Configure firewall and NAT for DCE-based server communication
Server-based flexible management allows message forwarding and
synchronization between management servers that are separated by a
firewall, a network address translation (NAT) router, or both.
NOTE: In HPOM for Windows version 8.10,
server-based flexible management uses the HTTPS communication
protocol. If you have two HPOM for Windows version 8.10 management
servers, you can configure server-to-server communication through a
firewall in the same way that you configure agent communication
through a firewall. For more information, see
Configuring two-way communication.
By default, HPOM for Windows 8.10 uses the HTTPS protocol for
server-to-server communication. If you need to forward messages to
management servers that support only the DCE protocol, you can
change this default. For more information, see
Configure communication protocols for server-based flexible
management.
The configuration information provided here is for server-based
flexible management between HPOM for Windows management servers
using the DCE communication protocol.
For more information, see the Firewall Concepts and
Configuration Guide, which is available in the
/Documentation/Whitepapers folder on the HPOM
installation media and also from the HP Software Product
Manuals web page.
Firewall and NAT basics
A firewall is a router system between two or more subnets. In
addition to the routing, the firewall also filters all
communication. Only packets that pass at least one filter rule are
allowed to pass the firewall. All other packets are discarded. A
filter rule usually consists of the following items:
A protocol type, such as TCP, UDP, or ICMP
A direction ("inside -> outside" or "outside -> inside")
A source port
A destination port
Instead of a specific port, you can give a port range. In a typical
remote communication, a client uses the source port to connect to a
server, which is listening on the destination port on a remote
system. For firewall configuration, it is important to know which
system initiates the communication (client) and which receives
communication requests (server), so that the firewall rules can be
set up accordingly.
A Network Address Translation (NAT) router connects two subnets,
a public one and a private one. The NAT router has an IP address on
the public subnet and translates this public IP address to one or
more IP addresses on the private subnet, based on a given set of
rules. The private IP addresses are not directly accessible on the
public subnet, so an IP packet from the public subnet has to be
rewritten to the private subnet by the NAT router, exchanging the
public IP address with an IP address of the private subnet.
There are two kinds of NAT:
Basic NAT (static NAT): translates each public IP address to a
private IP address; so for each private IP address there needs to
be one public IP address.
Port Address Translation (PAT): has only a single public IP
address and maps it to multiple private IP addresses based on the
ports used.
Configuration scenario
This example explains the necessary configuration steps based on a
PAT scenario. You should be able to derive the configuration steps
for any real server-based flexible management environment from it.
The example shows one management
server (manager1.example.com) directly connected to a LAN; the
other two management servers are hidden behind a NAT router. The
configuration task is to set up server-based flexible management
between manager1.example.com and manager2.example.com.
Server-based flexible management works using RPC requests from
the source management server (acting as DCE RPC client) to the
message receiver on the target management server (acting as DCE RPC
server). With these RPC requests, HPOM for Windows forwards
messages and message operations. To get the port number of the
message receiver on the target management server, the client has to
request it from the DCE RPC endpoint mapper on the fixed port 135
of the target server system.
As RPC requests from inside a NAT or firewall (in this example:
from manager2.example.com to manager1.example.com) are usually
allowed without special configuration, this example concentrates on
the configuration for RPC requests from manager1.example.com to
manager2.example.com. In environments where both servers are
behind a firewall or inside separate NATs, repeat the
configuration described for RPC requests from manager1.example.com
to manager2.example.com for the other direction as well.
To configure firewall communication using PAT
Follow these steps to configure firewall communication using PAT.
Provide the correct target server name in the server-based
flexible management policy. If you want to forward messages and
message operations to a management server hidden by a NAT, you must
specify the public network name of the NAT router in the policy,
not the hidden name of the management server. In the example
illustrated above, the server-based flexible management policy on
manager1.example.com contains nat.example.com as target server in
the MSGTARGETMANAGERS sections for all messages that should be
forwarded to manager2.example.com.
Force the target management server to use a fixed port for the
message receiver RPC server, so that you can open this port in the
firewall or map it in the NAT configuration.
In the console tree on the target management server,
right-click Operations Manager, and then click
Configure > Server.... The Server Configuration dialog box appears.
Click Namespaces, and then click Message Action
Server General. A list of values appears.
Set the value of DCE RPC server port to the port number
you want to use.
Restart the RPC server on the target management server
(manager2.example.com) by restarting the OvEpMessageActionServer
service.
Verify RPC port usage
You can check the RPC server port usage with the opcrpccp utility,
which is located in <InstallDir>\Installed
Packages\{790C06B4-844E-11D2-972B-080009EF8C2A}\contrib\OpC\opcrpccp.exe.
The following command lists all RPC servers on the local system:
# opcrpccp show mapping
A list with many entries similar to the following is printed:
<object>          nil
<interface id>    6d63f833-c0a0-0000-020f-887818000000,7.0
<string binding>  ncadg_ip_udp:15.136.123.62[12001]   <-- port used
<annotation>      OvEpRpcDataRcvr
Next, open the configured port in the firewall or map it in the
NAT configuration to the target management server system. Make
sure that port 135 for the DCE RPC endpoint mapper is also opened
in the firewall or mapped in the NAT configuration to the target
management server system, so that the RPC client on the source
management server can request the message receiver port of the
target management server system.
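To check that the message receiver is really bound to the fixed port before opening it in the firewall or mapping it in the NAT, the following added example (not part of the original page or of the HPOM product) parses the `opcrpccp show mapping` output. The sample output, the 192.0.2.x address and the second interface id are constructed; only the `OvEpRpcDataRcvr` annotation and the receiver's interface id come from the page.

```python
import re
from typing import Dict, List

# One field per match; the "<-- port used" marker seen in documentation is ignored.
FIELD_RE = re.compile(r"<(object|interface id|string binding|annotation)>\s*(\S+)")
# DCE string binding: <protocol sequence>:<host>[<endpoint>]
BINDING_RE = re.compile(r"^(?P<protseq>[a-z_]+):(?P<host>[^\[]+)\[(?P<port>\d+)\]$")

# Constructed sample of "opcrpccp show mapping" output (not captured from a real system).
SAMPLE_OUTPUT = """
<object>          nil
<interface id>    6d63f833-c0a0-0000-020f-887818000000,7.0
<string binding>  ncadg_ip_udp:192.0.2.20[12001]
<annotation>      OvEpRpcDataRcvr

<object>          nil
<interface id>    6d63f833-c0a0-0000-020f-887818000000,7.0
<string binding>  ncacn_ip_tcp:192.0.2.20[12001]
<annotation>      OvEpRpcDataRcvr

<object>          nil
<interface id>    00000000-0000-0000-0000-000000000001,1.0
<string binding>  ncacn_ip_tcp:192.0.2.20[49321]
<annotation>      ConstructedOtherRpcServer
"""

def parse_mappings(text: str) -> List[Dict[str, str]]:
    """Group the four fields of each endpoint-map entry; a new <object> starts a new entry."""
    entries, current = [], {}
    for field, value in FIELD_RE.findall(text):
        if field == "object" and current:
            entries.append(current)
            current = {}
        current[field] = value
    if current:
        entries.append(current)
    return entries

def message_receiver_ports(text: str, annotation: str = "OvEpRpcDataRcvr") -> Dict[str, int]:
    """Return {protocol sequence: port} for every registered binding of the message receiver."""
    ports = {}
    for entry in parse_mappings(text):
        if entry.get("annotation") != annotation:
            continue
        match = BINDING_RE.match(entry.get("string binding", ""))
        if match:
            ports[match["protseq"]] = int(match["port"])
    return ports

def check_fixed_port(text: str, expected_port: int) -> List[str]:
    """Return findings; an empty list means every receiver binding uses the fixed port."""
    ports = message_receiver_ports(text)
    findings = []
    if not ports:
        findings.append("no OvEpRpcDataRcvr binding registered; is OvEpMessageActionServer running?")
    for protseq, port in sorted(ports.items()):
        if port != expected_port:
            findings.append(f"{protseq} bound to {port}, expected fixed port {expected_port}")
    return findings
```

Run it against the captured output of `opcrpccp show mapping` on the target server with the port you entered as DCE RPC server port; any finding means the firewall or NAT rule for that port would not match the actual listener.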
Communication without DCE RPC endpoint mapper
In many environments, opening the DCE RPC endpoint mapper port 135
in the firewall is considered a security risk. With a PAT (Port
Address Translation) router, it may also be impossible to map
port 135 to a hidden system because the PAT router needs port 135
for its own purposes. Server-based flexible management can work
without port 135.
For this purpose, the RPC client on the source management server
(manager1.example.com) needs to know on which port the message
receiver on the target management server (manager2.example.com) is
listening. The client can get this information from a port
configuration file instead of from the DCE RPC endpoint mapper.
Specify the location of the port configuration file on the
source management server:
In the console tree, right-click Operations Manager, and
then click Configure > Server.... The
Server Configuration dialog box appears.
Click Namespaces, and then click Message Action
Server General. A list of values appears.
Configure the value DCE RPC server
port specification file with the full path of the port
configuration file. For example:
C:\restricted\ports.txt
You can also use other file locations and names for the port
configuration file. For security reasons, restrict the access
rights on this file (especially write access).
Create the port specification file and specify which port
should be used for a given target server. If you want to access a
management server hidden by a NAT, you have to specify the network
name of the NAT router as the node name. An example of the server
port specification file for the given scenario is shown below:
In an environment with Port Address Translation (PAT), only one
management server in the private network of the PAT router can be
accessed from a management server in the public (outside) network.
If you use the RPC endpoint mapper, only the management server to
which port 135 of the PAT router is mapped is accessible. If you
turned off the use of the RPC endpoint mapper, only the management
server to which the port specified in the port specification file
is mapped is accessible.