Starting and Setting Up RTR

2.9 Network Transports

2.9.2 Using RTR with DHCP and Internet Tunnels

When using RTR with DHCP or an Internet tunnel, a nodename may not be fully known; special naming techniques are provided for these conditions.

Anonymous Clients

RTR allows the use of wild cards when specifying the frontends that a router is permitted to accept connections from (that is, in the facility definition on the router). Valid wild card characters are "*", "%" and "?". The result of using a wild card character at facility configuration time is the creation of a template link.

When operating RTR in conjunction with the Compaq Internet Personal Tunnel, a client system outside of the corporate firewall uses tunnel software to obtain a secure channel from the Internet to inside the corporate domain. The tunnel client is assigned an address by the tunnel server from a pool when the tunnel software starts up.

When an RTR router receives a connection request from RTR running on this client, the source address is the address assigned by the tunnel server. There is no longer a fixed relationship between the client and its address. The method of configuring the router to accept such a connection is to define the frontend nodes with all the possible addresses that the tunnel server can assign to tunnel clients; you can do this with wildcards. For example,

RTR> create facility . . ./frontend=*.pool.places.dec.com

This command enables all nodes connecting through the tunnel to connect as frontends. The anonymous client feature may also be used with frontends that are using DHCP for TCP/IP address assignment.

Using the Tunnel Prefix

By using the node name prefix "tunnel.", it is possible to configure RTR to accept a network connection from a particular remote node even if it is connecting via an Internet tunnel using an unknown pseudoadapter address. This method allows stricter access control than the anonymous client feature, where wild cards may be used when specifying a remote node name. For example, on the router node behind a firewall, the facility definition could include:

RTR> create facility . . ./router=router.rtr.dec.com - /frontend=tunnel.client.rtr.dec.com

The definition on the frontend could be

RTR> create facility /router=router.rtr.dec.com - /frontend=client.rtr.dec.com
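To see which connecting node names a given set of /frontend= values would admit, and to flag which of them are template links, the following added example (not RTR's own code) evaluates constructed node names against the two definitions above. It assumes wild card semantics of "*" for any run of characters and "%" or "?" for exactly one character; the "tunnel." entry is matched literally here, since RTR's own tunnel-prefix resolution is not modelled.

```python
"""Evaluate RTR /frontend= specifications against connecting node names.
Added example, not RTR's own code.  Assumptions: '*' matches any run of
characters (including dots, so it can span several name labels), '%' and
'?' match exactly one character, and matching is case-insensitive as for
DNS names.  All node names below are constructed for illustration."""
import re

WILDCARDS = set("*%?")


def pattern_to_regex(frontend_spec: str) -> re.Pattern:
    """Translate a /frontend= value into an anchored, case-insensitive regex.
    Every non-wildcard character is escaped, so dots stay literal dots."""
    parts = []
    for ch in frontend_spec:
        if ch == "*":
            parts.append(".*")
        elif ch in "%?":
            parts.append(".")  # assumption: single-character wild cards
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_template_link(frontend_spec: str) -> bool:
    """A spec containing any wild card creates a template link (anonymous client)."""
    return any(ch in WILDCARDS for ch in frontend_spec)


def accepted_by(frontend_specs, node_name: str):
    """Return the specs that would accept a connection from node_name."""
    return [s for s in frontend_specs if pattern_to_regex(s).match(node_name)]


# Constructed facility: one anonymous-client pool entry and one named tunnel client.
FRONTENDS = ["*.pool.places.dec.com", "tunnel.client.rtr.dec.com"]

if __name__ == "__main__":
    for spec in FRONTENDS:
        kind = "template link" if is_template_link(spec) else "specific node"
        print(f"{spec:30} {kind}")
    for node in ["host17.pool.places.dec.com", "a.b.pool.places.dec.com",
                 "tunnel.client.rtr.dec.com", "client.rtr.dec.com",
                 "other.places.dec.com"]:
        print(f"{node:30} accepted by {accepted_by(FRONTENDS, node)}")
```

Note that under these assumptions "*.pool.places.dec.com" also accepts multi-label names such as "a.b.pool.places.dec.com", which is why the ACCFAIL monitor picture (below) is the place to confirm what the router is actually accepting or refusing.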

Troubleshooting Tunnel and Wildcard Connections

To assist in diagnosing connect acceptance problems, use the monitor picture ACCFAIL. This picture displays the recent history of those links from which the local node has refused to accept connections. It displays the failed link name as provided by the network transport, and can assist in rapidly identifying any problems.

TCP Services File

RTR uses the TCP/IP port number 46000 for the network communication daemon rtr rtrd.

On UNIX platforms, you should edit the file /etc/services to add the line

rtracp 46000/tcp

Compaq manual AA-Q88CE-TE