Management servers and nodes communicate with each other over
the network. Normally, management servers open outbound network
connections to nodes and nodes open inbound network connections to
management servers.
The figure below shows the network connections where there is no
firewall that blocks inbound HTTPS connections to the management
server as follows:
The management server (1) opens outbound connections to
agents, for example to deploy policies and instrumentation, for
heartbeat polling, or to launch actions.
Agents (2) open inbound connections to the management
server, for example to send messages, actions responses, or to
launch remote actions.
If a firewall blocks inbound HTTPS connections from a node to a
management server, the node cannot communicate with the management
server properly. To enable proper communication, you configure an
HTTPS agent to act as a reverse channel proxy (RCP).
An RCP handles communication between management servers and
nodes, so that they do not need to communicate with each other
directly. An RCP can run on the managed node that it serves, or on
a separate system that serves multiple managed nodes. The RCP is on
the same side of the firewall as the node or nodes that it
serves.
Outbound-only communication through one firewall
The figure below shows the network connections where there is a
firewall that blocks inbound HTTPS connections to the management
server as follows:
The management server (1) makes an outbound connection
through the firewall (2) to an RCP (3). This
connection is called a reverse administration channel. The
management server maintains the reverse administration channel, so
that the RCP never needs to make an inbound connection to the
management server.
Agents (4) open connections to the RCP, instead of the
management server. The RCP (3) forwards the agents'
communications to the management server using the reverse
administration channel.
The management server (1) also makes outbound
connections directly to agents (4).
To configure outbound-only communication in this scenario, you
must:
Configure the RCP, so that it listens for incoming
connections.
Configure the management server, so that it opens the reverse
administration channel to the RCP.
Configure the agents, so that they use the RCP for their
outbound connections to the management server.
Outbound-only communication through two firewalls
The figure below shows the network connections where there are
two firewalls. One firewall blocks inbound connections to the
management server. The other firewall blocks inbound connections to
the nodes.
The management server (1) opens a reverse administration
channel through the firewall (2) to the RCP (3). The
management server maintains the reverse administration channel, so
that the RCP never needs to make an inbound connection to the
management server.
Each agent (5) opens a reverse administration channel
through the firewall (4) to the RCP (3). The agents
maintain these connections, so that the RCP never needs to make
inbound connections to the agents.
The management server (1) and agents (5) open
outbound connections to the RCP, instead of directly to each other.
The RCP (3) forwards the these communications to the using
the reverse administration channel.
To configure outbound-only communication in this scenario, you
must:
Configure the RCP, so that it listens for incoming
connections.
Configure the management server, so that it opens a reverse
administration channel to the RCP.
Configure the management server, so that it uses the RCP as a
proxy for its outbound connections to agents.
Configure the agents, so that they each open a reverse
administration channel to the RCP.
Configure the agents, so that they use the RCP for their
outbound connections to the management server.
