We do have a few large hosting customers that use it. Typically these are the reasons:
1 – overlapping IP ranges – e.g. from acquisitions or poor network planning
2 – network admins don’t want to open firewall ports (as mentioned)
3 – NAT at the remote site
4 – DNS issues where appserver cannot talk to DNS servers that can resolve the target servers
I have a large remote client (an estate of more than 800 servers) with a WAN connection to the application server with a speed of 2 x 2 MB. At the remote site, the first firewall does NAT and a second, classic firewall is in front of the server estate. I hope this diagram can help you visualize more or less the network topology:
Therefore my questions are the following: (1). Can I have the proxy and repeater components located in front of the firewall of the server estate? (2). Do I really need the proxy server at all? After reading your comments from the community, I understand that if a NAT is being used, then the proxy server is needed. (3). I recommended opening port 4750 from the Proxy server to the BDSSA reports server (after consulting the official document from BMC which describes the ports). Is this really needed? My understanding is that this port should be opened exclusively because the RSCD agents need to copy the agent logs to the reports server for reporting purposes. (4). Or would you recommend having the repeater behind the firewall, closer to the RSCD agents? I would appreciate your expertise.
Added the diagram as a modification to this message.
1 - Yes, as long as the proxy and repeater can reach the targets on 4750.
2 - If the NAT in the diagram is not a 1-to-1 NAT, then yes, you need the SOCKS proxy.
3 - I don't think so. Assuming the reports server is in the same zone as the appserver, I don't see a need to do this. The traffic in that case is going from the appserver to the reports server. However, there are cases where the proxy does need to talk back to the file server and possibly other servers on port 4750, depending on the NSH scripts that are being run - e.g. a script that copies from one zone to another.
4 - It doesn't really matter. You are opening ports in a firewall either way. It might be easier to have the SOCKS proxy behind the second firewall (the bottom one), because then you only open a single port to the proxy.
Why do you have the two firewalls there - one does NAT and FW, then another FW to the targets? Why not just have one?
1 - Yes, port 4750 will be opened from the SOCKS Proxy towards the target servers' RSCD,
and the same port from the Repeater towards the target servers' RSCD.
2 - Apparently the NAT uses both ONE TO ONE and ONE TO ANY, if this helps you clarify your question.
3 - Effectively, the reports server is in the same LAN (zone) as the reports server, and it is still not clear from the example you have given me.
4 - For this specific client, due to strict security concerns, we cannot install infra servers in the VLAN where the client servers will be located. All infra servers will be located in the reserved area (after the NATting).
2 - For a one-to-many NAT you need a SOCKS proxy that has an interface on the other side of the NAT so it can talk to the actual target systems. For a one-to-one NAT you don't need a SOCKS proxy.
3 - If the appserver and reports server are on the VLAN, then no traffic would need to go through the SOCKS proxy to get from the app to the reports server.
4 - ok
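As an added illustration of answer 2 (not code from the thread or from BMC), the following script shows what the appserver actually asks the proxy to do when a target sits behind a one-to-many NAT: it opens a SOCKS CONNECT to the target's inside address on the RSCD port, so the proxy must have an interface on that inside network. It assumes a SOCKS5 proxy with no authentication (RFC 1928); the proxy and target addresses used in the test are constructed placeholders.

```python
"""SOCKS5 CONNECT helper for checking that an appserver can reach an RSCD agent
on port 4750 through the SOCKS proxy. Constructed example, assumes SOCKS5 with
the 'no authentication' method; message builders and the reply parser are
pure functions so they can be checked offline."""
import socket
import struct

RSCD_PORT = 4750  # RSCD agent port discussed in the thread

# Reply codes from RFC 1928, section 6 (REP field)
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    # VER=5, NMETHODS=1, METHODS=[0x00 no authentication]
    return b"\x05\x01\x00"


def build_connect(target_ip, target_port=RSCD_PORT):
    # VER=5, CMD=CONNECT(0x01), RSV=0x00, ATYP=IPv4(0x01), DST.ADDR, DST.PORT
    # target_ip is the address as seen from the proxy's inside interface,
    # i.e. the real (un-NATted) address of the RSCD target.
    return (b"\x05\x01\x00\x01" + socket.inet_aton(target_ip)
            + struct.pack("!H", target_port))


def parse_connect_reply(data):
    # Returns (reachable, human-readable reason) for a SOCKS5 CONNECT reply.
    if len(data) < 2 or data[0] != 0x05:
        return False, "not a SOCKS5 reply"
    code = data[1]
    return code == 0x00, REPLY_TEXT.get(code, "unknown reply code %#x" % code)


def check_via_socks(proxy_host, proxy_port, target_ip, target_port=RSCD_PORT, timeout=5.0):
    # Live check: ask the proxy to connect to target_ip:target_port on our behalf.
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        if s.recv(2) != b"\x05\x00":
            return False, "proxy rejected the no-authentication method"
        s.sendall(build_connect(target_ip, target_port))
        return parse_connect_reply(s.recv(10))
```

A "host unreachable" or "network unreachable" reply from the proxy, rather than from the appserver's own stack, is the symptom of a proxy that has no interface on the far side of the NAT.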