I have two questions about Agent Manager NW connectivity with other DC RUM components:
1. The Agent Manager service is listening on ports 9014 and 9015. When I add a new Child Agent Manager via the Synthetic Console, is the required NW access Parent -> TCP 9014,9015 -> Child or
Child -> TCP 9014,9015 -> Parent, or both ways?
2. CAS is polling data from the Agent Manager either via port 9014 or 9015. In case the RUM Console is installed on a separate server, does the firewall need to be open to the defined port 9014/9015 also from the RUM Console server? If so, why is that access needed - perhaps only to test that the Agent Manager is up and running, when adding a new device? Or is there some continued need for RUM to access the Agent Manager?
Answer by Carol O. ·
Parent <-> TCP 9014,9015 <-> Child
I hope this is helpful. Thanks!
Answer by Kalle L. ·
Hello again. Since I think this post covers pretty much all the required communication for Agent Managers, I'll add one more that's missing.
When registering an agent for agent-initiated communication using a Child Manager, the port 9018 needs to be open towards the Parent. Meaning:
Child Manager -> TCP 9018 -> Parent Manager
To my knowledge, this is only required during the registration process. If the port is blocked, it will result in this error:
Unable to register with Vantage Manager [AGENT_MANAGER_HOSTNAME:9018]: error 
Answer by Kalle L. ·
I'll just add one more note here, in case it could be of help for someone. CAS doesn't need TCP 9014/9015 access only to the Parent Agent Manager -> if and when the Transaction Trace reporting feature is used, CAS also needs that TCP 9014/9015 access to any Child Agent Managers. So even though the basic monitoring data is routed to CAS from the Child Managers via the Parent, CAS still needs that direct access in order to display the Trace reports.
This is just one of those things you might not realize when the servers are in the same VLAN, but in a more distributed environment it becomes something you need to make a note of.