
firewall and serviceguard

 
Wilfred Chau_1
Respected Contributor

firewall and serviceguard

Hi all,
I have a MCSG package that needs to an apache server residing at the DMZ. When I work with the firewall admin, should I give the IP of the package or the IP of the node?

Thanks.
TwoProc
Honored Contributor

Re: firewall and serviceguard

Assuming that the Apache running in the package is presented to the DMZ - I'd say the package. But I don't think there's enough info in the posting to tell you more.
We are the people our parents warned us about --Jimmy Buffett
Wilfred Chau_1
Respected Contributor

Re: firewall and serviceguard

Let me restate my question again.

The MCSG package resides in the internal network whereas the apache server resides in the DMZ. The package will initiate the http request.

Which ip should I give to the firewall admin,
the ip of the package or the ip of the system?
Patrick Wallek
Honored Contributor

Re: firewall and serviceguard

Is the apache server making requests to the application in the MC/SG package? If so, then by all means use the IP address of the package. That way if the package fails over to the other node in the cluster then the requests from the apache server will still go to the application and be successful.

If you used the IP of the node itself and that node went down, but the package was up on the other node, then your requests would fail because the machine is down.
Steven E. Protter
Exalted Contributor

Re: firewall and serviceguard

Since apache can be configured to listen on any port you want, you'd need to see the Listen directive in the httpd.conf file for the application.

That port would have to be open between the apache server and the MCSG node. At the least.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Solution

Re: firewall and serviceguard

If the package is initiating the http connection that will go through the firewall then it totally depends on what software is actually initiating the connection. Many client side applications (such as telnet and ftp) don't actually bind to a specific interface, so the traffic is simply routed out of the first valid interface in the routing table - this is usually the static IP address of the node rather than the dynamic IP. If this app is developed in-house you should have your developers read this:

http://docs.hp.com/en/B3936-90079/apc.html

If it's not something you can get the code for, and the support team can't give you a way of binding to the relocatable IP address, then you will need to have rules on your firewall for both hosts.

HTH

Duncan

I am an HPE Employee
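The effect of binding described in the accepted answer, as an added example that is not part of the original thread: a client that calls bind() before connect() presents the bound address as its source, while an unbound client gets whatever the routing table selects. The loopback addresses are constructed stand-ins for the DMZ server and the package's relocatable IP, and the function names are hypothetical; it assumes a Linux-style loopback where all of 127.0.0.0/8 is local.

```python
import socket

# Constructed loopback stand-ins (assumptions, not addresses from the thread).
# Assumes a Linux-style loopback where every 127.0.0.0/8 address is local.
DMZ_SERVER_IP = "127.0.0.3"   # plays the Apache server behind the firewall
PACKAGE_IP = "127.0.0.2"      # plays the package's relocatable IP

def start_listener():
    """Listening socket standing in for the DMZ web server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    srv.bind((DMZ_SERVER_IP, 0))      # port 0: let the kernel pick a free port
    srv.listen(5)
    return srv

def observed_source(srv, source_ip=None):
    """Connect to srv and return the source IP the far side sees.

    That address is the one a firewall rule between the two would match.
    """
    dest = srv.getsockname()
    # source_address makes create_connection() call bind() before connect();
    # None leaves the choice of source address to the routing table.
    src = (source_ip, 0) if source_ip else None
    with socket.create_connection(dest, timeout=5, source_address=src):
        conn, peer = srv.accept()
        conn.close()
    return peer[0]

def compare():
    """Return the source IP seen for an unbound and a bound client."""
    srv = start_listener()
    try:
        return {"unbound": observed_source(srv),
                "bound": observed_source(srv, PACKAGE_IP)}
    finally:
        srv.close()

if __name__ == "__main__":
    for mode, ip in compare().items():
        print(f"{mode:8} client -> server sees source {ip}")
```

Running the same comparison from each cluster node against a test listener shows which source address the firewall rule has to allow before the rule request is filed.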