
Implementing CONTROL-M and Enterprise Controlstation Across Firewalls

Contents:
    Overview (page 1)
    Standard CONTROL-M Implementation (page 2)
    Connecting CONTROL-M/Server and CONTROL-M/Agent Through a Firewall (page 3)
        Customizing CONTROL-M/Agent (page 3)
        Customizing CONTROL-M/Server (page 3)
    Connecting CONTROL-M/Server and Enterprise Controlstation Through a Firewall (page 4)
        Customizing Enterprise Controlstation (page 4)
        Customizing CONTROL-M/Server (page 4)
    Connecting Enterprise Controlstation Components Through a Firewall (page 5)
        Establishing a Gateway-GUI connection through a firewall (page 6)
        Establishing a Gateway-Global Conditions Server connection through a firewall (page 6)
        Establishing a GUI Client-GUI Server connection through a firewall (page 6)
        Establishing a GUI-Global Alerts Server connection through a firewall (page 6)

Overview:
As a result of the ever-increasing importance of and need for secure environments, organizations are implementing firewalls extensively. Most CONTROL-M and Enterprise Controlstation implementations are spread across a large number of machines. These machines vary in type and physical location, and are typically found in environments that are shielded by firewalls. CONTROL-M and Enterprise Controlstation implementations must maintain high availability and flexibility without affecting the security of the customer's computing environment. This document focuses on the best practices for implementing CONTROL-M and Enterprise Controlstation in firewall-protected environments.

Page 1

Standard CONTROL-M Implementation


The CONTROL-M three-tier architecture includes Enterprise Controlstation and multiple CONTROL-M/Servers and CONTROL-M/Agents. A firewall can exist between any two connected components.

The above diagram demonstrates a possible CONTROL-M implementation.

Page 2

Connecting CONTROL-M/Server and CONTROL-M/Agent Through a Firewall


Customizing CONTROL-M/Agent:
Each connecting CONTROL-M/Agent uses the host name of the relevant CONTROL-M/Server and two ports to establish communication. One of these ports is used for agent-to-server communication and the other is used for server-to-agent communication. All parameters are specified during the CONTROL-M/Agent installation process and can be changed later by using the configuration parameters option of the ag_menu utility. The changes are made in exactly the same manner as the parameters that are specified for the backup CONTROL-M/Server(s). If a firewall separates the CONTROL-M/Agent from the CONTROL-M/Server, the server-to-agent port should be defined as accept in the firewall to allow communication between the two machines. Please note that the server-to-agent port should also enable open communication with the backup CONTROL-M/Server to ensure smooth failover (database restoration).

Customizing CONTROL-M/Server:
To establish communication, the CONTROL-M/Server uses the host names of all connecting CONTROL-M/Agents and two ports per agent. One of these ports is used for server-to-agent communication and the other is used for agent-to-server communication. All parameters are specified during CONTROL-M/Server installation and can be changed later using the parameters customization option of the ctm_menu utility. The host name and server-to-agent port number parameters can be found under the Default Parameters for Communication with Agent Platforms and Parameters for Communication with a Specific Agent Platform menu options. The agent-to-server port number parameter can be found under Communication and Operational Parameters. If a firewall separates the CONTROL-M/Server from the connected CONTROL-M/Agent(s), the agent-to-server port(s) should be defined as accept in the firewall to allow communication between the machines. Please note that when using node groups, this process should be repeated for each node included in the group.

Page 3

Connecting CONTROL-M/Server and Enterprise Controlstation Through a Firewall


Customizing Enterprise Controlstation:
To establish communication, the Enterprise Controlstation uses the specific host name and port number identified in the comm table for each connected CONTROL-M/Server. The port is used for communication from the Enterprise Controlstation to the CONTROL-M/Server, and the consecutive port is used for communication from the CONTROL-M/Server to the Enterprise Controlstation. The port number used for communication from the Enterprise Controlstation to the CONTROL-M/Server and the CONTROL-M/Server host name are defined using the Enterprise Controlstation GUI. If a firewall separates the Enterprise Controlstation from a CONTROL-M/Server, the port used for communication from the CONTROL-M/Server (i.e., the port number defined in Enterprise Controlstation + 1) should be defined as accept in the firewall to allow communication between the two machines.

Customizing CONTROL-M/Server:
Each connected CONTROL-M/Server uses the host name of the relevant CONTROL-M/Server and two ports. One of these ports is used for communication from the Enterprise Controlstation to CONTROL-M, and the other port is used for communication in the opposite direction. The port number used for communication from the Enterprise Controlstation is defined using the ctm_menu utility: select the parameters customization option under Communication and Operational Parameters. If a firewall separates the CONTROL-M/Server from the Enterprise Controlstation, the port used for communication from the Enterprise Controlstation should be defined as accept in the firewall to allow communication between the two machines.
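The two preceding sections describe the same links from both ends: each agent/server pair needs one port accepted in each direction, the backup server needs the server-to-agent port as well, and the server-to-Enterprise Controlstation port is the configured port + 1. The following planner, an added example that is not BMC code, turns such a topology into the list of accept rules per firewall and flags the case where the two sides were configured with different port numbers; all host names and port numbers are constructed placeholders, not values from this document.

```python
# Firewall rule planner for CONTROL-M ports.  Added example, not BMC code;
# hosts and port numbers are constructed placeholders.
from dataclasses import dataclass, field
@dataclass
class Agent:                 # values set with ag_menu on the agent host
    host: str
    server_host: str
    agent_to_server: int
    server_to_agent: int
    backup_servers: tuple = ()

@dataclass
class Server:                # values set with ctm_menu on the server host
    host: str
    agent_to_server: int                                  # one port for all agents
    server_to_agent: dict = field(default_factory=dict)   # agent host -> port
    ec_port: int = 0         # port Enterprise Controlstation connects to

def plan_rules(ec_host, servers, agents):
    """Return (rules, problems).  Rule (fw_host, peer, port): the firewall in
    front of fw_host must accept inbound connections from peer on port."""
    rules, problems = set(), []
    by_host = {s.host: s for s in servers}
    for a in agents:
        srv = by_host.get(a.server_host)
        if srv is None:
            problems.append(f"{a.host}: unknown server {a.server_host}")
            continue
        # Both sides configure the same two ports; a mismatch breaks the link
        if srv.agent_to_server != a.agent_to_server:
            problems.append(f"{a.host}: agent-to-server port mismatch")
        if srv.server_to_agent.get(a.host) != a.server_to_agent:
            problems.append(f"{a.host}: server-to-agent port mismatch")
        rules.add((srv.host, a.host, a.agent_to_server))  # agent -> server
        rules.add((a.host, srv.host, a.server_to_agent))  # server -> agent
        for backup in a.backup_servers:                   # failover path
            rules.add((a.host, backup, a.server_to_agent))
    for s in servers:
        if s.ec_port:
            rules.add((s.host, ec_host, s.ec_port))       # EC -> server
            rules.add((ec_host, s.host, s.ec_port + 1))   # server -> EC is port + 1
    return sorted(rules), problems
# Constructed sample topology: primary and backup server, two agents.
SERVERS = [Server("ctm1", 7005, {"agt1": 7006, "agt2": 7006}, ec_port=2370),
           Server("ctm2", 7005, {"agt1": 7006}, ec_port=2372)]
AGENTS = [Agent("agt1", "ctm1", 7005, 7006, backup_servers=("ctm2",)),
          Agent("agt2", "ctm1", 7005, 7007)]  # server-to-agent mismatch
def sample():
    return plan_rules("ecs", SERVERS, AGENTS)
```

Running sample() yields nine accept rules and one problem, the agt2 mismatch, which no firewall rule would fix.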

Page 4

Connecting Enterprise Controlstation Components Through a Firewall

Enterprise Controlstation components can be spread across multiple machines, and may be separated by a firewall. The most likely connections to cross firewalls include:
1. Gateway and GUI
2. Gateway and Global Conditions Server
3. GUI Client and GUI Server
4. GUI and Global Alerts Server

Page 5

Establishing a Gateway-GUI connection through a firewall:


The Gateway writes its host name and port number automatically in the Enterprise Controlstation database upon initiation, and continues monitoring the relevant port. The host name and port number are used by GUIs to connect to the Gateway. By default, the Gateway selects any available port number; however, a port that is chosen dynamically cannot be defined in advance within the firewall. To solve this problem, use static ports through the HostPortList system parameter. The format for this parameter is <dc name>=<hostname/IP address>:<port>. These ports are used for bidirectional communication, and should be defined as accept on both the Gateway machine firewall and the GUI machine firewall.

Establishing a Gateway-Global Conditions Server connection through a firewall:


The Global Conditions Server connects to the Gateway in the exact same manner as the GUI (see previous paragraph).

Establishing a GUI Client-GUI Server connection through a firewall:


The connection is established via the Orbix Daemon. An Orbix server is installed on the machine on which the GUI Server resides, and an Orbix client is installed on the machine on which the GUI Client resides. In the orbix.cfg file, three parameters determine the communication port numbers to be used:
IT_DAEMON_PORT: The initial port number on which the client requests a connection from the Orbix server. Default: 1570.
IT_DAEMON_SERVER_BASE: The starting TCP port number for servers launched by the Orbix server. Default: 1590.
IT_DAEMON_SERVER_RANGE: The number of ports, beginning with IT_DAEMON_SERVER_BASE, that are available for Orbix servers. Default: 50.
If a firewall separates the GUI Client from the GUI Server, IT_DAEMON_PORT should be defined as accept in the firewall to allow communication between the two machines, and the range of IT_DAEMON_SERVER_RANGE ports beginning at IT_DAEMON_SERVER_BASE should be defined as accept on both the Orbix server and the Orbix client machines. If desired, the value of IT_DAEMON_SERVER_RANGE can be decreased to minimize the number of ports that must be opened in the firewall (the GUI Server requires only one port for any number of connected GUI Clients).
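Both the HostPortList parameter above and the three Orbix parameters define the static ports that have to be accepted between Enterprise Controlstation components. The example below, added here and not BMC code, parses HostPortList entries in the documented <dc name>=<hostname/IP address>:<port> form, derives the Orbix port set from the three parameters, and reports any Gateway port that falls inside the Orbix range, which is the kind of collision that becomes visible only when the firewall rules are written down. It assumes the entries are supplied one per string and the Orbix values have already been read into a dictionary; the data center names, hosts and port numbers are constructed.

```python
# Static-port planning for Enterprise Controlstation components.  Added
# example, not BMC code.  Assumes HostPortList entries are supplied one per
# string in the documented <dc name>=<hostname/IP address>:<port> form and
# that the three Orbix parameters are read into a dict; sample values are
# constructed.
import re

HOSTPORT_RE = re.compile(r"^(?P<dc>[^=]+)=(?P<host>[^:]+):(?P<port>\d{1,5})$")

def parse_hostportlist(entries):
    """Map each data center name to (host, port); reject malformed entries
    and out-of-range ports so a bad entry does not silently fall back to a
    dynamically chosen port."""
    static = {}
    for e in entries:
        m = HOSTPORT_RE.match(e.strip())
        if not m or not 1 <= int(m["port"]) <= 65535:
            raise ValueError(f"bad HostPortList entry: {e!r}")
        if m["dc"] in static:
            raise ValueError(f"duplicate data center: {m['dc']}")
        static[m["dc"]] = (m["host"], int(m["port"]))
    return static

def orbix_ports(cfg):
    """Ports the GUI Client -> GUI Server path needs: the daemon port plus the
    launched-server range [BASE, BASE + RANGE)."""
    base, rng = cfg["IT_DAEMON_SERVER_BASE"], cfg["IT_DAEMON_SERVER_RANGE"]
    return {cfg["IT_DAEMON_PORT"]} | set(range(base, base + rng))

def accept_list(entries, cfg):
    """Return (gateway_ports, orbix_ports, overlap).  Gateway ports are
    bidirectional; an overlap means a Gateway port sits in the Orbix range."""
    gw = {port for _, port in parse_hostportlist(entries).values()}
    orb = orbix_ports(cfg)
    return gw, orb, gw & orb

# Constructed sample: two data centers and the Orbix defaults from the text,
# then the range reduced to one port since the GUI Server needs only one.
ENTRIES = ["PROD=ctm1.example.net:1598", "TEST=10.0.0.7:1560"]
DEFAULT_CFG = {"IT_DAEMON_PORT": 1570, "IT_DAEMON_SERVER_BASE": 1590,
               "IT_DAEMON_SERVER_RANGE": 50}
REDUCED_CFG = dict(DEFAULT_CFG, IT_DAEMON_SERVER_RANGE=1)

def sample():
    return accept_list(ENTRIES, DEFAULT_CFG), accept_list(ENTRIES, REDUCED_CFG)
```

With the defaults the PROD Gateway port 1598 collides with the 1590-1639 Orbix range; with the range reduced the Orbix set shrinks to two ports and the collision disappears.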

Establishing a GUI-Global Alerts Server connection through a firewall:


The GUI connects to the Global Alerts Server in the exact same manner that the GUI Client connects to the GUI Server (see previous paragraph).
Page 6

For more information visit BMC Software on the Web at www.bmc.com

BMC Software, the BMC Software logos and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. All other registered trademarks or trademarks belong to their respective companies. 2000 BMC Software, Inc. All rights reserved. 100035657 12/00
