IBM 3.8 1.2.5 Session using

Chapter 1. Remote Control sessions overview 45

rem-oc 972 12

Results: (encoded):

0

1.2.5 Session using Remote Control Proxies in a TFST environment

In the following sections we describe the Remote Control Proxy architecture

running on top of Tivoli Firewall Security Toolbox for both single-TMR and

multi-TMR environments.

The Remote Control Proxy components enable machines on one side of a

firewall to communicate, through a common definable port, with machines on the

other side of the firewall. The Controller is able to start a Target session by

minimizing the impact on the security infrastructure.

The Remote Control Proxy-TFST solution can only be used if a Tivoli Firewall

Security Toolbox environment is already deployed.

The Endpoint Proxy emulates the Endpoints located in another network zone to

the standard Tivoli Gateway located in the same network zone as the TMR

Server. Thus, the Endpoint Proxy is able to find the path to contact a ll distant

Endpoints. In this context, the RC Target Proxy, which emulates the Target

located in another network zone, could take the advantage of the Endpoint Proxy

to find the way to contact the Targets. However, the Target Proxy must be able to

communicate with the Controller without any firewall constraints, and thus must

be located in the same network zone as the Controller.

On the other side, the RC Controller Proxy emulates the Controller located in

another zone to the Target. The RC Controller Proxy must be able to

communicate with the Target without any firewall constraints, and thus must be

located in the same network zone as the Target. Furthermore, as the RC Target

Proxy is installed on top of the Endpoint Proxy, the RC Controller Proxy must be

installed on the top of the Gateway Proxy, which emulates a standard Tivoli

Gateway to the distant Endpoints.

Data flow for RC Proxy-TFST/single-TMR session

Figure 1-8 shows in detail how a Remote Control session works using a Remote

Control Proxy - TFST architecture in a single-TMR environment with firewall

restrictions:

