How do I configure the AR server and Mid-Tier in a firewall segmented network?

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy AR System Server


    APPLIES TO:

    BMC Remedy AR System Server



    QUESTION:

    How do I configure the AR server and Mid-Tier in a firewall segmented network?


    ANSWER:

     

    Legacy ID: KA334032

    Note: This KB needs to be generalized for the various operating systems, servlet engines, etc.

    The protocols used between the Mid-Tier and AR Server in a firewall segmented network are as follows: 
    ------------------------------------------------------------- 
    TCP from the Mid-Tier server, with a source TCP port in the range 1024-65535, destined for the single TCP port specified in the ar.conf file, e.g. TCD-Specific-Port: XXXXX, where XXXXX is any port in the range 1024-65535 (the range available to user-space processes). 

    The rule for the above might look like: 
    deny all 
    allow TCP source 1024-65535 [source_serverIP_or_DNSName_or_NetMask] destination TCP 5555 [destination_serverIP_or_DNSName_or_NetMask] 

    This type of rule would need to be repeated for each Mid-Tier server if specific IP addresses or DNS names are used in the source half of the rule. 

    The rule must not contain any authentication challenges. The ARAPI is not designed to respond to or present challenge-response authentication prompts to users. 

    UDP is not used by the ARAPI client when a server port is specified in the client configuration. 


    Having said all this, there is a known problem where specific ARAPI calls will generate GET PORTMAP requests (TCP port 111 and UDP port 111). This can be avoided by setting ARTCPPORT=XXXXX (where XXXXX = the port set for TCD-Specific-Port) in the environment prior to starting the ARAPI client. In your case this can be done anywhere within the StartServletExec script. Note that ALL AR servers listed in the Mid-Tier config tool will need to be configured to run on the same port, since the ARTCPPORT environment variable applies to all servers. 

    Please verify: 
    - That the Mid-Tier config tool shows the AR Server Name(s) as listed in your Remedy Windows Admin Tool, Accounts dialog (Tools -> Accounts). 
    - That the AR Server Name(s) as listed in the Mid-Tier config tool are resolvable via DNS, NIS, or file (/etc/hosts) and that the correct method of resolution is specified in /etc/nsswitch.conf. 
    - That no RPC Program number is specified in the Mid-Tier config tool. If this field is blank, the default RPC program number for the TCD-Specific-Port will be used.  

    If you are attempting to use a private server there is a separate ar.conf parameter, a separate port used, and a different rule needed for the firewall configuration. In this configuration you must specify the port and RPC program number associated with the private server. The protocol for private servers is still TCP with the same source TCP port range and specific destination TCP port range as shown above. 
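    The following script is an added example, not BMC's own code. It reads TCD-Specific-Port from an ar.conf file, checks that the value is a user-space port, prints the "deny all, then one allow rule per Mid-Tier source" rule set described above in iptables syntax for the AR Server host, and prints the ARTCPPORT line to place in StartServletExec. The host addresses and the ar.conf fragment are constructed for the demo.

```shell
#!/bin/sh
# Added example (not BMC code). Derives the Mid-Tier -> AR Server firewall
# rules and the ARTCPPORT export from the TCD-Specific-Port in ar.conf.

# Print the TCD-Specific-Port value from an ar.conf file (empty if unset).
tcd_port_from_conf() {
    awk -F':' '/^TCD-Specific-Port:/ { gsub(/[ \t\r]/, "", $2); print $2; exit }' "$1"
}

# Succeed only for a numeric port in the user-space range 1024-65535.
valid_user_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Emit inbound rules for the AR Server host: default deny, then one allow
# rule per Mid-Tier source (source TCP 1024-65535 -> the TCD-Specific-Port).
# Usage: midtier_to_arserver_rules <ar_server_ip> <port> <midtier_ip>...
midtier_to_arserver_rules() {
    ar_host=$1; port=$2; shift 2
    valid_user_port "$port" || { echo "invalid TCD-Specific-Port: $port" >&2; return 1; }
    echo "iptables -P INPUT DROP"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --sport 1024:65535 -d $ar_host --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
}

# Line for StartServletExec so the ARAPI client skips the GET PORTMAP calls.
artcpport_export_line() {
    echo "ARTCPPORT=$1; export ARTCPPORT"
}

# Stand-alone run on a constructed ar.conf fragment and constructed addresses.
demo() {
    conf=$(mktemp)
    printf 'Server-name: arsrv01\nTCD-Specific-Port: 5555\n' > "$conf"
    port=$(tcd_port_from_conf "$conf")
    rm -f "$conf"
    midtier_to_arserver_rules 10.0.0.5 "$port" 10.0.1.10 10.0.1.11
    artcpport_export_line "$port"
}
demo
```

The rules cover only the AR Server's INPUT chain; the OUTPUT policy on that host is left unchanged, and the same port must be used by every AR server listed in the Mid-Tier config tool because ARTCPPORT applies to all of them.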
    ------------------------------------------------------------- 
    The protocols used between the browser client and Web Server / Servlet Engine in a firewall segmented network are as follows: 
    ------------------------------------------------------------- 
    Whatever TCP port the web server / servlet engine is listening on to service HTTP requests is the TCP port that needs to be allowed in the firewall rule. This is typically TCP port 80, or 443 for SSL/HTTPS. The rule for the above might look like: 

    deny all 
    allow TCP source 1024-65535 [NetMask] destination TCP 80 [destination_serverIP_or_DNSName_or_NetMask] 

    The rule must not contain any authentication challenges. The Mid-Tier client architecture includes an applet named Client Services. The Client Services applet is not designed to respond to or present challenge-response authentication prompts to users. 

    The connection can be proxied, but the content must not be cached at any proxy server. 

    The connection can be load balanced. The best method for load balancing is by cookie. The connection must have session affinity (or "sticky") such that subsequent packets are sent to the same web server where the initial connection was established. This is because the Mid-Tier is not cluster aware. The Mid-Tier does not share session information between separate Mid-Tier instances running on other nodes / hosts. 
    ------------------------------------------------------------- 


     


    Article Number:

    000030191


    Article Type:

    FAQ/Procedural


