HP OpenView System Administration Handbook [Electronic resources] : Network Node Manager, Customer Views, Service Information Portal, HP OpenView Operations

Tammy Zitello


20.12 THE FIREWALL

A firewall, as defined in Cisco Press's Dictionary of Internetworking Terms and Acronyms, is a "router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network." The HTTPS-based agent makes it possible to configure and support nodes outside the firewall. A firewall configuration might be necessary to communicate with the managed nodes in one of the following three locations:

  • The demilitarized zone (DMZ): the usual location for web servers, FTP servers, and B2B transaction servers.

  • Internet: untrusted areas of the internetwork, outside the DMZ.

  • Intranet: the trusted area for devices within the private network(s).

Information on configuring OpenView for DCE (NCS)/RPC-based communications can be found in the document, "Firewall Configuration White Paper," available at http://ovweb.external.hp.com/lpe/doc_serv/.

The HTTPS Agent Concepts and Configuration Guide contains detail on configuring the HTTPS-based agent for use with firewalls.

20.12.1 Proxy Filter

Communication sessions between the management server and the managed node that travel through the Internet may require a proxy filter. A "proxy" filter is a firewall that authenticates user (or application) sessions originating inside the firewall and allows the communication to proceed to its destination outside the firewall. The proxy firewall generally configures port 8080 to receive, authenticate, and forward inbound or outbound network traffic. Communications to and from the management server might originate from the following processes: certificate server (ovcs), config/deploy component (ovconfgd), remote control (opcragt), request sender (ovoareqsdr), message receiver (opcmsgrb), and configuration adaptor (opcbbcdist). Communications from the message agent on an OVO managed node first contact the "proxy" firewall (on the default port 8088), where authentication takes place, and the traffic is then forwarded to its destination inside the firewall. The HTTPS-based agent can take advantage of the proxy concept for secure communications. The proxy environment requires additional application software such as Apache, which is not provided by the OVO installation. Read more about firewalls and proxy filters at http://www.itsecurity.com/dictionary/dictionary.
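A practical way to confirm that the topology above is actually enforced is to probe, from a managed node in the DMZ, that the agent-facing proxy port is reachable while a direct connection to the management server is blocked. The script below is an added example, not code from the handbook or from HP OpenView; the hostnames are placeholders, and only the default ports named in the text (8088 agent-facing, 8080 server-side) are assumed.

```shell
#!/bin/sh
# Added example (not from the handbook): verify that a managed node reaches the
# management server only through the proxy filter. Hostnames are placeholders.
MGMT_SERVER="${MGMT_SERVER:-mgmtserver.example.invalid}"  # placeholder
PROXY_HOST="${PROXY_HOST:-proxy.example.invalid}"         # placeholder
PROXY_PORT="${PROXY_PORT:-8088}"    # agent-facing proxy port (default from the text)
SERVER_PORT="${SERVER_PORT:-8080}"  # server-side proxy port (default from the text)
TIMEOUT_SECS="${TIMEOUT_SECS:-3}"

# probe HOST PORT: returns 0 if a TCP connect succeeds within TIMEOUT_SECS, else non-zero.
# Uses bash's /dev/tcp so no extra tools beyond coreutils' timeout are needed.
probe() {
  host=$1; port=$2
  timeout "$TIMEOUT_SECS" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# check LABEL HOST PORT EXPECT: EXPECT is "open" or "closed"; prints the result and
# returns 0 only when the observed state matches the expectation.
check() {
  label=$1; host=$2; port=$3; expect=$4
  if probe "$host" "$port"; then state=open; else state=closed; fi
  if [ "$state" = "$expect" ]; then
    printf 'OK    %-42s %s:%s is %s\n' "$label" "$host" "$port" "$state"
    return 0
  fi
  printf 'FAIL  %-42s %s:%s is %s (expected %s)\n' "$label" "$host" "$port" "$state" "$expect"
  return 1
}

# Run from the managed node: the agent must reach the proxy filter, and must NOT be
# able to bypass it with a direct connection to the management server's port.
run_checks() {
  rc=0
  check "agent -> proxy filter (must be open)"  "$PROXY_HOST"  "$PROXY_PORT"  open   || rc=1
  check "agent -> server direct (must be closed)" "$MGMT_SERVER" "$SERVER_PORT" closed || rc=1
  return $rc
}
```

Call `run_checks` on the managed node after setting the four environment variables; a non-zero exit means the firewall rules do not match the intended proxy-only path.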