IBM 3.8 Unidirectional communication without Relay

62 IBM Tivoli Remote Control Across Firewalls

Regarding the network communication for IBM Tivoli Remote Control, it is

important to notice that the communication pipe between the RC Proxies is

always opened and started as soon as the local RC Proxies services are started.

If a Relay is part of the architecture, the communication pipes between the RC

Proxies and the Relay are also always opened and started at the service star tup

time. The communication channels between the RC Controller and the RC

Target Proxy and between the RC Target and the RC Controller Proxy are

opened only when the remote session is star ted.

Unidirectional communication without Relay

Table2-1 provides an exhaustive list of communication ports required to allow

the RC Controller to communicate with the RC Target located in another network

zone using a unidirectional communication type between the RC Proxies. In this

situation, the Parent Proxy, which is the RC Target Proxy, is the

initiator

. The

comments following the table refer to the numbered notes inside the table.

Note: The information provided in the following tables could be used to

configure the filtering rules of the firewall.

Note: The following sections mainly provide information about the Remote

Control Proxies network communication. These communications are the same

even if the Remote Control Proxy is a Standalone or a Non-Standalone

solution. However, the information provided could also help you to understand

the network communication between an Endpoint Proxy and a Gateway

Proxy, as the Proxy concept is almost the same for the both products.

Furthermore, as the Proxy configuration files are the same, you could replace

the RC Target Proxy by the Endpoint Proxy and the RC Controller Proxy by

the Gateway Proxy in the sections below. However, you will find more

information about the Endpoint Proxy/Gateway Proxy communication in the

redbook,

Tivoli Enterprise Management Across Firewalls

, SG24-5510 .

Note: In order to better explain the different ports used by IBM Tivoli Remote

Control, we assume that the RC Target Proxy is the Parent Proxy and that the

RC Controller Proxy is the Child Proxy. However, the communications ports

concept will work the same if the RC Target Proxy is installed on the Child

Proxy and the RC Controller Proxy on the Parent Proxy.

