I've recently gone through setting up remote collectors in a semi-lockded down network. I was incredibly disappointed with the documentation around what port requirements you need to open. I went through way to much back and forth around firewall requests with our security team, because I didnt know what to ask for up front. Reading through some of the other forums, sounds like others have been equally challenged to get this information. Dropping this here hoping it might help someone else in the future (or maybe even myself when I need to add a new collector to a new VLAN).
In our environment we have a large number of VLANS, all of which are isolated by firewalls. I am excluding any firewall rules you would need to open for protocal specific monitoring from one VLAN to another. IE If you use JMX, or SNMP to monitor apps/device, that is not included. This is just a list of what Zenoss seems to need to work amongst itself.
This data is all put together via Trial and Error, so take it with a grain of salt, and do be afraid to update any inaccurate information.
The entity on the left is the one initiating the connection, while the entities across the top are what are being connected to.
| Users | ZenHub/Master/UI | Remote Collector | |
|---|---|---|---|
| Users | N/A | HTTP:8080 HTTP:8090 | HTTP:8091* |
| ZenHub/Master/UI | None |
N/A | HTTP:8091* SSH:22 (With Trusted keys) |
| Remote Collector | None | ZeoDB:8100 MySQL:3306 ZenHub:8789 | N/A |
* I found that using the distrubuted collectors ZenPack, the render URL is created to the remote collector on port 8091. What's more, clients actually make calls (when clicking on device graphs) to the render URL. IMHO this is a bug, but none the less, the client makes the calls. That requirement can be avoided by using HTTP-8090 to the ZenHub and let it proxy those requests over the persistence ZenHub connection that the collector will open to the ZenHub at startup
