IBM 3.8 Implementation planning case study overview

Chapter 2. Implementation planning 81

This section provides some examples of the implementation planning that can be

implemented for that particular scenario. It is meant to help systems

administrators to understand the different solutions for using IBM Tivoli Remote

Control across firewalls. However, it does not provide all details needed for a

complete implementation. Complete details and more realistic implementations

will be provided in Chapter 3, “Implementation scenario: Standalone Proxies” on

page 93 and Chapter 4, “Implementation scenario: Tivoli Firewall Security

Too l b ox ” on page 115. Additional information can also be found in the

, SC23-4842 and in 1.2, “IBM Tivoli Remote Contr ol

sessions overview” on page 12.

Implementation planning case study overview

This case scenario provides a fictitious example of an Enter prise, named CSI

Corporation, who decided to outsource its first and second level support, for both

workstations and servers, to IBM Switzerland.

In fact, some Endpoint parts of the Tivoli Management Re gion of the CSI

Corporation are installed in the IBM office, which is linked to the customer site

with a 128 MB WAN access. These Endpoints will act as the Cont rollers.

However, as these Endpoints in the IBM site are located in the External network

zone, and their respective Tivoli Endpoint Gateways are located in the Internal

zone, a connection from the Endpoints to their Tivoli Endpoint Gateway must

cross a DMZ to be completed. For this reason, the following components have to

be installed:

򐂰A Gateway Proxy in the External zone

򐂰A second instance of the Relay in the DMZ

򐂰An Endpoint Proxy connected to a dedicated Tivoli Gateway for IBM

Endpoints, in the Internal zone.

All workstations of the customer are placed in the Internal network zone. The

Security Officer of the CSI Corporation has defined a secure network zone inside

the enterprise to protect most of the enterprise servers. In this case, all IBM

Switzerland Administrators thus need to have Remote Control access to both the

Internal and the Servers network zones.

Furthermore, in order to maximize security, the Security Officer has decided o n

the following communication types:

򐂰Bidirectional between the Endpoint Proxy and the Relay — that is, between

the Internal network zone and the DMZ

򐂰Restricted to unidirectional between the Relay and the Gateway Proxy — that

is, between the DMZ and the External network zone