IBM Tivoli Monitoring, Version 6.3

Example gateway configuration scenario

This section illustrates firewall gateway configuration in a three-hop network configuration.

This example uses a three-hop firewall scenario, shown in Figure 1. This scenario makes the following assumptions:

Connections can only cross a firewall from the more trusted side to the less trusted side.
Relay data crossing a zone enters and leaves on separate ports.

The effects of NAT on cross-zone addresses are not shown for clarity. NAT connections are fully supported. Dynamic NAT connections may require that inbound connection verification be removed. This is accomplished by removing the <connection> tag under the "listening" <bind>.

Figure 1. Three-hop firewall scenario

Illustration of firewall gateway configuration in a three-hop network configuration

Public Network (TEMAG3)

The public network has the following characteristics:

Gateway service is configured as part of operating system agent TEMAG3 on 10.3.1.1.
TEMAG3 accepts a relay connection on port 10030 only from TEMAG22, port 10030.
The Tivoli® Monitoring components within this zone will contact the hub monitoring server and Warehouse Proxy server proxy ports 1918 and 63358 through the TEMAG3 interface address.
The agents and the monitoring server at these zones needs to be configured as follows: Agents 3B, 3C, and 3D pointed directly to RMT3. RMT3 needs to be configured to point to TEMAG3, even if the configuration dialog asks for the hostname or address of the primary hub monitoring server. Agent3A as well as TEMAG3 itself should both point to TEMAG3.

In general, a gateway agent should point to itself, except for the final gateway, which should point to a monitoring server as usual. In this example, TEMAG1 should point to HUB.

In terms of node topology, all the agents and monitoring servers in this example that are pointed to the gateway agents will appear as if they are directly connected to the hub monitoring server.
A remote monitoring server resides on a computer other than TEMAG3 to prevent conflict on port 1918.

The TEMAG3 gateway has the following configuration:

<tep:gateway name="temag3" 
 xmlns:tep="http://xml.schemas.ibm.com/tivoli/tep/kde/" >
	<zone name="least_trusted">
		<!--
		upstream interface, listens for incoming relay
		connections, accepts traffic from downstream interfaces.
		-->
		<interface name="uprelay" ipversion="4" role="listen">
			<bind localport="10030">10.3.1.1
				<connection remoteport="10030">10.2.2.1
				</connection>
			</bind>
			<!--
			downstream interface, listens for incoming proxy
			connections, routes traffic over upstream relay.
			-->
			<interface name="serverproxy" ipversion="4" role="proxy">
				<bind localport="1918" service="tems"/>
				<bind localport="63358" service="whp"/>
			</interface>
		</interface>
	</zone>
</tep:gateway>

DMZ2 Network (TEMAG22)

The DMZ2 network has the following characteristics:

Gateway service configured as part of OS agent TEMAG22 on 10.2.2.1.
TEMAG22 originates a relay connection to TEMAG3 port 10030 using local port 10030.
TEMAG22 accepts a relay connection on port 10022 only from TEMAG21, port 10022.
Tivoli Monitoring components within this zone will contact the hub monitoring server and Warehouse Proxy server proxy ports 1918 and 63358 through the TEMAG22 interface address.
A remote monitoring server resides on a computer other than TEMAG22 to prevent conflicts on port 1918.

The TEMAG22 gateway has the following configuration:

<tep:gateway name="temag22"
 xmlns:tep="http://xml.schemas.ibm.com/tivoli/tep/kde/" >
	<zone name="dmz2">
		<!--
		upstream interface, listens for incoming relay 
		connections, accepts traffic from downstream 
		interfaces
		-->
		<interface name="uprelay" ipversion="4" role="listen">
			<bind localport="10022">10.2.2.1
				<connection remoteport="10022">10.2.1.1</connection>
			</bind>
			<!--
			downstream interface, originates relay connection to
			downstream relay, routes traffic over upstream relay.
			-->
			<interface name="downrelay" ipversion="4" role="connect">
				<bind localport="10030">10.2.2.1
					<connection remoteport="10030">10.3.1.1</connection>
				</bind>
        </interface>
			<!--
			downstream interface, listens for incoming proxy
			connections, routes traffic over upstream relay.
			-->
			<interface name="serverproxy" ipversion="4" role="proxy">
				<bind localport="1918" service="tems"/>
				<bind localport="63358" service="whp"/>
			</interface>
		</interface>
	</zone>
</tep:gateway>

DMZ1 Network (TEMAG21)

The DMZ1 network has the following characteristics:

Gateway service is configured as part of OS agent TEMAG21 on 10.2.1.1.
TEMAG21 originates a relay connection to TEMAG22 port 10022 using local port 10022.
TEMAG21 accepts a relay connection on port 10021 only from TEMAG1 port 10021.
Tivoli Monitoring components within this zone will contact the hub monitoring server and Warehouse Proxy server proxy ports 1918 and 63358 via the TEMAG21 interface address.
A remote monitoring server resides on a computer other than TEMAG21 to prevent conflicts on port 1918.

The TEMAG21 gateway has the following configuration:

<tep:gateway name="temag21"
 xmlns:tep="http://xml.schemas.ibm.com/tivoli/tep/kde/" >
	<zone name="dmz1">
		<interface name="uprelay" ipversion="4" role="listen">
			<bind localport="10021">10.2.1.1
				<connection remoteport="10021">10.1.1.1</connection>
			</bind>
			<interface name="downrelay" ipversion="4" role="connect">
				<bind localport="10022">10.2.1.1
					<connection remoteport="10022">10.2.2.1</connection>
				</bind>
			</interface>
			<interface name="serverproxy" ipversion="4" role="proxy">
				<bind localport="1918" service="tems"/>
				<bind localport="63358" service="whp"/>
			</interface>
		</interface>
	</zone>
</tep:gateway>

Trusted Network (TEMAG1)

The Trusted Network has the following characteristics:

Gateway service is configured as part of operating system agent TEMAG1 on 10.1.1.1.
TEMAG1 originates a relay connection to TEMAG21 port 10021 using local port 10021.
TEMAG1 makes client proxy connections to the hub monitoring server using source ports in the range 20000-20099.
TEMAG1 makes client proxy connections to the Warehouse Proxy Agent at destination port 63358 using source ports in the range 20100-20199.

The TEMAG1 gateway has the following configuration:

<tep:gateway name="temag1"
 xmlns:tep="http://xml.schemas.ibm.com/tivoli/tep/kde/" >
	<zone name="most_trusted">
		<!--
		upstream interface, traffic from downstream
		interfaces and originates proxy connections on behalf
		of downstream server proxy clients
		-->
		<interface name="clientproxy" ipversion="4" role="proxy">
			<bind localport="poolhub" service="tems">
				<connection remoteport="1918">10.1.1.1</connection>
			</bind>
			<bind localport="poolwhp" service="whp">
				<connection remoteport="63358">10.1.1.1</connection>
			</bind>
			<!--
			downstream interface, originates connection to 
			downstream relay, routes traffic to upstream proxy
 			-->
			<interface name="downrelay" ipversion="4" role="connect">
				<bind localport="10021">10.1.1.1
					<connection remoteport="10021">10.2.1.1</connection>
				</bind>
			</interface>
		</interface>
	</zone>
	<portpool name="poolhub">20000-20099</portpool>
	<portpool name="poolwhp">20100-20199</portpool>
</tep:gateway>

Feedback