IT Optimize functionality
There are two conditions that cause IT Optimize to reach out to a server: discovery and polling.
Discovery
During discovery, for the WMI, SSH, and VMware protocols, ITO performs a logon to the target server and pulls a set of information from the host, including server make and model, IP, serial number, OS type, CPU details (make/model, cache, speed, etc.), and memory details (make/model, size, type, etc.). SNMP discovery is similar, except that no physical logon to the host is required.
After initial discovery, a discovery of a Windows or Linux server only needs to occur if the physical hardware changes. Often, running discoveries less than once a month is enough, but the frequency must be based on the server changes made in the data center.
Polling
Polling occurs when ITO contacts the target server to pull CPU utilization information. In this case, only previously discovered servers are polled.
By default, polls occur every five minutes. This interval can be configured in DCO so that polls occur as infrequently as every 30 minutes. With 1000 discovered hosts, you can expect approximately 100k of polling data to be read from servers every 5 minutes.
Overall load on the target servers is low. In our labs, we have a large set of ITO configurations discovering and polling a set of live servers. They are all polling and discovering the same servers 24x365. The average CPU utilization of our idle lab servers with only ITO discovery and polling occurring on them is approximately 3%.
Protocol | Transfer protocol | Port(s) | Network | Credentials/Access | Encryption | Commands |
---|---|---|---|---|---|---|
WMI | TCP | Request: 135 Response: 1024-65535 | Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration. | WMI connections between hosts require valid user credentials on the remote system. The credentials should be encrypted on Linux (using j-Interop) as well as Windows (using the native Windows libraries). IT Optimize polls the Windows server WMI namespace. The specified user account must have local administrator access to query disk related details from the namespace. | Credential information is always encrypted using NTLM and/or Kerberos encryption. | WMI Command Details |
SNMP | TCP/UDP | 161, 162 | Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration. | IT Optimize uses a read-only community string to pull values from a set of server OIDs or Blade Chassis OIDs. | No encryption is used for SNMP communication. Both SNMP v1 and v2 are supported. | SNMP Command Details |
VMware vSphere Web Service | TCP | 80, 443 | Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration. Connections are made on port 443 by default. | SSL connections to the VMware web services APIs to pull ESX server and guest utilization information. Password authentication is used; no keys are stored on the ITO server. VMware protocol discoveries require a local user account on each ESX host. The account must belong to at least the readonly role. It does NOT require access to the ESX shell. | Encrypted connection (SSL) to the default https port (443); key length is determined by the server. | VMware vSphere Web Service command details |
SSH | TCP | 22 | Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration. | Discovery commands require root level access. "sudo" may be used to complete this task; a guide can be found here. Polling of Linux and Unix clients is completed using SNMP. | Server determines cipher type and key length. SSH v2 is supported, v1 is not supported. | SSH command details |
TCP ECHO | TCP | 7 | Echo functionality to make sure discovered device is alive | - | - | - |
ICMP ECHO | IP | N/A | Ping/Echo functionality to make sure discovered device is alive | - | - | - |
IPMI | UDP | 623 | Discovery queries between 3K and 10K of data (on average) per discovered asset. Polling queries approx. 60 bytes of data per asset per poll. Polling interval can be configured in the external system configuration. | IPMI connections between hosts require valid user credentials on the remote system. | Depending on configuration and BMC interface | |
Postgres | UDP | 3306 | Localhost only - internal ITO database connection | Handled by ITO system | Yes | - |
HTTP | TCP | 8090 | Management Console interface for ITO | Handled by DCO/ITO integration interface | - | - |
HTTPS | TCP | 8643 | Management Console interface for Intel DCM | Localhost only | - | - |
HTTP | UDP | 8688 | Management Console interface for Intel DCM | Localhost only | - | - |
Postgres | UDP | 6443 | Localhost only - internal Intel DCM database connection | Localhost only | - | - |
Server Access - related protocols | | | | | | |
VNC | RFB | 5900 (default) | Bandwidth usage is very dependent on screen activity and usage | More info can be found here | The encryption is dependent on the OS and the installed VNC application | - |
SSH | TCP | 22 | Since only text is transferred, the bandwidth requirement is very limited. | More info can be found here | Server determines cipher type and key length | - |
RDP | TCP | 3389 (default) | Bandwidth usage is very dependent on screen activity and usage | More info can be found here | The encryption is dependent on the OS and the installed application. Default 128-bit encryption, using the RC4 encryption algorithm | - |

A 1024-bit RSA key is generated and used for SSL communication. The key is self-signed and will generally require the user to trust the signing authority. When connecting to an ITO server, DCO presents a dialog asking the user to trust the certificate. The keystore where the RSA key is stored is password protected.
Packages being used in IT Optimize server
Packages and their version numbers being used in IT Optimize server can be found here.
Firewall configuration
The IT Optimize installation does not include a firewall. Any firewall in use must allow the ports needed from the above table of ports and protocols.
Software Vulnerability, Scan(s) and Certifications
Status in terms of general known vulnerabilities can be found here.
Antivirus
Antivirus tools are not provided with the IT Optimize server installation. Antivirus is allowed on the IT Optimize server and target client. It is recommended to exclude the data folders for the databases to maintain performance and reduce problems when installing and upgrading ITO software.
Logging
Log files can be found in the .log folder in the installation directory of the IT Optimize server.
Database architecture
IT Optimize database technology is MariaDB version 5.2.14 and cannot be exchanged with any other database type or technology.
Tip
To check whether port 8090 is responding from DCO to ITO, use this command:
netstat -aln | awk '$6 == "LISTEN" && $4 ~ "8090$"'
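The same netstat/awk approach can verify the rows the table marks "Localhost only". The script below is an added example, not part of the IT Optimize documentation: it flags any TCP listener or unconnected UDP socket on ports 3306, 8643, 8688 or 6443 that is bound to a non-loopback address. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Ports the table marks "Localhost only" (values taken from the table).
LOCAL_ONLY_PORTS="3306 8643 8688 6443"

# Reads `netstat -aln` output on stdin and prints one line per socket that
# uses a localhost-only port but is bound to a non-loopback address.
# (Hypothetical helper name, not an ITO tool.)
audit_local_only() {
    awk -v ports="$LOCAL_ONLY_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    # Consider TCP listeners and unconnected UDP sockets only.
    ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
        addr = $4
        port = addr; sub(/^.*:/, "", port)      # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (!(port in want)) next               # not a localhost-only port
        if (host == "127.0.0.1" || host == "::1" || host == "[::1]") next
        printf "EXPOSED %s %s\n", $1, addr
    }'
}

# Constructed sample input (not captured from a real ITO server).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8643          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::6443                 :::*                    LISTEN
udp        0      0 127.0.0.1:8688          0.0.0.0:*
tcp        0      0 10.0.0.5:22             10.0.0.9:6443           ESTABLISHED
EOF
}

# Demo on the constructed sample; on a live server run:
#   netstat -aln | audit_local_only
sample_netstat | audit_local_only
```

Empty output means every localhost-only port found is bound to loopback; port 8090 is deliberately not in the list because DCO has to reach it over the network.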
Network protocol and ports