Configure firewall and NAT for DCE-based server communication


Server-based flexible management allows message forwarding and synchronization between management servers that are separated by a firewall, a network address translation (NAT) router, or both.
NOTE:
In HPOM for Windows version 8.10, server-based flexible management uses the HTTPS communication protocol. If you have two HPOM for Windows version 8.10 management servers, you can configure server-to-server communication through a firewall in the same way that you configure agent communication through a firewall. For more information, see Configuring two-way communication.

By default, HPOM for Windows 8.10 uses the HTTPS protocol for server-to-server communication. If you need to forward messages to management servers that support only the DCE protocol, you can change this default. For more information, see Configure communication protocols for server-based flexible management.

The configuration information provided here is for server-based flexible management between HPOM for Windows management servers using DCE communication protocol.

For more information, see the Firewall Concepts and Configuration Guide, which is available in the /Documentation/Whitepapers folder on the HPOM installation media and also from the HP Software Product Manuals web page.

Firewall and NAT basics

A firewall is a router system between two or more subnets. In addition to routing, the firewall filters all communication: only packets that pass at least one filter rule are allowed through, and all other packets are discarded. A filter rule usually consists of the following items:

Instead of a specific port, you can give a port range. In a typical remote communication, a client uses the source port to connect to a server that is listening on the destination port on a remote system. For firewall configuration, it is important to know which system initiates the communication (the client) and which receives communication requests (the server), so that the firewall rules can be set up accordingly.

A Network Address Translation (NAT) router connects two subnets, a public one and a private one. The NAT router has an IP address on the public subnet and translates this public IP address to one or more IP addresses on the private subnet, based on a given set of rules. The private IP addresses are not directly accessible on the public subnet, so an IP packet from the public subnet has to be rewritten to the private subnet by the NAT router, exchanging the public IP address with an IP address of the private subnet.

There are two kinds of NAT:

Configuration scenario

This example explains the necessary configuration steps based on a PAT scenario. You should be able to derive the configuration steps for any real server-based flexible management environment from it. The example shows one management server (manager1.example.com) directly connected to a LAN; the other two management servers are hidden behind a NAT router. The configuration task is to set up server-based flexible management between manager1.example.com and manager2.example.com.

Server-based flexible management uses RPC requests from the source management server (acting as DCE RPC client) to the message receiver on the target management server (acting as DCE RPC server). With these RPC requests, HPOM for Windows forwards messages and message operations. To get the port number of the message receiver on the target management server, the client has to request it from the DCE RPC endpoint mapper on the fixed port 135 of the target server system.

Because RPC requests from inside a NAT or firewall (in this example: from manager2.example.com to manager1.example.com) are usually allowed without special configuration, this example concentrates on the configuration for RPC requests from manager1.example.com to manager2.example.com. In environments where both servers are behind a firewall or inside separate NATs, you must repeat the configuration done for RPC requests from manager1.example.com to manager2.example.com for the other direction as well.

To configure firewall communication using PAT

Follow these steps to configure firewall communication using PAT.
  1. Provide the correct target server name in the server-based flexible management policy. If you want to forward messages and message operations to a management server hidden by a NAT, you must specify the public network name of the NAT router in the policy, not the hidden name of the management server. In the example illustrated above, the server-based flexible management policy on manager1.example.com contains nat.example.com as target server in the MSGTARGETMANAGERS sections for all messages that should be forwarded to manager2.example.com.
  2. Force the target management server to use a fixed port for the message receiver RPC server, so that you can open this port in the firewall or map it in the NAT configuration.
    1. In the console tree on the target management server, right-click Operations Manager, and then click Configure > Server.... The Server Configuration dialog box appears.
    2. Click Namespaces, and then click Message Action Server General. A list of values appears.
    3. Set the value of DCE RPC server port to the port number you want to use.
  3. Restart the RPC server on the target management server (manager2.example.com) by restarting the OvEpMessageActionServer service.

Verify RPC port usage

You can check the RPC server port usage using the opcrpccp utility which is located in <InstallDir>\Installed Packages\{790C06B4-844E-11D2-972B-080009EF8C2A}\contrib\OpC\opcrpccp.exe. The following command lists all RPC servers on the local system:

# opcrpccp show mapping

A list having many entries similar to the following will be printed:

<object> nil
<interface id> 6d63f833-c0a0-0000-020f-887818000000,7.0
<string binding> ncadg_ip_udp:15.136.123.62[12001] <-- port used
<annotation> OvEpRpcDataRcvr

Next, open the configured port in the firewall or map it in the NAT configuration to the target management server system. Make sure that port 135 for the DCE RPC endpoint mapper is also opened in the firewall or mapped in the NAT configuration to the target management server system, so that the RPC client on the source management server can request the message receiver port from the target management server system.
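The following Python script is an added example for this verification step; it is not part of HPOM and not a tool shipped with the product. It parses the output of `opcrpccp show mapping` and checks that the message receiver (annotation OvEpRpcDataRcvr) is registered on exactly the fixed port you configured, which is the condition the firewall or NAT rule depends on. The embedded sample output is constructed from the entry shown above plus an invented second RPC server so that the filter has something to exclude; `check_live_server` runs the real utility and assumes the documented install path with `<InstallDir>` replaced by your installation directory.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample output modelled on the entry shown in the documentation.
# The second entry is an invented, unrelated RPC server so that the filter on
# the OvEpRpcDataRcvr annotation has something to exclude.
SAMPLE_OUTPUT = """\
<object> nil
<interface id> 6d63f833-c0a0-0000-020f-887818000000,7.0
<string binding> ncadg_ip_udp:15.136.123.62[12001]
<annotation> OvEpRpcDataRcvr
<object> nil
<interface id> 00000000-0000-0000-0000-000000000001,1.0
<string binding> ncacn_ip_tcp:15.136.123.62[49152]
<annotation> SomeOtherRpcServer
"""

# Utility location from the documentation; <InstallDir> must be replaced with
# the real installation directory before check_live_server() is used.
OPCRPCCP = (r"<InstallDir>\Installed Packages"
            r"\{790C06B4-844E-11D2-972B-080009EF8C2A}\contrib\OpC\opcrpccp.exe")

FIELD_RE = re.compile(r"^<([^>]+)>\s*(.*)$")
# protocol sequence, host and port, e.g. ncadg_ip_udp:15.136.123.62[12001];
# deliberately not anchored at the end so a trailing remark is tolerated.
BINDING_RE = re.compile(r"^([a-z_]+):([^\[]+)\[(\d+)\]")


def parse_mapping(text: str) -> List[Dict[str, object]]:
    """Split `opcrpccp show mapping` output into one dict per RPC server entry.

    A new entry starts at every <object> line; blank lines are ignored.
    """
    entries: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # not a "<key> value" line
        key, value = m.group(1), m.group(2).strip()
        if key == "object" and current:
            entries.append(current)
            current = {}
        if key == "string binding":
            b = BINDING_RE.match(value)
            if b:
                current["protseq"] = b.group(1)
                current["host"] = b.group(2)
                current["port"] = int(b.group(3))
        else:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def receiver_ports(entries: List[Dict[str, object]],
                   annotation: str = "OvEpRpcDataRcvr") -> List[int]:
    """Distinct ports registered under the message receiver's annotation."""
    return sorted({e["port"] for e in entries
                   if e.get("annotation") == annotation and "port" in e})


def check_fixed_port(text: str, expected_port: int,
                     annotation: str = "OvEpRpcDataRcvr") -> Dict[str, object]:
    """ok is True only if the receiver listens on exactly the expected port."""
    ports = receiver_ports(parse_mapping(text), annotation)
    return {"ports": ports, "ok": ports == [expected_port]}


def check_live_server(expected_port: int, exe: str = OPCRPCCP) -> Dict[str, object]:
    """Run the utility on the local management server and check its output."""
    out = subprocess.run([exe, "show", "mapping"], capture_output=True,
                         text=True, check=True).stdout
    return check_fixed_port(out, expected_port)


if __name__ == "__main__":
    result = check_fixed_port(SAMPLE_OUTPUT, 12001)
    print("message receiver ports:", result["ports"],
          "OK" if result["ok"] else "MISMATCH")
```

Run it on the target management server after restarting OvEpMessageActionServer; a MISMATCH (no port, or a port different from the configured one) means the firewall or NAT rule would be opened for a port the receiver is not actually using.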

Communication without DCE RPC endpoint mapper

In many environments, opening the DCE RPC endpoint mapper port 135 in the firewall is considered a security risk. With a PAT (Port Address Translation) router, it may also not be possible to map port 135 to a hidden system because the PAT router needs port 135 for its own purposes. Server-based flexible management can also work without port 135.

For this purpose, the RPC client on the source management server (manager1.example.com) needs to know on which port the message receiver on the target management server (manager2.example.com) is listening. The client can get this information from a port configuration file instead of from the DCE RPC endpoint mapper.

  1. Specify the location of the port configuration file on the source management server:
    1. In the console tree, right-click Operations Manager, and then click Configure > Server.... The Server Configuration dialog box appears.
    2. Click Namespaces, and then click Message Action Server General. A list of values appears.
    3. Configure the value DCE RPC server port specification file with the full path of the port configuration file. For example: C:\restricted\ports.txt

      You can use a different location and name for the port configuration file. For security reasons, restrict the access rights on this file, especially write access, because its contents determine which port the RPC client connects to.

  2. Create the port specification file and specify which port should be used for a given target server. If you want to access a management server hidden by a NAT, you have to specify the network name of the NAT router as the node name. An example of the server port specification file for the given scenario is shown below:

    #
    # SelectionCriteria SrvType Port Node
    # -------------------------------------------------------------------
    NODE_NAME opcmsgrd 12001 nat.example.com
    NODE_NAME opcdistm 12001 nat.example.com

NOTE:
somename.example.com matches the same node names as <*>somename.example.com<*>

^somename.hp.com$ matches somename.hp.com exactly.
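To make the matching rules concrete, here is an added Python example (not part of HPOM, and not the product's own parser) that reads a port specification file and resolves the port for a given server type and target node. It implements the documented semantics: <*> is a wildcard, ^ and $ anchor the pattern, and an unanchored pattern matches anywhere in the node name. The file contents are constructed from the scenario above plus an invented anchored entry for manager3.example.com; case-insensitive matching and first-match-wins ordering are assumptions made here. The example also shows why anchoring matters: the unanchored pattern nat.example.com also matches xnat.example.com, so an entry written without ^ and $ can apply to more hosts than intended.

```python
import re
from typing import List, NamedTuple, Optional


class PortEntry(NamedTuple):
    criteria: str       # only NODE_NAME is documented
    srvtype: str        # RPC server type, e.g. opcmsgrd (message receiver)
    port: int
    node_pattern: str   # pattern as written in the file
    node_regex: "re.Pattern"


# Constructed port specification file: the two lines from the documented
# scenario plus one anchored entry (manager3.example.com is invented) that
# shows exact matching with ^ and $.
SAMPLE_SPEC = """\
#
# SelectionCriteria SrvType Port Node
# -------------------------------------------------------------------
NODE_NAME opcmsgrd 12001 nat.example.com
NODE_NAME opcdistm 12001 nat.example.com
NODE_NAME opcmsgrd 12002 ^manager3.example.com$
"""


def pattern_to_regex(node_pattern: str) -> "re.Pattern":
    """Translate a Node pattern into a compiled regex.

    <*> is a wildcard; ^ and $ anchor the pattern; an unanchored pattern
    matches anywhere in the node name (somename.example.com is equivalent to
    <*>somename.example.com<*>). Case-insensitive matching is an assumption
    made here because DNS names are case-insensitive.
    """
    start = node_pattern.startswith("^")
    end = node_pattern.endswith("$")
    core = node_pattern[1 if start else 0: -1 if end else None]
    body = ".*".join(re.escape(piece) for piece in core.split("<*>"))
    return re.compile(("^" if start else "") + body + ("$" if end else ""),
                      re.IGNORECASE)


def matches(node_pattern: str, node_name: str) -> bool:
    """True if the node name is selected by the pattern."""
    return pattern_to_regex(node_pattern).search(node_name) is not None


def parse_spec(text: str) -> List[PortEntry]:
    """Parse the file; blank lines and lines starting with # are comments."""
    entries: List[PortEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        criteria, srvtype, port, node = fields
        if criteria != "NODE_NAME":
            raise ValueError(f"line {lineno}: unsupported selection criteria {criteria}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"line {lineno}: invalid port {port}")
        entries.append(PortEntry(criteria, srvtype, int(port), node,
                                 pattern_to_regex(node)))
    return entries


def resolve_port(entries: List[PortEntry], srvtype: str,
                 node_name: str) -> Optional[int]:
    """Port for the given server type and target node, or None if no entry
    matches. First matching entry wins (an assumption; the page does not
    state the order in which entries are evaluated)."""
    for e in entries:
        if e.srvtype == srvtype and e.node_regex.search(node_name):
            return e.port
    return None


if __name__ == "__main__":
    spec = parse_spec(SAMPLE_SPEC)
    for node in ("nat.example.com", "xnat.example.com", "manager3.example.com",
                 "xmanager3.example.com"):
        print(f"opcmsgrd on {node}: {resolve_port(spec, 'opcmsgrd', node)}")
```

Running the script shows that xnat.example.com resolves to 12001 through the unanchored entry while xmanager3.example.com resolves to nothing because its entry is anchored; write the Node column with ^ and $ when the file should apply to exactly one host.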

Restrictions

In an environment with Port Address Translation (PAT), only one management server in the private network behind the PAT router can be accessed from a management server in the public (outside) network. If you use the RPC endpoint mapper, only the management server to which port 135 of the PAT router is mapped is accessible. If you turned off the use of the RPC endpoint mapper, only the management server to which the port specified in the port specification file is mapped is accessible.
