Operating System - HP-UX

Chris Cruz_1
Occasional Advisor

Ignite across firewalls

We would like to set up an Ignite server to back up clients across multiple subnets, and possibly firewalls.

I understand that HP does not support Ignite across firewalls but wondered if you were aware of a preferred method of getting this done.

At the moment, we are looking into providing boot helpers on each relevant subnet and then archiving using NFS.

It is NFS that is causing us a problem across firewalls.

Any help you can provide with this will be most appreciated.
Solution

Re: Ignite across firewalls

Chris,

This document talks about setting up Ignite with Bastille:

http://docs.hp.com/en/5991-0734/5991-0734.pdf

As some of the security levels in Bastille involve enabling the IPFilter firewall, there is plenty of data in here on what ports you need open for Ignite to run.

Unfortunately, as NFS is involved, that's a LOT of ports.

HTH

Duncan

I am an HPE Employee
Steven E. Protter
Exalted Contributor

Re: Ignite across firewalls

Shalom,

Realistically there is no practical way to run Ignite across a firewall. NFS is used to transfer the image, tftp is used to boot. The client and server need to be on the same network or have a boothelper.

No firewall administrator in her right mind would have those ports open on a firewall that is designed to protect something.

NFS 4 does have the ability to specify what ports portmapper will use. I did this in RHCE class. So in a situation where you were using NFS 4, you might be able to do this. NFS 3 needs a random port for portmapper in version 3. Dave Olker however probably has a solution to this issue concerning the NFS portion of the problem.

The real solution problem is booting. That uses privileged ports below 1024 and protocols such as bootp that are simply not very secure.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
DCE
Honored Contributor

Re: Ignite across firewalls


What I found is that in order for Ignite to work across a firewall, you have to compromise security to a point where there is no security.

We wound up purchasing a tape drive and performing a local make_tape_recovery.

If you have multiple systems on the other side of the firewall, you could set one of them up as an Ignite server for those systems.
Bill Hassell
Honored Contributor

Re: Ignite across firewalls

The only secure solution is to use a VPN connection between the different sites. As mentioned, NFS is not only totally unsecure, it is also VERY unstable across a WAN or open Internet (it cannot tolerate WAN network errors). For production machines, this means that they will hang on a regular basis.


Bill Hassell, sysadmin
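
The NFS port problem raised in this thread is visible in the portmapper's registration table on the NFS server. The following is an added example, not part of any post in the thread: a shell function that sorts `rpcinfo -p` output into the well-known fixed ports (111 and 2049) and ports that were assigned when the service started. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify RPC registrations taken from `rpcinfo -p` output.
# Ports 111 (portmapper/rpcbind) and 2049 (nfs) are fixed, well-known ports.
# Any other registered port is treated here as assigned at service start,
# which means a static firewall rule cannot be written for it in advance.

# Reads `rpcinfo -p` output on stdin. Prints one line per unique proto/port
# pair in the form: "<fixed|dynamic> <proto>/<port> <service>".
classify_rpc_ports() {
    awk '
        $1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {      # skip the header line
            key = $3 "/" $4
            if (key in seen) next                  # one line per proto/port
            seen[key] = 1
            svc = ($5 == "" ? "prog-" $1 : $5)     # unnamed RPC programs
            class = ($4 == 111 || $4 == 2049) ? "fixed" : "dynamic"
            print class, key, svc
        }' | sort
}

# Counts the proto/port pairs that have no fixed port number.
count_dynamic() {
    classify_rpc_ports | awk '$1 == "dynamic" { n++ } END { print n + 0 }'
}

# Constructed sample of `rpcinfo -p` output from an NFSv3 server.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  49152  mountd
    100005    3   tcp  49153  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp  49154  status
    100021    4   tcp  49155  nlockmgr
EOF
}

# Against a real server, pipe `rpcinfo -p <server>` in instead of the sample.
sample_rpcinfo | classify_rpc_ports
```

Every line marked `dynamic` is a port the firewall would have to pass without knowing its number ahead of time, and the numbers can differ after the next restart of the service.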