Chapter 2. Implementation planning 85
As per the existing security guidelines, the Security Officer of the CSI Corporation
imposes on this communication the same constraints defined for the
Endpoint/Gateway Proxy A architecture. In other words, communication
between the RC Controller Proxy A and the Relay A2 is set as bidirectional,
and between this Relay A2 and the RC Target Proxy A it is set as
unidirectional. In this scenario, Controller 1 is able to contact Target 1 using
the A path.
Controllers in the External zone connecting Targets in the Servers zone:
Controller 1 also needs to be able to contact Target 2 in the Server zone. As
Target 2 is managed by a Tivoli Endpoint Gateway, placed in the same zone,
we need to deploy an RC Proxy Standalone solution. This means that RC
Controller Proxy B must be placed in the same zone as Target 2 and RC
Target Proxy B1 in the same zone as Controller 1.
However, in this case, two network zones separate the Controller 1 from the
Target 2. Thus, a TFST Relay must be installed in each zone in between.
They are Relay B1 and Relay B2 and are chained to create a direct link
between the two RC Proxies B. It is not possible to use Relay A2 already
installed for the first channel because the Parent and Child hierarchy is totally
different. For this second channel, we decided that the RC Controller Proxy B
is a Parent and, consequently, the RC Target Proxy B1 is the Child. This
choice is very important and it will be clear as soon as we explain how
Controller 2 contacts Target 2. The two Relays B in between will assume
both roles, Parent and Child, at the same time.
Controllers in the Internal zone connecting Targets in the Servers zone:
As CSI Corporation is keeping the Level 3 support responsibility, CSI
administrators need to have remote control access to Targets in both the Internal
and Servers zones as well. As Controller 2 is in the same secure zone as
Target 1, the standard non-secure IBM Tivoli Remote Control process is
used. However, as Controller 2 is not able to contact Target 2 using Relay B2,
an RC Target Proxy needs to be installed in the Internal network zone. Target
Proxy B2 could be installed either on the same machine as the Relay B2 or on
a standalone machine. Furthermore, there are two possibilities to connect
this RC Target Proxy B2 to the RC Controller Proxy B:
– Open a new connection in the firewall to let RC Target Proxy B2
communicate directly with RC Controller Proxy B.
– Connect RC Target Proxy B2 to the Relay B2 even if they are in the same
network zone.
The main advantage of the second option is that there is no need to open
additional ports in the firewall, as the communication occurs between the
Relay B2 and the RC Controller Proxy B. However, connecting the RC Target
B1 to the Relay B2 might decrease the performance of the session, because
Relay B2 also handles communication originating from Controller 1.
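The trade-off between the two options (an extra firewall rule versus a shared relay) can be checked mechanically by modelling the zones and the allowed session-initiation direction of every link as a directed graph. The following Python script is an added illustration, not tooling from the Redbook or from IBM Tivoli Remote Control. It assumes: a zone named "Middle" for the unnamed zone that sits between External and Internal; that Relay A2 and Relay B1 live in that zone; that each Controller connects to the proxy located in its own zone; and that the Relay B chain between the two Proxies B accepts connections in both directions (the text fixes only the Parent/Child roles, not the initiation direction).

```python
"""Reachability, firewall-crossing and relay-load check for the two Remote
Control channels described above. Added example; zone name "Middle", the
placement of Relay A2/Relay B1 and the initiation direction of the Relay B
chain are assumptions, not statements from the Redbook."""
from collections import deque

# Zone of every component (constructed from the section's description).
ZONES = {
    "Controller 1": "External", "RC Controller Proxy A": "External",
    "RC Target Proxy B1": "External",
    "Relay A2": "Middle", "Relay B1": "Middle",            # assumed zone
    "RC Target Proxy A": "Internal", "Relay B2": "Internal",
    "Controller 2": "Internal", "Target 1": "Internal",
    "RC Target Proxy B2": "Internal",
    "RC Controller Proxy B": "Servers", "Target 2": "Servers",
}


def bidirectional(a, b):
    """Both sides may initiate a session."""
    return [(a, b), (b, a)]


# (a, b) means a may initiate a session to b.
BASE_LINKS = (
    # Channel A: Endpoint/Gateway Proxy architecture, Controller 1 -> Target 1
    [("Controller 1", "RC Controller Proxy A")]
    + bidirectional("RC Controller Proxy A", "Relay A2")   # bidirectional
    + [("Relay A2", "RC Target Proxy A"),                  # unidirectional
       ("RC Target Proxy A", "Target 1")]
    # Channel B: RC Proxy Standalone with two chained Relays, Controller 1 -> Target 2
    + [("Controller 1", "RC Target Proxy B1")]
    + bidirectional("RC Target Proxy B1", "Relay B1")      # assumed direction
    + bidirectional("Relay B1", "Relay B2")
    + bidirectional("Relay B2", "RC Controller Proxy B")
    + [("RC Controller Proxy B", "Target 2")]
    # Controller 2 reaches Target 1 directly inside the Internal zone
    + [("Controller 2", "Target 1")]
)

# The two options for attaching RC Target Proxy B2 (Internal zone).
OPTION_1 = [("Controller 2", "RC Target Proxy B2"),
            ("RC Target Proxy B2", "RC Controller Proxy B")]  # crosses a firewall
OPTION_2 = [("Controller 2", "RC Target Proxy B2"),
            ("RC Target Proxy B2", "Relay B2")]               # stays in the zone


def find_path(links, src, dst):
    """Breadth-first search following the session-initiation direction.
    Returns the shortest node list from src to dst, or None if unreachable."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def zone_crossings(links):
    """Links whose endpoints sit in different zones, i.e. links that need
    a firewall rule between those two zones."""
    return [(a, b) for a, b in links if ZONES[a] != ZONES[b]]


def relay_load(links, sessions):
    """Number of the given (controller, target) sessions that traverse each Relay."""
    load = {}
    for src, dst in sessions:
        for node in find_path(links, src, dst) or []:
            if node.startswith("Relay"):
                load[node] = load.get(node, 0) + 1
    return load


if __name__ == "__main__":
    sessions = [("Controller 1", "Target 2"), ("Controller 2", "Target 2")]
    print("Controller 2 -> Target 2 without Target Proxy B2:",
          find_path(BASE_LINKS, "Controller 2", "Target 2"))
    for name, extra in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        links = BASE_LINKS + extra
        print(name, "new firewall rules:", zone_crossings(extra),
              "relay load:", relay_load(links, sessions))
```

Running the script shows the two statements of the text side by side: option 2 needs no new inter-zone rule, but Relay B2 then carries both the Controller 1 and the Controller 2 sessions to Target 2, while under option 1 the extra load sits on a new firewall rule instead.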