Firewall scenarios for Tivoli Enterprise Portal

Monitoring, Version 6.2

Firewall scenarios for Tivoli Enterprise Portal

The following diagrams illustrate several firewall scenarios using various combinations of the IBM® Tivoli® integral Web server, an external Web server (such as Apache or IBM HTTP Server), NAT, and a second NIC on the Tivoli Enterprise Portal Server computer. These scenarios can help you to define the Tivoli Enterprise Portal Server interface.

Note:

You can download the IBM HTTP Server for free at http://www-306.ibm.com/software/webservers/httpservers/.

Figure 33 shows scenario with the following configuration:

Has an intranet firewall
Has no NAT
Uses the integral Web server

Figure 33. Intranet with integral Web server Firewall configuration for intranet with an integral Web server

The default Tivoli Enterprise Portal Server interface "cnps" is used. No additional interface definitions are needed. Browser mode users, whether going through the firewall or not, start Tivoli Enterprise Portal at:

 http://10.10.10.10:1920///cnp/client

or substitute the host name for the IP address.

For configurations using the integrated Web server and these port numbers, use the default cnps interface definition.

In this scenario, the monitoring server and agents can be installed on the Tivoli Enterprise Portal Server computer.

Figure 34 shows a scenario that has the following configuration:

Has an intranet firewall
Has no NAT
Uses an external Web server (such as IBM HTTP Server, Apache or IIS)

Figure 34. Intranet with external Web server

Firewall configuration for intranet with external Web server

Browser mode users, whether going through the firewall or not, start Tivoli Enterprise Portal Server with

http://10.10.10.10 or http://10.10.10.10/mydirectory

(where mydirectory is the alias), or substitute the host name for the IP address.

For intranet configurations using an external Web server, with no NAT, you do not need to add a new interface definition. Web server port 80 is used automatically when none is specified in the URL.

In this scenario, the monitoring server and agents can be installed on the Tivoli Enterprise Portal Server computer.

Figure 35 shows the following two-part configuration:

Intranet firewall without NAT and using the integral Web server
Internet firewall with NAT and using an external Web server

Figure 35. Intranet with integral Web server; Internet with external Web server

Firewall configuration encompassing both intranet with integral Web server and internet with external Web server

Intranet users can enter the URL for either the integral Web server or the external Web server:

 http//10.10.10.10:1920///cnp/client or http://10.10.10.10

Internet users enter the URL for the NATed address:

http://198.210.32.34/?ior=internet.ior

(or substitute the host name for the IP address).

The Internet configuration requires a new Tivoli Enterprise Portal Server interface named "internet", with proxy host address 198.210.32.34 and port number 15002. The intranet firewall uses the "cnps" definition.

In this scenario, the monitoring server and agents cannot be installed on the Tivoli Enterprise Portal Server computer.

Figure 36 shows the following three-part configuration:

Intranet firewall with NAT through the firewall to the external Web server
```
http://192.168.1.100/?ior=intranet.ior
```
Without NAT inside the DMZ to the integral Web server
```
 http://10.10.10.10:1920///cnp/client
```
Internet firewall with NAT through the firewall to the external Web server
```
http://198.210.32.34/?ior=internet.ior
```

Figure 36. Intranet and Internet with integral and external Web servers

The intranet firewall configuration requires a new Tivoli Enterprise Portal Server interface named "intranet", which uses proxy host 192.168.1.100 and port 15003.

The Internet DMZ configuration requires a new Tivoli Enterprise Portal Server interface definition.

The Internet configuration uses the same Tivoli Enterprise Portal Server "internet" interface definition as the previous scenario: proxy host 198.210.32.34 and port 15002.

In this scenario, the monitoring server and agents cannot be installed on the Tivoli Enterprise Portal Server computer.

Figure 37 shows the following two-part configuration:

Intranet firewall with NAT through the firewall to the external Web server using http://192.168.1.100, and without NAT inside the DMZ to the integral Web server uses http://10.10.10.10:1920///cnp/client
Internet firewall with NAT through the firewall to the external Web server using http://198.210.32.34.

Figure 37. Two host addresses, intranet and Internet, with integral and external Web servers

Configuration with wo host addresses, intranet and Internet, using both integral and external Web servers

The intranet firewall configuration uses the same Tivoli Enterprise Portal Server interface definition (named "intranet") as in the scenario shown in Figure 36: http://10.10.10.10; proxy host 192.168.1.100; and port 15003.

The intranet DMZ configuration uses the default Tivoli Enterprise Portal Server interface definition: host 192.168.33.33; proxy host 198.210.32.34; port 15002; and proxy port 444.

In this scenario, the monitoring server and agents cannot be installed on the Tivoli Enterprise Portal Server computer.

Feedback

[ Top of Page | Previous Page | Next Page | Contents | Index ]