Hi, I have a TMS in a DMZ and a couple of C20s in the LAN;
I have opened the following ports from the DMZ to the C20: 80, 443 TCP and 161 UDP. But TMS can't reach the C20.
What are the correct ports to open in the firewall to add the C20 to the TMS?
You should refer to the Cisco TMS Admin Guide, in particular the section that discusses Support for Remote Systems/SoHo systems, on what is required when adding a remote system to Cisco TMS:
If possible, the easiest way to add a remote system to Cisco TMS is to first have the system registered in Cisco TMS before you bring it to the remote location. Before you unplug it, go to Edit Settings in the Settings tab for the system and click Enforce Management Settings. If the system will be behind a firewall that is not open or doesn’t have HTTP or HTTPS ports opened up, you also have to go to the Connection tab on that endpoint and change System Connectivity to Behind Firewall. Cisco TMS will then set the management address on that system to Cisco TMS external management address. When the system is plugged in from the remote location, the system will then send a boot event to Cisco TMS and from then on the system will be available from Cisco TMS, i.e. heartbeat.
If the above isn't possible, then you'll need to set the external management address of Cisco TMS on the endpoint. Note that this is the address that you've configured in TMS at Admin Tools > Configuration > Network Settings > Advanced Network Settings for Systems on Public Internet/Behind Firewall. When this has been set, the endpoint will send a register event to Cisco TMS, and when Cisco TMS receives this and notices that the system is not already in Cisco TMS, it will add it to a list. One must then add the system to Cisco TMS afterwards.
If your system is in public, not behind a firewall or behind a firewall that has opened up the HTTP or HTTPS ports, it is advised to change the system connectivity on the system to Reachable on Public Internet. This way it will also be possible for Cisco TMS to set up calls where the endpoint is calling out, and not only being called to.
The two Reachable On connectivities are pretty much the same, except for the management URL they get when you enforce management settings: each picks a different address from the ones configured in the Network Settings. In both cases systems can be reached directly and the same protocol will be used for both.
Behind FW is different because TMS cannot reach these systems; they will communicate with TMS using the SOHO heartbeat mechanism as described in the Admin guide.
OK, sure, the FQDN under "Advanced Network Settings for Systems on Public Internet/Behind Firewall".
Anyhow, it might be handy if that config were extended to have a:
* on external communication allow only secure communication
which should also disallow unencrypted HTTP, SNMP, FTP, ... to and from the endpoint
It may be that your endpoint is configured for the DNS name of TMS and does not have DNS configured, or a proxy sits between your C20 and TMS that requires authentication.
Can you browse to the feedback URL (you can get it from an xstatus feed command) from a PC that is on the same subnet as the C20?
I would assume you have done something not 100% correct.
You said DMZ; do you have any kind of NAT in between?
How does it look when you try to add a system, some screenshots would be handy.
I would do a tcpdump/wireshark on the endpoint/on the TMS and compare what is sent/received.
A look inside the logfiles has also never harmed :-)
Did you try to access the http and https interface of the endpoint from the TMS?
Btw, for sysadmin reasons I would also open ssh from the TMS to the endpoints.
Please vote the answers!
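As an added example (not code from this thread, from Cisco, or from the TMS product), here is a small Python script that runs the checks the answer above suggests from the TMS side of the firewall: a TCP connect to the endpoint on 80 and 443, one SNMPv1 GetRequest to UDP 161, and a mapping of the result onto the two System Connectivity modes discussed earlier in the thread. The endpoint address comes from the command line; the community string "public", the sysDescr.0 OID and the three-second timeouts are assumptions for the demo. The SNMP packet is built by hand (BER encoding per RFC 1157) so that nothing beyond the standard library is needed.

```python
"""Connectivity checks between a Cisco TMS host and an endpoint such as a C20.

Added example, not code from the original thread or from Cisco. Run it on the
TMS (or on a host on the TMS side of the firewall) against the endpoint's IP.
The community string "public" and the sysDescr.0 OID are assumptions.
"""
import socket
import sys


def check_tcp(host, port, timeout=3.0):
    """Return (reachable, detail) for a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (filtered: no SYN/ACK and no RST came back)"
    except OSError as exc:
        return False, "refused/unreachable: %s" % exc


def ber_tlv(tag, content):
    """BER tag-length-value, with the long length form for content >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def ber_int(value):
    """BER INTEGER for a non-negative value (minimal bytes, sign bit kept clear)."""
    if value < 0:
        raise ValueError("negative integers are not needed for this probe")
    return ber_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(oid):
    """BER OBJECT IDENTIFIER: first two arcs merged, base-128 sub-identifiers."""
    arcs = [int(a) for a in oid.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for sub in subids:
        chunk = [sub & 0x7F]          # low 7 bits last, no continuation bit
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def build_snmp_get(community, oid, request_id):
    """SNMPv1 GetRequest for a single OID (RFC 1157 message layout)."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")   # OID + NULL value
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
                  + ber_tlv(0x30, varbind))               # GetRequest-PDU
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)


def check_snmp(host, community="public", timeout=3.0):
    """Send one GetRequest for sysDescr.0 and report whether an SNMP reply came back.
    UDP gives no 'closed' signal through a firewall, so silence can mean filtered
    or a wrong community string; only a reply is conclusive."""
    packet = build_snmp_get(community, "1.3.6.1.2.1.1.1.0", 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False, "no reply (filtered, or wrong community string)"
        except OSError as exc:
            return False, "unreachable: %s" % exc
    # A GetResponse carries PDU tag 0xA2 after the version and community fields.
    return (data[:1] == b"\x30" and b"\xa2" in data), "%d-byte reply" % len(data)


def classify(http_ok, https_ok):
    """Map the TCP results onto the two System Connectivity modes from the thread."""
    if http_ok or https_ok:
        return "reachable"         # TMS can manage the endpoint directly
    return "behind_firewall"       # only the SOHO heartbeat to the TMS feedback URL can work


def run_local_demo():
    """Offline self-check: probe a local listener and a port nothing listens on.
    Returns (open_port_reachable, closed_port_reachable), expected (True, False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))    # reserve a port, then release it
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        open_ok, _ = check_tcp("127.0.0.1", open_port, timeout=2.0)
        closed_ok, _ = check_tcp("127.0.0.1", closed_port, timeout=2.0)
    finally:
        srv.close()
    return open_ok, closed_ok


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: tms_check.py <endpoint-ip> [community]")
        sys.exit(1)
    target = sys.argv[1]
    community = sys.argv[2] if len(sys.argv) > 2 else "public"
    http_ok, http_detail = check_tcp(target, 80)
    https_ok, https_detail = check_tcp(target, 443)
    snmp_ok, snmp_detail = check_snmp(target, community)
    print("tcp/80  :", http_ok, http_detail)
    print("tcp/443 :", https_ok, https_detail)
    print("udp/161 :", snmp_ok, snmp_detail)
    print("connectivity mode:", classify(http_ok, https_ok))
```

A "timeout" on 80/443 points at the firewall or at NAT (the SYN never gets an answer), whereas "refused" means the packet reached a host that is not listening there, which is a different problem. Run the same script in the other direction, from the C20's subnet against the TMS address, to cover the feedback URL path that a Behind Firewall system depends on.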
The most you can do if behind a firewall is to more or less "pre-register" the endpoint in TMS.
If he added the system in TMS it might not work, as it failed and so it might not have set up the TMS parameters on the endpoint. In this case he would have had to set the parameters on the endpoint so the system tries to connect to the TMS; then it should have shown up as "behind firewall".
But this would be a bad workaround, as we already know the issue here: wrong firewall settings.
So if it is expected to work, then the network is most likely a good place to start looking.
Besides that, the recommendation to check the DNS entries is also valid and should be done anyhow.
Also check on the TMS network settings page that the FQDNs are properly set.