SecureWay Firewall Plus for Tivoli

Configuring the firewall to allow communication between a Tivoli server in the internal network and Tivoli Managed Nodes in the perimeter network, so that the Plus module works correctly, is a multi-step process.

1) A set of firewall services and their rules is configured on the firewall to distribute the code for the plus module; these are shown in the section Initial Installation of the plus module through the Firewall below. Once the plus module has been installed, these rules and services should no longer be used. Instead, use the set of rules and services described in step 2.

2) A second set of firewall services and their rules permits the Tivoli server to monitor the Tivoli Managed Nodes. Rather than opening all ports above port 1023, you choose a smaller range of ports. The number of ports needed is a function of the number of Tivoli Managed Nodes and of the applications being monitored (e.g., MQ Series, DB2, SAP): the more Tivoli Managed Nodes and the more applications being monitored, the larger the port range that must be opened on the firewall. We started with a small range of ports and increased it until the Tivoli server could successfully monitor the Tivoli Managed Nodes. The rules that worked for our configuration are shown below in the section Normal Communication between TME Server and Tivoli Managed Nodes through the Firewall.

Initial Installation of the plus module through the Firewall

In order to install the plus module from the Tivoli Management Enterprise Server (TME), the following services and their rules must be configured on the IBM Firewall.

Service name: Tivoli Server and Tivoli Managed Node Communication for Install

Note: This service is used from the Tivoli Server to the Tivoli Managed Node and from the Tivoli Managed Node to the Tivoli Server.

Rules: Inter-ORB communication between the Tivoli Server and the Tivoli Managed Nodes

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       gt 1023      eq 94             secure     route    both
permit  tcp/ack   eq 94        gt 1023           secure     route    both

Rules: Inter-object messaging between the Tivoli Server and the Tivoli Managed Nodes

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       gt 1023      gt 1023           secure     route    both
permit  tcp/ack   gt 1023      gt 1023           secure     route    both

Rules: Negotiate ports for Inter-ORB communication between the Tivoli Server and the Tivoli Managed Nodes for messages longer than 16k

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       eq 94        eq 94             secure     route    both
permit  tcp/ack   eq 94        eq 94             secure     route    both

Service name: Tivoli Server to install code for the plus module

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       gt 1023      eq 512            secure     route    both
permit  tcp/ack   eq 512       gt 1023           secure     route    both

Normal Communication between TME Server and Tivoli Managed Nodes through the Firewall

Service name: Tivoli Server and Managed Node Communication

Note: This service is used from the Tivoli Server to the Tivoli Managed Node and from the Tivoli Managed Node to the Tivoli Server.

Rules: Inter-ORB communication between the Tivoli Server and the Tivoli Managed Nodes

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       gt 65300     eq 94             secure     route    both
permit  tcp/ack   eq 94        gt 65300          secure     route    both

Rules: Inter-object messaging between the Tivoli Server and the Tivoli Managed Nodes

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       gt 65300     gt 65300          secure     route    both
permit  tcp/ack   gt 65300     gt 65300          secure     route    both

Rules: Negotiate ports for Inter-ORB communication between the Tivoli Server and the Tivoli Managed Nodes

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       eq 94        eq 94             secure     route    both
permit  tcp/ack   eq 94        eq 94             secure     route    both

Service name: TME Tivoli Enterprise Console (TEC) Adapter Support

Rules: Tivoli Managed Nodes to non-secure TEC adapter

Action  Protocol  Source port  Destination port  Interface  Routing  Direction
permit  tcp       gt 1023      eq 5529           secure     route    both
permit  tcp/ack   eq 5529      gt 1023           secure     route    both

Note: The TEC Adapter code was generated by the SecureWay Firewall Plus for Tivoli plus module and distributed to the Tivoli Managed Nodes. Currently, for some reason, these rules do not work for the logfile adapter. A bug is open with Tivoli, PMR 52259. The TEC Server was manually configured to listen on port 5529, and the Tivoli Managed Nodes were manually configured to send their events to the TME Server at port 5529.

6. Build connections on the firewall

This table contains the firewall connections and services required by the protocols flowing through the firewall, with the exception of the protocols for Tivoli. The Tivoli firewall connections and services are in separate tables.

 

Debugging Firewall Configuration

Tivoli

Once the Tivoli Managed Nodes are distributed through the firewall, you may reduce the range of ports that are open on the firewall (see the section Normal Communication between TME Server and Tivoli Managed Nodes through the Firewall). Rather than opening all ports above port 1023, a range of ports can be configured on the Tivoli Server and the Tivoli Managed Nodes. There is no set formula for determining the size of the range; it is trial and error until you find a range that is large enough. If the range is not large enough, the Tivoli server may appear to hang. If you configure your firewall to log all denied rules, the log gives another indication: either the Tivoli Server or the Tivoli Managed Nodes will start to use ports outside the configured range, and the firewall rules will not allow those messages to traverse the firewall. Increasing the port range to a sufficient size permits Tivoli communication through the firewall within the defined port range.

 

In order to configure a set range for your TMR, use odadmin set_port_range x-y, where x is the low end of the range and y is the high end. In this particular scenario, the port range was set to 65301-65400, as only the SecureWay Firewall plus module was in use at the time. Your setup may need more ports depending on a wide variety of factors.
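The following is an added example, not code from the original document and not part of IBM's firewall or Tivoli software. It models the permit rules from the Normal Communication tables above (inter-ORB on port 94, inter-object messaging above the range floor, port negotiation, and the TEC adapter on 5529) as a first-match rule list with an implicit deny, and checks constructed Tivoli flows against them. For each denied flow it reports any ephemeral port that lies outside the range set with odadmin set_port_range, which is the symptom the debugging section says to look for in the firewall's denied-packet log. The port range 65301-65400 is taken from the page; the sample flows are constructed for the example. Passing a range of (1024, 65535) reproduces the install-time "gt 1023" port rules (minus the port 512 install service).

```python
"""Rule-evaluation model for the 'Normal Communication' firewall rules.

Added example; not part of the original document. It encodes the page's
permit rules and diagnoses denied flows whose ports fall outside the
Tivoli port range configured with 'odadmin set_port_range x-y'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_RANGE = (65301, 65400)  # the range used in the scenario on the page


@dataclass(frozen=True)
class Rule:
    """One row of the rule tables on the page (every row is a permit)."""
    protocol: str   # "tcp" = connection setup, "tcp/ack" = established/reply
    src_op: str     # "gt" or "eq", applied to the source port
    src_port: int
    dst_op: str     # "gt" or "eq", applied to the destination port
    dst_port: int
    interface: str = "secure"
    routing: str = "route"
    direction: str = "both"


def port_matches(op: str, rule_port: int, port: int) -> bool:
    """Evaluate the two port operators used in the page's tables."""
    if op == "eq":
        return port == rule_port
    if op == "gt":
        return port > rule_port
    raise ValueError(f"unsupported port operator: {op!r}")


def normal_rules(port_range: Tuple[int, int] = PORT_RANGE) -> List[Rule]:
    """The Normal Communication rules. The 'gt' floor is one below the range
    start, as the page uses gt 65300 for the range 65301-65400."""
    floor = port_range[0] - 1
    return [
        # Inter-ORB communication
        Rule("tcp", "gt", floor, "eq", 94),
        Rule("tcp/ack", "eq", 94, "gt", floor),
        # Inter-object messaging
        Rule("tcp", "gt", floor, "gt", floor),
        Rule("tcp/ack", "gt", floor, "gt", floor),
        # Port negotiation between ORBs
        Rule("tcp", "eq", 94, "eq", 94),
        Rule("tcp/ack", "eq", 94, "eq", 94),
        # TEC adapter support
        Rule("tcp", "gt", 1023, "eq", 5529),
        Rule("tcp/ack", "eq", 5529, "gt", 1023),
    ]


def matching_rule(rules: List[Rule], protocol: str,
                  src_port: int, dst_port: int) -> Optional[Rule]:
    """First matching permit rule, or None for the firewall's implicit deny."""
    for rule in rules:
        if (rule.protocol == protocol
                and port_matches(rule.src_op, rule.src_port, src_port)
                and port_matches(rule.dst_op, rule.dst_port, dst_port)):
            return rule
    return None


def diagnose(flows, port_range=PORT_RANGE):
    """Return (flow, 'permit'|'deny', hint) for each flow. For a denied flow
    the hint lists ephemeral ports (above 1023) outside the configured range,
    the indication the debugging section describes."""
    rules = normal_rules(port_range)
    low, high = port_range
    report = []
    for flow in flows:
        protocol, src_port, dst_port = flow
        if matching_rule(rules, protocol, src_port, dst_port) is not None:
            report.append((flow, "permit", ""))
            continue
        stray = [p for p in (src_port, dst_port)
                 if p > 1023 and not low <= p <= high]
        hint = ""
        if stray:
            hint = (f"ephemeral port(s) {stray} outside {low}-{high}: widen the "
                    f"range or rerun 'odadmin set_port_range {low}-{high}' "
                    f"on the Tivoli Server and the Managed Nodes")
        report.append((flow, "deny", hint))
    return report


# Constructed sample flows: (protocol, source port, destination port).
SAMPLE_FLOWS = [
    ("tcp", 65310, 94),        # Managed Node -> Server ORB: permitted
    ("tcp/ack", 94, 65310),    # the reply direction: permitted
    ("tcp", 65350, 65320),     # inter-object messaging inside the range
    ("tcp", 94, 94),           # port negotiation for long messages
    ("tcp", 4000, 5529),       # TEC adapter event delivery
    ("tcp", 2049, 94),         # ORB call from a port below the range: denied
    ("tcp", 65310, 22),        # not a Tivoli flow at all: denied, no hint
]

if __name__ == "__main__":
    for flow, verdict, hint in diagnose(SAMPLE_FLOWS):
        print(f"{str(flow):24} {verdict:6} {hint}")
```

The denied flow from port 2049 is the case the debugging section warns about: the Tivoli side is using a port below the range the firewall opens, so the fix is on the Tivoli range (or the firewall floor), not on the rule for port 94. The flow to port 22 is denied without a hint because neither of its ports is a Tivoli ephemeral port, which separates genuine range exhaustion from unrelated traffic in a denied-packet log.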