This document describes how to configure an existing SD environment to work across a
firewall. The procedure has been verified and implemented across a real firewall
and is known to work. It applies to any site that wants to install software onto a
system outside a firewall from a depot on an internal system. When following this
document, verify that all of your site's security procedures are observed and properly
implemented to avoid any security exposure: opening the swagentd port lets the external
system issue SD requests to the internal one, so make sure the SD access control lists
on the internal system (managed with swacl) grant the external system only the access it
needs. A DMZ-style firewall configuration is highly recommended where possible, to reduce
unauthorized access to your internal systems.
For purposes of this discussion, the following system configuration is used.
<-------- Inside Firewall -----|----- Outside Firewall ------>
                               |
  ------------           ------------           ---------------
 |            |         |            |         |               |
 |  SystemA   |---------|  Firewall  |---------|    SystemB    |
 |  (agent)   |         |            |         |  (controller) |
  ------------           ------------           ---------------
       /                       |
    __/_____                   |
   ( DepotA )                  |
    --------                   |
                               |
<-------- Inside Firewall -----|----- Outside Firewall ------>
- SystemA is inside the firewall and can have a class A, B, or C address.
- SystemB is outside the firewall and can have a class A, B, or C address.
- The firewall has restrictions on all ports and requires any access to be explicitly defined.
- SystemB will act as the SD controller. This is the external system where the swlist, swcopy,
or swinstall command will be executed.
- SystemA will act as the SD agent. This is the internal system where the depots exist and the swagentd
daemon process runs.
To understand the configuration that follows, it is important to understand how
SD uses DCE/RPC ports to establish and complete communication between agent and
controller.
In this explanation, the controller is assumed to be initiating a command such as
swlist, swcopy, or swinstall against an SD agent.
The sequence of steps that occurs when an SD controller and agent communicate is
as follows:
- A controller process such as swlist, swcopy, or swinstall is executed on
  SystemB and contacts the swagentd on SystemA on the daemon port.
- The swagentd on SystemA responds on the port the controller used to initiate
  the request.
- The swagentd on SystemA spawns a swagent process that uses DCE/RPC to
  dynamically choose a new port on SystemA, and it listens on that new port.
- The swagentd on SystemA sends the controller on SystemB the new port the
  agent is listening on.
- The swagentd on SystemB spawns a swagent to communicate with the SystemA
  swagent on the new port.
- The SystemA swagent sends the SystemB swagent the requested data.
- After all the data has been transferred, the child swagent process on
  SystemA completes and terminates; the SystemB swagent also completes and
  terminates, and communication on the new port is closed.
Without a port restriction, the "new port" chosen in the third step can be any
free port on the system, which is why a firewall that requires every port to be
explicitly allowed needs the range restriction described below.
The network firewall access rules must have an entry for the daemon (swagentd)
process and entries for the agent (swagent) processes. The daemon (swagentd)
listens on port 2121 by default, and this example uses that default.
The agent (swagent) is normally not restricted to a range of ports, but it can
be configured to use a contiguous range. The system administrator decides how
many concurrent sessions to allow with the SD controller inside the firewall;
each concurrent session needs one port in the range. Remember that the internal
system must have enough concurrent sessions to answer both external and internal
SD requests. Approximately ten (10) concurrent sessions suffice for most lightly
to moderately used installations. This example allows ten concurrent sessions on
ports 4000 through 4009.
To allow SD to work across this firewall, first ask your network security
group to open the following ports (all TCP, since SD is configured below to use
only the ncacn_ip_tcp protocol sequence):

   From       To         Ports
   -------    -------    ---------------------
   SystemB    SystemA    2121       (swagentd)
                         4000-4009  (swagent)
   SystemA    SystemB    4000-4009  (swagent)
On both SystemA and SystemB, the swagent process needs to be configured to
limit its communication to the firewall-allowed ports. This is done by creating a
wrapper script that sets the port restriction before starting swagent.
To create the swagent2 wrapper, perform the following steps:
1. Log in as root on SystemA (agent).
2. Create the file /usr/lbin/swagent2. It limits the /usr/lbin/swagent
   process to the RPC_RESTRICTED_PORTS range allowed by the firewall:

      vi /usr/lbin/swagent2

      #! /sbin/sh
      # Specify DCE/RPC ports to allow firewall access
      export RPC_RESTRICTED_PORTS="ncacn_ip_tcp[4000-4009]"
      # exec replaces this shell with swagent instead of leaving an extra
      # shell process between swagentd and the agent; "$@" passes the
      # arguments through unchanged (unquoted $* would re-split them).
      exec /usr/lbin/swagent "$@"

   Save the file.
3. Set the proper ownership and mode on /usr/lbin/swagent2:

      chown bin:bin /usr/lbin/swagent2
      chmod 555 /usr/lbin/swagent2

4. Repeat steps 1-3 on SystemB (controller).
On both SystemA and SystemB, the SD port-usage defaults must be set. These
defaults are used by SD processes when communicating between agent and
controller.
To set the SD port-usage defaults, perform the following steps:
1. Log in as root on SystemA (agent).
2. Edit the /var/adm/sw/defaults file:

      vi /var/adm/sw/defaults

3. Ensure the file contains the following entries (add any that are not
   present). Note that the rpc_binding_info values use SD's string-binding
   syntax, ncacn_ip_tcp:[port], which differs from the DCE RPC_RESTRICTED_PORTS
   syntax, ncacn_ip_tcp[low-high], used elsewhere in this document; both are
   correct as written. Listing only ncacn_ip_tcp keeps SD on TCP, so the
   firewall needs no UDP rule.

      swinstall.rpc_binding_info = ncacn_ip_tcp:[2121]
      swcopy.rpc_binding_info = ncacn_ip_tcp:[2121]
      swremove.rpc_binding_info = ncacn_ip_tcp:[2121]
      swconfig.rpc_binding_info = ncacn_ip_tcp:[2121]
      swverify.rpc_binding_info = ncacn_ip_tcp:[2121]
      swlist.rpc_binding_info = ncacn_ip_tcp:[2121]
      swreg.rpc_binding_info = ncacn_ip_tcp:[2121]
      swacl.rpc_binding_info = ncacn_ip_tcp:[2121]
      swjob.rpc_binding_info = ncacn_ip_tcp:[2121]
      sd.rpc_binding_info = ncacn_ip_tcp:[2121]
      swagentd.agent = /usr/lbin/swagent2

   The last entry makes swagentd start the swagent2 wrapper instead of
   /usr/lbin/swagent directly. Save the file.
4. Repeat steps 1-3 on SystemB (controller).
On both SystemA and SystemB, the swagentd process itself must also be limited
to the firewall-allowed ports. This is set at swagentd startup.
To set the swagentd port range, perform the following steps:
1. Log in as root on SystemA (agent).
2. Insert two lines in the file /sbin/rc2.d/S870swagentd before the comment
   that precedes /usr/sbin/swagentd -r, so that the file contains the four
   lines shown grouped together below. Lines 1 and 2 of these four lines are
   the added ones; lines 3 and 4 already exist. The new lines restrict
   DCE/RPC connections to the range 4000-4009. The insertion point is at
   approximately line 77 of 188:

      vi /sbin/rc2.d/S870swagentd

      # Specify DCE/RPC ports to allow firewall access.
      export RPC_RESTRICTED_PORTS="ncacn_ip_tcp[4000-4009]"
      # The daemon issues an error message if it fails to initialize.
      /usr/sbin/swagentd -r

   This file is delivered with the SD product, so after patching or upgrading
   SD check that the added lines are still present.
3. Stop the swagentd process:

      /sbin/rc2.d/S870swagentd stop

4. Restart the swagentd process:

      /sbin/rc2.d/S870swagentd start

5. Repeat steps 1-4 on SystemB (controller).
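The three procedures above are mechanical and must be repeated identically on both systems, so the following script applies all three changes (swagent2 wrapper, /var/adm/sw/defaults entries, S870swagentd port restriction) in one idempotent pass and then checks them. It is an added example, not HP's own tooling. It assumes a ROOT prefix variable (empty on a real system, a scratch directory when trying it out), an SD_PORTS range defaulting to 4000-4009, and that S870swagentd contains the "# The daemon issues an error message" comment shown above, which is where it inserts the restriction. It does not restart swagentd; that step is still done by hand.

```shell
#!/bin/sh
# sd_firewall_setup.sh: apply the SD firewall configuration described above
# in one idempotent script (added example, not HP's own tooling).
# ROOT is an assumed prefix so the script can be exercised against a scratch
# tree; on a real system run "sd_firewall_setup.sh apply" as root with ROOT
# empty, on SystemA and again on SystemB. /sbin/sh on HP-UX runs it as-is.
ROOT="${ROOT:-}"
PORTS="${SD_PORTS:-4000-4009}"            # swagent range the firewall allows
DAEMON_PORT="${SD_DAEMON_PORT:-2121}"     # swagentd port (SD default)
RPC_PORTS="ncacn_ip_tcp[$PORTS]"          # DCE RPC_RESTRICTED_PORTS syntax
SD_CMDS="swinstall swcopy swremove swconfig swverify swlist swreg swacl swjob sd"

# Step 1: the wrapper that pins swagent to the allowed range.
write_wrapper() {
    w="$ROOT/usr/lbin/swagent2"
    mkdir -p "$ROOT/usr/lbin"
    rm -f "$w"                            # previous copy is mode 555
    cat > "$w" <<EOF
#! /sbin/sh
# Specify DCE/RPC ports to allow firewall access
export RPC_RESTRICTED_PORTS="$RPC_PORTS"
exec /usr/lbin/swagent "\$@"
EOF
    chmod 555 "$w"
    [ "$(id -u)" = 0 ] && chown bin:bin "$w"
    return 0
}

# Step 2: pin the controller commands to the daemon port and point swagentd
# at the wrapper. set_default replaces an existing key or appends it.
set_default() {
    key="$1"; value="$2"; f="$ROOT/var/adm/sw/defaults"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$f"; then
        tmp="$f.tmp.$$"
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$f" > "$tmp"
        cat "$tmp" > "$f" && rm -f "$tmp"  # cat keeps the file's mode/owner
    else
        echo "$key = $value" >> "$f"
    fi
}
ensure_defaults() {
    mkdir -p "$ROOT/var/adm/sw"
    touch "$ROOT/var/adm/sw/defaults"
    for cmd in $SD_CMDS; do
        set_default "$cmd.rpc_binding_info" "ncacn_ip_tcp:[$DAEMON_PORT]"
    done
    set_default swagentd.agent /usr/lbin/swagent2
}

# Step 3: restrict swagentd at startup. Inserts the two lines once, before
# the comment that precedes "/usr/sbin/swagentd -r".
patch_rc() {
    rc="$ROOT/sbin/rc2.d/S870swagentd"
    grep -q RPC_RESTRICTED_PORTS "$rc" && return 0   # already patched
    tmp="$rc.tmp.$$"
    awk -v ports="$RPC_PORTS" '
        !done && (/^# The daemon issues an error message/ || /^[ \t]*\/usr\/sbin\/swagentd -r/) {
            print "# Specify DCE/RPC ports to allow firewall access."
            print "export RPC_RESTRICTED_PORTS=\"" ports "\""
            done = 1
        }
        { print }' "$rc" > "$tmp"
    cat "$tmp" > "$rc" && rm -f "$tmp"
}

# Check that all three changes are in place; status 0 only if they are.
verify_all() {
    ok=0
    w="$ROOT/usr/lbin/swagent2"; d="$ROOT/var/adm/sw/defaults"
    [ -x "$w" ] && grep -F -q "RPC_RESTRICTED_PORTS=\"$RPC_PORTS\"" "$w" \
        || { echo "wrapper $w missing or has wrong port range"; ok=1; }
    for cmd in $SD_CMDS; do
        grep -F -q "$cmd.rpc_binding_info = ncacn_ip_tcp:[$DAEMON_PORT]" "$d" \
            || { echo "defaults: $cmd.rpc_binding_info not pinned to $DAEMON_PORT"; ok=1; }
    done
    grep -F -q "swagentd.agent = /usr/lbin/swagent2" "$d" \
        || { echo "defaults: swagentd.agent does not point at the wrapper"; ok=1; }
    grep -F -q "RPC_RESTRICTED_PORTS=\"$RPC_PORTS\"" "$ROOT/sbin/rc2.d/S870swagentd" \
        || { echo "S870swagentd: startup port restriction missing"; ok=1; }
    return $ok
}

apply_all() { write_wrapper; ensure_defaults; patch_rc; }

# Only act when invoked as "sd_firewall_setup.sh apply"; afterwards restart
# the daemon: /sbin/rc2.d/S870swagentd stop; /sbin/rc2.d/S870swagentd start
case "${1:-}" in
    apply) apply_all && verify_all ;;
esac
```

Running it a second time changes nothing: existing defaults keys are rewritten in place rather than duplicated, and S870swagentd is left alone once it already carries RPC_RESTRICTED_PORTS.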
Once the firewall and SD configuration are complete, test connectivity between
the systems. Because all SD communication is now limited to the allowed port
range, every SD command MUST be run with RPC_RESTRICTED_PORTS set to that range
in its environment, so that the controller side is held to the ports the
firewall permits. For example, to run swlist against SystemA from SystemB, use
the following syntax:

      export RPC_RESTRICTED_PORTS="ncacn_ip_tcp[4000-4009]"
      /usr/sbin/swlist -l bundle @ SystemA

This limits the swlist session to the allowed DCE/RPC port range.
To run a swinstall installation, use the following syntax:

      export RPC_RESTRICTED_PORTS="ncacn_ip_tcp[4000-4009]"
      /usr/sbin/swinstall -s SystemA:/DepotA <software_spec>

The simplest way to handle RPC_RESTRICTED_PORTS is to export it once in the
shell:

      export RPC_RESTRICTED_PORTS="ncacn_ip_tcp[4000-4009]"

Then run any SD command as you normally would:

      /usr/sbin/swlist -dl product @ SystemA:/DepotA
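A way to confirm that the restriction actually took effect, as an added example that is not HP's own tooling: while a swlist from SystemB is running, list the TCP connections on SystemA and flag any connection with SystemB whose ports fall outside 2121 and the allowed swagent range. An unrestricted swagent shows up as a connection between two arbitrary high ports. The function parses HP-UX "netstat -an" style output (addr.port in the Local Address and Foreign Address columns) from standard input; the peer address 198.51.100.20, the local address 192.0.2.10 and the sample netstat lines are constructed, and the ssh session on port 22 is included to show that unrelated traffic with the peer is reported as well and must be judged by the operator.

```shell
#!/bin/sh
# sd_port_audit.sh (added example): report connections with a peer that use
# ports outside the SD daemon port and the allowed swagent range.
# usage: netstat -an | audit_sd_ports PEER_IP LOW HIGH [DAEMON_PORT]
# Exit status is 1 if anything was flagged, 0 otherwise.
audit_sd_ports() {
    peer="$1"; low="$2"; high="$3"; daemon="${4:-2121}"
    awk -v peer="$peer" -v low="$low" -v high="$high" -v daemon="$daemon" '
        # netstat prints addr.port; the port is the last dotted component
        function port(addr,   n, a) { n = split(addr, a, "."); return a[n] }
        function host(addr,   n, a) {
            n = split(addr, a, ".")
            return substr(addr, 1, length(addr) - length(a[n]) - 1)
        }
        function allowed(p) {
            p = p + 0
            return (p == daemon + 0) || (p >= low + 0 && p <= high + 0)
        }
        # only TCP entries whose foreign side is the peer; LISTEN sockets
        # with a foreign address of *.* are skipped
        $1 == "tcp" && host($5) == peer {
            lp = port($4); fp = port($5)
            # one side of an SD connection is always a listener in the
            # allowed set; the other side is an ephemeral port
            if (allowed(lp) || allowed(fp)) next
            printf "UNEXPECTED %s -> %s %s\n", $4, $5, $6
            bad++
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of "netstat -an" on SystemA (192.0.2.10) during a swlist
# from SystemB (198.51.100.20). The 51002/55012 pair is what an unrestricted
# swagent looks like; the ssh session on 22 is unrelated traffic.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.2121                 *.*                    LISTEN
tcp        0      0  192.0.2.10.2121        198.51.100.20.49153    ESTABLISHED
tcp        0      0  192.0.2.10.4000        198.51.100.20.49154    ESTABLISHED
tcp        0      0  192.0.2.10.50231       198.51.100.20.4001     ESTABLISHED
tcp        0      0  192.0.2.10.51002       198.51.100.20.55012    ESTABLISHED
tcp        0      0  192.0.2.10.22          198.51.100.20.60000    ESTABLISHED'

# Dry run against the constructed sample; live use on SystemA is
#   netstat -an | audit_sd_ports 198.51.100.20 4000 4009
case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_NETSTAT" | audit_sd_ports 198.51.100.20 4000 4009 ;;
esac
```

On the sample the 2121, 4000 and 4001 connections pass, while the 51002/55012 pair and the ssh session are printed as UNEXPECTED and the function exits 1; a clean run prints nothing and exits 0, which makes it usable as a post-change check after every swagentd restart.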
This configuration has been tested and working for production systems within
the Hewlett-Packard environment.