Ignite across firewalls

Chris Cruz_1
Occasional Advisor

We would like to set up an Ignite server to back up clients across multiple subnets, and possibly firewalls.

I understand that HP does not support Ignite across firewalls but wondered if you were aware of a preferred method of getting this done.

At the moment, we are looking into providing boot helpers on each relevant subnet and then archiving using NFS.

It is NFS that is causing us a problem across firewalls.

Any help you can provide with this will be most appreciated.
4 REPLIES
Duncan Edmonstone
Honored Contributor
Solution

Re: Ignite across firewalls

Chris,

This document talks about setting up Ignite with Bastille:

http://docs.hp.com/en/5991-0734/5991-0734.pdf

As some of the security levels in Bastille involve enabling the IPFilter firewall, there is plenty of data in here on what ports you need open for Ignite to run.

Unfortunately, as NFS is involved, that's a LOT of ports.

HTH

Duncan
Steven E. Protter
Exalted Contributor

Re: Ignite across firewalls

Shalom,

Realistically there is no practical way to run Ignite across a firewall. NFS is used to transfer the image, tftp is used to boot. The client and server need to be on the same network or have a boothelper.

No firewall administrator in her right mind would have those ports open on a firewall that is designed to protect something.

NFS 4 does have the ability to specify what ports portmapper will use. I did this in RHCE class. So in a situation where you were using NFS 4, you might be able to do this. NFS 3 needs a random port for portmapper in version 3. Dave Olker however probably has a solution to this issue concerning the NFS portion of the problem.

The real solution problem is booting. That uses privileged ports below 1024 and protocols such as bootp that are simply not very secure.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
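
The replies above turn on how many ports NFS needs through a firewall. As an added example (not from any poster in this thread or from HP), this Python sketch parses `rpcinfo -p` output taken on an NFS server and separates the conventionally fixed ports from those handed out when the daemons start. The sample output is constructed, and treating only 111 and 2049 as fixed is an assumption of the example.

```python
# Added example: constructed `rpcinfo -p` output, not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  49153  status
    100024    1   tcp  49154  status
    100021    4   udp  49155  nlockmgr
    100021    4   tcp  49156  nlockmgr
    100005    3   udp  49160  mountd
    100005    3   tcp  49161  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
"""

# RPC program numbers an NFSv3 client/server pair depends on.
NFS_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status"}
# Assumption: only these ports are fixed by convention; any other port
# was assigned when the daemon registered with the portmapper.
FIXED_PORTS = {111, 2049}


def nfs_port_report(rpcinfo_text):
    """Return (fixed, dynamic): sets of (service, proto, port) tuples."""
    fixed, dynamic = set(), set()
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        # Skip the header line and anything that is not a registration row.
        if len(fields) < 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue
        program, proto, port = int(fields[0]), fields[2], int(fields[3])
        if program not in NFS_PROGRAMS:
            continue
        entry = (NFS_PROGRAMS[program], proto, port)
        (fixed if port in FIXED_PORTS else dynamic).add(entry)
    return fixed, dynamic


if __name__ == "__main__":
    fixed, dynamic = nfs_port_report(SAMPLE_RPCINFO)
    for label, entries in (("fixed", fixed), ("dynamic", dynamic)):
        for service, proto, port in sorted(entries, key=lambda e: (e[2], e[1])):
            print(f"{label:8}{service:12}{proto}/{port}")
    if dynamic:
        print("Dynamic ports may change on restart; a static rule set will not track them.")
```

Running the same function against the output before and after a reboot shows whether the dynamic set moved, which is the part a fixed firewall rule set cannot follow.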
DCE
Honored Contributor

Re: Ignite across firewalls


What I found is that in order for Ignite to work across a firewall, you have to compromise security to a point where there is no security.

We wound up purchasing a tape drive and performing a local make_tape_recovery.

If you have multiple systems on the other side of the firewall, you could set one of them up as an Ignite server for those systems.
Bill Hassell
Honored Contributor

Re: Ignite across firewalls

The only secure solution is to use a VPN connection between the different sites. As mentioned, NFS is not only totally unsecure, it is also VERY unstable across a WAN or open Internet (it cannot tolerate WAN network errors). For production machines, this means that they will hang on a regular basis.


Bill Hassell, sysadmin