PM10.10 unable to connect to Web Ports: 80, 8080, 8081

KG-Admin
KG-Admin Posts: 6 Security Scout

I am hoping that one of you can help me figure out why this connection is failing. I have recently attempted to update our existing Policy Manager 10.01 server to the newer 10.10 version.

But after the installation completes successfully, the PM console on the server is unable to connect, reporting that the service is unavailable for localhost.

Looking at the server status screen I can see that it is unable to connect to ports 8080, 80 and 8081 for the various modules.

PM 10.01 has no issue here and reports the connections are green and good.

The server that PM is on is also an internal web server servicing several information screens around the school, but its service runs on other ports and has never been an issue before.

I am looking for some help/tips on figuring out why PM 10.10 is not connecting as it should.

Comments

  • KG-Admin
    KG-Admin Posts: 6 Security Scout

    Oh - forgot to state that I am installing with default settings and keeping the existing settings of the server.

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

    I do not know why port 80, 8080, 8081 are the defaults in FSPM, as they are certainly not the recommended settings! F-Secure education PowerPoints usually show ports 85, 8085 and 8086 used for installation.

    The thing is, TCP ports 80 and 8080 are usually occupied by IIS on Windows or Apache web server on Linux, making them unavailable for FSPM. Even if those ports are free as of now, it is better not to install on them. What if your boss decides next month that you must place Exchange on the same server? That needs IIS, meaning FSPM would be in the way, necessitating the reinstallation of central management and the FSAV clients.

    I really don't buy the story that potential routing problems are the reason FSPM installer keeps the defaults at ports 80, 8080, 8081. Modifications for ports 85... are not that difficult in the gateway level firewalls.

    Sincerely: Tamas Feher, Hungary.

  • tylerhen
    tylerhen Posts: 3 Security Scout

    I had this same problem. Major screw up on F-Secure to be using these ports. I paid for Premium Support and they wouldn't even help me figure out what the problem was.

    They told me to change the ports for Policy Manager and then of course none of my clients or servers could connect. They were not helpful with this either.

    I finally figured out it was the World Wide Web Publishing Service, even though I couldn't tell by netstat that it was using or listening on port 80. I disabled that service and I was able to get back into the Policy Manager. In order to change the ports and keep my clients connected, I changed the port back to 80 and tried to distribute a policy telling the clients to use 85. That did not work. The policies would not update.

    So I've had to leave the WWW Publishing service turned off and leave the ports on 80, 8081, and 8080. Otherwise I would have had to reinstall to all clients, or manually change the port on all clients. Unbelievable.

    Policy Manager is turning out to be pretty buggy.

  • Costas-Inter
    Costas-Inter Posts: 35 Security Scout

    I finally figured out it was the World Wide Web Publishing Service, even though I couldn't tell by netstat that it was using or listening on port 80.  I disabled that service and I was able to get back into the Policy Manager.  In order to change the ports and keep my clients connected, I changed the port back to 80 and tried to distribute a policy telling the clients to use 85.  That did not work.  The policies would not update.


    This part needed a bit more 'care' I think and it should work. When you send a policy to the client to change the port of communication, make sure that it is a locked setting. When the workstation receives it, it tries to connect to port 85. Port 85 is not available, and thus it reverts back (temporarily) to using the old known-good settings (a safety mechanism in case you 'redirect' your workstation to a dummy PMS). But periodically it will still try the new communication settings, and once it finds a response it will start using those.
    I know that it is not trivial, but with a bit of planning and testing it can be done.

    Regarding the ports, I know that if the default ports change to non-standard HTTP ports, then the 'firewall'-ed guys will start complaining...

    The installation wizard allows you to change the settings, so good planning ahead on what else you might install on this machine, and testing after each step of the installation that it went OK, keeps you out of trouble.


    My humble opinion...

    Costas
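
A pre-flight check for the port conflict discussed in this thread, as an added example that is not part of any post or of F-Secure's tooling: it tries to bind each Policy Manager port before an install or upgrade, so a port already held by another service is reported even when the netstat output does not make the owner obvious. The helper names `port_status` and `preflight` are assumptions made for this illustration; the port numbers are the ones quoted in the posts above.

```python
import errno
import socket

# Port numbers quoted in the thread: installer defaults and etomcat's alternatives.
DEFAULT_PORTS = (80, 8080, 8081)
ALTERNATE_PORTS = (85, 8085, 8086)

# errno values meaning "another listener owns this port" (WSA code on Windows).
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}


def port_status(port, host="0.0.0.0"):
    """Return 'free', 'in-use' or 'denied' for one TCP port (hypothetical helper).

    The check is a real bind attempt without SO_REUSEADDR, so it fails whenever
    any other listener already owns the port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "free"
    except PermissionError:
        # Unix: port below 1024 without privileges.
        # Windows: can also mean another service holds the port exclusively.
        return "denied"
    except OSError as exc:
        if exc.errno in _IN_USE:
            return "in-use"
        raise
    finally:
        sock.close()


def preflight(ports, host="0.0.0.0"):
    """Map each port to its status so the result can be checked before installing."""
    return {port: port_status(port, host) for port in ports}


if __name__ == "__main__":
    for label, ports in (("default", DEFAULT_PORTS), ("alternate", ALTERNATE_PORTS)):
        for port, status in preflight(ports).items():
            print(f"{label:9} tcp/{port:<5} {status}")
```

Run it on the server with the Policy Manager services stopped; any status other than `free` means the installer will not be able to claim that port.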

This discussion has been closed.
