Chapter 1. Remote Control sessions overview 53
Gateway Proxy to which the Target is connected. As the RC
Controller Proxy must be installed on the same machine as the
Gateway Proxy, the RC Target Proxy is able to connect to this RC
Controller Proxy and forward the Target request using the Gateway
Proxy Address provided by the Endpoint Proxy. The RC Controller
Proxy uses the Target information stored in the first request to start a
session with the Target.
The Remote Control session is now established. It is important to
note that once the session is established, the Controller talks directly
with the Target, but it’s NOT a peer-to-peer communication
(Controller-Target) anymore, as the communication flow must always
go through the Remote Control Proxies.
The Target listens on the port defined in the rc_def_ports policy.
On the Controller side, by default, the port is assigned by the
communication stack. However, these ports can easily be changed
by configuring the rc_def_ports Remote Control policy. The RC
Target Proxy and the RC Controller Proxy listen on the port
defined during the installation process. The port specified in the
rc_def_proxy policy must be the same as the one defined during the
installation process of the RC Target Proxy. The port configuration
of these RC Proxies can be reviewed by editing the rcproxy.cfg
configuration file. However, if you decide to change this port, you
also need to review the rc_def_proxy policy. For more information
about the RC Proxies configuration files, refer to IBM Tivoli Remote
Control User’s Guide, SC23-4842.
In the situation depicted in Figure 1-9 on page 51, there are two
firewalls separating the standard Tivoli environment from the distant
Endpoints. To let the RC Target Proxy (which needs to be in the
same network zone as the Controller) communicate with the RC
Controller Proxy (which needs to be close to the Target), a second
instance of the Relay is needed. Its role is just to forward packets
between the different network zones to the final destination. Multiple
Relays can be chained to cross multiple secure zones. The
Relay is not a Remote Control component; it is a Tivoli Firewall
Security Toolbox component. In fact, one instance of the Relay is
needed to manage the network flow between the Endpoint Proxy and
Gateway Proxy, and another instance of the same Relay needs to be
installed on the same machine as the first Relay instance to manage
the network flow between the Remote Control Proxies.
In order to implement the Remote Control session to use Remote Control
Proxies, the rc_def_proxy default policy method needs to be configured as
shown in Example 1-18 on page 49. This has to be done in the Spoke TMR
where the Remote Control Object is located.