Managing HP Servers through Firewalls with Insight Management 7.0

Case 3: Managing through a firewall using a single network
In other computing environments, a firewall commonly separates the central management server
(CMS) and the managed server. In such an environment (Figure 3), two networks are given different
levels of trust. For example, the managed server may be in a DMZ, while the CMS resides in a more
trusted portion of the intranet. The firewall is used to control traffic between these two networks. The
firewall permits the exchange of only specific types of traffic between specific systems.
In some situations, the firewall may simply restrict communication between specific IP addresses; for example, it may allow any IP packets to be exchanged between the managed system and the CMS. Because IP source addresses (and the host names that resolve to them) can be spoofed, a stricter policy is to permit only connection-oriented protocols such as TCP, whose handshake makes it impractical for a sender to forge its address, and to deny connectionless traffic.
In this case study, we assume that the firewall is configured to allow only requests from the CMS to the managed server and the responses returned to them. In practice this means the firewall will not permit UDP: with no connection state to track, a filter cannot tell a legitimate UDP response apart from an unsolicited or spoofed inbound packet. Only specific TCP ports are opened, possibly with additional filtering on the type of traffic they carry.
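To make the "requests from the CMS and their responses only" policy concrete, here is an added example (not part of the HP paper and not HP's code) of a minimal stateful packet filter. It admits a new TCP session only when the CMS opens it to an allowed port on the managed server, admits later packets in either direction only when they belong to a session it has seen, and rejects UDP outright because there is no handshake to tie a "response" to a request. The addresses, port list and the packets fed through it are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed topology: CMS on the trusted intranet, managed server in the DMZ.
CMS_IP = "10.0.1.10"           # assumed CMS address
MANAGED_IP = "192.168.5.20"    # assumed managed-server address
ALLOWED_TCP_PORTS = {80, 443, 2381}  # assumed management ports opened on the firewall


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN without ACK: a new TCP connection attempt
    ack: bool = False


class StatefulFilter:
    """Tracks TCP sessions by the initiator's 4-tuple and filters on that state."""

    def __init__(self):
        self.flows = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            # Connectionless traffic carries no state a filter can check, so a forged
            # "response" is indistinguishable from a real one; the policy drops it.
            return "drop:udp"
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack:
            # Only the CMS may open a session, and only to the allowed ports.
            if pkt.src == CMS_IP and pkt.dst == MANAGED_IP and pkt.dport in ALLOWED_TCP_PORTS:
                self.flows.add(fwd)
                return "accept:new"
            return "drop:new-not-from-cms"
        # Non-SYN packets pass in either direction only for a session the CMS opened.
        if fwd in self.flows or rev in self.flows:
            return "accept:established"
        return "drop:no-state"


def run_demo():
    """Feeds constructed packets through the filter and returns the decisions in order."""
    fw = StatefulFilter()
    packets = [
        Packet("tcp", CMS_IP, 40000, MANAGED_IP, 80, syn=True),            # CMS opens a session
        Packet("tcp", MANAGED_IP, 80, CMS_IP, 40000, syn=True, ack=True),  # SYN/ACK back to the CMS
        Packet("tcp", MANAGED_IP, 50000, CMS_IP, 22, syn=True),            # DMZ host tries to reach the CMS
        Packet("tcp", MANAGED_IP, 80, CMS_IP, 40001, ack=True),            # forged "response", no handshake
        Packet("udp", CMS_IP, 50001, MANAGED_IP, 161),                      # SNMP over UDP
        Packet("tcp", CMS_IP, 40002, MANAGED_IP, 23, syn=True),            # port not on the allow-list
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The forged packet in the fourth position is the case the text is guarding against: it carries the managed server's address and a plausible source port, but because the CMS never opened that session the filter has no matching state and drops it.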
Figure 3 Firewall separating central management server from managed server
Asset Management
HP Insight Management provides asset management services by first discovering and identifying the
managed systems, gathering data from instrumentation running on each managed system, storing this
data in a SQL database, and finally providing reporting capabilities on this gathered data. These
steps require communication between the CMS and managed system as described in the following
paragraphs.
First, the managed systems and the instrumentation running on them must be identified. HP Insight
Management offers an automatic discovery mechanism using an IP ping sweep, or administrators can
manually add systems by name or address. In either case, the CMS first attempts to contact the
managed system with a ping; if this fails, no further requests are sent to the system.
HP Insight Management normally uses an ICMP echo to ping a system; however, some network
administrators block ICMP at the firewall. In this situation, the administrator can configure HP
Insight Management to use a TCP port to ping systems. Port 80 is used by default, but an alternative
port may be specified in a configuration file. The target system need not be actively listening on the
chosen port, since a TCP reset from a closed port is still a reply that proves the host is up, but the
firewall must be configured to allow these requests to pass; if it silently drops them, the probe times
out and the system is treated as unreachable.
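The following is an added example (not part of the HP paper and not HP's code) of the TCP-port liveness probe just described. It connects to the chosen port with a timeout and classifies the outcome the way a discovery step needs to: a completed connection or a connection refused (a TCP reset) both mean the host answered, while a timeout means either the host is down or a firewall is dropping the probe. The demo uses a throw-away listener on 127.0.0.1 as a stand-in for a managed server, so it runs offline; the default port of 80 follows the text, the verdict strings are my own.

```python
import socket


def tcp_ping(host: str, port: int = 80, timeout: float = 2.0) -> str:
    """Probe one TCP port and return a liveness verdict rather than a bare success flag."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "alive:listening"          # SYN/ACK received: host up, service present
        except ConnectionRefusedError:
            # A TCP reset came back: nothing listens here, but the host (and the path
            # through the firewall) answered, which is all discovery needs.
            return "alive:closed"
        except socket.timeout:
            # No SYN/ACK and no reset: host down, or the firewall silently drops the probe.
            return "no-answer:filtered-or-down"
        except OSError as e:
            # e.g. network unreachable: the probe never left, so say nothing about the host
            return f"error:{e.strerror}"


def demo() -> dict:
    """Exercise both 'alive' outcomes against the local host; returns the verdicts."""
    results = {}
    # Case 1: a local listener stands in for a managed server with a service on the probed port.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        results["listening"] = tcp_ping("127.0.0.1", port, timeout=1.0)
    # Case 2: the same port once the listener is gone; the host answers with a reset.
    results["closed"] = tcp_ping("127.0.0.1", port, timeout=1.0)
    return results


if __name__ == "__main__":
    print(demo())
```

When running this against a real managed server behind the firewall from the text, the only verdict that should change is the last one: a port the firewall filters produces "no-answer:filtered-or-down" after the timeout, which is why the firewall rule for the ping port must exist even if nothing listens on it.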