Managing your HP servers through firewalls with HP SIM (481364-002, February 2008)

anyone compromises the DMZ network, he or she cannot compromise the iLO network. This
architecture permits administrators to use iLO on servers located in the DMZ, or in the internal
network, without the risk of compromising sensitive data. This separation is accomplished through the
use of a dedicated NIC or the iLO 2 Shared Network Port with its Virtual Local Area Network (see the
paper titled “HP Integrated Lights-Out security technology” available at
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf for
more information).
For best protection of the servers operating inside the DMZ, administrators should set the SNMP trap
destinations to the loopback address and enable the SNMP pass-through in iLO 2 so that SNMP
traps are routed onto the iLO management network. While this SNMP pass-through option does not
enable all management functions, it allows for passing status, inventory, and fault information to HP
Systems Insight Manager or another SNMP-capable management application. This option has the
benefit of being very secure because the host operating system does not recognize the Lights-Out
product as a NIC.
Asset Management
With HP Systems Insight Manager installed on the secondary management network, system
administrators can collect system asset information from a ProLiant server on that management
network through the iLO 2 pass-through. As a second option, administrators can browse to the System
Management Homepage (https://servername:2381/) and manually view the asset information.
The Appendix to this paper describes the procedure for configuring a separate management network.
When using SNMP management protocols, SNMP should be configured to accept packets only from
the IP addresses used on the management network, or SNMP should be bound to the secondary
network interface (if the operating system allows this). The HP Insight Management Agents should be
configured to allow access only from IP addresses on the management network. HP Systems Insight
Manager should be configured to discover the systems on the secondary network. WMI and WBEM
can be disabled on the primary network by configuring a firewall on the system to disable each of the
protocols on the primary NIC.
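As an added illustration that is not part of the HP paper, the following Python script audits a Net-SNMP snmpd.conf fragment against the three SNMP rules given here and in the iLO 2 pass-through discussion above: trap destinations on the loopback address, the agent bound to the secondary (management) NIC, and communities restricted to management-network sources. Net-SNMP directive syntax is assumed (the paper names no particular SNMP agent); the addresses and community string are constructed.

```python
import ipaddress

MGMT_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed management network
MGMT_IP = ipaddress.ip_address("192.0.2.10")     # constructed address of the server's secondary NIC
# Constructed 'before' config: listens on every interface, accepts any source, sends traps off-box.
WEAK_CONF = "agentaddress udp:161\nrocommunity mgmt-ro\ntrapsink 203.0.113.5 mgmt-ro\n"
# Constructed 'after' config following the paper's three rules.
HARDENED_CONF = """agentaddress udp:192.0.2.10:161     # bound to the management NIC only
rocommunity mgmt-ro 192.0.2.0/24    # queries accepted only from the management network
trap2sink 127.0.0.1 mgmt-ro         # loopback: iLO 2 pass-through forwards the trap
"""
def _directives(conf):
    """Yield (directive, args) for each non-blank, non-comment line of snmpd.conf."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0].lower(), parts[1:]
def _ip(text):
    """Parse an address; None when text is not one (a port, a transport name, 'default')."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None
def _bind_address(endpoint):
    """Address in an IPv4 spec such as 'udp:192.0.2.10:161'; None for 'udp:161' (all interfaces)."""
    return next((ip for ip in map(_ip, endpoint.split(":")) if ip is not None), None)
def _source_ok(source, mgmt_net):
    """True only if a community source (address or CIDR) lies inside the management network."""
    try:
        return ipaddress.ip_network(source, strict=False).subnet_of(mgmt_net)
    except (ValueError, TypeError):  # 'default', a hostname or another IP version: flagged
        return False
def audit(conf, mgmt_net=MGMT_NET, mgmt_ip=MGMT_IP):
    """Return one finding per directive that breaks a rule; [] means the config complies."""
    findings = []
    for directive, args in _directives(conf):
        if directive in ("trapsink", "trap2sink", "informsink"):
            dest = _ip(args[0]) if args else None
            if dest is None or not dest.is_loopback:
                findings.append(f"{directive}: destination is not the loopback address")
        elif directive == "agentaddress":
            for endpoint in ",".join(args).split(","):
                addr = _bind_address(endpoint)
                if addr is None or not (addr == mgmt_ip or addr.is_loopback):
                    findings.append(f"agentaddress: {endpoint} is not bound to the management NIC")
        elif directive in ("rocommunity", "rwcommunity"):
            if len(args) < 2 or not _source_ok(args[1], mgmt_net):
                findings.append(f"{directive}: {args[0]} is not restricted to the management network")
    return findings
```

Running `audit(WEAK_CONF)` yields three findings, one per rule, while `audit(HARDENED_CONF)` returns an empty list.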
Fault Management
SNMP traps can be forwarded through the Lights-Out interface on ProLiant servers. This allows full
fault management data to flow into HP Systems Insight Manager or another management product
(such as HP OpenView Network Node Manager).
The Insight Agents for Microsoft Windows also create Windows Event Log entries. A management
tool such as HP OpenView Operations or Microsoft Operations Manager operating in the same
environment can then collect the log entries and send them back to a centralized server. The Insight
Agents for Linux also create entries in the syslog. Administrators can write a script to look for these
entries and take appropriate action.
Case 3: managing through a firewall using a single network
In other computing environments, a firewall commonly separates the central management server
(CMS) and the managed server. In such an environment (Figure 3), two networks are given different
levels of trust. For example, the managed server may be in a DMZ, while the CMS resides in a more
trusted portion of the intranet. The firewall is used to control traffic between these two networks. The
firewall permits the exchange of only specific types of traffic between specific systems.