IBM 3.8 4.2.2 Data flow description

Chapter 4. Implementation scenario: Tivoli Firewall Security Toolbox 121

򐂰Since there is a Relay placed in the DMZ to allow the proxies communication

across multiple firewalls (Endpoint Proxy in the more secure side and the

Gateway Proxy in the less secure side), we need to define an extra Relay

instance on this network that will allow the communication between the RC

Target Proxy and the RC Controller Proxy. This Relay will be configured as a

Child of the RC Target Proxy and a Parent of the RC Controller Proxy.

򐂰An RC Controller Proxy needs to be installed on the same machine as the

Gateway Proxy. This RC Controller Proxy will be configured to be a Child of

the second instance of the Relay. Because the RC Controller Proxy is running

on the Gateway Proxy machine, its label should be exactly the same as the

Gateway Proxy.

򐂰Since the communication is defined as unidirectional, and the RC Target

Proxy is the initiator, the RC Controller Proxy will be defined as listener.

Table4-1 shows a sum mary of the configuration of our environment, providing

hostname, operating system, and related Tivoli resources installed.

Table 4-1 Summary of Framework and Remote Control resources

4.2.2 Data flow description

This section provides a description of the data flow in our network topology,

based on our testing scenario, and also highlights the ports used for the

communication between each RC Proxy and TFST component, preparing the

basis for 4.2.3, “Firewall configuration tables” on page124 .

The schema reported in Figure 4-3 shows an overview of the data flow in our

Non-Standalone case study scenario.

