Chapter 1. Remote Control sessions overview 35
The legend used in Figure 1-5 is explained as follows:
Steps A, B, C, D, E, F, G, H, I, J, and K are the same as for a Remote Control
session in a multi-TMR environment without the firewall restriction. Refer to “Data
flow for a multi-TMR session” on page 21 for detailed information about these
steps.
The remaining step is different and is defined as follows:
L The rc_def_gw policy has been configured to force the use of the
Remote Control Gateway, and the Remote Control Server was informed
of this in step F. The Remote Control Server then informed the
Controller (step K) to use the Remote Control Gateway in order to
contact the Target. Because the Controller knows on which Managed
Node the Remote Control Gateway is installed and which port has to be
used, it can start communicating with the Target over this specific
network path. The Remote Control session is now established. Note
that once the session is established, the Controller talks directly
with the Target, but this is no longer a peer-to-peer
(Controller-Target) communication, because the communication flow
must always pass through the Remote Control Gateway. The Target
listens on the port defined in the rc_def_gw policy. If 0 is
specified as the parameter, the port is assigned by the
communication stack. On the Controller side, the port is by default
assigned by the communication stack; however, it can easily be fixed
by configuring the rc_def_ports Remote Control policy. Fixing both
ports matters when writing the firewall rules: a stack-assigned port
changes from session to session and cannot be expressed as a static
rule, whereas a fixed Gateway port and a fixed Controller port allow
the firewall to permit exactly that path and nothing else.
To force the Remote Control session to use a Remote Control Gateway,
the rc_def_gw default policy method must be configured as shown in
Example 1-13 on page 33. This has to be done in the Spoke TMR where the
Remote Control Object is located.
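The following is an added example, not code from the Redbook or from the Tivoli product, that models the data path of step L on loopback: a Target listener whose port may be 0 (stack-assigned, as with rc_def_gw), a Gateway that accepts the Controller on its own port and relays every byte to the Target, and a Controller whose local port is either stack-assigned (the default) or pinned to a fixed value (the role rc_def_ports plays). All host names, ports, function names and the echo protocol are assumptions made for the illustration; the real product uses its own session protocol. The returned trace shows that the Target's accepted connection comes from the Gateway's socket, not the Controller's, which is the "no longer peer-to-peer" property described above.

```python
import socket
import threading

HOST = "127.0.0.1"  # everything runs on loopback so the example works offline


def open_listener(port):
    """Bind a TCP listener. Port 0 means 'let the communication stack pick',
    which is the behaviour the text describes for rc_def_gw / rc_def_ports.
    Returns the socket and the port actually in use."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def run_target(srv, trace):
    """Target (hypothetical stand-in): accept one session, record which peer
    port reached it, and echo each chunk back prefixed with 'echo:'."""
    conn, peer = srv.accept()
    trace["target_peer_port"] = peer[1]
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(b"echo:" + data)
    srv.close()


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other direction so
    the far end sees the session end as well."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def run_gateway(srv, target_port, trace):
    """Gateway (hypothetical stand-in): accept the Controller on the Gateway
    port, open the Gateway's own connection to the Target, relay both ways."""
    client, _ = srv.accept()
    upstream = socket.create_connection((HOST, target_port))
    trace["gateway_upstream_port"] = upstream.getsockname()[1]
    threads = [threading.Thread(target=pump, args=(client, upstream)),
               threading.Thread(target=pump, args=(upstream, client))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()
    srv.close()


def controller_session(gateway_port, controller_port=0, payload=b"hello\n"):
    """Controller: reach the Target only through the Gateway. controller_port=0
    is the default (stack-assigned); a non-zero value plays the role of a
    port pinned through rc_def_ports."""
    with socket.create_connection((HOST, gateway_port),
                                  source_address=(HOST, controller_port)) as c:
        local_port = c.getsockname()[1]
        c.sendall(payload)
        reply = c.recv(4096)
    return reply, local_port


def run_session(gateway_port=0, target_port=0, controller_port=0):
    """Wire Target, Gateway and Controller together and report what each saw."""
    trace = {}
    tgt_srv, tgt_port = open_listener(target_port)
    gw_srv, gw_port = open_listener(gateway_port)
    t = threading.Thread(target=run_target, args=(tgt_srv, trace))
    g = threading.Thread(target=run_gateway, args=(gw_srv, tgt_port, trace))
    t.start()
    g.start()
    reply, ctl_port = controller_session(gw_port, controller_port)
    t.join()
    g.join()
    return {
        "reply": reply,
        "gateway_port": gw_port,
        "target_port": tgt_port,
        "controller_port": ctl_port,
        "gateway_upstream_port": trace["gateway_upstream_port"],
        "target_peer_port": trace["target_peer_port"],  # equals the Gateway's port
    }


if __name__ == "__main__":
    print(run_session())
```

Run it once with the defaults to see stack-assigned ports everywhere, and once with `run_session(gateway_port=5001, controller_port=45817)` to see the pinned values that a firewall rule could be written against. In either case `target_peer_port` equals `gateway_upstream_port`, never `controller_port`.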
1.2.4 Session using Remote Control Proxies Standalone
In the following sections we describe the Remote Control Proxy Standalone
architecture for both single-TMR and multi-TMR environments.
The Remote Control Proxy components enable machines on one side of a firewall
to communicate, through a single definable port, with machines on the other
side of the firewall. The Controller is thus able to start a session with a Target
while minimizing the impact on the security infrastructure.
However, the Remote Control Proxy Standalone solution can only be used if a
standard Tivoli Endpoint Gateway is installed in the same network zone as the
Targets. Otherwise, the Remote Control Proxy on top of the Tivoli Firewall
Security Toolbox solution must be deployed.