Thursday, September 3, 2009

ITM 6.X - Ports to open across a firewall

"Multiple ITM components on the same server will assign ports based on the startup sequence and a well known algorithm."

Resolving the problem
For any TEMS or TEMA that communicates across a firewall, you need to know which ports must be open on the firewall. Administrators will want to open only the minimum number of ports.
First, when dealing with firewall issues, make sure that you pick IP.PIPE as the communication protocol.

TEMS uses 1918 as the main communication port. (1918 is the default but you can specify something else).

It also uses 1920 for access to the service console, for dynamically starting and stopping traces (not an issue for your agents outside the firewall).

An example of IBM Tivoli Monitoring 6.1 or 6.2 component startup on a single server (host system) follows this sequence:
1. The Warehousing Proxy starts first: port 6014 (1918 + 1*4096)
2. The remote TEMS starts second: port 1918 (always reserved for TEMS)
3. The Windows OS Agent starts third: port 10110 (1918 + 2*4096)
4. The Universal Agent starts fourth: port 14206 (1918 + 3*4096)

If your agents warehouse data from outside the firewall, port 6014 must be open. In some circumstances, however, the WPA can take a different port; if that is an issue, you can fix the port with the COUNT and SKIP parameters.
The common convention is to have the Data Warehouse Agent use port 6014 and to ensure that no other ITM agents on the box where the Data Warehouse Agent is running use port 6014.

Ensuring that the Data Warehouse Agent only uses port 6014 is done by coding the configuration parameter KDC_FAMILIES=IP.PIPE COUNT:1 for the Data Warehouse Agent. Ensuring that port 6014 is not used by other components is done by coding the configuration parameter KDC_FAMILIES=IP.PIPE SKIP:2 for any TEMAs that are running on the same box as the Data Warehouse Agent. If you perform these configuration tasks then you can be assured that port 6014 will be used by your Data Warehouse Agent and that will be the only port that will need to be opened.
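The following model of the assignment rule above is an added example, not code from IBM or from the original post. It assumes that SKIP:N makes slot N (port 1918 + N*4096) the first one tried, that COUNT:N stops the search above slot N, and that a component with no free slot is left unbound; the component names are labels chosen for the example.

```python
BASE_PORT = 1918   # default TEMS port from the page
STRIDE = 4096      # spacing between IP.PIPE ports
MAX_SLOT = (65535 - BASE_PORT) // STRIDE  # highest N that is still a valid TCP port


def assign_ports(startup_order):
    """Return {component: port or None} for one host.

    startup_order is a list of (name, opts) in start order. opts may hold
    tems=True (always takes BASE_PORT), skip=N (first slot tried is N) and
    count=N (no slot above N is tried). None means no port could be bound.
    These COUNT/SKIP semantics are the assumption stated in the lead-in.
    """
    taken, result = set(), {}
    for name, opts in startup_order:
        if opts.get("tems"):
            slots = [0]
        else:
            slots = range(opts.get("skip", 1), opts.get("count", MAX_SLOT) + 1)
        free = next((s for s in slots if s not in taken), None)
        if free is not None:
            taken.add(free)
        result[name] = None if free is None else BASE_PORT + free * STRIDE
    return result


def ports_to_open(assigned, crossing):
    """Ports the firewall must allow for the components that cross it."""
    missing = [c for c in crossing if assigned.get(c) is None]
    if missing:
        raise ValueError(f"no port bound for: {', '.join(missing)}")
    return sorted(assigned[c] for c in crossing)


# Constructed scenarios: the page's startup order, an agent starting before
# the Warehouse Proxy, and the same order with COUNT/SKIP pinning applied.
PAGE_ORDER = [("wpa", {}), ("tems", {"tems": True}), ("nt_agent", {}), ("ua", {})]
DRIFT = [("nt_agent", {}), ("tems", {"tems": True}), ("wpa", {}), ("ua", {})]
PINNED = [("nt_agent", {"skip": 2}), ("tems", {"tems": True}),
          ("wpa", {"count": 1}), ("ua", {"skip": 2})]

if __name__ == "__main__":
    for label, order in [("page order", PAGE_ORDER), ("agent first", DRIFT),
                         ("COUNT/SKIP", PINNED)]:
        assigned = assign_ports(order)
        print(label, assigned, ports_to_open(assigned, ["tems", "wpa"]))
```

In the unpinned "agent first" case the Warehouse Proxy lands on 10110, so a firewall rule written for 6014 would silently stop matching; with COUNT:1 and SKIP:2 the rule set stays at 1918 and 6014 regardless of start order.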

I am assuming we are not talking about TEP clients, but port 15001 is the default port that the TEPS uses for CORBA traffic to its TEP clients. TEP clients use HTTP to set up the Java application, which then uses CORBA IOR between client and server over port 15001.

Finally, each component binds a random TCP port on the loopback address. Since the loopback address is not accessible outside the server there are no firewall considerations for these ports. The components issue a select on their respective loopback ports to monitor for shutdown requests.

The ports 1918 and 6014 will normally need to be open across the firewall. If all your agents are on the public side of the firewall and all these agents report to a single TEMS, then only one port needs to be permitted: 1918. You would open 6014 for warehousing.

The firewall KDE Gateway function is for more complex firewall environments that use NAT and where agents traverse multiple firewalls.

Here is the list of key 6.1 component port assignments:

IBM Tivoli Monitoring 6.1 Component                 Listening Port
Tivoli Enterprise Monitoring Server (IP.PIPE)       1918/TCP
Tivoli Enterprise Monitoring Server (IP.SPIPE)      3660/TCP
Tivoli Enterprise Monitoring Server (IP)            1918/UDP
Tivoli Enterprise Portal Server                     1920/TCP - 15001/TCP
Tivoli Enterprise Console                           5529/TCP
Tivoli Warehouse Proxy agent                        6014/TCP

Tip: Do not deviate from the default listening ports without a valid reason, even though this is supported. Listening port modification was not tested by IBM Tivoli Software Group.
