3.3.6.2.  Solutions for Operating Through a Firewall
SSM can operate through a firewall in three different ways:
• The hpssgui and hpssadm can use ports exempted by the network administrator as firewall exceptions.  See the -n option described in the hpssgui and hpssadm man pages.
• The hpssgui and hpssadm can contact the System Manager across a Virtual Private Network (VPN) connection.  See the -p and -h options described in the hpssgui and hpssadm man pages.
• The hpssgui and hpssadm can contact the System Manager across an ssh tunnel.  See the instructions for tunneling in the hpssgui man page.
The firewall exception is the simplest of these.  However, security organizations are not always willing to grant exceptions.
The VPN option is usually simple and transparent regardless of how many ports are needed, but it requires the site to support VPN.  The site must also allow VPN users access to the ports listed in Section 3.3.6.1 The Firewall Problem on page 44; not all sites do.
The ssh tunneling option has the advantage that it can be used almost anywhere at no cost.  It has the disadvantage that the tunnel essentially creates its own firewall exception.  Some security organizations would rather know about every application coming through the firewall and which ports it uses than have users create exceptions themselves without the awareness of security personnel.  A second disadvantage of tunneling is that if a particular client machine is compromised, any tunnels open on that client could also be compromised; the client machine may become a point of vulnerability and a path to the other machines behind the firewall.  A third disadvantage is that tunneling can be complex to set up, requiring slight or significant variations at every site.
The firewall and tunneling options both benefit from reducing the number of ports required:
• The need for port 111 can be eliminated by making the System Manager listen on a fixed port.  To do this, set the HPSS_SSM_SERVER_LISTEN_PORT environment variable to the desired port and restart the System Manager.  Then use the -n option with the hpssgui and hpssadm startup scripts to specify this port.
• The need for port 88 can be eliminated only by avoiding Kerberos and using UNIX authentication.
• There is no way to eliminate the need for the port on which the System Manager listens.
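As an added illustration (not part of the HPSS guide), the POSIX shell script below works out which of the ports above still need a firewall exception for a given configuration, and checks from an `ss -ltn` listing on the System Manager host that the SM is really bound to the fixed port before any exception is requested.  The port number 9050, the function names and the sample socket listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the HPSS guide.  Assumes a Linux SM host where
# `ss -ltn` is available; port 9050 and the listing below are constructed.

# Print the ports that still need a firewall exception, one per line.
#   $1 = fixed SM listen port ("" if HPSS_SSM_SERVER_LISTEN_PORT is unset)
#   $2 = authentication mechanism: "krb5" or "unix"
ssm_required_ports() {
    fixed_port=$1; auth=$2
    # Without a fixed port the client must ask the portmapper (port 111)
    # where the System Manager is listening, and that SM port is dynamic.
    if [ -z "$fixed_port" ]; then
        echo 111
        echo "dynamic-sm-port"
    else
        echo "$fixed_port"
    fi
    # Kerberos authentication also needs the KDC port; UNIX auth does not.
    [ "$auth" = "krb5" ] && echo 88
    return 0
}

# Return 0 if a LISTEN socket on port $1 appears in the `ss -ltn` style
# listing read from stdin, 1 otherwise.  Anchors ":<port>" at the end of
# the local-address column so that 9050 does not match 19050 or 90500.
ssm_listening_on() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample output of `ss -ltn` on an SM host after setting
# HPSS_SSM_SERVER_LISTEN_PORT=9050 and restarting the System Manager.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      128    0.0.0.0:111        0.0.0.0:*
LISTEN  0      128    0.0.0.0:9050       0.0.0.0:*'

# Demo: fixed port plus UNIX authentication leaves a single exception.
ssm_required_ports 9050 unix
printf '%s\n' "$SAMPLE_SS" | ssm_listening_on 9050 && echo "SM bound to 9050"
```

On a live host replace the sample with `ss -ltn | ssm_listening_on "$HPSS_SSM_SERVER_LISTEN_PORT"`; a failure there means the SM restart did not pick up the variable and port 111 is still in play.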
3.3.6.3.  Example: Using hpssgui Through a Firewall
Here is an example of how a particular site set up their hpssgui SSM client sessions using krb5 authentication outside a firewall.  Many of the items are site specific, so modifications will need to be made to suit each site's specific needs.  Where this procedure would differ for a site using Unix authentication, the Unix instructions are also included.
At this site, VPN users were not allowed access to all the ports listed in Section 3.3.6.1 The Firewall Problem on page 44, so they had to use a combination of VPN and ssh tunneling.
• Create a directory on the client machine to hold the SSM client files.  It is recommended that a separate directory be created for each server hostname that the client will contact.
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 45