Contents

Main Page Page Page Contents Page Page Page Figures Page Table s Page Examples Page Notices xiv Trademarks Preface The team that wrote this redbook Become a published author Comments welcome Page Page Page overview 1.1 IBM Tivoli Remote Control overview 1.1.1 IBM Tivoli Management Framework components Page Page Tivoli Management Framework Planning for Deployment Guide 1.1.2 IBM Tivoli Remote Control components 1.1.3 Tivoli components and communication symbols Page 1.1.4 Parent-Child concept 1.1.5 Proxy connection types Listener 1.2 IBM Tivoli Remote Control sessions overview Tivoli Management Framework Planning for Deployment Guide mode IBM Tivoli Remote Control Users 1.2.1 Session in a single-TMR environment Data flow for single-TMR session Page Tracing for single-TMR session Page Page Page Page 1.2.2 Session in a multi-TMR environment Tivoli Management Framework Planning for Deployment Guide Data flow for a multi-TMR session Page Page Tracing for a multi-TMR session Page 26 Page Page Page 30 Example 1-12 The nd_start_controller method from a HUB TMR 1.2.3 Session using a Remote Control Gateway Data flow for RC Gateway/single-TMR session Page Page 34 echo "YES tic01002 8877 64 IP:0" exit 0 Data flow for an RC Gateway/multi-TMR session Figure 1-5 RC session data flow in an RC Gateway/multi-TMR environment 1.2.4 Session using Remote Control Proxies Standalone Data flow for RC Proxy Standalone/single-TMR session Page Page Data flow for an RC Proxy Standalone/multi-TMR session Page Page Tra cin g for RC Proxy Standalone Example 1-15 The is_proxied_ep method for an RC Proxy Standalone architecture Example 1-16 The nd_start_target method for an RC Proxy Standalone architecture Page 1.2.5 Session using Data flow for RC Proxy-TFST/single-TMR session Page Page Page Example 1-18 The rc_def_proxy default policy method for Remote Control Data flow for RC Proxy-TFST/multi-TMR session Chapter 1. Remote Control sessions overview 51 Figure 1-9 RC session data flow in an RC Proxy-TFST/multi-TMR environment Page Page Tra cin g for RC Proxy-TFST Page 56 Page 2.1 Design Tivoli Management Framework Planning for Deployment Guide 2.1.1 Logical design 2.1.2 Physical design Page 2.1.3 Network considerations Unidirectional communication without Relay Tivoli Enterprise Management Across Firewalls initiator Page listener Unidirectional communication with Relay initiator Page listeners . The comments following the table refer to the numbered notes inside the table. Table 2-4 RC ports for unidirectional communication - Relay - Parents/listeners Page Bidirectional co mmunication without Relay Table 2-5 RC ports for bidirectional communication Bidirection al communication wit h Relay Table 2-6 RC ports for bidirectional communication with Relay Page 2.2 Planning for IBM Tivoli Remote Control Proxy 74 Figure 2-1 Planning overview for RC Proxy in a Standalone environment Phase 1 Phase 2 Phase 3a Phase 3b Figure 2-2 Planning overview for Remote Control Proxy in a TFST environment Phase 1 Phase 2 Phase 3a Phase 3b Phase 4a Supporting applications requirements Hardware requirements Software requirements Information you will need for the installation Page Page 2.3 Implementation planning case study scenario IBM Tivoli Remote Control Users Guide Implementation planning case study overview Page Implementation Planning Case Study: Solution A Page Page Page Table 2-10 RC Proxy network ports for firewall 2 - Solution A Table 2-11 RC Proxy network ports for firewall 3 - Solution A Implementation Planning Case Study: Solution B must Tivoli Enterprise Management Across Firewalls 90 Note that the ports provided in these tables are examples specific to this case study scenario. Table 2-14 RC Proxy network ports for firewall 3 - Solution B Table 2-12 RC Proxy network ports for firewall 1 - Solution B Table 2-13 RC Proxy network ports for firewall 2 - Solution B Page Page Standalone Proxies 3.1 Scenario overview Tivoli Enterprise Management Across Firewalls 3.2 Environment description 3.2.1 Technical infrastructure Page Page Page 3.2.2 Data flow description Page 3.3 Scenario installation and configuration 3.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution Page Table 3-2 RC Controller Proxy settings 3.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The rcproxy.route routing table configuration file The rc_def_proxy policy method 108 3.3.3 Firewall configuration table Figure 3-4 Remote Control Data Flow Overview Table 3-3 Scenario firewall configuration table The schema provided in the previous table would allow for a data flow shown in Figure3-4. 3.3.4 Remote Control Proxy startup IBM Tivoli Remote Control Us ers Page Example 3-13 The rcproxy.log: RC Controller Proxy log file Example 3-14 The netstat output collected on the RC Target Proxy 112 Example 3-15 The netstat output collected on the Controller Proxy Page Page Tivoli Firewall Security Toolbox 4.1 Scenario overview 4.2 Environment description 4.2.1 Technical infrastructure 118 Figure 4-1 General TFST testing scenario Page 120 Figure 4-2 Remote Control Proxy Implementation in a TFST environment 4.2.2 Data flow description Page Page 4.2.3 Firewall configuration tables 4.3 Scenario installation and configuration 4.3.1 Remote Control Proxy installation IBM Tivoli Configuration Manager Users Guide for Software Distribution RC Target Proxy installation Relay instance used by Remote Control RC Controller Proxy installation 4.3.2 Remote Control Proxy configuration The rcproxy.cfg configuration file Page The Relay.cfg configuration file The rc_def_proxy policy method 4.3.3 Remote Control Proxy startup 134 Example 4-8 shows the Relay log file. Example 4-8 The Relay.log: Relay log file contents Example 4-9 shows the RC Controller Proxy log file. Example 4-9 The rcproxy.log: RC Controller Proxy log file Example 4-11 shows the output of the netstat -a command on the Relay. Example 4-11 The netstat output collected on the Relay Page Page Page Page Page Page 5.1 Generic problem determination outline 5.1.1 Session startup Endpoint problem determination process 144 Figure 5-1 Endpoint problem determination flow Tivoli Management Framework Maintenance and Troubleshooting Guide Page Tivoli Management Framework Maintenance and Troubleshooting Guide TFST problem determinat ion process 148 Figure 5-2 TFST problem determination flow Page Page RC Proxy problem determination process 152 Figure 5-3 RC Proxy problem determination flow Page Page 5.1.2 Session management IBM Tivoli Remote Control Use rs Guide 5.2 Troubleshooting the Remote Control Proxy 5.2.1 The rcproxy.log file Page Page 5.2.2 The remcon.trc Controller trace file Page 5.3 Troubleshooting examples 5.3.1 Case 1: Controller not connecting to Target Proxy Example 5-5 The Target Proxy log file Both logs show that the Proxy communication is working. Example 5-6 The Controller Proxy log file Page 5.3.2 Case 2: Target Proxy service is not active 164 Example 5-10 The Relay log file Example 5-11 The Gateway Proxy log file Page 166 Example 5-13 The Relay log file (instance used by remote control proxies) Example 5-14 The Controller Proxy log file 5.3.3 Case 3: Wrong Proxy configuration Page Page Page 5.4 Troubleshooting the firewall Page Page Page A Introduction Components of TFST Endpoint Proxy Gateway Proxy Relay Tivoli environments with single firewall Tivoli environments with multiple firewalls Sending events across firewalls Installation and configuration of TFST Installation of TFST Installing the Endpoint Proxy Installing the Gateway Proxy Installing Relay instances Configuration of TFST Configuring the Endpoint Proxy Endpoint Proxy Firewall Security Communication Layer Configuring Gateway Proxy Gateway-Proxy Firewall Security Communication-layer Firewall Secur ity Configuring the Relay Relay Firewall Security Toolbox User s Firewall Security Communication layer Configuring the Event Sink Firewall Security Toolbox User s SENDING RECEPTION EIF TFST components and operations Port range configurations Effective Utilization of TFST across firewalls Page Page Introduction Functionality of a firewall Firewall tools Packet filters Stateful packet filtering Proxy servers Socks Authentication Security Dynamics SecurID token SecureWay Policy Director integration with firewall DNS and mail gateways Network address translation (NAT) Virtual Private Networks Log management Firewalls in the market Page Abbreviations and acronyms 198 Related publications IBM Redbooks Other publications Building Internet Firewalls Online resources How to get IBM Redbooks Index Numerics A B C J K L M N S T U V W Page Page Page Page INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION Implementing IBM Tivoli Remote Control Across Firewalls Back cover