IBM 3.8 Introduction, Components of TFST

176 IBM Tivoli Remote C ontrol Across Firewalls

Introduction

Tivoli Firewall Security Toolbox enables Tivoli network management across

firewalls without compromising security. When one or more firewalls exist

between Endpoint and Gateway, the communication channels permitted by the

firewall are limited. The Tivoli firewall Security Toolbox enables the Endpoint and

Gateway communication across firewalls while respecting firewall restrictions. In

a TFST scenario, the Endpoint Proxy on the secure side and the G ateway Proxy

on the less secure side communicate with each other using proprietary Tivoli

protocol encapsulated TCP/IP packets through the firewall.

Components of TFST

In the following sections we describe the four components that make up Tivoli

Firewall Security Toolbox:

򐂰Endpoint Proxy

򐂰Gateway Proxy

򐂰Relay

򐂰Event Sink

Endpoint Proxy

This component is utilized by the Tivoli Gateway on the secure side and this

emulates the Tivoli Endpoint for the Gateway in TME Framework. This in turn

establishes the connection with the Gateway Proxy across the firewall on behalf

of Tivoli Gateway.

Gateway Proxy

This component is installed in the less secure side or DMZ to emulate a Tivoli

Gateway. This is connected to the Tivoli Endpoints on the less secure side and

Tivoli Endpoints are configured to point to this as their Ga teway.

Relay

The Relay allows the Endpoints to be manageable even if they are separated

from their Gateway by multiple firewalls, and this component is placed between

layers of firewall to manage the Endpoints. The main purpose of the Relay is to

pass the information as it is received up or down the chain to the Endpoint Proxy,

the Gateway Proxy, or other Relay components in the chain.

