Chapter 2. Implementation planning 89
Similarly to Solution A, there are three main requests that need to be addressed:
Controllers in the External zone connecting Targets in the Internal zone:
The change in the design has no effect on this request, and Controller 1 is
able to connect to Target 1 using the A path, as described in “Implementation
Planning Case Study: Solution A” on page 83.
Controllers in the External zone connecting Targets in the Servers zone:
The second requirement is that Controller 1 needs to contact Target 2 in the
Server zone. As shown in Figure 2-5, because the Endpoint Gateway was
removed from the Server zone, a new Endpoint/Gateway Proxy B architecture
needs to be deployed to manage Targets in the Server zone.
For Remote Control operations, a new RC Target Proxy B needs to be
installed on top of the Endpoint Proxy B. It automatically becomes a
Parent, because the Endpoint Proxy is a Parent. On the other side of
Firewall 3, a new RC Controller Proxy B needs to be installed on top of the
Gateway Proxy B, and this component becomes the Child. Using this
architecture, the request from Controller 2 is forwarded from the A path to
the B path using the Endpoint Proxy routing technology.
Controllers in the Internal zone connecting Targets in the Servers zone:
The third requirement is still raised by the CSI Level 3 support group. These
administrators need to have remote control access to Targets in both the
Internal and Servers zones. Targets in the Internal zone will be managed by
Controller 2 using the non-secure IBM Tivoli Remote Control process. However,
Controller 2 can use the RC Proxy architecture to reach Target 2, located in
the Servers zone. It just needs to connect to the RC Target Proxy B, which
will transfer the request to the RC Controller Proxy B. So Controller 2 is
able to contact Target 2 using the B path.
Table 2-12, Table 2-13, and Table 2-14 summarize all of the necessary network
communication ports, which may help in configuring the RC Proxies, the TFST
components, and the firewalls of CSI Corporation.
Important: Requests initiated by a Controller can be forwarded from one
RC Target Proxy/RC Controller Proxy architecture to another RC Target
Proxy/RC Controller Proxy architecture. However, these two architectures
must be RC Proxy Non-Standalone solutions, because the request is
transmitted from one part to the other using the routing technology of the
Endpoint Proxy components.
For more information about the Endpoint Proxy routing technology, refer to
the Firewall Security Toolbox User’s Guide, GC23-4826 and to the Tivoli
Enterprise Management Across Firewalls, SG24-5510.