Windows Agent port range?


John

May 14, 2017, 2:39:43 PM
to Wazuh mailing list
Hi everyone,

I'm trying to add a Windows agent, which is inside a home network (192.168..), so I need to set up the router's port forwarding.
The issue is that I cannot find what port the agent uses.

I looked at ossec-agent.exe for a while and it is constantly changing ports; it grabbed 64892, 58615, 51508, 51509. I'm guessing that since it cannot get a response from the manager it's trying to change ports, but I cannot set up the port forward if it doesn't stay put!

I looked into ossec.conf, but the <client><port>1514 setting is for the manager, not the agent.

I searched the web and this group but couldn't find a response.


Summary: I need to know on what port (range) the Windows agent listens so I can set up port forwarding.


Thank you!

Victor Fernandez

May 15, 2017, 3:12:28 AM
to Wazuh mailing list
Hi John,

Actually, you should not need to set up port forwarding if your agent is in a home network. Agents do not listen on a port, but they connect to the manager using destination port 1514 (by default) and wait for a response on the same port. Your router's NAT should deal with internal and external ports.

I mean, your manager is placed outside your local network and listens on port 1514. So the agent connects to port 1514 using an ephemeral port, for instance 64001. The router's NAT forwards the packet using another port such as 50010 and maps both ports. In summary:

Agent (port 64001) → Router-LAN (port 1514) | Router-WAN (port 50010) → Manager (port 1514)

You should only configure your router in the opposite case: when the router is placed inside a local area network.

How did you add the agent to the manager? Please tell us what steps you followed so we can help you with this.

Best regards.
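
The behaviour described in the reply above, as an added example that is not part of the original thread or of Wazuh's code: a stand-in "manager" listens on one fixed port while several stand-in "agent" sockets each send from a different OS-chosen ephemeral port and still receive the reply. Assumptions: UDP over loopback, an OS-assigned port standing in for 1514, and the hypothetical function name `observe_source_ports`.

```python
import socket
import threading

def observe_source_ports(connections=4, manager_port=0):
    """Send from several fresh client sockets to one listening port.

    Returns the listening port, the source ports the listener saw, and the
    port each reply came from. manager_port=0 lets the OS pick a free port
    (stand-in for 1514 so the demo does not collide with a real service).
    """
    manager = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    manager.bind(("127.0.0.1", manager_port))
    manager.settimeout(2.0)
    dst = manager.getsockname()

    seen = []  # source ports as observed on the manager side

    def serve():
        for _ in range(connections):
            _, peer = manager.recvfrom(1024)
            seen.append(peer[1])
            manager.sendto(b"ack", peer)  # reply goes back to the sender's port

    worker = threading.Thread(target=serve)
    worker.start()

    agents, reply_ports = [], []
    for _ in range(connections):
        agent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        agent.settimeout(2.0)
        agent.sendto(b"hello", dst)  # no bind(): the OS assigns an ephemeral port
        _, src = agent.recvfrom(1024)
        reply_ports.append(src[1])
        agents.append(agent)  # kept open so the OS cannot hand out the same port twice

    worker.join()
    local_ports = [a.getsockname()[1] for a in agents]
    for a in agents:
        a.close()
    manager.close()
    return {"manager_port": dst[1], "seen": seen,
            "local": local_ports, "reply_ports": reply_ports}

if __name__ == "__main__":
    result = observe_source_ports()
    print("manager listens on", result["manager_port"])
    print("source ports seen by manager:", result["seen"])
```

On loopback the manager sees the agent's own source port; behind a home router it would see the NAT-mapped port instead, and the reply follows that mapping back without any forwarding rule on the agent's side.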

John

May 15, 2017, 3:51:40 PM
to Wazuh mailing list
Hi Victor, thank you for your response.

I understand what you are saying, and you are right. I need to brush up on my ports knowledge!

After your message I went back to basics and took a look at everything again, and I'm really ashamed to admit that the error was a typo in the IP. The agent is now registered and all is good.

Thank you for your help, I appreciate it very much.