Forescout FSCP Exam - Topic 1 Question 7 Discussion

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to theForescout Quick Installation Guideand official port configuration documentation,SecureConnector for Windows uses TCP port 10003, and the management packets should be captured from the host IP address reaching themanagement port(not the monitor port). Therefore, the correct command would usetcpdump filtering for tcp port 10003 traffic reaching the management port.

SecureConnector Port Assignments:

According to the official documentation:

SecureConnector Type

Port

Protocol

Function

Windows

10003/TCP

TLS (encrypted)

Allows SecureConnector to create a secure encrypted TLS connection to the Appliance from Windows machines

OS X

10005/TCP

TLS (encrypted)

Allows SecureConnector to create a secure encrypted TLS connection to the Appliance from OS X machines

Linux

10006/TCP

TLS 1.2 (encrypted)

Allows SecureConnector to create a secure connection over TLS 1.2 to the Appliance from Linux machines

Port 2200 is for Legacy Linux SecureConnector (older versions using SSH encryption), not for Windows.

Forescout Appliance Interface Types:

Management Port- Used for administrative access and SecureConnector connections

Monitor Port- Used for monitoring and analyzing network traffic

Response Port- Used for policy actions and responses

SecureConnector connections reach themanagement port, not the monitor port.

Troubleshooting SecureConnector Connectivity:

To verify that SecureConnector management packets from a Windows host are successfully reaching CounterACT, use the following tcpdump command:

bash

tcpdump -i [management_interface] -nn 'tcp port 10003 and src [windows_host_ip]'

This command:

Monitors the management interface

Filters for TCP port 10003 traffic

Captures packets from the Windows host IP address reaching the management port

Verifies bidirectional TLS communication

Why Other Options Are Incorrect:

A . tcp port 10005 from host IP reaching monitor port- Port 10005 is for OS X, not Windows; should reach management port, not monitor port

B . tcp port 2200 reaching management port- Port 2200 is for legacy Linux SecureConnector with SSH, not Windows

C . tcp port 10003 reaching monitor port- Port 10003 is correct for Windows, but should reach management port, not monitor port

D . tcp port 2200 reaching management port- Port 2200 is for legacy Linux SecureConnector, not Windows

SecureConnector Connection Process:

According to the documentation:

SecureConnector on the Windows endpoint initiates a connection to port 10003

Connection is established to the Appliance's management port

When SecureConnector connects to an Appliance or Enterprise Manager, it is redirected to the Appliance to which its host is assigned

Ensure port 10003 is open to all Appliances and Enterprise Manager for transparent mobility

Referenced Documentation:

Forescout Quick Installation Guide v8.2

Forescout Quick Installation Guide v8.1

Port configuration section: SecureConnector for Windows