should be configured to allow inbound connections for proper operation (inbound traffic can be restricted to management subnets and those containing AOS devices):
Additionally, the following outbound ports are required to allow access to your configured NTP servers, SMTP servers and AOS devices):
If you have allowed the HTTPS port through the firewall, and changed the HTTPS port on the n-Command MSP server, then you will need to change the HTTPS port the clients push to the server with the following command:
(config)# auto-link server <hostname | ip address>: <port>
Here is an example of the command:
(config)# auto-link server 10.1.1.1:4443
More information can be found in the guide below:
Please, do not hesitate to reply to this post with any additional questions or information, I will be happy to assist you in any way I can.
Levi
Thanks levi, some helpfull information there.
I'm looking for way that the N-Command server gets the backup files from the devices (e.g. NV7100). Does it request the files or does the device send them up to the server and on which ports does it use for this process? the relevant ports on the firewall have already been opened up so I wish to debug the connectivity on the firewall to try eliminate it.
the N-Command MSP server I'm using is on version 4.2.7-7366.
ADTRAN products use the auto-link command to enable the auto-link feature and to specify the communication method between an AOS device and the n-Command MSP server. This feature is configured using the command line interface (CLI) and is configured in four basic steps: enabling auto-link, specifying the auto-link server, specifying the recontact interval, and specifying the communication method. Auto-link must be configured on the AOS product before the unit will be able to communicate with or be managed by the server. Without auto-link enabled and configured, the n-Command MSP server cannot automatically detect the AOS product for management. Communication can be either via Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS).
The Troubleshooting n-Command MSP Missed Check-In document will walk you through troubleshooting the steps to determine why the AOS device and MSP server are not communicating.
Levi
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Levi
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi
I actually don't think pbm's last question was answered.
The session between a device and nCommand is initiated by the device, that's why it works fine if the device is behind NAT/PAT and/or a dynamic IP address. nCommand needs to have a static IP, translation is OK as long as all the required ports are redirected. Also be sure the outbound IP of nCommand is being translated to the same IP address as used for the inbound connection. One thing I liked was that nCommand determines which device is which based on the device serial number. So the name, and even the IP, of the device can change and nCommand will know that it is not a new device and update the existing information. This differs from products like Plixers Scrutinizer which identifies a device based on it's source IP address, which can really cause problems with multiple devices behind PAT and/or dynamic IPs.
On your ASA you should only need to put in the inbound and outbound translation and then permit the correct TCP and UDP ports for inbound traffic. You shouldn't need to worry about opening any ports for outbound through the ASA. By default the ASA will permit traffic from a higher security ratting (LAN=100) to a lesser (Internet=0), by creating a temporary ACL that will allow responses but not expose any additional open ports for inbound traffic.