Ports needed through the firewall

For operation and monitoring point access to the PCA, the following ports and protocols need to be permitted through a firewall:

  • Web user interface: inbound TCP 80 or 443. Allow inbound connections to the PCA on port 80 or 443 so that users can connect to the PCA from outside your network. The PCA is pre-configured to listen on one of these ports, based on a selection made during purchase.
  • AppNeta monitoring points: inbound TCP 443. Allow inbound connections to the PCA on port 443 so that monitoring points outside your network can connect to the PCA.
  • Maintenance server: outbound TCP 443 to pca-maint.pathviewcloud.com. Allow outbound connections to the maintenance server so that your PCA can receive system updates and Customer Care can provide remote assistance.
  • NTP server: outbound UDP 123 to pool.ntp.org. Unless you have your own NTP server, the PCA needs an outbound connection for NTP to ensure precise time stamping.
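The flows above are a least-privilege allow list: four specific flows, with named peers for everything outbound. The following is an added example (not AppNeta code) that models that list and audits a candidate firewall policy against it, reporting required flows the policy does not permit and rules that are wider than any listed flow needs. The Flow/Rule models are assumptions, and the web UI is assumed to have been purchased on port 443.

```python
"""Audit a candidate firewall policy against the PCA flows listed above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow the PCA needs: direction relative to the PCA, protocol, port, remote peer."""
    name: str
    direction: str      # "in" or "out"
    proto: str          # "tcp" or "udp"
    port: int
    peer: str           # remote domain, or "any" when the table lists none


# Assumption: the web UI was purchased on 443 (change to 80 if your PCA listens there).
REQUIRED = (
    Flow("web user interface", "in", "tcp", 443, "any"),
    Flow("monitoring points", "in", "tcp", 443, "any"),
    Flow("maintenance server", "out", "tcp", 443, "pca-maint.pathviewcloud.com"),
    Flow("ntp", "out", "udp", 123, "pool.ntp.org"),
)


@dataclass(frozen=True)
class Rule:
    """An allow rule in the candidate policy; "any" widens a field to everything."""
    direction: str
    proto: str
    ports: frozenset    # set of ints, or frozenset({"any"})
    peer: str


def covers(rule: Rule, flow: Flow) -> bool:
    """True if this single rule permits the flow."""
    return (rule.direction == flow.direction
            and rule.proto in (flow.proto, "any")
            and ("any" in rule.ports or flow.port in rule.ports)
            and rule.peer in ("any", flow.peer))


def audit(rules, required=REQUIRED):
    """Return (names of required flows no rule permits, rules wider than any flow needs)."""
    missing = [f.name for f in required if not any(covers(r, f) for r in rules)]
    # Least privilege: every outbound flow in the table has a named peer and no flow
    # needs all ports, so an outbound "any"-peer rule or an "any"-port rule is over-broad.
    overbroad = [r for r in rules
                 if "any" in r.ports or (r.direction == "out" and r.peer == "any")]
    return missing, overbroad


if __name__ == "__main__":
    # Constructed policy: inbound web/monitoring rule plus the maintenance flow, NTP forgotten.
    policy = [Rule("in", "tcp", frozenset({80, 443}), "any"),
              Rule("out", "tcp", frozenset({443}), "pca-maint.pathviewcloud.com")]
    print(audit(policy))   # (['ntp'], [])
```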

Email server

The PCA can send users emails, called event notices, which contain information about changes in monitoring point availability and path service quality. To enable this function, you need to specify the SMTP server through which the PCA should send emails.

  • SMTP mail host: the hostname of your SMTP server.
  • from address: an email address for the PCA to send from, such as pca-01@yourcompany.com.
  • port: the port on which your SMTP server is listening.
  • enable ssl: secure SMTP communication using SSL.
  • host requires authentication: whether the PCA needs to log on to the SMTP server to send emails.

System branding

On the PCA, system-level branding is available in addition to org-level branding via > System Branding. These settings become the default and are inherited by all organizations unless org-level branding is in place. In addition, system-level branding applies to the login page and the cross-org summary page.

TACACS+ authentication

By default, users are authenticated locally using passwords stored in their user profiles. You can instead configure the PCA to authenticate users using TACACS+; the advantage of an external authentication server is that you can leverage existing user credentials rather than maintaining a separate set.

Implementation information

  • TACACS+ authentication is available for the AppNeta web interface in a PCA only. It is also available for web admin access of AppNeta monitoring points.
  • Only authentication is supported; authorization and accounting are not.
  • Cisco Secure ACS 4.2 is the only supported TACACS+ server.
  • The following authentication methods are supported: PAP, CHAP, and ASCII.
  • A secondary server can be configured; the secondary server is tried if the primary is unavailable or if login fails.

TACACS+ authentication for the web interface

To enable TACACS+ user authentication for the web interface:

  1. Navigate to settings > configure TACACS+.
  2. Select ‘Enable TACACS+’.
  3. Under ‘primary server’, for each parameter, enter a value or keep the pre-filled default.
    • Server port, shared secret, and authentication method must match the server configuration.
    • The specified port must also be open on any firewalls between the PCA and the TACACS+ server.
  4. (Optional) Specify a secondary server: click ‘secondary server’ and then, for each parameter, enter a value or keep the default.
    • Server port and shared secret must match the server configuration.
    • The secondary server uses the authentication method and timeout from the primary server configuration.
    • The specified port must also be open on any firewalls between the PCA and the TACACS+ server.
  5. Click ‘save’.
  6. Every user that will be authenticated against the TACACS+ server must have a user account; in those users’ profiles, choose TACACS+ for the ‘authenticate using’ field (this field is shown only if TACACS+ is enabled).

TACACS+ authentication for monitoring point administration

To enable TACACS+ authentication for monitoring point web administration, see web admin.