6 Replies Latest reply on Nov 3, 2016 9:04 AM by Yanick Girouard

    2 agents behind a firewall

    Gerardo Bartoccini

      Hi everybody,

      I am installing CLM and two of the platform servers are in the DMZ, so I can reach them only on port 22 from the install planner.

      So I would like to force nsh on the install planner to reach them through an SSH tunnel with port forwarding.

      Here's what I have done:

      Edited /etc/rsc/secure to add two additional entries with specific listening ports:

      /etc/rsc/secure
      rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:
      server1:port=4751:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:
      server2:port=4752:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:
      default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:client_keepalive_time=20:

      Edited the /etc/hosts file on the install planner host to have both servers resolve to 127.0.0.1:

      /etc/hosts
      127.0.0.1              server1
      127.0.0.1              server2

      Then I create a tunnel from the install planner to one of the target servers:

      ssh -L 4751:localhost:4750 10.5.28.111

      The local port is correctly listening on the install planner host:

      installplannerhost# netstat -an | grep 475
      tcp        0      0 127.0.0.1:4751              0.0.0.0:*                   LISTEN
      tcp        0      0 :::4750                     :::*                        LISTEN
      installplannerhost #

      But although both agentinfo attempts succeed, in both cases server1 responds:

      installplannerhost# agentinfo server1
      server1:
        Agent Release   : 8.7.00.263
        Hostname        : server1
        Operating System: Linux 2.6.32-642.1.1.el6.x86_64
        User Permissions: 0/0 (root/root)
        Security        : Protocol=5, Encryption=TLS1
        Host ID         : 7F0100
        # of Processors : 2
        License Status  : Licensed for NSH/CM
      installplannerhost# agentinfo server2
      server2:
        Agent Release   : 8.7.00.263
        Hostname        : server1
        Operating System: Linux 2.6.32-642.1.1.el6.x86_64
        User Permissions: 0/0 (root/root)
        Security        : Protocol=5, Encryption=TLS1
        Host ID         : 7F0100
        # of Processors : 2
        License Status  : Licensed for NSH/CM
      installplannerhost#

      If I attempt to connect to the second server:

      ssh -L 4752:localhost:4750 10.5.28.112

      the local port is correctly listening on the install planner host:

      installplannerhost# netstat -an | grep 475
      tcp        0      0 127.0.0.1:4752              0.0.0.0:*                   LISTEN
      tcp        0      0 :::4750                     :::*                        LISTEN
      installplannerhost#

      but agentinfo fails in both cases:

      installplannerhost# agentinfo server1
      Can't access host "server1": Connection refused
      installplannerhost# agentinfo server2
      Can't access host "server2": Connection refused
      installplannerhost#

      Any clues?

        • 1. Re: 2 agents behind a firewall
          Yanick Girouard

          I don't think that will work. The secure file's host entry resolves the host to the IP when it's actually used. It's not the name of the host passed in the NSH command that will count, but what IP it resolves to. You would need to put an IP address in the secure file (for server1 and server2), but then if you do this you wouldn't be able to map the hosts file entries to 127.0.0.1. You would need to add more IPs on your server, bind each tunnel to a different IP, and then use those local IPs in the hosts file, I think...

          Example: say you have the following IPs defined on your planner server:

          192.168.1.20
          192.168.1.21

          You would do this in your hosts file:

          192.168.1.20 server1
          192.168.1.21 server2

          Make sure there are no other entries for those IPs in the hosts file or the first one will match.

          Then for your tunnels:

          ssh -L 4751:192.168.1.20:4750 IP_OF_SERVER1
          ssh -L 4752:192.168.1.21:4750 IP_OF_SERVER2

          See if that works.

          • 2. Re: 2 agents behind a firewall
            Bill Robinson

            loopback is a /8 so you have a lot of 'local' addresses you can use ...

            • 3. Re: 2 agents behind a firewall
              Yanick Girouard

              Oh, didn't know that. In this case even better!

              • 4. Re: 2 agents behind a firewall
                Bill Robinson

                http://www.ietf.org/rfc/rfc3330.txt

                   127.0.0.0/8 - This block is assigned for use as the Internet host
                   loopback address.  A datagram sent by a higher level protocol to an
                   address anywhere within this block should loop back inside the host.
                   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
                   but no addresses within this block should ever appear on any network
                   anywhere [RFC1700, page 5].

                • 5. Re: 2 agents behind a firewall
                  Gerardo Bartoccini

                  Thanks to both of you.

                  I fixed things and I am posting the configuration that works here, in case anybody needs to put it in place:

                  Edited /etc/rsc/secure to add two additional entries with specific listening ports:

                  /etc/rsc/secure
                  rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:
                  server1:port=4751:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:
                  server2:port=4752:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:
                  default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:client_keepalive_time=20:

                  Added two loopback interfaces:

                  ifconfig lo:1 127.0.0.2 netmask 255.0.0.0 up
                  ifconfig lo:2 127.0.0.3 netmask 255.0.0.0 up

                  Edited the /etc/hosts file on the install planner host to have the servers resolve to 127.0.0.2 and 127.0.0.3:

                  /etc/hosts
                  127.0.0.2              server1
                  127.0.0.3              server2

                  Then I create two tunnels from the install planner to both target servers.

                  This way the local nsh on installplannerhost will contact the agent on localhost on ports 4751 and 4752, which ssh tunnels to the target hosts.

                  ssh -L 127.0.0.2:4751:localhost:4750 <server1_IP>
                  ssh -L 127.0.0.3:4752:localhost:4750 <server2_IP>

                  (I had to add the local IP to bind to.)

                  The local ports are correctly listening on the install planner host:

                  installplannerhost# netstat -an | grep 475
                  tcp        0      0 127.0.0.2:4751              0.0.0.0:*                   LISTEN
                  tcp        0      0 127.0.0.3:4752              0.0.0.0:*                   LISTEN
                  tcp        0      0 :::4750                     :::*                        LISTEN
                  installplannerhost #

                  and both agentinfo attempts succeed:

                  installplannerhost# agentinfo server1
                  server1:
                    Agent Release   : 8.7.00.263
                    Hostname        : server1
                    Operating System: Linux 2.6.32-642.1.1.el6.x86_64
                    User Permissions: 0/0 (root/root)
                    Security        : Protocol=5, Encryption=TLS1
                    Host ID         : 7F0100
                    # of Processors : 2
                    License Status  : Licensed for NSH/CM
                  installplannerhost# agentinfo server2
                  server2:
                    Agent Release   : 8.7.00.263
                    Hostname        : server2
                    Operating System: Linux 2.6.32-642.1.1.el6.x86_64
                    User Permissions: 0/0 (root/root)
                    Security        : Protocol=5, Encryption=TLS1
                    Host ID         : 7F0100
                    # of Processors : 2
                    License Status  : Licensed for NSH/CM
                  installplannerhost#
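The root cause Yanick pointed at in reply 1 (both names resolving to the same IP, so the same secure-file entry is picked) and the working layout in reply 5 can be checked mechanically. The following is an added example, not code from the thread or from BMC: it parses the secure-file syntax shown above, /etc/hosts, and `netstat -an` output, and assumes (as Yanick describes) that the secure entry is selected by the IP a host resolves to; the inputs at the bottom are constructed to reproduce the broken and the fixed configuration.

```python
# Added example, not BMC code: cross-check the per-host port in /etc/rsc/secure,
# the per-host loopback IP in /etc/hosts and the SSH tunnel listener on that ip:port.
# Assumes (per Yanick) the secure entry is chosen by resolved IP, so shared IPs collide.

def parse_secure(text):
    """Return {host: port} for named entries; the rscd/default catch-alls are skipped."""
    ports = {}
    for line in text.splitlines():
        host, _, rest = line.strip().partition(":")
        opts = dict(o.split("=", 1) for o in rest.split(":") if "=" in o)
        if host and host[0] != "#" and host not in ("rscd", "default") and "port" in opts:
            ports[host] = int(opts["port"])
    return ports

def parse_hosts(text):
    """Return {name: ip} from /etc/hosts text; the first entry for a name wins."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name, fields[0])
    return names

def parse_listeners(text):
    """Return the set of (ip, port) LISTEN sockets from `netstat -an` output."""
    found = set()
    for f in (ln.split() for ln in text.splitlines()):
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            ip, port = f[3].rsplit(":", 1)
            found.add((ip, int(port)))
    return found

def check_tunnels(secure, hosts, netstat):
    """Return a list of problems; an empty list means the layout is consistent."""
    ports, names, listeners = parse_secure(secure), parse_hosts(hosts), parse_listeners(netstat)
    problems, owner = [], {}
    for host, port in ports.items():
        ip = names.get(host)
        if ip is None:
            problems.append(f"{host}: no /etc/hosts entry")
            continue
        if ip in owner:  # the first post's failure: both names resolved to 127.0.0.1
            problems.append(f"{host}: resolves to {ip} like {owner[ip]}; the entry for {owner[ip]} wins")
        owner.setdefault(ip, host)
        if (ip, port) not in listeners:
            problems.append(f"{host}: nothing listening on {ip}:{port}; tunnel down?")
    return problems
# Constructed inputs reproducing the thread's broken (both -> 127.0.0.1) and fixed layouts.
SECURE = ("server1:port=4751:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:\n"
          "server2:port=4752:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30:\n")
BROKEN_HOSTS, FIXED_HOSTS = "127.0.0.1 server1\n127.0.0.1 server2\n", "127.0.0.2 server1\n127.0.0.3 server2\n"
BROKEN_NETSTAT = "tcp 0 0 127.0.0.1:4751 0.0.0.0:* LISTEN\ntcp 0 0 :::4750 :::* LISTEN\n"
FIXED_NETSTAT = "tcp 0 0 127.0.0.2:4751 0.0.0.0:* LISTEN\ntcp 0 0 127.0.0.3:4752 0.0.0.0:* LISTEN\n"
```

`check_tunnels(SECURE, BROKEN_HOSTS, BROKEN_NETSTAT)` reports the server2 collision and the missing 127.0.0.1:4752 listener, while the fixed inputs return an empty list.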

                  • 6. Re: 2 agents behind a firewall
                    Yanick Girouard

                    How did you manage to run the tunnels as daemons so they run in the background, and have you planned on creating a watchdog script to restart them if the connection fails?