MCC through Firewall Last Updated 12/19/05
CAM
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

CAM
- MCC Clients will communicate with the DMZ Server namespaces via CAM
- CAM, by default, uses a UDP port
- CAM must be configured to use a TCP port
[Diagram labels: Firewall; Global Catalog; DMZ Local Catalog; MDB; Global Catalog; EMAgents; Console Logs; port 4105 BLOCKED]
Configuring CAM to use TCP port
- Execute camsave config
- This will generate save.cfg in the cam directory with the current CAM settings
- Copy save.cfg to cam.cfg
- Update cam.cfg to add a *PATH entry
- Repeat the same on the MDB server
- Recycle CAM to pick up the TCP port
Configure CAM to use TCP port
Copy save.cfg to cam.cfg
Update cam.cfg
Verify TCP port
Global Catalog
Requirements
- Secured zone namespaces should not be displayed for DMZ MCC clients
- All DMZ namespaces should be displayed for secured zone MCC Clients
- CAM port 4105 to be blocked for inbound traffic
[Diagram labels: Firewall; Global Catalog; DMZ Local Catalog; MDB; Global Catalog; EMAgents; Console Logs; port 4105 BLOCKED]
Global Catalog
- When setting the Global Catalog to the DMZServer, temporarily select the “Only show namespaces published in the new catalog” option
- This will synchronize the DMZServer namespaces into the secured zone local catalog
- Once this is done, reset the master catalog to the secured zone
Global Catalog
- This will copy the DMZServer namespaces into the secured zone local catalog but will not update the DMZServer catalog
DMZ Local Catalog
- This confirms that none of the secured zone namespaces are copied into the DMZ catalog
Secured Zone Catalog
- This confirms that DMZ namespaces are copied into the secured zone namespaces
Reset Master Catalog
MCC Client – Secured Zone Displays DMZServer Namespaces
Walk EM through Firewall via MCC
Console Logs
Requirements
- Launch MCC clients from the secured zone without opening any CAM port for inbound traffic
MCC Client – Secured Zone
Displays DMZ Console Log
Console Log
- The classic conlog GUI requires mapping of the unishare$ share to display the console log. This requires a UDP port to be opened for inbound traffic, which will not be acceptable to the Firewall Administrator
- MCC conlog requires an outbound TCP port to be unblocked
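The firewall requirements on the Global Catalog and Console Log slides can be checked against a rule set before the change goes in. The following is an added example, not part of the original deck or CA's tooling: the zone names, the rule format and the sample rules are constructed, first-match ordering with a default deny is assumed, and the outbound TCP port is assumed to be the CAM port 4105.

```python
# Added example: audit a first-match firewall rule list against the deck's
# requirements. Zone names, rule format and the sample rules are constructed.
CAM_PORT = 4105  # CAM port named on the slides

def decide(rules, src, dst, proto, port):
    """Return the action of the first matching rule; default is deny."""
    for r in rules:
        if (r["src"] in (src, "any") and r["dst"] in (dst, "any")
                and r["proto"] in (proto, "any") and r["port"] in (port, "any")):
            return r["action"]
    return "deny"

def audit(rules):
    """List every way the rule set departs from the deck's requirements."""
    findings = []
    # Secured-zone MCC clients must reach CAM in the DMZ over TCP (outbound).
    if decide(rules, "secured", "dmz", "tcp", CAM_PORT) != "allow":
        findings.append("outbound tcp/4105 secured->dmz is not allowed")
    # Nothing from the DMZ may reach CAM in the secured zone (inbound).
    for proto in ("tcp", "udp"):
        if decide(rules, "dmz", "secured", proto, CAM_PORT) != "deny":
            findings.append(f"inbound {proto}/4105 dmz->secured is not blocked")
    return findings

# Constructed rule sets. GOOD matches the slides; SHADOWED has a broad rule
# placed first, so the explicit deny below it never takes effect.
GOOD = [
    {"src": "secured", "dst": "dmz", "proto": "tcp", "port": 4105, "action": "allow"},
    {"src": "dmz", "dst": "secured", "proto": "any", "port": 4105, "action": "deny"},
]
SHADOWED = [
    {"src": "any", "dst": "any", "proto": "tcp", "port": 4105, "action": "allow"},
    {"src": "dmz", "dst": "secured", "proto": "any", "port": 4105, "action": "deny"},
]
UDP_ONLY = [  # CAM left on its UDP default: no TCP path out to the DMZ
    {"src": "secured", "dst": "dmz", "proto": "udp", "port": 4105, "action": "allow"},
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("SHADOWED", SHADOWED), ("UDP_ONLY", UDP_ONLY)):
        print(name, audit(rules) or "meets the requirements")
```

The SHADOWED case is the one to watch for in review: the explicit inbound deny is present, but a broader allow above it wins under first-match evaluation.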
Console Log Outbound TCP Port
DMZ Conlog via MCC
Console Logs DMZServer