IBM 3.8 - page 58

38 IBM Tivoli Remote Control Across Firewalls

configuration file. However, if you decided to change this port, you

need to also review the rc_def_proxy policy. For more information

about the RC Proxies configuration files, refer to

IBM Tivoli Remote

Control User’s Guide

, SC23-4842.

Sometimes, the Controller could be in a secure zone and managed by a local

Tivoli Endpoint Gateway and the Target could be in another secure zone and

also be managed by a local Tivoli Endpoint Gateway. In this case, two firewalls

separate the Controller and its RC Target Proxy from the Target and its RC

Controller Proxy. The TFST Relay could be installed in the zone between the two

secure zones and used to pass the information between the RC Target Proxy

and the RC Controller Proxy.

In order to implement the Remote Control session to us e Remote Control

Proxies, the rc_def_proxy default policy method needs to be configured as

shown in Example 1-14.

Example 1-14 The rc_def_proxy default policy method for Remote Control

#!/bin/sh

#

# Default policy method for Remote Control Proxy

#

# This policy method determines whether to use Remote Control Proxies.

# If you use Remote Control Proxies, rc_def_proxy defines how the controller

# uses the Remote Control Proxies to start a session with a target across a

# firewall.

#

# Possible values:

#

# NO Do not use the Remote Control Proxies.

#

# YES <configuration type> <rc proxy ip address> <rc proxy port>

# Use the Remote Control Proxies, where:

#

# <configuration type>

# Identifies the following scenarios:

#

# auto

# The controller and Remote Control Proxies

# search the route to the target using the

# information stored by

# Tivoli Firewall Security Toolbox.

#

# manual

# The Remote Control Proxies run as standalone.

# The controller uses the network address that

# you specify in this method to reach

Contents

Main Page Page Page Contents Page Page Page Figures Page Table s Page Examples Page Notices xiv Trademarks Preface The team that wrote this redbook Become a published author Comments welcome Page Page Page overview 1.1 IBM Tivoli Remote Control overview 1.1.1 IBM Tivoli Management Framework components Page Page Tivoli Management Framework Planning for Deployment Guide 1.1.2 IBM Tivoli Remote Control components 1.1.3 Tivoli components and communication symbols Page 1.1.4 Parent-Child concept 1.1.5 Proxy connection types Listener 1.2 IBM Tivoli Remote Control sessions overview Tivoli Management Framework Planning for Deployment Guide mode IBM Tivoli Remote Control Users 1.2.1 Session in a single-TMR environment Data flow for single-TMR session Page Tracing for single-TMR session Page Page Page Page 1.2.2 Session in a multi-TMR environment Tivoli Management Framework Planning for Deployment Guide Data flow for a multi-TMR session Page Page Tracing for a multi-TMR session Page 26 Page Page Page 30 Example 1-12 The nd_start_controller method from a HUB TMR 1.2.3 Session using a Remote Control Gateway Data flow for RC Gateway/single-TMR session Page Page 34 echo "YES tic01002 8877 64 IP:0" exit 0 Data flow for an RC Gateway/multi-TMR session Figure 1-5 RC session data flow in an RC Gateway/multi-TMR environment 1.2.4 Session using Remote Control Proxies Standalone Data flow for RC Proxy Standalone/single-TMR session Page Page Data flow for an RC Proxy Standalone/multi-TMR session Page Page Tra cin g for RC Proxy Standalone Example 1-15 The is_proxied_ep method for an RC Proxy Standalone architecture Example 1-16 The nd_start_target method for an RC Proxy Standalone architecture Page 1.2.5 Session using Data flow for RC Proxy-TFST/single-TMR session Page Page Page Example 1-18 The rc_def_proxy default policy method for Remote Control Data flow for RC Proxy-TFST/multi-TMR session Chapter 1. Remote Control sessions overview 51 Figure 1-9 RC session data flow in an RC Proxy-TFST/multi-TMR environment Page Page Tra cin g for RC Proxy-TFST Page 56 Page 2.1 Design Tivoli Management Framework Planning for Deployment Guide 2.1.1 Logical design 2.1.2 Physical design Page 2.1.3 Network considerations Unidirectional communication without Relay Tivoli Enterprise Management Across Firewalls initiator Page listener Unidirectional communication with Relay initiator Page listeners . The comments following the table refer to the numbered notes inside the table. Table 2-4 RC ports for unidirectional communication - Relay - Parents/listeners Page Bidirectional co mmunication without Relay Table 2-5 RC ports for bidirectional communication Bidirection al communication wit h Relay Table 2-6 RC ports for bidirectional communication with Relay Page 2.2 Planning for IBM Tivoli Remote Control Proxy 74 Figure 2-1 Planning overview for RC Proxy in a Standalone environment Phase 1 Phase 2 Phase 3a Phase 3b Figure 2-2 Planning overview for Remote Control Proxy in a TFST environment Phase 1 Phase 2 Phase 3a Phase 3b Phase 4a Supporting applications requirements Hardware requirements Software requirements Information you will need for the installation Page Page 2.3 Implementation planning case study scenario IBM Tivoli Remote Control Users Guide Implementation planning case study overview Page Implementation Planning Case Study: Solution A Page Page Page Table 2-10 RC Proxy network ports for firewall 2 - Solution A Table 2-11 RC Proxy network ports for firewall 3 - Solution A Implementation Planning Case Study: Solution B must Tivoli Enterprise Management Across Firewalls 90 Note that the ports provided in these tables are examples specific to this case study scenario. Table 2-14 RC Proxy network ports for firewall 3 - Solution B Table 2-12 RC Proxy network ports for firewall 1 - Solution B Table 2-13 RC Proxy network ports for firewall 2 - Solution B Page Page Standalone Proxies 3.1 Scenario overview Tivoli Enterprise Management Across Firewalls 3.2 Environment description 3.2.1 Technical infrastructure Page Page Page 3.2.2 Data flow description Page 3.3 Scenario installation and configuration 3.