
Why does Nodinite use port 8000?

Fewer ports, less administration, more secure

From a Nodinite perspective, the Monitoring Agents require only one inbound TCP port to be opened for communication. The traffic is initiated by the Monitoring Service (outbound from its side). The port is required for the Monitoring Service to learn the state of the Resources and to issue manual or auto-healing Remote Actions.

Stay secure with limited ports being used

We at Nodinite have designed our Monitoring Agents to require only 1 inbound TCP port for Nodinite-related services. Depending on the service a Monitoring Agent provides, additional ports will most likely need to be opened for that service's own use (please review the individual prerequisites).

  • Limiting the number of TCP Ports means that your servers can stay more secure with fewer attack vectors
  • Limiting the number of TCP ports also means less hassle and less administration
  • All Monitoring Agents, when installed and updated, are configured to use port 8000 (default settings)
  • Other solutions usually require a substantial amount of TCP ports to be opened, for example, RDP (3389), VPN and dynamic RPC ports

Each Monitoring Agent may have additional unique port requirements, depending on what service it monitors.

Connectivity Options

Navigate to Administration, and then go to Manage Monitoring Agents in the Nodinite Web Client. From the Connection tab of the selected Monitoring Agent, you can configure the information that makes it possible for the Monitoring Service and Web API to communicate with the Monitoring Agent.


The Service URL is individually set for each instance of a Monitoring Agent, read more here.

If you have installed the agent on another network (customer, partner, cloud), then you can opt to use Microsoft Service Bus Relaying instead of the default TCP port 8000.

  1. TCP port 8000 (default) incoming
  2. Service Bus Relaying alternative configuration

Diagram (Monitoring Service to Monitoring Agents): the Monitoring Service connects over TCP port 8000 to Monitoring Agent A and Monitoring Agent B on Server A, and to Monitoring Agent A on Server B.

Diagram (Web API to Monitoring Agents, Remote Actions and Metrics): the Web API connects over TCP port 8000 to Monitoring Agent A and Monitoring Agent B on Server A, and to Monitoring Agent A on Server B.

TCP Ports between Monitoring Service and Web API

Nodinite shows the state of the Monitoring service for Users within the Web Client. The Web Client asks the Web API which in turn queries the Monitoring Service. The Monitoring Service uses the Web API to provide all its features.

Diagram (Web API to Monitoring Service and Logging Service): the Web API on the Web Server connects over TCP port 8000 to the Monitoring Service on its Windows Server and to the Logging Service on its Windows Server.


How do I allow the service account to use the configured TCP port?

You must grant service accounts that are not local administrators permission to use the port, by adding a reservation for them in the URL access control list.

Local administrators already have the right to use any TCP port. If your account is a local administrator and the agent still cannot bind the port, the cause is different; see the Troubleshooting section further down this page.

  1. Replace the DOMAIN\USER part with the account that you intend to use for the Monitoring.
  2. Run the command in an elevated command prompt (with an account that is local administrator).
netsh http add urlacl url=http://+:8000/Nodinite user=DOMAIN\user
netsh http add urlacl url=http://+:8000/IM user=DOMAIN\user

Command prompt commands that grant the service account DOMAIN\USER a reservation in the URL access control list (two URL path variants are shown: /Nodinite and /IM)

What firewall settings do I need?

The firewall must allow whatever port(s) the Monitoring Agents are configured to use. All Monitoring Agents by default use TCP port 8000 (inbound). This default port may be altered by an administrator (not recommended).

The services section below is from the configuration file Nodinite.MonitorAgent.BizTalkHost.exe.config for the BizTalk Monitoring Agent. The endpoint address carries the port; two URL path variants are shown (/Nodinite and /IM), matching the URL ACL reservations above.

<services>
  <service behaviorConfiguration="MonitorAgentBehavior" name="IM.MonitorAgent.BizTalk.ServiceApi">
    <!-- Port 8000 in this address is what the firewall and URL ACL must allow -->
    <endpoint address="http://localhost:8000/Nodinite/Monitor/Agent/BizTalk" binding="webHttpBinding" bindingConfiguration="MonitorAgentBinding" name="MonitorAgentEndPoint" contract="IM.MonitorAgent.BizTalk.Contracts.IBizTalkContract"/>
  </service>
</services>

<services>
  <service behaviorConfiguration="MonitorAgentBehavior" name="IM.MonitorAgent.BizTalk.ServiceApi">
    <!-- Older /IM path variant of the same endpoint -->
    <endpoint address="http://localhost:8000/IM/Monitor/Agent/BizTalk" binding="webHttpBinding" bindingConfiguration="MonitorAgentBinding" name="MonitorAgentEndPoint" contract="IM.MonitorAgent.BizTalk.Contracts.IBizTalkContract"/>
  </service>
</services>

If you change the TCP port used by the Monitoring, you must also change that agent's configuration file so that the Monitoring Service can communicate with the agent again.
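The firewall rule for the default agent port, written as an added example rather than anything from the Nodinite documentation: it limits inbound TCP 8000 to the hosts that actually run the Monitoring Service and Web API (the addresses below are constructed placeholders), then checks that a listener is bound on the port.

```powershell
# Added example (not Nodinite's own tooling). Scope the single inbound port to the
# Nodinite hosts instead of opening it to the whole network, then verify the listener.
# Assumptions (not from the page): the Monitoring Service / Web API addresses below
# are sample values; replace them with your real hosts.
param(
    [int]      $Port        = 8000,                        # Nodinite default agent port
    [string[]] $AllowedFrom = @('10.0.0.10', '10.0.0.11'), # constructed: Monitoring Service, Web API
    [string]   $RuleName    = 'Nodinite Monitoring Agent (TCP 8000 inbound)'
)

# Create the inbound rule only once; RemoteAddress keeps the exposure to the hosts
# that initiate the traffic (the Monitoring Service and the Web API).
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AllowedFrom -Enabled True | Out-Null
    Write-Host "Created rule '$RuleName': TCP $Port from $($AllowedFrom -join ', ')"
} else {
    Write-Host "Rule '$RuleName' already exists"
}

# The agent's webHttpBinding endpoint is served through HTTP.sys, so the socket is
# owned by the System process rather than the agent executable; check for a listener
# on the port rather than for the agent's own PID.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "TCP $Port is listening (owning PID $($listener[0].OwningProcess))"
} else {
    Write-Warning "Nothing is listening on TCP $Port; check the agent service and its URL ACL"
}
```

From the Monitoring Service host, `Test-NetConnection -ComputerName <agent-host> -Port 8000` confirms the rule end to end.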

Troubleshooting

Service cannot start due to port restrictions

Startup problems for the Monitoring Agent are usually security or firewall related. The agents may also have additional requirements on specific third-party libraries that need to be installed before installation and configuration of the Monitoring.

A common problem is that the service account is not allowed to use this port because it is not a local administrator. This right needs to be assigned by a local administrator.

HTTP could not register URL http://+:8000/IM/Monitor/Agent/Servicename/. your process does not have access rights to this namespace (see https://go.microsoft.com/fwlink/?LinkId=70353 for details).

Exception example from the diagnostics log file.
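An added check for the URL ACL problem described in this section and in "How do I allow the service account to use the configured TCP port?" above (example code, not Nodinite's own): it parses the current `netsh http show urlacl` reservations, tests whether one of them covers the URL from the log line for the service account, and prints the netsh command from this page if none does. The account and the failing URL are placeholders.

```powershell
# Added example (not Nodinite's own tooling): does the service account hold a URL ACL
# reservation that covers the URL the agent failed to register?
# Assumptions: $ServiceAccount is a placeholder; $FailedUrl follows the log line
# format shown above. Accounts in the local Administrators group need no reservation.
param(
    [string] $ServiceAccount = 'DOMAIN\user',                                # placeholder
    [string] $FailedUrl      = 'http://+:8000/IM/Monitor/Agent/Servicename/' # from the log example
)

# Parse 'netsh http show urlacl': each reservation is a 'Reserved URL : <url>' line
# followed by one or more 'User: <account>' lines.
function Get-UrlAcl {
    $acls = @(); $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
            $acls += $current
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    return $acls
}

# A reservation covers the failing URL when it is a path prefix of it, e.g.
# http://+:8000/IM/ covers http://+:8000/IM/Monitor/Agent/Servicename/.
function Find-CoveringAcl([string]$Url, [string]$Account) {
    Get-UrlAcl | Where-Object {
        $Url.StartsWith($_.Url.TrimEnd('/') + '/', [StringComparison]::OrdinalIgnoreCase) -and
        ($_.Users -contains $Account)
    }
}

$covering = @(Find-CoveringAcl -Url $FailedUrl -Account $ServiceAccount)
if ($covering.Count -gt 0) {
    Write-Host "Reservation found: $($covering[0].Url) for $($covering[0].Users -join ', ')"
} else {
    # Reserve only the application prefix (http://+:8000/IM), not the whole port.
    $prefix = ($FailedUrl -split '/')[0..3] -join '/'
    Write-Warning "No URL ACL grants $ServiceAccount access to $FailedUrl"
    Write-Host "Run in an elevated prompt: netsh http add urlacl url=$prefix/ user=$ServiceAccount"
}
```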


Next Step

Monitoring Agents

Microsoft Service Bus Relaying
Monitoring Service
Logon as Service Rights