Chapter 2. Implementation planning 81
This section provides some examples of the implementation planning that can be
implemented for that particular scenario. It is meant to help systems
administrators to understand the different solutions for using IBM Tivoli Remote
Control across firewalls. However, it does not provide all details needed for a
complete implementation. Complete details and more realistic implementations
will be provided in Chapter 3, “Implementation scenario: Standalone Proxies” on
page 93 and Chapter 4, “Implementation scenario: Tivoli Firewall Security
Too l b ox ” on page 115. Additional information can also be found in the
IBM Tivoli
Remote Control User’s Guide
, SC23-4842 and in 1.2, “IBM Tivoli Remote Contr ol
sessions overview” on page 12.
Implementation planning case study overviewThis case scenario provides a fictitious example of an Enter prise, named CSI
Corporation, who decided to outsource its first and second level support, for both
workstations and servers, to IBM Switzerland.
In fact, some Endpoint parts of the Tivoli Management Re gion of the CSI
Corporation are installed in the IBM office, which is linked to the customer site
with a 128 MB WAN access. These Endpoints will act as the Cont rollers.
However, as these Endpoints in the IBM site are located in the External network
zone, and their respective Tivoli Endpoint Gateways are located in the Internal
zone, a connection from the Endpoints to their Tivoli Endpoint Gateway must
cross a DMZ to be completed. For this reason, the following components have to
be installed:
A Gateway Proxy in the External zone
A second instance of the Relay in the DMZ
An Endpoint Proxy connected to a dedicated Tivoli Gateway for IBM
Endpoints, in the Internal zone.
All workstations of the customer are placed in the Internal network zone. The
Security Officer of the CSI Corporation has defined a secure network zone inside
the enterprise to protect most of the enterprise servers. In this case, all IBM
Switzerland Administrators thus need to have Remote Control access to both the
Internal and the Servers network zones.
Furthermore, in order to maximize security, the Security Officer has decided o n
the following communication types:
Bidirectional between the Endpoint Proxy and the Relay — that is, between
the Internal network zone and the DMZ
Restricted to unidirectional between the Relay and the Gateway Proxy — that
is, between the DMZ and the External network zone