ServiceNow Discovery Prerequisites before implementing

It is always good practice to discuss prerequisites before starting any new implementation.
In this post I am going to share some prerequisites for a Discovery implementation. If you are planning to implement Discovery in ServiceNow, discuss the prerequisite points explained below with your client in the kick-off meeting.

Mid Server

| Topic | Specification |
|---|---|
| Number of MID Servers | 1 per data center / remote site / DMZ (based on connectivity) |
| Type | Physical or virtual machine |
| OS | Windows 2012 Standard edition |
| Memory | 8 GB RAM |
| CPU speed | Above 2.5 GHz |
| Processor | 1 quad core or 4 vCPU |
| HDD | 40 GB |
| Connectivity | Internet outbound on port 443 (open internet) |
| User account to access the MID Server | User account (domain/local) with local admin privileges |
| Proxy (if any) | Credentials to authenticate |
| Others | .NET 3.5 and 4; latest version of the Microsoft SQL Server management library (SMO); PowerShell 2.0 or above; the following third-party freeware binaries for troubleshooting: portqueryui, PuTTY, iReasoning, PingInfoView |

Windows

Subject: Domain servers
For an Active Directory environment, a domain-wide user account on all target Windows servers is required for Discovery, with the following privileges:
– Local admin rights on the target Windows hosts.
– It should be a service account.
– It should have access to execute remote WMI queries on the target servers.
– Password set to never expire and not require a change at first login.

Subject: Non-domain servers
For non-domain Windows servers, a local user account on all target Windows servers is required, with the following privileges:
– Local admin rights on the target Windows hosts.
– It should be a service account.
– It should have access to execute remote WMI queries on the target servers.
– Password set to never expire and not require a change at first login.

Subject: Ports
From the MID Server to all target Windows servers:
– TCP 135, 80, 443, 445, 139, DCOM port range
– UDP 137, 53
– ICMP ping

Linux

Subject: Account
A regular user account with the following specifications:
– Password set to never expire and not ask for a change at first login.
– Write access to the home directory.
– Sudo rights on the following commands (with the NOPASSWD option in the /etc/sudoers file): dmidecode, lsof, fdisk, dmsetup, multipath
– Read permission on the following files: /etc/*release, /etc/bashrc, /etc/profile, /proc/cpuinfo, /proc/vmware/sched/ncpus, /var/log/dmesg

/etc/sudoers line example (the user field was missing from the original; replace <discovery-user> with the account name):
<discovery-user> ALL=(root) NOPASSWD:/sbin/dmidecode
<discovery-user> ALL=(root) NOPASSWD:/sbin/lsof

Subject: Ports
– TCP 22
– UDP 53
– ICMP ping

Subject: Shell
bash/sh only

Macintosh

Subject: Account
A regular user account with the following specifications:
– Password set to never expire and not ask for a change at first login.
– Write access to the home directory.
– Sudo rights on the following commands (with the NOPASSWD option in the /etc/sudoers file): dmidecode, lsof, fdisk, dmsetup, multipath
– Read permission on the following files: /etc/*release, /etc/bashrc, /etc/profile, /proc/cpuinfo, /proc/vmware/sched/ncpus, /var/log/dmesg

/etc/sudoers line example (the user field was missing from the original; replace <discovery-user> with the account name):
<discovery-user> ALL=(root) NOPASSWD:/sbin/dmidecode
<discovery-user> ALL=(root) NOPASSWD:/sbin/lsof

Subject: Ports
– TCP 22
– UDP 53
– ICMP ping

Subject: Shell
bash/sh only
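The Linux and Macintosh sections above both ask for a NOPASSWD sudo grant limited to a handful of commands plus read access to a fixed list of files. The following Python script is an added example, not code from the original post or from ServiceNow: it generates the sudoers user specifications in exactly the form shown above for a given account, lints any sudoers line for the common ways that scope gets loosened (an `ALL` command, a relative command name, a wildcard, a runas other than root), and reports which of the required files the current user cannot read. The account name `svc_discovery` and the `/sbin` paths are assumptions; the paths follow the page's example and should be confirmed on the target with `command -v`, since some distributions place `lsof` or `multipath` elsewhere.

```python
import glob
import os
import re

# Commands the page lists for NOPASSWD sudo. The /sbin paths follow the page's
# sudoers example (an assumption); resolve them on the target with `command -v`,
# as some distributions install lsof or multipath under /usr/sbin or /usr/bin.
DISCOVERY_COMMANDS = [
    "/sbin/dmidecode",
    "/sbin/lsof",
    "/sbin/fdisk",
    "/sbin/dmsetup",
    "/sbin/multipath",
]

# Files the page says the discovery account must be able to read.
REQUIRED_READABLE = [
    "/etc/*release",
    "/etc/bashrc",
    "/etc/profile",
    "/proc/cpuinfo",
    "/proc/vmware/sched/ncpus",
    "/var/log/dmesg",
]

# sudoers user specification:  user  host=(runas)  [TAG: ...]  command[, command...]
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def sudoers_lines(user, commands=DISCOVERY_COMMANDS):
    """Build one user specification per command in the form the page shows
    (`ALL=(root) NOPASSWD:<absolute path>`), with the account name filled in."""
    return [f"{user} ALL=(root) NOPASSWD:{cmd}" for cmd in commands]


def lint_sudoers_line(line):
    """Return a list of findings for one sudoers user specification.

    An empty list means the line is scoped the way the page requires: a fixed
    set of absolute command paths, runnable only as root. Findings flag the
    ways this gets loosened in practice (ALL, relative names, wildcards).
    """
    m = SUDOERS_RE.match(line.strip())
    if not m:
        return ["unparseable user specification"]
    findings = []
    if m.group("runas") not in ("root", ""):
        findings.append(f"runas '{m.group('runas')}' should be root")
    for cmd in (c.strip() for c in m.group("cmds").split(",")):
        if cmd == "ALL":
            findings.append("grants ALL commands")
        elif not cmd.startswith("/"):
            findings.append(f"command is not an absolute path: {cmd}")
        elif any(ch in cmd for ch in "*?["):
            findings.append(f"wildcard in command: {cmd}")
    return findings


def unreadable_files(patterns=REQUIRED_READABLE):
    """Return the required patterns that do not resolve to at least one file
    readable by the current user. Run this as the discovery account itself."""
    missing = []
    for pattern in patterns:
        has_glob = any(ch in pattern for ch in "*?[")
        matches = glob.glob(pattern) if has_glob else [pattern]
        if not any(os.path.isfile(p) and os.access(p, os.R_OK) for p in matches):
            missing.append(pattern)
    return missing


if __name__ == "__main__":
    # "svc_discovery" is a constructed name; use the real service account.
    for line in sudoers_lines("svc_discovery"):
        print(line, "->", lint_sudoers_line(line) or "ok")
    print("unreadable:", unreadable_files())
```

Run it as the discovery account on a target host: the generated lines can be dropped into a file under `/etc/sudoers.d/` (after `visudo -c`), and the lint is useful when reviewing a sudoers file the customer already has, where a broad `(ALL) NOPASSWD: ALL` grant is the usual shortcut that undoes the least-privilege intent of the list above.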

ESX (via vCenter)

Subject: Account
Three sets of credentials are needed to run a complete Discovery of vCenter/ESX servers:

a. Windows credentials: allow Discovery to access the Windows host on which the vCenter server runs
b. vCenter credentials: allow a vCenter probe to explore a vCenter server
c. VMware CIM credentials: allow Discovery to access the serial numbers of discovered ESX servers

1. The Windows prerequisites should be fulfilled for the host running vCenter.
2. The Discovery user should have read rights on the vCenter process.
3. A user on each VMware host with the ‘CIM interaction’ role, to access each WBEM service for serial number discovery.

Subject: Ports
Windows discovery ports, plus TCP 443, 5989, 5988

Subject: Assumption
vCenter is hosted on Windows

Software Instance(s)

| Application | File or directory | Access required |
|---|---|---|
| Apache | httpd.conf | Read |
| HBase | hbase-site.xml | Read |
| JBoss | jboss-service.xml | Read |
| JBoss | home directory | Read |
| JBoss | web.xml | Read |
| MySQL | my.cnf | Read |
| NGINX | nginx.conf | Read |
| Oracle | oratab | Read |
| Oracle | associated pfile(s) | Read |
| Oracle Listener | lsnrctl | Execute |
| Oracle Listener | listener.ora | Read |
| Tomcat | catalina.jar | Read |
| Tomcat | server.xml | Read |
| Tomcat | web.xml | Read |
| Unix | /etc/*release | Read |
| Unix | /etc/bashrc | Read |
| Unix | /etc/profile | Read |
| Unix | /proc/cpuinfo | Read |
| Unix | /proc/vmware/sched/ncpus | Read |
| Unix | /var/log/dmesg | Read |
| Unix | APD directory | Read |
| WebSphere | cell.xml | Read |
| WebSphere | server.xml | Read |
| WebSphere | serverindex.xml | Read |
| Microsoft SQL Server | see the requirements below | – |
| IIS | IIS Management Scripts and Tools must be installed to enable discovery | – |

Microsoft SQL Server

On the MID Server:
– Install .NET 3.5 and 4 from Microsoft.
– Install the latest version of the Microsoft SQL Server management library (SMO). Note: SMO requires the Common Language Runtime (CLR) library to be installed first. Both libraries can be downloaded from the Microsoft website.
– Install PowerShell v2.0 or above.

Microsoft SQL Server host:
– Install the Remote Registry Service on target computers running Microsoft SQL Server 2000.

Credentials:
Ensure the credentials have the public access level to the following:
– The target Windows host.
– The Microsoft SQL Server instance on the target Windows host. You must add the user to the SQL Server configuration.
– The MID Server host. The SMO libraries locally impersonate the credentials for the target system before connecting to Microsoft SQL Server. This behaviour is enforced by Active Directory, so authentication only succeeds if the domain requirements below are met.

Domains:
– Install the MID Server host and the Microsoft SQL Server host in the same domain or, if they are in different domains, enable a trust relationship such that users in the Microsoft SQL Server host domain are trusted by the MID Server host domain.
– If a domain trust relationship is in place, do not install the MID Server on a domain controller.

Network Devices

Requirements
1. The method used is SNMP; the supported protocol versions are v1, v2c and v3.
2. The MID Server should be added to the ACL of the network device.
3. Credentials:
3.1. Read-only community string in the case of SNMP v1 and v2c.
3.2. In the case of SNMP v3:
* SNMP username
* Authentication protocol (MD5/SHA)
* Authentication key
* Privacy protocol (3DES/AES128/AES192/AES256/DES)
* Port: UDP 161

Supported devices
– Routers
– Switches
– Printers
– UPS
– Load balancers (supported: A10, Apache mod_jk and Apache mod_proxy, Big-IP F5 Traffic Manager, Citrix NetScaler, HAProxy, NGINX, Alteon, ACE, Radware)

Storage

Discovering storage via host

Windows:
* Supported configurations are DAS or NAS with FC or iSCSI.
* Install the fcinfo.exe tool on Windows 2008 and 2012 servers that attach to storage via FC, and make sure its path is set in the environment variables.
* Optionally, install Windows Remote Management (WinRM) on the host server to discover Fibre Channel information. WinRM is on by default for Windows 2012 machines, but not for Windows 2008.

Linux:
For Linux, use one of the following supported host configurations:
* Solaris, DAS, NAS, or SAN with iSCSI
* CentOS, DAS, NAS, or SAN with FC or iSCSI
* Ubuntu Server, DAS, NAS, or SAN with iSCSI

Storage discovery via SMI-S and CIM

These are the requirements for storage discovery via SMI-S and CIM:
1. A CIM server using SMI-S 1.5 or later.
2. NAS and SAN systems from major vendors such as EMC, Hitachi, HP, and NetApp. SAN storage devices must use FC.
3. FC switches from major vendors such as Brocade and Cisco.
4. The CIM credentials must be available for SMI-S configuration. The CIM credentials can be different from the credentials for the system hosting the CIM server.
Note: Because the SMI-S Provider caches storage device information, the Discovery query to the provider does not affect storage device performance.
Ports: SLP 427, TCP 5989, 5988

Port summary

| Source | Target | Protocol | Port number (which needs to be opened) | Description |
|---|---|---|---|---|
| MID Server | Windows servers | TCP | 135, 445 | WMI for Windows |
| MID Server | Windows servers | TCP | 80/443 | Potential web servers |
| MID Server | Windows servers | TCP | 443 | vCenter hosted on Windows |
| MID Server | Windows servers | TCP | DCOM port range | DCOM for Windows |
| MID Server | Windows servers | UDP | 137 | NetBIOS (local domain WINS) |
| MID Server | Unix/Linux servers | TCP | 22 | SSH for non-Windows |
| MID Server | Unix/Linux servers | TCP | 80/443 | Potential web servers |
| MID Server | Instance | TCP | 80 | HTTP |
| MID Server | Instance | TCP | 443 | HTTPS |
| MID Server | Target network devices | UDP | 161 | SNMP for network devices |
| MID Server | DNS server | UDP | 53 | DNS |
| MID Server | Local domain WINS | UDP | 137 | NetBIOS |
| MID Server | Storage device | TCP & UDP | 427 | SLP |
| MID Server | Storage device | TCP | 5989, 5988 | CIM |
| MID Server | vCenter Server Appliance | TCP | 5480 | vCenter Server Appliance web interface over HTTPS |
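The port summary is the list the firewall team works from, and the quickest way to find out at the kick-off whether the rules were actually applied is to run a pre-flight check from the MID Server host. The script below is an added example, not code from the original post or from ServiceNow: it restates the fixed-port TCP rows of the table as data, attempts a TCP connect to a representative host for each target role, and reports each row as open, blocked or skipped. UDP rows (SNMP, DNS, NetBIOS, SLP) are reported as skipped rather than guessed, because a UDP socket gives no connect-level answer and those ports have to be checked with the real service (an SNMP GET or a DNS lookup). The `.example.invalid` hostnames are constructed placeholders; the DCOM dynamic range and the "potential web servers" rows are left out because they are not single fixed ports.

```python
import socket

# Fixed-port rows of the port summary, as (target role, protocol, port, purpose).
# The DCOM dynamic range and the 80/443 "potential web servers" rows are omitted
# because they are not single fixed ports.
PORT_SUMMARY = [
    ("Windows servers", "tcp", 135, "WMI for Windows"),
    ("Windows servers", "tcp", 445, "WMI for Windows"),
    ("Windows servers", "tcp", 443, "vCenter hosted on Windows"),
    ("Windows servers", "udp", 137, "NetBIOS (local domain WINS)"),
    ("Unix/Linux servers", "tcp", 22, "SSH for non-Windows"),
    ("Instance", "tcp", 443, "HTTPS to the ServiceNow instance"),
    ("Target network devices", "udp", 161, "SNMP for network devices"),
    ("DNS server", "udp", 53, "DNS"),
    ("Storage device", "udp", 427, "SLP"),
    ("Storage device", "tcp", 5989, "CIM"),
    ("Storage device", "tcp", 5988, "CIM"),
    ("vCenter Server Appliance", "tcp", 5480, "vCenter Server Appliance web interface"),
]

# Constructed placeholder mapping from target role to one representative host.
# Replace these with real hostnames from the customer's environment.
EXAMPLE_HOSTS = {
    "Windows servers": "win-target.example.invalid",
    "Unix/Linux servers": "linux-target.example.invalid",
    "Instance": "customer-instance.example.invalid",
    "Target network devices": "core-switch.example.invalid",
    "DNS server": "dns.example.invalid",
    "Storage device": "smis-provider.example.invalid",
    "vCenter Server Appliance": "vcsa.example.invalid",
}


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port can be established.

    A refused or timed-out connect means a firewall rule, a device ACL or a
    missing listener is in the way, so that row of the summary is not met.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(hosts, summary=PORT_SUMMARY, timeout=3.0):
    """Check every TCP row of the summary against the host mapped to its role.

    Returns a list of (host, protocol, port, purpose, status) where status is
    'open', 'blocked' or 'skipped'. Rows are skipped when no host is mapped to
    the role or when the protocol is UDP, which a connect cannot verify.
    """
    results = []
    for role, proto, port, purpose in summary:
        host = hosts.get(role)
        if host is None or proto != "tcp":
            status = "skipped"
        else:
            status = "open" if check_tcp(host, port, timeout) else "blocked"
        results.append((host, proto, port, purpose, status))
    return results


def self_test():
    """Offline check of check_tcp: a local listener must report open, and the
    same port must report blocked once the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    opened = check_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed = check_tcp("127.0.0.1", port, timeout=2.0)
    return opened and not closed


if __name__ == "__main__":
    for host, proto, port, purpose, status in run_checks(EXAMPLE_HOSTS):
        print(f"{status:8} {proto.upper()} {port:<5} {host or '-':40} {purpose}")
```

A "blocked" line for TCP 443 to the instance is worth treating differently from the others: that is the only outbound path the MID Server has, so nothing else in the table matters until it is open, and an outbound proxy (if the customer has one) will show up here as a block even when the firewall rule itself is fine.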