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution Page Table 3-2 RC Controller Proxy settings 3.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The rcproxy.route routing table configuration file The rc_def_proxy policy method 108 3.3.3 Firewall configuration table Figure 3-4 Remote Control Data Flow Overview Table 3-3 Scenario firewall configuration table The schema provided in the previous table would allow for a data flow shown in Figure3-4. 3.3.4 Remote Control Proxy startup IBM Tivoli Remote Control Us ers Page Example 3-13 The rcproxy.log: RC Controller Proxy log file Example 3-14 The netstat output collected on the RC Target Proxy 112 Example 3-15 The netstat output collected on the Controller Proxy Page Page Tivoli Firewall Security Toolbox 4.1 Scenario overview 4.2 Environment description 4.2.1 Technical infrastructure 118 Figure 4-1 General TFST testing scenario Page 120 Figure 4-2 Remote Control Proxy Implementation in a TFST environment 4.2.2 Data flow description Page Page 4.2.3 Firewall configuration tables 4.3 Scenario installation and configuration 4.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution RC Target Proxy installation Relay instance used by Remote Control RC Controller Proxy installation 4.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The Relay.cfg configuration file The rc_def_proxy policy method 4.3.3 Remote Control Proxy startup 134 Example 4-8 shows the Relay log file. Example 4-8 The Relay.log: Relay log file contents Example 4-9 shows the RC Controller Proxy log file. Example 4-9 The rcproxy.log: RC Controller Proxy log file Example 4-11 shows the output of the netstat -a command on the Relay. Example 4-11 The netstat output collected on the Relay Page Page Page Page Page Page 5.1 Generic problem determination outline 5.1.1 Session startup Endpoint problem determination process 144 Figure 5-1 Endpoint problem determination flow Tivoli Management Framework Maintenance and Troubleshooting Guide Page Tivoli Management Framework Maintenance and Troubleshooting Guide TFST problem determinat ion process 148 Figure 5-2 TFST problem determination flow Page Page RC Proxy problem determination process 152 Figure 5-3 RC Proxy problem determination flow Page Page 5.1.2 Session management IBM Tivoli Remote Control Use rs Guide 5.2 Troubleshooting the Remote Control Proxy 5.2.1 The rcproxy.log file Page Page 5.2.2 The remcon.trc Controller trace file Page 5.3 Troubleshooting examples 5.3.1 Case 1: Controller not connecting to Target Proxy Example 5-5 The Target Proxy log file Both logs show that the Proxy communication is working. Example 5-6 The Controller Proxy log file Page 5.3.2 Case 2: Target Proxy service is not active 164 Example 5-10 The Relay log file Example 5-11 The Gateway Proxy log file Page 166 Example 5-13 The Relay log file (instance used by remote control proxies) Example 5-14 The Controller Proxy log file 5.3.3 Case 3: Wrong Proxy configuration Page Page Page 5.4 Troubleshooting the firewall Page Page Page A Introduction Components of TFST Endpoint Proxy Gateway Proxy Relay Tivoli environments with single firewall Tivoli environments with multiple firewalls Sending events across firewalls Installation and configuration of TFST Installation of TFST Installing the Endpoint Proxy Installing the Gateway Proxy Installing Relay instances Configuration of TFST Configuring the Endpoint Proxy Endpoint Proxy Firewall Security Communication Layer Configuring Gateway Proxy Gateway-Proxy Firewall Security Communication-layer Firewall Secur ity Configuring the Relay Relay Firewall Security Toolbox User s Firewall Security Communication layer Configuring the Event Sink Firewall Security Toolbox User s SENDING RECEPTION EIF TFST components and operations Port range configurations Effective Utilization of TFST across firewalls Page Page Introduction Functionality of a firewall Firewall tools Packet filters Stateful packet filtering Proxy servers Socks Authentication Security Dynamics SecurID token SecureWay Policy Director integration with firewall DNS and mail gateways Network address translation (NAT) Virtual Private Networks Log management Firewalls in the market Page Abbreviations and acronyms 198 Related publications IBM Redbooks Other publications Building Internet Firewalls Online resources How to get IBM Redbooks Index Numerics A B C J K L M N S T U V W Page Page Page Page INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION Implementing IBM Tivoli Remote Control Across Firewalls Back cover