Prepare network connections for MID Servers
-
- UpdatedAug 1, 2024
- 6 minutes to read
- Xanadu
- MID Server
Before you install the MID Server, perform the necessary prerequisites that it needs to connect to elements inside and outside your network. This includes network privileges and security considerations.
Security considerations
Sometimes computers or devices have additional security measures configured, and these measures may interfere with the MID Server's ability to run commands or queries on those systems.
- Update the configuration of those computers or devices to allow the desired MID Server to run commands or query them. For example, a network router may be configured to only allow the network management systems to query SNMP on it. In that case, add the MID Server as though it were another network management system.
- Install a MID Server on a computer that already has access to the computers or network devices with such restrictions. For example, to use Discovery within a DMZ (where communication from outside the DMZ will be severely restricted), install a MID Server on a computer that is already in the DMZ.
External connectivity requirements
These requirements are specifically for the use of MID Servers with the ServiceNow® Discovery and Orchestration products.
<source IP> to <any><source IP> to <ServiceNow> any established<source IP> to <instance_name.service-now.com> 443
Internal connectivity requirements
- SSH: For UNIX-like machines, Discovery and Orchestration use SSH protocol, version 2 to access target machines. SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. SSH communicates on port 22 within an encrypted datastream and requires a login to access the targets using two available methods of authentication: a user name and password combination and a user name and shared private key. Specify SSH authentication information and type in the Credentials module. If multiple credentials are entered, the platform tries one after the other until a successful connection is established or all are ultimately denied. To provide for application relationships a limited number of SUDO commands must be available to be run. Additional details to these requirements can be found in UNIX/Linux commands requiring root privileges for Discovery and Orchestration.
- WMI: For Windows machines, Discovery uses the Windows Management Instrumentation (WMI) interface to query devices. Due to security restrictions for WMI, the MID Server application executing the WMI queries must run as a domain user with local (target) administrator privileges. When Discovery detects activity on port 135, it launches a WMI query. The response from the Windows device is sent over a Distributed Component Object Model (DCOM) port configured for WMI on Windows machines. This can be any port. Ensure that the MID Server application host machine has access to the targets on all ports due to the unique nature of the WMI requirements.
- Windows PowerShell: PowerShell is built on the Windows .NET Framework and is designed to control and automate the administration of Windows machines and applications. Orchestration uses PowerShell to run Workflow activities on Windows machines. PowerShell must be installed on any MID Server that executes these activities. MID Servers using PowerShell must be installed on a supported Windows operating system. ServiceNow supports PowerShell 3.0 to 5.1. Orchestration activities for PowerShell require a credentials Type of Windows.
- SNMP - Network: For network devices, Discovery uses an SNMP scan to get device specific MIBs and OIDs. SNMP is a common protocol used on most routers, switches, printers, load balancers and various other network enabled devices. Use a community string (password) for authentication when scanning a device via SNMP. Many devices have a default community string of public which Discovery uses by default when querying a target. Define additional community strings in the SNMP credentials form which are tried in succession, along with public, until a successful query returns. In addition to the credentials, the platform also requires the ability to make SNMP requests on port 161 from the MID Server to the target. If Access Control Lists (ACLs) are in place to control the IP addresses that can make these queries, ensure that the IP address of the MID Server is in the ACL. Discovery supports SNMP versions 1, 2c, and 3.
- WBEM: Web-Based Enterprise Management (WBEM) defines a particular implementation of the Common Information Model (CIM), including protocols for discovering and accessing each CIM implementation. WBEM requires either of two ports, 5989 or 5988 and uses the HTTP transport protocol. WBEM supports SSL encryption and uses CIM user name/password credentials. Discovery launches a WBEM port probe to detect activity on the target ports and to append gathered data to a classification probe that explores CIM Servers.
Configure MID Server network connectivity
Prepare the network for MID Servers to connect with the instance and access the download site. The network must be prepared before installing or configuring the MID Server. If computers or devices have additional security measures, that security may interfere with MID Servers on those systems.
Before you begin
 |
Make sure that the host machine meets the requirements specified in the MID Server system requirements.
About this task
The MID Server host computer must have access to the ServiceNow download site at install.service-now.com to upgrade automatically. If you have a self-hosted ServiceNow environment that blocks access to the download site, you must import the MID Server installer package into your MID Server hosts manually. For instructions, see KB0760123 in the Self-Hosted knowledge base.
Firewalls and proxy configurations may block calls to the OCSP Entrust and DigiCert servers, which prevents the MID Server from working. You may need to change your firewall permissions so that the OCSP traffic goes through. For more information and resolutions, see the HI Knowledge Base article [KB1216223].
- Firewall access: Configure any firewalls between the MID Server and the target devices to allow a connection. If your network uses a DMZ, and if your network security protocols limit port access from within the network to the DMZ, you might have to deploy a MID Server to a machine within the DMZ to probe the devices there.
- Network access: Configure target devices to allow the MID Server probe to connect. If network security prevents you from configuring new machines that can connect to the targets, install the MID Server on an existing machine with connection privileges.
- Network account: Install the MID Server with the proper account, either local or domain administrator.
- Network access to the ServiceNow instance: Configure the network that the MID Server uses to allow traffic over TCP port 443.
- A MID user: Create a ServiceNow user record for the MID Server to use. This user record must have the mid_server and import_admin roles.
Procedure
What to do next
After the network is prepared, proceed to Installing the MID Server.
On this page
Related Content
- Installing the MID Server
Download and install the MID Server on the host machine, test the connection, and then validate the MID Server. Use the manual procedures or the guided setup. Set up multiple MID Servers for load balancing and domain separation. These procedures prepare it for use with any application.
- Configuring MID Servers
After installing and validating your MID Servers, ensure that they have access to sufficient system resources, probe the proper targets, and communicate with the instance as expected. Configure MID Server selection criteria, create clusters for failover protection, and set up MID Servers in different domains to protect data.