For maximum security, n-Command MSP should be deployed in a DMZ behind a firewall. The firewall must then be configured as described below to ensure proper operation when deployed in this manner.
Inbound connections are necessary for the n-Command MSP user interface, as well as device management. The following ports should be configured to allow inbound connections for proper operation (inbound traffic can be restricted to management subnets and those containing AOS devices):
TCP 80 (Auto-link and user interface over HTTP; optional if using HTTPS)
TCP 443 (Auto-link and user interface over HTTPS)
TCP 8443 (Auto-link over HTTPS)
TCP 5060 (VQM reporter; optional if not using VQM reporter)
UDP 5060 (VQM reporter; optional if not using VQM reporter)
UDP 161 (SNMP agent; optional if not using the SNMP functionality of n-Command MSP)
UDP 162 (SNMP trap proxy; optional if not using the SNMP trap proxy functionality of n-Command MSP)
Additionally, the following outbound ports are required to allow access to your configured NTP servers, SMTP servers, and AOS devices:
UDP 123 (NTP)
TCP 25 (SMTP)
TCP 80 (used to force device check-ins)
TCP 443 (used to force device check-ins)
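The port lists above can be expressed as a default-deny rule set. The following script is an added example, not part of the n-Command MSP documentation: it assumes a Linux firewall that forwards traffic between the DMZ and the other networks using iptables, and it only prints the rules for review. Every address, variable name and USE_* switch is a constructed placeholder.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables FORWARD rules for the port lists above.
# Every address is a constructed placeholder from the RFC 5737 documentation ranges.
MSP_IP="${MSP_IP:-192.0.2.10}"              # n-Command MSP host in the DMZ
MGMT_NETS="${MGMT_NETS:-198.51.100.0/26}"   # management subnets
AOS_NETS="${AOS_NETS:-203.0.113.0/24}"      # subnets containing AOS devices
NTP_SERVERS="${NTP_SERVERS:-198.51.100.123}"
SMTP_SERVERS="${SMTP_SERVERS:-198.51.100.25}"

# allow <src> <dst> <proto/port>: one ACCEPT rule for new connections
allow() {
  printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$1" "$2" "${3%/*}" "${3#*/}"
}

msp_rules() {
  # Required inbound ports; optional ones are added only when the feature is in use.
  inbound="tcp/443 tcp/8443"
  if [ "${USE_HTTP:-0}" = 1 ]; then inbound="$inbound tcp/80"; fi
  if [ "${USE_VQM:-0}" = 1 ]; then inbound="$inbound tcp/5060 udp/5060"; fi
  if [ "${USE_SNMP:-0}" = 1 ]; then inbound="$inbound udp/161"; fi
  if [ "${USE_TRAP_PROXY:-0}" = 1 ]; then inbound="$inbound udp/162"; fi

  echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Inbound is restricted to management subnets and those containing AOS devices.
  for src in $MGMT_NETS $AOS_NETS; do
    for p in $inbound; do allow "$src" "$MSP_IP" "$p"; done
  done
  # Outbound: NTP, SMTP, and forced device check-ins over HTTP/HTTPS.
  for dst in $NTP_SERVERS; do allow "$MSP_IP" "$dst" udp/123; done
  for dst in $SMTP_SERVERS; do allow "$MSP_IP" "$dst" tcp/25; done
  for dst in $AOS_NETS; do
    allow "$MSP_IP" "$dst" tcp/80
    allow "$MSP_IP" "$dst" tcp/443
  done
  # Everything else to or from the n-Command MSP host is dropped.
  echo "iptables -A FORWARD -d $MSP_IP -j DROP"
  echo "iptables -A FORWARD -s $MSP_IP -j DROP"
}

msp_rules
```

Set USE_HTTP, USE_VQM, USE_SNMP or USE_TRAP_PROXY to 1 only for features that are actually in use, so the optional ports stay closed otherwise.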