Contents

Main Page Page Page Contents Page Page Page Figures Page Table s Page Examples Page Notices xiv Trademarks Preface The team that wrote this redbook Become a published author Comments welcome Page Page Page overview 1.1 IBM Tivoli Remote Control overview 1.1.1 IBM Tivoli Management Framework components Page Page Tivoli Management Framework Planning for Deployment Guide 1.1.2 IBM Tivoli Remote Control components 1.1.3 Tivoli components and communication symbols Page 1.1.4 Parent-Child concept 1.1.5 Proxy connection types Listener 1.2 IBM Tivoli Remote Control sessions overview Tivoli Management Framework Planning for Deployment Guide mode IBM Tivoli Remote Control Users 1.2.1 Session in a single-TMR environment Data flow for single-TMR session Page Tracing for single-TMR session Page Page Page Page 1.2.2 Session in a multi-TMR environment Tivoli Management Framework Planning for Deployment Guide Data flow for a multi-TMR session Page Page Tracing for a multi-TMR session Page 26 Page Page Page 30 Example 1-12 The nd_start_controller method from a HUB TMR 1.2.3 Session using a Remote Control Gateway Data flow for RC Gateway/single-TMR session Page Page 34 echo "YES tic01002 8877 64 IP:0" exit 0 Data flow for an RC Gateway/multi-TMR session Figure 1-5 RC session data flow in an RC Gateway/multi-TMR environment 1.2.4 Session using Remote Control Proxies Standalone Data flow for RC Proxy Standalone/single-TMR session Page Page Data flow for an RC Proxy Standalone/multi-TMR session Page Page Tra cin g for RC Proxy Standalone Example 1-15 The is_proxied_ep method for an RC Proxy Standalone architecture Example 1-16 The nd_start_target method for an RC Proxy Standalone architecture Page 1.2.5 Session using Data flow for RC Proxy-TFST/single-TMR session Page Page Page Example 1-18 The rc_def_proxy default policy method for Remote Control Data flow for RC Proxy-TFST/multi-TMR session Chapter 1. Remote Control sessions overview 51 Figure 1-9 RC session data flow in an RC Proxy-TFST/multi-TMR environment Page Page Tra cin g for RC Proxy-TFST Page 56 Page 2.1 Design Tivoli Management Framework Planning for Deployment Guide 2.1.1 Logical design 2.1.2 Physical design Page 2.1.3 Network considerations Unidirectional communication without Relay Tivoli Enterprise Management Across Firewalls initiator Page listener Unidirectional communication with Relay initiator Page listeners . The comments following the table refer to the numbered notes inside the table. Table 2-4 RC ports for unidirectional communication - Relay - Parents/listeners Page Bidirectional co mmunication without Relay Table 2-5 RC ports for bidirectional communication Bidirection al communication wit h Relay Table 2-6 RC ports for bidirectional communication with Relay Page 2.2 Planning for IBM Tivoli Remote Control Proxy 74 Figure 2-1 Planning overview for RC Proxy in a Standalone environment Phase 1 Phase 2 Phase 3a Phase 3b Figure 2-2 Planning overview for Remote Control Proxy in a TFST environment Phase 1 Phase 2 Phase 3a Phase 3b Phase 4a Supporting applications requirements Hardware requirements Software requirements Information you will need for the installation Page Page 2.3 Implementation planning case study scenario IBM Tivoli Remote Control Users Guide Implementation planning case study overview Page Implementation Planning Case Study: Solution A Page Page Page Table 2-10 RC Proxy network ports for firewall 2 - Solution A Table 2-11 RC Proxy network ports for firewall 3 - Solution A Implementation Planning Case Study: Solution B must Tivoli Enterprise Management Across Firewalls 90 Note that the ports provided in these tables are examples specific to this case study scenario. Table 2-14 RC Proxy network ports for firewall 3 - Solution B Table 2-12 RC Proxy network ports for firewall 1 - Solution B Table 2-13 RC Proxy network ports for firewall 2 - Solution B Page Page Standalone Proxies 3.1 Scenario overview Tivoli Enterprise Management Across Firewalls 3.2 Environment description 3.2.1 Technical infrastructure Page Page Page 3.2.2 Data flow description Page 3.3 Scenario installation and configuration 3.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution Page Table 3-2 RC Controller Proxy settings 3.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The rcproxy.route routing table configuration file The rc_def_proxy policy method 108 3.3.3 Firewall configuration table Figure 3-4 Remote Control Data Flow Overview Table 3-3 Scenario firewall configuration table The schema provided in the previous table would allow for a data flow shown in Figure3-4. 3.3.4 Remote Control Proxy startup IBM Tivoli Remote Control Us ers Page Example 3-13 The rcproxy.log: RC Controller Proxy log file Example 3-14 The netstat output collected on the RC Target Proxy 112 Example 3-15 The netstat output collected on the Controller Proxy Page Page Tivoli Firewall Security Toolbox 4.1 Scenario overview 4.2 Environment description 4.2.1 Technical infrastructure 118 Figure 4-1 General TFST testing scenario Page 120 Figure 4-2 Remote Control Proxy Implementation in a TFST environment 4.2.2 Data flow description Page Page 4.2.3 Firewall configuration tables 4.3 Scenario installation and configuration 4.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution RC Target Proxy installation Relay instance used by Remote Control RC Controller Proxy installation 4.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The Relay.cfg configuration file The rc_def_proxy policy method 4.3.3 Remote Control Proxy startup 134 Example 4-8 shows the Relay log file. Example 4-8 The Relay.log: Relay log file contents Example 4-9 shows the RC Controller Proxy log file. Example 4-9 The rcproxy.log: RC Controller Proxy log file Example 4-11 shows the output of the netstat -a command on the Relay. Example 4-11 The netstat output collected on the Relay Page Page Page Page Page Page 5.1 Generic problem determination outline 5.1.1 Session startup Endpoint problem determination process 144 Figure 5-1 Endpoint problem determination flow Tivoli Management Framework Maintenance and Troubleshooting Guide Page Tivoli Management Framework Maintenance and Troubleshooting Guide TFST problem determinat ion process 148 Figure 5-2 TFST problem determination flow Page Page RC Proxy problem determination process 152 Figure 5-3 RC Proxy problem determination flow Page Page 5.1.2 Session management IBM Tivoli Remote Control Use rs Guide 5.2 Troubleshooting the Remote Control Proxy 5.2.1 The rcproxy.log file Page Page 5.2.2 The remcon.trc Controller trace file Page 5.3 Troubleshooting examples 5.3.1 Case 1: Controller not connecting to Target Proxy Example 5-5 The Target Proxy log file Both logs show that the Proxy communication is working. Example 5-6 The Controller Proxy log file Page 5.3.2 Case 2: Target Proxy service is not active 164 Example 5-10 The Relay log file Example 5-11 The Gateway Proxy log file Page 166 Example 5-13 The Relay log file (instance used by remote control proxies) Example 5-14 The Controller Proxy log file 5.3.3 Case 3: Wrong Proxy configuration Page Page Page 5.4 Troubleshooting the firewall Page Page Page A Introduction Components of TFST Endpoint Proxy Gateway Proxy Relay Tivoli environments with single firewall Tivoli environments with multiple firewalls Sending events across firewalls Installation and configuration of TFST Installation of TFST Installing the Endpoint Proxy Installing the Gateway Proxy Installing Relay instances Configuration of TFST Configuring the Endpoint Proxy Endpoint Proxy Firewall Security Communication Layer Configuring Gateway Proxy Gateway-Proxy Firewall Security Communication-layer Firewall Secur ity Configuring the Relay Relay Firewall Security Toolbox User s Firewall Security Communication layer Configuring the Event Sink Firewall Security Toolbox User s SENDING RECEPTION EIF TFST components and operations Port range configurations Effective Utilization of TFST across firewalls Page Page Introduction Functionality of a firewall Firewall tools Packet filters Stateful packet filtering Proxy servers Socks Authentication Security Dynamics SecurID token SecureWay Policy Director integration with firewall DNS and mail gateways Network address translation (NAT) Virtual Private Networks Log management Firewalls in the market Page Abbreviations and acronyms 198 Related publications IBM Redbooks Other publications Building Internet Firewalls Online resources How to get IBM Redbooks Index Numerics A B C J K L M N S T U V W Page Page Page Page INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION Implementing IBM Tivoli Remote Control Across Firewalls Back cover