AIOps

Monitoring Academy ITM Nuggets: ITM KDE Firewall Gateway Redundancy Configurations

By IMWUC Community Team posted Wed August 23, 2017 06:06 AM


By Mark Leftwich

As normal, I like to blog about areas of ITM that I cover when working with you, either through PMRs or directly on customer sites. Today's topic in the series is all related to creating a hot standby / failover of the KDE gateway.

Terminology

Before we start, here is some of the basic terminology you need to know as you read this blog.

[image: terminology]

Configurations

There are two types of configuration for the setup of the KDE_GATEWAY. The examples below demonstrate each type in turn.

Configuration #1 - Redundant configuration

Configuration #2 - Failover configuration

Configuration #1

This configuration uses no firewall redundancy, but uses a secondary TEMS connection (CT_CMSLIST) in the agent's configuration file to allow multiple connections.

This configuration uses a secondary TEMS connection (CT_CMSLIST) for agents in the untrusted zone.

This configuration uses the proven logic in the agent to determine when it should switch to another TEMS (if it loses its primary connection).

[image: Configuration #1 diagram]

Configuration #2

Starting with configuration #1 as a base model, we are adding failover capability to the gateways in the trusted zones.

There is additional capability in this setup. The configuration below adds a layer of resiliency to the upstream gateways and proxies TEMA client requests to either of the two available TEMS. This is done in the gateway XML configuration files.

[image: Configuration #2 diagram]

Required files

You will need four XML configuration files to achieve this setup. These will need to be placed on the same machines as the nominated OS agent gateways. 

GATEWAY1_Upstream.xml
DMZGW1_Downstream.xml
GATEWAY2_Upstream.xml
DMZGW2_Downstream.xml

Modifying the files

You will need to modify the following ***starred*** parts in the files to map them to your environment's hostnames or IP addresses for the various components.

***RTEMS1*** = Hostname/IP of your primary RTEMS (RTEMS 01 in the diagram above)

***RTEMS2*** = Hostname/IP of your secondary RTEMS (RTEMS 02 in the diagram above)

***WPA*** = Hostname/IP of your WPA

***DMZGW2*** = Hostname/IP of your DMZ Gateway 2 OS agent (Agent 4 in the diagram above)

***DMZGW1*** = Hostname/IP of your DMZ Gateway 1 OS agent (Agent 3 in the diagram above)


Example:

File shows:

Change ***RTEMS1*** to the IP of your RTEMS1. In this case my RTEMS IP address is 1.1.1.1.

The line in the file now looks like this:

How to enable the files

Setting the parameters

As mentioned above, you need to place these files on the same machine as the OS agent you wish to use as the gateway. Once the files are on the machine, add the following line to the agent's config file, specifying the full path and the file name.

Add this line to the configuration file of each agent that is being used as a gateway:

KDE_GATEWAY=Full path/

Location of the configuration files

Windows OS agent: located in the ITMHOME/tmaitm6/KNTENV file.

UNIX OS agent: located in the ITMHOME/config/ux.ini file.

Linux OS agent: located in the ITMHOME/config/lz.ini file.

Once the parameter has been added to the configuration file, the agent will need to be restarted for the configuration in the XML files to take effect.
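As an added example (not part of the original post or of ITM itself), the helper below covers the two steps just described: it fills the starred markers in a gateway file while checking that none are left behind and that the result is still well-formed XML, and it reads the KDE_GATEWAY line back out of an agent config file. The sample XML is a constructed stand-in, not the real KDE_GATEWAY schema; the paths and the 1.1.1.2/1.1.1.3 addresses are constructed too.

```python
import re
import xml.etree.ElementTree as ET

# Starred markers as used in the four gateway XML files, e.g. ***RTEMS1***
MARKER = re.compile(r"\*\*\*([A-Za-z0-9_]+)\*\*\*")

# Constructed stand-in for a gateway file; NOT the real KDE_GATEWAY schema.
# Ports 1918 (TEMS) and 63358 (WPA) are the defaults named in the post.
SAMPLE_XML = """<gateway name="GATEWAY1_Upstream">
  <connection remoteport="1918">***RTEMS1***</connection>
  <connection remoteport="1918">***RTEMS2***</connection>
  <connection remoteport="63358">***WPA***</connection>
</gateway>
"""

# Constructed agent config fragment (ux.ini / lz.ini / KNTENV style); the path is made up.
SAMPLE_INI = "CTIRA_HOSTNAME=agent3\nKDE_GATEWAY=/opt/IBM/ITM/config/GATEWAY1_Upstream.xml\n"


def leftover_markers(xml_text):
    """Return the marker names still present in the file, sorted and de-duplicated."""
    return sorted(set(MARKER.findall(xml_text)))


def fill_markers(xml_text, values):
    """Substitute every ***NAME*** with values[NAME].

    Raises KeyError if a marker has no value, and xml.etree.ElementTree.ParseError
    if the result is no longer well-formed XML (e.g. a value containing '<' or '&').
    """
    missing = [m for m in leftover_markers(xml_text) if m not in values]
    if missing:
        raise KeyError("no value for markers: " + ", ".join(missing))
    filled = MARKER.sub(lambda m: values[m.group(1)], xml_text)
    ET.fromstring(filled)  # parse check only; the text is what gets written to disk
    return filled


def gateway_path(config_text):
    """Return the KDE_GATEWAY value from an agent config, or None if it is unset."""
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "KDE_GATEWAY":
            return value.strip() or None
    return None


if __name__ == "__main__":
    hosts = {"RTEMS1": "1.1.1.1", "RTEMS2": "1.1.1.2", "WPA": "1.1.1.3"}
    print(fill_markers(SAMPLE_XML, hosts))
    print("gateway file:", gateway_path(SAMPLE_INI))
```

Running leftover_markers over the four real files before restarting the agent is a quick way to catch a marker you forgot to replace.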

Other information

Here is some information on what some of the parameters in the files mean.

Roles that can be defined in the KDE_GATEWAY xml file and what they mean (this will help you read the files and set any non default ports). 

Three different functions can be defined at a gateway:

role="connect": TEMA opens the defined port and makes the first attempt to connect to the defined server port (counterpart of LISTEN).

role="listen": TEMA starts listening on the defined port for incoming connections from the defined server/port (counterpart of CONNECT).

role="proxy": TEMA can start two different kinds of proxy:

• ClientProxy: runs in the secure zone and connects the incoming gateway connections to the TEMS or WPA.

• ServerProxy: runs in any of the less secure zones and starts listening on the TEMS (1918) and/or WPA (63358) port.

Further Reading

The best source of information is the install and setup guide, in the "Appendix C" section, for the version of the product you are using:

Appendix C. Firewalls
