Chapter 1. Remote Control sessions overview 47
Endpoint Communication Protocol packets. In a TFST environment,
these packets are encapsulated by the Endpoint Proxy inside
common HTTP packets. HTTP has been chosen because it is a
“firewall friendly” protocol. The packets are then rebuilt into the Tivoli
proprietary communication protocol by the Gateway Proxy to let the
distant Targets understand the order to start an RC session.
When the request arrives from the standard Tivoli environment, it
contains the label of the distant Endpoint, which is the Target in this
case. The Endpoint Proxy maintains its own Endpoint Database, where
key information about each distant Endpoint is stored, notably its
Gateway Proxy. Using this information, the Endpoint Proxy is able to
forward the request to the correct Gateway Proxy, which finally
forwards it to the Endpoint.
In the situation depicted in Figure 1-8 on page 46, there are two
firewalls separating the standard Tivoli environment from the distant
Endpoints. To let the Endpoint Proxy, which needs to be in the same
network zone as the Tivoli Endpoint Gateway, communicate with
the Gateway Proxy, which needs to be close to the distant Endpoints,
a second instance of the Relay is needed in the zone between the
firewalls. Its role is just to forward the packets to the final destination
between the different network zones. Multiple Relays could be
chained to cross multiple secure zones.
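
The forwarding path described above, as an added example (a planning sketch, not Tivoli code and not from the original document): it looks up the Gateway Proxy for an Endpoint label, inserts a Relay for every intermediate zone, and lists the hops that cross a firewall. All node names, zone names and the one-firewall-per-hop check are assumptions made for illustration; which side initiates each connection is not modelled.

```python
from dataclasses import dataclass

# Zones ordered from the standard Tivoli environment outward (constructed);
# one firewall sits between each adjacent pair of zones.
ZONES = ["tivoli", "dmz", "remote"]

@dataclass(frozen=True)
class Node:
    name: str
    zone: str

def route(label, endpoint_proxy, endpoint_db, relays):
    """Hops for a request: Endpoint Proxy -> Relay(s) -> Gateway Proxy -> Endpoint."""
    gateway_proxy = endpoint_db.get(label)
    if gateway_proxy is None:
        raise KeyError(f"label {label!r} is not in the Endpoint Database")
    # Assumes the Gateway Proxy zone lies outward of the Endpoint Proxy zone.
    lo = ZONES.index(endpoint_proxy.zone)
    hi = ZONES.index(gateway_proxy.zone)
    path = [endpoint_proxy]
    # A Relay is required in every zone strictly between the two proxies.
    for zone in ZONES[lo + 1:hi]:
        relay = next((r for r in relays if r.zone == zone), None)
        if relay is None:
            raise ValueError(f"no Relay in zone {zone!r}: hop would span two firewalls")
        path.append(relay)
    # Assumption: the Endpoint sits in the same zone as its Gateway Proxy.
    return path + [gateway_proxy, Node(label, gateway_proxy.zone)]

def firewall_crossings(path):
    """(source, destination) pairs whose hop crosses exactly one firewall."""
    return [(a.name, b.name) for a, b in zip(path, path[1:])
            if abs(ZONES.index(a.zone) - ZONES.index(b.zone)) == 1]

# Constructed sample data mirroring the two-firewall situation in the text.
EP_PROXY = Node("endpoint-proxy", "tivoli")
ENDPOINT_DB = {"target-01": Node("gateway-proxy-a", "remote")}
RELAYS = [Node("relay-dmz", "dmz")]

if __name__ == "__main__":
    hops = route("target-01", EP_PROXY, ENDPOINT_DB, RELAYS)
    print(" -> ".join(n.name for n in hops))
    print(firewall_crossings(hops))
```

Each pair returned by `firewall_crossings` corresponds to one firewall that must pass traffic between exactly those two hosts, which is the list to compare against the rules actually deployed.
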
J. Both sessions on the Target and on the Controller are now started.
At this step, the Controller needs to establish the link to control the
Target. The rc_def_proxy policy has been configured to force the
usage of the Remote Control Proxies and the Remote Control Server
has been informed of that in step E. The Remote Control Server then
has informed the Controller (step I) to use the RC Target Proxy in
order to contact the Target. The Controller is now able to transfer the
connection request to the RC Target Proxy.
As only the RC Target Proxy port is defined in the rc_def_proxy
policy in an auto mode, the Controller only receives the address of
the Endpoint Proxy. As the RC Target Proxy must be installed on the
same machine as the Endpoint Proxy, the Controller can forward the
Target request to the RC Target Proxy using the address of the
Endpoint Proxy.
When the Target Proxy receives the request, it needs to find which
RC Controller Proxy the Endpoint is attached to. In a Tivoli Firewall
Security Toolbox environment, the Endpoint Proxy is in charge of
managing the key information of the Endpoint. To know the right path
to contact the Target, the RC Target Proxy needs to ask the Endpoint
Proxy for this information. The Endpoint Proxy provides the host