Remote Connectivity
dbWatch Control Center is designed with secure, certificate-based remote communication in mind. All remote connectivity between server nodes, clients, and external monitors is protected by multiple layers of authentication, encryption, and access control.
Default Communication Port
By default, dbWatch Control Center listens for incoming connections on:
- Port: 7100/TCP
- Purpose: Client-to-server and server-to-server (node-to-node) communication
- Encrypted: Yes, using TLS with AES-GCM and 256-bit keys
- Protocol behavior: Certificate-authenticated TLS resembling HTTPS traffic
Read more:
- Network Ports and Services
- Encryption Overview
Node and Client Authentication
Remote communication is only permitted for authorized and registered nodes or clients. Trust is established through the Domain Certificate Infrastructure, which includes:
- A unique certificate for each node, issued by the Domain CA
- Enforced certificate validation before any connection is accepted
- Configuration of trusted nodes through the domain controller or node connection files
Unregistered or improperly signed nodes will be rejected by the system automatically.
Read more:
- Certificate Infrastructure
Controlling Remote Access
dbWatch includes built-in tools to restrict and secure remote access even further:
- The internal firewall can filter traffic based on:
  - IP address or subnet
Read more:
- Network Controls and Firewall
- Internal Control Center Firewall
Remote Deployment Scenarios
The remote communication model supports several use cases:
- Remote DBA monitoring from external offices or cloud VMs
- Multi-site architecture with central monitoring across network zones
- Hybrid environments: on-prem + cloud instances
- Managed Service Provider (MSP) scenarios where client infrastructure is isolated
In these cases, configuration of node communication, encryption, firewall rules, and port access must be handled carefully for secure operation.
Best Practices
- Only allow port 7100 from trusted IPs or VPN ranges
- Keep web access (port 8080) disabled unless dashboards are in use
- Use the built-in firewall to limit incoming traffic to known subnets
- Validate that all external nodes have certificates signed by your Domain CA
- Monitor connection activity and certificate status using the Help → Debug → Connection Info view
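One way to check the first three practices from the operating system side, as an added example that is not dbWatch code: it reads socket listings in the column layout of `ss -Htan` and reports peers connected to port 7100 from outside the trusted ranges, plus any listener on port 8080. The trusted subnets, the sample listing, and the function names are constructed for illustration.

```python
import ipaddress

# Assumed policy (constructed values): substitute your own trusted/VPN ranges.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.20.0.0/16", "192.168.50.0/24", "fd00:20::/32")]
NODE_PORT, WEB_PORT = "7100", "8080"   # ports named on this page

# Constructed sample in the `ss -Htan` column layout:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE = """\
LISTEN 0 128 0.0.0.0:7100 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
ESTAB 0 0 10.20.1.5:7100 10.20.3.17:51422
ESTAB 0 0 10.20.1.5:7100 203.0.113.44:40112
ESTAB 0 0 [::ffff:10.20.1.5]:7100 [::ffff:192.168.50.9]:60100
ESTAB 0 0 [fd00:20::5]:7100 [2001:db8::99]:33000
ESTAB 0 0 10.20.1.5:22 198.51.100.7:50000
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip or None, port string)."""
    host, _, port = endpoint.rpartition(":")
    host = host.split("%")[0].strip("[]")   # drop zone id, then brackets
    if host in ("*", ""):
        return None, port
    ip = ipaddress.ip_address(host)
    # Map IPv4-mapped IPv6 peers back to IPv4 so the IPv4 ranges apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip, port

def audit(ss_output):
    """Return (finding, detail) tuples for policy deviations in the listing."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        state = fields[0]
        _, local_port = split_endpoint(fields[3])
        peer_ip, _ = split_endpoint(fields[4])
        if state == "LISTEN" and local_port == WEB_PORT:
            findings.append(("web-port-listening", fields[3]))
        elif state == "ESTAB" and local_port == NODE_PORT and peer_ip is not None:
            if not any(peer_ip in net for net in TRUSTED_NETS):
                findings.append(("untrusted-peer", str(peer_ip)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding here means the network-level restriction is not in effect for that peer or port; certificate validation by the Control Center is a separate control and is not tested by this script.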
Related Topics
- Security – Network Ports and Services
- Encryption
- Certificate Infrastructure
- Internal Firewall
- Audit Logging
For assistance with configuring remote access, hardening connections across zones, or managing trusted node registration, contact:
support@dbwatch.com