Software Distributor: Firewall Configuration Cookbook

1 Introduction
This document describes how to configure an existing SD environment to work across a firewall.
This procedure has been verified and implemented across a real firewall and is known to work.
This document is applicable to any site that wants to install software to an external firewall
system from an internal depot. When using this document, please verify all security procedures
are observed and properly implemented to avoid any security exposure. It is highly recommended
to use a DMZ style firewall configuration if possible to reduce unauthorized access to your
internal systems.
For purposes of this discussion, the following system configuration is being used.
<-------- Inside Firewall -----|----- Outside Firewall ------>
                               |
 ------------              ------------              ---------------
|            |            |            |            |               |
|  SystemA   |------------|  Firewall  |------------|    SystemB    |
|  (agent)   |            |            |            |  (controller) |
 ------------              ------------              ---------------
      /                        |
   __/_____                    |
  ( DepotA )                   |
   --------                    |
                               |
<-------- Inside Firewall -----|----- Outside Firewall ------>
Network Configuration Notes
1. SystemA is inside the firewall and can have a class A, B, or C address.
2. SystemB is outside the firewall and can have a class A, B, or C address.
3. The firewall has restrictions on all ports and requires any access to be explicitly defined.
4. SystemB will act as the SD controller. This is the external system where the swlist, swcopy, or swinstall command will be executed.
5. SystemA will act as the SD agent. This is the internal system where the depots exist and the swagentd daemon process runs.
SD Background
To understand the configuration that needs to be done, it is important to understand how
SD uses DCE/RPC ports to establish and complete communication between agent and controller.
In this explanation, it is assumed that the controller is initiating a command such as swlist,
swcopy, or swinstall to an SD agent.
The sequence of steps that occurs when an SD controller and agent communicate is as follows:
1. A controller process such as swlist, swcopy or swinstall is executed on SystemB.
2. The swagentd on SystemA responds on the controller initiating port.
3. The swagentd on SystemA spawns a swagent process that uses DCE/RPC to dynamically choose a new port on SystemA, and it listens on the new port.
4. The swagentd on SystemA sends the controller on SystemB the new port the agent is listening on.
5. The swagentd on SystemB spawns a swagent to communicate with the SystemA swagent using the new port.
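The five steps above are what makes SD awkward to pass through a firewall that denies every port not explicitly defined: the port chosen in step 3 is not known in advance, so a rule that only opens the daemon's well-known port lets step 1 succeed and then silently breaks step 5. The following simulation, added here as an illustration and not part of the original cookbook or of HP's SD code, plays both sides of the exchange on the loopback interface with threads standing in for SystemA and SystemB. The daemon port, the message format ("PORT <n>") and the firewall model (a single allowed inbound port range) are constructed for the demo; the page does not state the real swagentd port number or wire format.

```python
"""Loopback simulation of the SD controller/agent dynamic-port exchange.

Added example, not HP SD code. Constructed assumptions:
- the agent daemon's well-known port is whatever the OS hands out (placeholder
  for the real swagentd port, which the page does not state);
- the wire format is a one-line "PORT <n>" message (constructed, not SD's RPC);
- the firewall is modelled as one inclusive range of TCP ports allowed inbound
  to SystemA, everything else being denied.
"""
import socket
import threading

HOST = "127.0.0.1"


def firewall_allows(port, allowed_range):
    """Deny-by-default firewall: only ports inside allowed_range may be reached."""
    lo, hi = allowed_range
    return lo <= port <= hi


def agent_daemon(listener, spawned_ports):
    """SystemA side (steps 2-4): accept the controller on the well-known port,
    spawn a 'swagent' listening on a freshly chosen port, and report that port
    back to the controller. The spawned agent then waits for the controller."""
    conn, _ = listener.accept()
    with conn:
        request = conn.recv(64)                  # e.g. b"swlist"
        agent_sock = socket.socket()
        agent_sock.bind((HOST, 0))               # OS picks the dynamic port
        agent_sock.listen(1)
        new_port = agent_sock.getsockname()[1]
        spawned_ports.append(new_port)
        conn.sendall(f"PORT {new_port}\n".encode())
        agent_sock.settimeout(2)                 # give up if nobody arrives
        try:
            c2, _ = agent_sock.accept()          # step 5 lands here
            with c2:
                c2.sendall(b"OK " + request)
        except socket.timeout:
            pass                                 # firewall dropped step 5
        finally:
            agent_sock.close()


def run_exchange(command, allowed_range):
    """SystemB side: run one controller command against the simulated agent.

    Returns (daemon_port, dynamic_port, reply). reply is None when the firewall
    model blocks the controller's connection to the dynamically chosen port.
    The well-known daemon port is treated as explicitly allowed (step 1)."""
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    daemon_port = listener.getsockname()[1]
    spawned = []
    worker = threading.Thread(target=agent_daemon, args=(listener, spawned))
    worker.start()

    # Step 1: controller reaches the daemon on its well-known port.
    with socket.create_connection((HOST, daemon_port)) as ctl:
        ctl.sendall(command.encode())
        with ctl.makefile("r") as rd:
            line = rd.readline()                 # step 4: "PORT <n>"
    dynamic_port = int(line.split()[1])

    # Step 5: only possible if the firewall lets the new port through.
    reply = None
    if firewall_allows(dynamic_port, allowed_range):
        with socket.create_connection((HOST, dynamic_port)) as agent:
            reply = agent.recv(64).decode()
    worker.join()
    listener.close()
    return daemon_port, dynamic_port, reply


if __name__ == "__main__":
    # Firewall opened for every port: the exchange completes.
    print(run_exchange("swlist", (1, 65535)))
    # Firewall with only the daemon port defined: step 5 never connects.
    print(run_exchange("swlist", (0, 0)))
```

Running it prints a completed reply ("OK swlist") for the permissive range and None for the restrictive one; the second case is the failure a site hits when only the daemon's port is opened, and it is why the rest of the cookbook concentrates on pinning down the port the spawned agent will use.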
Introduction 5