48 IBM Tivoli Remote Control Across Firewalls
name of the Gateway Proxy which the Target is connected to. As the
RC Controller Proxy must be installed on the same machine as the
Gateway Proxy, the RC Target Proxy is able to connect to this RC
Controller Proxy and forward the Target request using the Gateway
Proxy IP Address provided by the Endpoint Proxy. The RC Controller
Proxy then uses the Target information stored in the first request to
start a session with the Target.
The Remote Control session is now established. It is important to
note that once the session is established, the Controller talks directly
with the Target, but the communication is no longer peer-to-peer
(Controller-Target), because the communication flow must always
go through the Remote Control Proxies.
The Target listens on the port defined in the rc_def_ports policy.
On the Controller side, by default, the port is assigned by the
communication stack. However, these ports can easily be changed
by configuring the rc_def_ports Remote Control policy. The RC
Target Proxy and the RC Controller Proxy listen on the port
defined during the installation process. The port specified in the
rc_def_proxy policy must be the same as the one defined during the
installation process of the RC Target Proxy. The configuration of
these RC Proxies ports can be reviewed by editing the rcproxy.cfg
configuration file. However, if you decide to change this port, you
also need to review the rc_def_proxy policy. For more information
about the RC Proxies configuration files, refer to IBM Tivoli Remote
Control User’s Guide, SC23-4842.
In the scenario depicted in Figure 1-8 on page 46, there are two
firewalls separating the standard Tivoli environment from the distant
Endpoints. To let the RC Target Proxy, which needs to be in the
same network zone as the Controller, communicate with the RC
Controller Proxy, which needs to be close to the Target, a second
instance of a Relay is needed. Its role is just to forward the packets to
the final destination between the different network zones. Multiple
Relays can be chained to cross multiple secure zones. The
Relay is not a Remote Control component; it is a Tivoli Firewall
Security Toolbox component. In fact, one instance of the Relay is needed to
manage the network flow between the Endpoint Proxy and the Gateway
Proxy, and another instance of the same Relay needs to be installed
on the same machine as the first Relay instance to manage the
network flow between the Remote Control Proxies.
In order to implement the Remote Control session to use Remote Control
Proxies, the rc_def_proxy default policy method needs to be configured, for
instance, as shown in Example 1-18.