60 IBM Tivoli Remote Control Across Firewalls
2. Scenarios where the Targets and/or Controllers are separated from their
standard Tivoli Endpoint Gateway by a firewall. In this case, a Tivoli Firewall
Security Toolbox is needed to manage these Endpoints. IBM Tivoli Remote
Control must be installed on top of the Tivoli Firewall Security Toolbox
architecture in order for it to be able to contact the Endpoint separated from
their TMR Server by, at least, one firewall or more. Such a solution is often
referred to as a Non-Standalone or RCProxy-TFST solution.
At this point, you should know if an IBM Tivoli Remote Control Proxy Standalone
solution or a Non-Standalone solution has to be deployed.
In a case of a Non-Standalone solution, you need to identify the placement of
both the Endpoint Proxy and Gateway Proxy. If the RC Controller is in the same
network zone as the Endpoint Proxy, the RC Target Proxy must be installed on
top of the Endpoint Proxy (same physical machine). Similarly, the RC Controller
Proxy must be installed on top of the Gateway Proxy. Otherwise, if the RC
Controller is in the same network zone as the Gateway Proxy, the RC Target
Proxy must installed on top of the Gateway Proxy, and the RC Controller Proxy
on top of the Endpoint Proxy.
However, if the intention is to have RC Controllers and RC Targets in both
network zones (more secure and less secure), an RC Target Proxy and an RC
Controller could be installed at the same time on top of the Endpoint Proxy and
also on top of the Gateway Proxy. If one or many Relays are already installed to
let the Endpoint Proxy communicate with the Gateway Proxy through more than
one firewall, a new instance of the Relay needs to be installed on top of all
Relays already installed (same physical machine) in order to permit the RC
Proxies to communicate together through a dedicated channel.
In a case of a Standalone solution, if the RC Controller is in the same network
zone as the TMR Server, the RC Target Proxy must be installed inside the more
secure zone and the RC Controller Proxy in the less secure zone. Otherwise, if
the RC Controller is in the less secure network zone, the RC Target Proxy must
be installed in the less secure zone, and the RC Controller Proxy in the more
secure zone. However, if you plan to have RC Controllers and RC Targets in
both network zones (more secure and less secure), an RC Target Proxy and an
RC Controller Proxy could be installed at the same time in the less secure and
also in the more secure network zone.
In some situations, the RC Target Proxy needs to cross more than one firewall to
contact the RC Controller Proxy. In this case, you must plan to use a Tivoli
Firewall Security Toolbox Relay. This component is also able to transfer the RC
Target Proxy information to the RC Controller Proxy information even in a
Standalone solution.