SG A11.18 in a new subnet
01-20-2009 07:21 AM
I currently have a two node cluster with lock lun in a 172.16.6.x subnet (apache) and a two node with lock lun in the 172.16.5.x (MySQL).
LAN users only have access to the apache cluster and the apache cluster has access to the MySQL cluster. Users do not "see" or have access to the MySQL cluster/network. Both clusters use a heartbeat network of 10.10.10.x and 10.10.11.x.
The network is being redesigned by an external contractor, a new firewall is being placed, the DMZ network on the firewall is 192.168.1.x. Due to new needs we need to provide access from Internet to the Apache cluster (hosting a special app) so I guess my first choice will be to move (reconfigure) the Apache SG from the original subnet to the new subnet, but I'm open to suggestions.
1- Should I move the entire Apache SG cluster to the new DMZ network (creating rules for heartbeat, reconfiguring SG, etc). So LAN and WAN users access the Apache SG using only the DMZ IP address for the cluster?
2- What if I create another two node cluster installation of Apache, but this cluster only for DMZ/Internet users?
Licensing/cost is not an issue at this time, I am seeking the less complicated way to do things. As I write this I think that the less complicated thing will be:
1- to leave the existing cluster for LAN users and create a new cluster for WAN/Internet users.
2- if the option 1 is not possible, then move the entire cluster to the new config, planning for minimal downtime.
I am open to comments and suggestions!!!!
Thanks,
01-20-2009 09:52 AM
Re: SG A11.18 in a new subnet
1 - I would say no. You need only for LAMP applications to make sure web traffic reaches the server. The firewall should permit that traffic both ways.
2 - This will work.
To be less complicated I would make the firewall people responsible for routing traffic and avoid putting the server in the DMZ.
That being said, if the application users from the public internet are not supposed to have any access to your LAN then you should move the entire operation to the DMZ and conversely have the firewall people make sure users from your internal network can access the application via the public internet.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
01-20-2009 10:21 AM
Re: SG A11.18 in a new subnet
As per conversations with the contractor, he is following some security practices that mandate servers to be in DMZ instead of LAN.
And yes, another cluster just for WAN access seems overkill (both in price and effort).
01-20-2009 11:39 AM
Solution
cmquerycl
cmcheckconf
cmapplyconf
With a good plan it should be pretty simple.
Internet exposed web application or LAMP servers should be in DMZ, not a Corporate LAN.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
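The cmquerycl / cmcheckconf / cmapplyconf sequence named in the accepted answer, written out as an added example (not code from the thread or from HP). Node names, file paths and the optional lock LUN device are placeholders; halting the cluster for the change and keeping heartbeat only on the two private 10.10.x networks are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: dry-run plan for moving a Serviceguard cluster to a new subnet.
# NODES, file paths and LOCK_LUN are placeholders (assumptions), not from the thread.
NODES="${NODES:-nodeA nodeB}"
CLUSTER_ASCII="${CLUSTER_ASCII:-/etc/cmcluster/cluster.ascii}"
PKG_CONF="${PKG_CONF:-/etc/cmcluster/apache/apache.conf}"
LOCK_LUN="${LOCK_LUN:-}"                            # existing lock LUN device file, if any
DMZ_PREFIX="${DMZ_PREFIX:-192.168.1.}"              # DMZ network named in the thread
HB_PREFIXES="${HB_PREFIXES:-10.10.10. 10.10.11.}"   # heartbeat networks named in the thread
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Reject a generated cluster file whose heartbeat would ride on any network other
# than the private heartbeat LANs, or that has no data address in the DMZ.
check_cluster_ascii() {
  hb=$(awk '$1 == "HEARTBEAT_IP" { print $2 }' "$1")
  st=$(awk '$1 == "STATIONARY_IP" { print $2 }' "$1")
  [ -n "$hb" ] || { echo "no HEARTBEAT_IP entries" >&2; return 1; }
  for ip in $hb; do
    ok=0
    for p in $HB_PREFIXES; do case $ip in "$p"*) ok=1 ;; esac; done
    [ "$ok" = 1 ] || { echo "heartbeat on unexpected network: $ip" >&2; return 1; }
  done
  for ip in $st; do case $ip in "$DMZ_PREFIX"*) return 0 ;; esac; done
  echo "no STATIONARY_IP in ${DMZ_PREFIX}x" >&2; return 1
}

sg_resubnet() {
  node_args=""
  for n in $NODES; do node_args="$node_args -n $n"; done
  run cmviewcl -v                            # record cluster state before the change
  run cmgetconf -v "$CLUSTER_ASCII.before"   # rollback copy of the running config
  run cmhaltcl -f -v                         # halts packages and the cluster
  echo "# manual: re-address data LAN on each node, update package IP/subnet, firewall"
  if [ "$DRY_RUN" != 1 ]; then printf 'Enter when done: '; read ans; fi
  run cmquerycl -v -C "$CLUSTER_ASCII" ${LOCK_LUN:+-L "$LOCK_LUN"} $node_args
  if [ "$DRY_RUN" != 1 ]; then check_cluster_ascii "$CLUSTER_ASCII" || return 1; fi
  run cmcheckconf -v -C "$CLUSTER_ASCII" -P "$PKG_CONF"
  run cmapplyconf -v -C "$CLUSTER_ASCII" -P "$PKG_CONF"
  run cmruncl -v && run cmviewcl -v
}

sg_resubnet   # prints the plan; set DRY_RUN=0 to execute it
```

With `DRY_RUN=0` the script stops before `cmcheckconf` if the file produced by `cmquerycl` puts a heartbeat address on the DMZ or any network outside `HB_PREFIXES`.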
01-21-2009 08:36 AM
Re: SG A11.18 in a new subnet
Well then you move it to the DMZ and you do the standard configuration change for Serviceguard after the network configuration is redone:
cmquerycl
cmcheckconf
cmapplyconf
With a good plan it should be pretty simple.
Internet exposed web application or LAMP servers should be in DMZ, not a Corporate LAN.
----------------
Is what I was looking for.