
Re: NetView Webclient through Firewall

To: nv-l@lists.tivoli.com
Subject: Re: NetView Webclient through Firewall
From: Gareth_Holl@tivoli.com
Date: Mon, 5 Feb 2001 08:31:42 -0500
I don't think the documentation states that you can use the Web Client
through a firewall either. I'm pretty sure you won't see mention of support
for a firewall until the Web Client is ever changed to only use restricted
ports. As it stands, the Web Client can be used through a firewall but with
limited flexibility and with the requirement that the secure side of the
firewall be allowed to open random ports.

Many customers use the Web Client as their only GUIs, probably to take
advantage of existing web based Windows boxes and to eliminate the need to
administer unix boxes - this is also the usual way to use the Web Client.

Gareth Holl
Software Engineer
gholl@tivoli.com

Tivoli Systems / IBM Corporation
Research Triangle Park,  North Carolina.    1-800-TIVOLI-8


jleal@oc.mde.es@tkg.com on 02/05/2001 05:59:09 AM

Please respond to IBM NetView Discussion <nv-l@tkg.com>

Sent by:  owner-nv-l@tkg.com


To:   nv-l@tkg.com
cc:
Subject:  Re: [NV-L] NetView Webclient through Firewall






Nowhere in the documentation does it advise you that you cannot run across
a firewall. The usual way to use a web navigator is through firewalls.





James_Shanks@tivoli.com on 30/01/2001 13:01:35

Please respond to IBM NetView Discussion <nv-l@tkg.com>

To:      IBM NetView Discussion <nv-l@tkg.com>
CC:      (bcc: Julio Leal Maruri/DEFENSA)

Subject:  Re: [NV-L] NetView Webclient through Firewall





I am saying that there is no solution to your problem in current code.  You
must telnet or log into a machine on the protected side of the firewall, on
the same side as the NetView server, and run the web client there.  You
cannot run it successfully with the server on one side of the firewall and
the web client running on a box outside the firewall.  The code was simply
not designed to allow you to restrict all the ports it will  use.  You can
contact Support for some more suggestions about your specific situation,
but so far as I know, the maptree server will request additional ports you
have no control over.  Nowhere in our documentation does it advise you that
you can run across a firewall.

James Shanks
Team Leader, Level 3 Support
 Tivoli NetView for UNIX and NT



sandro.bonarrigo@ch.ibm.com@tkg.com on 01/30/2001 03:04:31 AM

Please respond to IBM NetView Discussion <nv-l@tkg.com>

Sent by:  owner-nv-l@tkg.com


To:   IBM NetView Discussion <nv-l@tkg.com>
cc:
Subject:  Re: [NV-L] NetView Webclient through Firewall





Hi James,
I can't understand which box you're talking about. Can you describe
this more clearly?
We have exactly the same problems as described by Uwe here in Basle, we
also tried to manipulate the maptreeserver.reg without success.
The impact for us concerning this problem was very high, because up to
eight big customers were involved.

Thanks for your help.

Sandro



James_Shanks@TIVOLI.COM on 29.01.2001 19:17:56

Please respond to IBM NetView Discussion <nv-l@tkg.com>

To:   IBM NetView Discussion <nv-l@tkg.com>
cc:
Subject:  Re: [NV-L] NetView Webclient through Firewall






I believe that the answer you received in your PMR is the authoritative
one.  As I understand it, the current web client will attempt to use
additional ports whenever it sees the need and will not honor your attempt
to restrict it to just a few, though you may specify the primary or
original one.  It is unfortunate that it was not designed to allow
communication across a firewall in this manner.  I expect that to be
addressed in a future release.  But until then I think  that your client
will have to get access to a box behind that firewall and run the web
client on that box, just as we in IBM do here.

James Shanks
Team Leader, Level 3 Support
 Tivoli NetView for UNIX and NT



Uwe.Richter@synthesis.de@tkg.com on 01/29/2001 12:06:12 PM

Please respond to IBM NetView Discussion <nv-l@tkg.com>

Sent by:  owner-nv-l@tkg.com


To:   nv-l@tkg.com
cc:
Subject:  [NV-L] NetView Webclient through Firewall




  We have severe problems connecting the NVWC through a firewall with the
  NV server. We have opened ports 80, 8080 and 8892, 8893 on the firewall
  and forced NV to use port 8893 as secondary port (with the option
  "-DportToUse=8893" in the "maptreeserver.reg" file). Only one map is
  open.
  However, a trace on the NVWC computer and the firewall shows that the
  NetView Server opens another arbitrary port to communicate with the
  Web Client.
  We have opened a PMR.  Here is the answer:

  The process invoked is as follows:
  1.  client connects to advertised server port (8893)
  2.  server breaks out of accept() & creates new thread w/
      returned port number to service requests for client (The Mainline
      Thread/Client Thread connection is still on 8893)
  3.  client creates thread/port to service async events, sits in
      accept() & informs server's new client thread of this new port
      number (Client creates a port for the NV Event Thread/OVw Thread
      connection and listens on it.  It sends this port number to the
      server via the Mainline Thread/Client Thread connection.)
  4.  server connects to this client's async port  (The server then
      connects to this port, and thus establishes the NV Event
      Thread/OVw Thread connection.)
  5.  client breaks out of accept() and starts listening for new async
      events (NV Event Thread/OVw Thread connection is established
      and functional.)
  So although the web client connects on port 8893, it will eventually
  drop port 8893 and listen on a randomly created port x. Currently port x
  can't be restricted in NetView, and NetView is working as designed.
  If possible, the customer should configure their firewall to allow these
  connections to be made for the web client to work.  Otherwise they can
  raise an enhancement request through their csam.




I think this isn't a solution for our customer.
Now the question: Who knows a way to get the NVWC through the
firewall or to force NetView to use a certain port ?

Thanks for any help
Uwe



_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l
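
The five-step exchange from the PMR answer, replayed on loopback as an added example (not part of the original thread and not NetView code). The function names, the newline-terminated port message and the rule model are assumptions for illustration; it shows that a rule set covering only the advertised port leaves the server-to-client event connection uncovered.

```python
import socket
import threading

def run_exchange(server_port=0):
    """Replay steps 1-5 on loopback; return (advertised_port, async_port, flows)."""
    flows = []  # (initiating side, destination port), in connection order
    srv = socket.socket()
    srv.bind(("127.0.0.1", server_port))  # 0 = any free port; the thread uses 8893
    srv.listen(1)
    advertised = srv.getsockname()[1]

    def server():
        conn, _ = srv.accept()                        # step 2
        port = int(conn.makefile().readline())        # step 3: port announced by client
        back = socket.create_connection(("127.0.0.1", port))  # step 4
        flows.append(("server", port))
        back.sendall(b"event\n")
        back.close()
        conn.close()

    t = threading.Thread(target=server)
    t.start()
    main = socket.create_connection(("127.0.0.1", advertised))  # step 1
    flows.append(("client", advertised))
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                   # OS picks the async port
    listener.listen(1)
    async_port = listener.getsockname()[1]
    main.sendall(f"{async_port}\n".encode())          # step 3
    events, _ = listener.accept()                     # step 5
    events.recv(16)
    t.join()
    for s in (events, listener, main, srv):
        s.close()
    return advertised, async_port, flows

def blocked_flows(flows, allowed):
    """Flows not covered by a set of (initiating side, destination port) rules."""
    return [f for f in flows if f not in allowed]

if __name__ == "__main__":
    advertised, async_port, flows = run_exchange()
    rules = {("client", advertised)}  # only the advertised port is opened
    print("flows:", flows)
    print("blocked:", blocked_flows(flows, rules))
```

The second flow is initiated from the server side toward a port the client's operating system chose, which is why it appears in a firewall trace as an arbitrary port.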