Hostname Operating system Tivoli resource Remote control

resource

tic01010 AIX 5.1 TMR Spoke and

Gateway

Remote Control

Server

tic01003 Windows 2000 Server Endpoint Proxy RC Target Proxy

tic01004 Windows 2000 Server Relay Relay

tic01005 Windows 2000 Server Gateway Proxy RC Controller

Proxy

tic01006 Windows 2000

Professional

Endpoint Remote Control

Controller

tic01007 Windows 2000

Professional

Endpoint Remote Control

Target

Contents

Main Page Page Page Contents Page Page Page Figures Page Table s Page Examples Page Notices xiv Trademarks Preface The team that wrote this redbook Become a published author Comments welcome Page Page Page overview 1.1 IBM Tivoli Remote Control overview 1.1.1 IBM Tivoli Management Framework components Page Page Tivoli Management Framework Planning for Deployment Guide 1.1.2 IBM Tivoli Remote Control components 1.1.3 Tivoli components and communication symbols Page 1.1.4 Parent-Child concept 1.1.5 Proxy connection types Listener 1.2 IBM Tivoli Remote Control sessions overview Tivoli Management Framework Planning for Deployment Guide mode IBM Tivoli Remote Control Users 1.2.1 Session in a single-TMR environment Data flow for single-TMR session Page Tracing for single-TMR session Page Page Page Page 1.2.2 Session in a multi-TMR environment Tivoli Management Framework Planning for Deployment Guide Data flow for a multi-TMR session Page Page Tracing for a multi-TMR session Page 26 Page Page Page 30 Example 1-12 The nd_start_controller method from a HUB TMR 1.2.3 Session using a Remote Control Gateway Data flow for RC Gateway/single-TMR session Page Page 34 echo "YES tic01002 8877 64 IP:0" exit 0 Data flow for an RC Gateway/multi-TMR session Figure 1-5 RC session data flow in an RC Gateway/multi-TMR environment 1.2.4 Session using Remote Control Proxies Standalone Data flow for RC Proxy Standalone/single-TMR session Page Page Data flow for an RC Proxy Standalone/multi-TMR session Page Page Tra cin g for RC Proxy Standalone Example 1-15 The is_proxied_ep method for an RC Proxy Standalone architecture Example 1-16 The nd_start_target method for an RC Proxy Standalone architecture Page 1.2.5 Session using Data flow for RC Proxy-TFST/single-TMR session Page Page Page Example 1-18 The rc_def_proxy default policy method for Remote Control Data flow for RC Proxy-TFST/multi-TMR session Chapter 1. Remote Control sessions overview 51 Figure 1-9 RC session data flow in an RC Proxy-TFST/multi-TMR environment Page Page Tra cin g for RC Proxy-TFST Page 56 Page 2.1 Design Tivoli Management Framework Planning for Deployment Guide 2.1.1 Logical design 2.1.2 Physical design Page 2.1.3 Network considerations Unidirectional communication without Relay Tivoli Enterprise Management Across Firewalls initiator Page listener Unidirectional communication with Relay initiator Page listeners . The comments following the table refer to the numbered notes inside the table. Table 2-4 RC ports for unidirectional communication - Relay - Parents/listeners Page Bidirectional co mmunication without Relay Table 2-5 RC ports for bidirectional communication Bidirection al communication wit h Relay Table 2-6 RC ports for bidirectional communication with Relay Page 2.2 Planning for IBM Tivoli Remote Control Proxy 74 Figure 2-1 Planning overview for RC Proxy in a Standalone environment Phase 1 Phase 2 Phase 3a Phase 3b Figure 2-2 Planning overview for Remote Control Proxy in a TFST environment Phase 1 Phase 2 Phase 3a Phase 3b Phase 4a Supporting applications requirements Hardware requirements Software requirements Information you will need for the installation Page Page 2.3 Implementation planning case study scenario IBM Tivoli Remote Control Users Guide Implementation planning case study overview Page Implementation Planning Case Study: Solution A Page Page Page Table 2-10 RC Proxy network ports for firewall 2 - Solution A Table 2-11 RC Proxy network ports for firewall 3 - Solution A Implementation Planning Case Study: Solution B must Tivoli Enterprise Management Across Firewalls 90 Note that the ports provided in these tables are examples specific to this case study scenario. Table 2-14 RC Proxy network ports for firewall 3 - Solution B Table 2-12 RC Proxy network ports for firewall 1 - Solution B Table 2-13 RC Proxy network ports for firewall 2 - Solution B Page Page Standalone Proxies 3.1 Scenario overview Tivoli Enterprise Management Across Firewalls 3.2 Environment description 3.2.1 Technical infrastructure Page Page Page 3.2.2 Data flow description Page 3.3 Scenario installation and configuration 3.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution Page Table 3-2 RC Controller Proxy settings 3.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The rcproxy.route routing table configuration file The rc_def_proxy policy method 108 3.3.3 Firewall configuration table Figure 3-4 Remote Control Data Flow Overview Table 3-3 Scenario firewall configuration table The schema provided in the previous table would allow for a data flow shown in Figure3-4. 3.3.4 Remote Control Proxy startup IBM Tivoli Remote Control Us ers Page Example 3-13 The rcproxy.log: RC Controller Proxy log file Example 3-14 The netstat output collected on the RC Target Proxy 112 Example 3-15 The netstat output collected on the Controller Proxy Page Page Tivoli Firewall Security Toolbox 4.1 Scenario overview 4.2 Environment description 4.2.1 Technical infrastructure 118 Figure 4-1 General TFST testing scenario Page 120 Figure 4-2 Remote Control Proxy Implementation in a TFST environment 4.2.2 Data flow description Page Page 4.2.3 Firewall configuration tables 4.3 Scenario installation and configuration 4.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution RC Target Proxy installation Relay instance used by Remote Control RC Controller Proxy installation 4.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The Relay.cfg configuration file The rc_def_proxy policy method 4.3.3 Remote Control Proxy startup 134 Example 4-8 shows the Relay log file. Example 4-8 The Relay.log: Relay log file contents Example 4-9 shows the RC Controller Proxy log file. Example 4-9 The rcproxy.log: RC Controller Proxy log file Example 4-11 shows the output of the netstat -a command on the Relay. Example 4-11 The netstat output collected on the Relay Page Page Page Page Page Page 5.1 Generic problem determination outline 5.1.1 Session startup Endpoint problem determination process 144 Figure 5-1 Endpoint problem determination flow Tivoli Management Framework Maintenance and Troubleshooting Guide Page Tivoli Management Framework Maintenance and Troubleshooting Guide TFST problem determinat ion process 148 Figure 5-2 TFST problem determination flow Page Page RC Proxy problem determination process 152 Figure 5-3 RC Proxy problem determination flow Page Page 5.1.2 Session management IBM Tivoli Remote Control Use rs Guide 5.2 Troubleshooting the Remote Control Proxy 5.2.1 The rcproxy.log file Page Page 5.2.2 The remcon.trc Controller trace file Page 5.3 Troubleshooting examples 5.3.1 Case 1: Controller not connecting to Target Proxy Example 5-5 The Target Proxy log file Both logs show that the Proxy communication is working. Example 5-6 The Controller Proxy log file Page 5.3.2 Case 2: Target Proxy service is not active 164 Example 5-10 The Relay log file Example 5-11 The Gateway Proxy log file Page 166 Example 5-13 The Relay log file (instance used by remote control proxies) Example 5-14 The Controller Proxy log file 5.3.3 Case 3: Wrong Proxy configuration Page Page Page 5.4 Troubleshooting the firewall Page Page Page A Introduction Components of TFST Endpoint Proxy Gateway Proxy Relay Tivoli environments with single firewall Tivoli environments with multiple firewalls Sending events across firewalls Installation and configuration of TFST Installation of TFST Installing the Endpoint Proxy Installing the Gateway Proxy Installing Relay instances Configuration of TFST Configuring the Endpoint Proxy Endpoint Proxy Firewall Security Communication Layer Configuring Gateway Proxy Gateway-Proxy Firewall Security Communication-layer Firewall Secur ity Configuring the Relay Relay Firewall Security Toolbox User s Firewall Security Communication layer Configuring the Event Sink Firewall Security Toolbox User s SENDING RECEPTION EIF TFST components and operations Port range configurations Effective Utilization of TFST across firewalls Page Page Introduction Functionality of a firewall Firewall tools Packet filters Stateful packet filtering Proxy servers Socks Authentication Security Dynamics SecurID token SecureWay Policy Director integration with firewall DNS and mail gateways Network address translation (NAT) Virtual Private Networks Log management Firewalls in the market Page Abbreviations and acronyms 198 Related publications IBM Redbooks Other publications Building Internet Firewalls Online resources How to get IBM Redbooks Index Numerics A B C J K L M N S T U V W Page Page Page Page INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION Implementing IBM Tivoli Remote Control Across Firewalls Back cover