12 IBM Tivoli Remote Control Across Firewalls
Bidirectional communication: In simple secure environments,
communications could be initiated either by a component in the less secure
zone or by one located in the more secure zone. For example, an
Endpoint initiates an upcall that is intercepted by the Gateway Proxy and
sent on to the Endpoint Proxy, which in turn forwards it to the Tivoli
Endpoint Gateway. In reverse, the Endpoint Proxy could initiate a downcall to
the Endpoint without any restrictions.
Unidirectional communication: In more secure environments,
communications could only be initiated by components located in one of the
zones. For example, if an Endpoint needs to initiate an upcall, the upcall is
intercepted by the Gateway Proxy and held until the Endpoint Proxy polls
its Gateway Proxies, at configurable intervals, to check whether any of them
have data to send. In this case, the Endpoint Gateway is called the
Initiator, as it is responsible for polling its Child. The Gateway Proxy is
called the Listener, as it waits for a send request before it can transfer any
information. The poll interval is set to 2 seconds by default and can be
configured by changing the polling-interval parameter in the epproxy.cfg,
gwproxy.cfg, and/or rcproxy.cfg configuration files. For more information
about the Endpoint and Gateway proxies configuration files, refer to Firewall
Security Toolbox User's Guide, GC23-4826. The IBM Tivoli Remote Control
User's Guide, SC23-4842, provides information for the Remote Control
Proxies configuration files.
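The hold-until-polled behavior described above can be modeled in a few lines. The following Python sketch is an added example, not code from the product or from this book: the listener names, the upcall payloads, and the timeline are constructed, and time is counted in whole seconds. It shows that every connection originates from the Initiator and that a held upcall waits less than one polling interval.

```python
from collections import deque

class Listener:
    """Listener role (hypothetical model): holds upcalls, never connects out."""
    def __init__(self, name):
        self.name = name
        self.held = deque()

    def intercept_upcall(self, queued_at, payload):
        self.held.append((queued_at, payload))   # held until the next poll

    def on_poll(self):
        drained = list(self.held)                # hand over everything held
        self.held.clear()
        return drained

def simulate(upcalls, listeners, polling_interval=2, until=10):
    """Replay upcalls as (time, listener, payload); poll every polling_interval.

    Returns (connections, deliveries): each connection is (source, target, time),
    each delivery is (payload, queued_at, delivered_at).
    """
    pending = deque(sorted(upcalls))
    by_name = {lst.name: lst for lst in listeners}
    connections, deliveries = [], []
    for now in range(polling_interval, until + 1, polling_interval):
        # Upcalls raised since the last poll are intercepted and held.
        while pending and pending[0][0] <= now:
            queued_at, name, payload = pending.popleft()
            by_name[name].intercept_upcall(queued_at, payload)
        # Only the Initiator opens connections: one poll per Listener.
        for lst in listeners:
            connections.append(("initiator", lst.name, now))
            for queued_at, payload in lst.on_poll():
                deliveries.append((payload, queued_at, now))
    return connections, deliveries

# Constructed sample timeline: (second, listener name, upcall payload).
SAMPLE_UPCALLS = [(1, "gwproxy-a", "login"),
                  (2, "gwproxy-b", "status"),
                  (5, "gwproxy-a", "rc-reply")]

def demo(polling_interval=2):
    listeners = [Listener("gwproxy-a"), Listener("gwproxy-b")]
    return simulate(SAMPLE_UPCALLS, listeners, polling_interval)

if __name__ == "__main__":
    conns, delivered = demo()
    for payload, queued_at, delivered_at in delivered:
        print(f"{payload}: queued t={queued_at}s, delivered t={delivered_at}s")
    print("connection sources:", {src for src, _, _ in conns})
```

In this model a longer interval means fewer connections across the firewall but more delay for each held upcall.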
1.2 IBM Tivoli Remote Control sessions overview
In this section we describe in detail the data flow of Remote Control sessions
used in different implementations. This is meant to help you fully understand
how Remote Control communications work and what you have to consider
in your design in order to respect the firewall restrictions.
The example scenarios used in this section are based on commonly found
Remote Control architecture implementations in which the RC Controller is
installed on the most secure side of the firewall and the Targets in the less
secure zone. These scenarios should provide you with enough information to
master other, more complicated situations. Furthermore, only the Remote
Control action is discussed, but the process is basically the same for the
File Transfer action. More information about these actions can be found in the
IBM Tivoli Remote Control User's Guide, SC23-4842.
Attention: Only the Remote Control and the File Transfer actions can use the
Remote Control Proxy technology to cross firewalls.