52 IBM Tivoli Remote Control Across Firewalls
nd_start_target method is sent to the Target using the standard
Endpoint Communication Protocol packets. In a TFST environment,
these packets are encapsulated by the Endpoint Proxy inside
common HTTP packets. HTTP was chosen because it is
considered a “firewall friendly” protocol. The Gateway Proxy then
rebuilds the packets into the Tivoli proprietary protocol so that the
distant Targets can understand the order to start an RC session.
When the request arrives from the standard Tivoli environment, it
contains the label of the distant Endpoint, which is the Target in this
case. The Endpoint Proxy maintains its own Endpoint Database, which
stores key information about each distant Endpoint, notably its
Gateway Proxy. Using this information, the Endpoint Proxy can
forward the request to the right Gateway Proxy, which in turn
forwards it to the Endpoint.
In the situation depicted in Figure 1-9 on page 51, there are two
firewalls separating the standard Tivoli environment from the distant
Endpoints. To let the Endpoint Proxy (which needs to be on the same
network zone as the Tivoli Endpoint Gateway) communicate with the
Gateway Proxy (which needs to be close to the distant Endpoints), a
second instance of the Relay is needed in the zone between the
firewalls. Its only role is to forward the packets between the
different network zones toward their final destination. Multiple
Relays can be chained to cross multiple secure zones.
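The path described above, sketched as an added example (not IBM's code or a TFST configuration): the Endpoint Database lookup selects the Gateway Proxy, the hop chain is walked through the Relay, and each zone boundary yields exactly one narrow allow rule. The host names, zones, ports, the endpoint label and the assumption that the upstream component opens each connection are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str   # component host name (constructed)
    zone: str   # network zone the component sits in
    port: int   # TCP port carrying the HTTP-encapsulated traffic (assumed)

# Endpoint Proxy's Endpoint Database: endpoint label -> its Gateway Proxy
ENDPOINT_DB = {"target-042": "gwproxy-a"}

NODES = {
    "epproxy":   Node("epproxy", "internal", 8501),
    "relay-dmz": Node("relay-dmz", "dmz", 8502),
    "gwproxy-a": Node("gwproxy-a", "external", 8503),
}
# Upstream neighbour of each component (toward the Endpoint Proxy)
PARENT = {"gwproxy-a": "relay-dmz", "relay-dmz": "epproxy"}
ZONE_ORDER = ["internal", "dmz", "external"]  # one firewall between neighbours

def resolve_path(label):
    """Hops from the Endpoint Proxy to the Gateway Proxy serving `label`."""
    hop = ENDPOINT_DB[label]          # KeyError: endpoint unknown to the proxy
    path = [hop]
    while hop in PARENT:
        hop = PARENT[hop]
        path.append(hop)
    return [NODES[n] for n in reversed(path)]

def firewall_rules(path):
    """One allow rule per zone boundary; reject hops that skip a zone."""
    rules = []
    for src, dst in zip(path, path[1:]):
        gap = abs(ZONE_ORDER.index(dst.zone) - ZONE_ORDER.index(src.zone))
        if gap > 1:
            raise ValueError(f"{src.name}->{dst.name} skips a zone; add a Relay")
        if gap == 1:                  # same-zone hops need no firewall rule
            rules.append((src.zone, dst.zone, src.name, dst.name, dst.port))
    return rules

if __name__ == "__main__":
    for rule in firewall_rules(resolve_path("target-042")):
        print("allow %s->%s  %s -> %s tcp/%d" % rule)
```

A direct Endpoint Proxy to Gateway Proxy hop fails the check here, which is the case the Relay in the middle zone exists to avoid: no single rule has to open both firewalls to one host pair.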
L Both sessions on the Target and on the Controller are now started.
At this step, the Controller needs to establish the link to control the
Target. The rc_def_proxy policy has been configured to force the
use of the Remote Control Proxies, and the Remote Control Server
was informed of that in step I. The Remote Control Server then
informed the Controller (step K) to use the RC Target Proxy in
order to contact the Target. The Controller is now able to transfer the
connection request to the RC Target Proxy.
Because only the RC Target Proxy port is defined in the rc_def_proxy
policy in auto mode, the Controller receives only the address of
the Endpoint Proxy. Because the RC Target Proxy must be installed on
the same machine as the Endpoint Proxy, the Controller can forward the
Target request to the RC Target Proxy using the address of the
Endpoint Proxy.
When the Target Proxy receives the request, it needs to find
which RC Controller Proxy the Endpoint is attached to. In a TFST
environment, the Endpoint Proxy is in charge of managing the key
information of the Endpoint. To know the right path to contact the
Target, the RC Target Proxy needs to ask the Endpoint Proxy for this
information. The Endpoint Proxy provides the host name of the