I recently worked on a project to replace the server availability monitoring solution for a client. Existing solution was based on a set of scripts that perform ping tests and once a failure is identified, an event would be sent to Netcool. There were some concerns with the solution and the most critical one was the fact that servers residing on internet-facing network were not being monitored because the script could not send events to Netcool environment located on internal network due to firewall restrictions that would block traffic between those two networks.

 

There was a Netcool/OMNIbus environment in place for the client, so the plan was to replace existing server availability monitoring with Netcool/OMNIbus Ping Probe component installed on each Network – Internet-facing and internal.

 

Netcool/OMNIbus Ping Probes connect to the ObjectServer to send events, so communication flow is from the Probe to the ObjectServer. Due to firewall/security restrictions, opening a firewall port to allow communication from internet-facing server to internal server is not possible. Only option was to set up connectivity in the opposite direction. We decided to use Netcool Firewall Bridge component to address this problem, but unfortunately there was not much documentation explaining how to set it up  so I decided to write this post to share my experience with other Netcool Administrators that could be facing the same challenge.

 

About Netcool Firewall Bridge component

 

Netcool firewall bridge component must be installed in two servers: a server residing on internet-facing network to act as a 'Client Bridge' and a server residing on internal network to act as 'Server Bridge'. Server Bridge will open connection to Client Bridge (uni-directional communication) to receive data. In our environment we decided to install the Client Bridge on the same server where Ping Probe is located.

 

Architecture (example):

In the example above, Server Bridge connects to Client Bridge through port 10002 to pull events generated by the Ping Probe and then forwards them to the ObjectServer.

This will be the only Firewall port to open - from internal to internet-facing network.

 

How to set up Firewall Bridge components

 

This component is installed as part of ObjectServer installation process.

After installing the Netcool Firewall Bridge component on both servers and identifying which port will be used for the communication between Server Bridge and Client Bridge, you have to update some configuration files:

 

Environment Variables:

$OMNIHOME = /opt/IBM/tivoli/netcool/omnibus

$NCHOME = /opt/IBM/tivoli/netcool

 

 

Client Bridge (Example name: fw_bridge_cli)

 

File: $NCHOME/etc/omni.dat

• Add lines below:

 

 

 

File: $OMNIHOME/etc/NCO_BRIDGE.thosts

• Add Firewall Bridge server IP and name

 

File: $OMNIHOME/etc/NCO_BRIDGE.props

• Edit file, uncomment lines below and update values.

Example:

 

 

 

Server Bridge (Example name: fw_bridge_svr)

 

 

File: $NCHOME/etc/omni.dat

• Add the lines below:

 

 

File: $OMNIHOME/etc/NCO_BRIDGE.props

 

 

• Edit file, uncomment lines below and update values.

Example:

(you can obtain the ObjectServer name information from omni.dat file)

 

 

 

 

How to start Bridge Client / Server

 

To start Netcool Firewall Bridge (client)

Run as ncosys user:  /opt/IBM/tivoli/netcool/omnibus/bin/nco_bridgeserv -name CLIENT_BRIDGE -propsfile /opt/IBM/tivoli/netcool/omnibus/etc/NCO_BRIDGE.props

 

To start Netcool Firewall Bridge (server)

Run as ncosys user: /opt/IBM/tivoli/netcool/omnibus/bin/nco_bridgeserv -name SERVER_BRIDGE -propsfile /opt/IBM/tivoli/netcool/omnibus/etc/NCO_BRIDGE.props

 

 

Logging:

 

/opt/IBM/tivoli/netcool/omnibus/log/SERVER_BRIDGE.log           (Netcool Firewall Bridge - Server)

/opt/IBM/tivoli/netcool/omnibus/log/CLIENT_BRIDGE.log            (Netcool Firewall Bridge - Client)

 

 

Validation:

After performing the configuration, starting components and checking logs you can force some test event on Probe side and confirm that it appears in the ObjectServer.

 

With this configuration in place, Server Bridge component residing on a server within internal network will connect to Client Bridge residing on a server within internet-facing network and pull events from the Probes connected to the Client Bridge. In our project we are just using Ping Probes for server availability monitoring but you could also use SNMP Probe to receive Hardware events from the servers, for example.

 

Now you can receive events from internet-facing network without having to open a firewall port from internet-facing to internal network, which is a security breach!

 

 

References:

 

Configuring a Firewall Bridge Server

https://www.ibm.com/support/knowledgecenter/en/SSSHTQ_8.1.0/com.ibm.netcool_OMNIbus.doc_8.1.0/omnibus/wip/admin/concept/omn_con_fb_configuringfirewallbridgeserv.html

Starting the Firewall Bridge components

https://www.ibm.com/support/knowledgecenter/en/SSSHTQ_8.1.0/com.ibm.netcool_OMNIbus.doc_8.1.0/omnibus/wip/admin/task/omn_task_fb_startingfirewallbridgeserver.html

 

 

 

Tags:  netcool probe bridge firewall omnibus