Contents

Main Page Page Page Contents Page Page Page Figures Page Table s Page Examples Page Notices xiv Trademarks Preface The team that wrote this redbook Become a published author Comments welcome Page Page Page overview 1.1 IBM Tivoli Remote Control overview 1.1.1 IBM Tivoli Management Framework components Page Page Tivoli Management Framework Planning for Deployment Guide 1.1.2 IBM Tivoli Remote Control components 1.1.3 Tivoli components and communication symbols Page 1.1.4 Parent-Child concept 1.1.5 Proxy connection types Listener 1.2 IBM Tivoli Remote Control sessions overview Tivoli Management Framework Planning for Deployment Guide mode IBM Tivoli Remote Control Users 1.2.1 Session in a single-TMR environment Data flow for single-TMR session Page Tracing for single-TMR session Page Page Page Page 1.2.2 Session in a multi-TMR environment Tivoli Management Framework Planning for Deployment Guide Data flow for a multi-TMR session Page Page Tracing for a multi-TMR session Page 26 Page Page Page 30 Example 1-12 The nd_start_controller method from a HUB TMR 1.2.3 Session using a Remote Control Gateway Data flow for RC Gateway/single-TMR session Page Page 34 echo "YES tic01002 8877 64 IP:0" exit 0 Data flow for an RC Gateway/multi-TMR session Figure 1-5 RC session data flow in an RC Gateway/multi-TMR environment 1.2.4 Session using Remote Control Proxies Standalone Data flow for RC Proxy Standalone/single-TMR session Page Page Data flow for an RC Proxy Standalone/multi-TMR session Page Page Tra cin g for RC Proxy Standalone Example 1-15 The is_proxied_ep method for an RC Proxy Standalone architecture Example 1-16 The nd_start_target method for an RC Proxy Standalone architecture Page 1.2.5 Session using Data flow for RC Proxy-TFST/single-TMR session Page Page Page Example 1-18 The rc_def_proxy default policy method for Remote Control Data flow for RC Proxy-TFST/multi-TMR session Chapter 1. Remote Control sessions overview 51 Figure 1-9 RC session data flow in an RC Proxy-TFST/multi-TMR environment Page Page Tra cin g for RC Proxy-TFST Page 56 Page 2.1 Design Tivoli Management Framework Planning for Deployment Guide 2.1.1 Logical design 2.1.2 Physical design Page 2.1.3 Network considerations Unidirectional communication without Relay Tivoli Enterprise Management Across Firewalls initiator Page listener Unidirectional communication with Relay initiator Page listeners . The comments following the table refer to the numbered notes inside the table. Table 2-4 RC ports for unidirectional communication - Relay - Parents/listeners Page Bidirectional co mmunication without Relay Table 2-5 RC ports for bidirectional communication Bidirection al communication wit h Relay Table 2-6 RC ports for bidirectional communication with Relay Page 2.2 Planning for IBM Tivoli Remote Control Proxy 74 Figure 2-1 Planning overview for RC Proxy in a Standalone environment Phase 1 Phase 2 Phase 3a Phase 3b Figure 2-2 Planning overview for Remote Control Proxy in a TFST environment Phase 1 Phase 2 Phase 3a Phase 3b Phase 4a Supporting applications requirements Hardware requirements Software requirements Information you will need for the installation Page Page 2.3 Implementation planning case study scenario IBM Tivoli Remote Control Users Guide Implementation planning case study overview Page Implementation Planning Case Study: Solution A Page Page Page Table 2-10 RC Proxy network ports for firewall 2 - Solution A Table 2-11 RC Proxy network ports for firewall 3 - Solution A Implementation Planning Case Study: Solution B must Tivoli Enterprise Management Across Firewalls 90 Note that the ports provided in these tables are examples specific to this case study scenario. Table 2-14 RC Proxy network ports for firewall 3 - Solution B Table 2-12 RC Proxy network ports for firewall 1 - Solution B Table 2-13 RC Proxy network ports for firewall 2 - Solution B Page Page Standalone Proxies 3.1 Scenario overview Tivoli Enterprise Management Across Firewalls 3.2 Environment description 3.2.1 Technical infrastructure Page Page Page 3.2.2 Data flow description Page 3.3 Scenario installation and configuration 3.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution Page Table 3-2 RC Controller Proxy settings 3.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The rcproxy.route routing table configuration file The rc_def_proxy policy method 108 3.3.3 Firewall configuration table Figure 3-4 Remote Control Data Flow Overview Table 3-3 Scenario firewall configuration table The schema provided in the previous table would allow for a data flow shown in Figure3-4. 3.3.4 Remote Control Proxy startup IBM Tivoli Remote Control Us ers Page Example 3-13 The rcproxy.log: RC Controller Proxy log file Example 3-14 The netstat output collected on the RC Target Proxy 112 Example 3-15 The netstat output collected on the Controller Proxy Page Page Tivoli Firewall Security Toolbox 4.1 Scenario overview 4.2 Environment description 4.2.1 Technical infrastructure 118 Figure 4-1 General TFST testing scenario Page 120 Figure 4-2 Remote Control Proxy Implementation in a TFST environment 4.2.2 Data flow description Page Page 4.2.3 Firewall configuration tables 4.3 Scenario installation and configuration 4.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution RC Target Proxy installation Relay instance used by Remote Control RC Controller Proxy installation 4.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The Relay.cfg configuration file The rc_def_proxy policy method 4.3.3 Remote Control Proxy startup 134 Example 4-8 shows the Relay log file. Example 4-8 The Relay.log: Relay log file contents Example 4-9 shows the RC Controller Proxy log file. Example 4-9 The rcproxy.log: RC Controller Proxy log file Example 4-11 shows the output of the netstat -a command on the Relay. Example 4-11 The netstat output collected on the Relay Page Page Page Page Page Page 5.1 Generic problem determination outline 5.1.1 Session startup Endpoint problem determination process 144 Figure 5-1 Endpoint problem determination flow Tivoli Management Framework Maintenance and Troubleshooting Guide Page Tivoli Management Framework Maintenance and Troubleshooting Guide TFST problem determinat ion process 148 Figure 5-2 TFST problem determination flow Page Page RC Proxy problem determination process 152 Figure 5-3 RC Proxy problem determination flow Page Page 5.1.2 Session management IBM Tivoli Remote Control Use rs Guide 5.2 Troubleshooting the Remote Control Proxy 5.2.1 The rcproxy.log file Page Page 5.2.2 The remcon.trc Controller trace file Page 5.3 Troubleshooting examples 5.3.1 Case 1: Controller not connecting to Target Proxy Example 5-5 The Target Proxy log file Both logs show that the Proxy communication is working. Example 5-6 The Controller Proxy log file Page 5.3.2 Case 2: Target Proxy service is not active 164 Example 5-10 The Relay log file Example 5-11 The Gateway Proxy log file Page 166 Example 5-13 The Relay log file (instance used by remote control proxies) Example 5-14 The Controller Proxy log file 5.3.3 Case 3: Wrong Proxy configuration Page Page Page 5.4 Troubleshooting the firewall Page Page Page A Introduction Components of TFST Endpoint Proxy Gateway Proxy Relay Tivoli environments with single firewall Tivoli environments with multiple firewalls Sending events across firewalls Installation and configuration of TFST Installation of TFST Installing the Endpoint Proxy Installing the Gateway Proxy Installing Relay instances Configuration of TFST Configuring the Endpoint Proxy Endpoint Proxy Firewall Security Communication Layer Configuring Gateway Proxy Gateway-Proxy Firewall Security Communication-layer Firewall Secur ity Configuring the Relay Relay Firewall Security Toolbox User s Firewall Security Communication layer Configuring the Event Sink Firewall Security Toolbox User s SENDING RECEPTION EIF TFST components and operations Port range configurations Effective Utilization of TFST across firewalls Page Page Introduction Functionality of a firewall Firewall tools Packet filters Stateful packet filtering Proxy servers Socks Authentication Security Dynamics SecurID token SecureWay Policy Director integration with firewall DNS and mail gateways Network address translation (NAT) Virtual Private Networks Log management Firewalls in the market Page Abbreviations and acronyms 198 Related publications IBM Redbooks Other publications Building Internet Firewalls Online resources How to get IBM Redbooks Index Numerics A B C J K L M N S T U V W Page Page Page Page INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION Implementing IBM Tivoli Remote Control Across Firewalls Back cover