Product: Storage Foundation Guides   
Manual: Storage Foundation 4.1 Enterprise Administrator (VEA 500 Series) Getting Started   

Firewall Support

In VEA, the client connects to the server using a specific port number: 2148. In order to connect to the server through a firewall, a port on the firewall is mapped to the 2148 port of the VEA server.

When the client wishes to connect to the server through the firewall, it needs to specify the host and port in the following format.

Firewallhost:port

where:

Firewallhost is the name or IP address of the firewall.

port is the port on the firewall that is internally mapped to the VEA server.

When the client connects to the server, the VEA client displays the host name (server name) that it connected to, and not the firewall-port combination in the list of connected hosts. The host name is also displayed in the history and favorites nodes. The firewall and port information is stored in the user profile (wallet) and is used for subsequent connections to the same server. The firewall-port combination is displayed only in the connection dialog.

Example 1

If a.b.c.d is a firewall machine, then

Port 1234 on a.b.c.d = 2148 on veaserver1 and

Port 3456 on a.b.c.d = 2148 on veaserver2

... and so on

To connect to veaserver1, the client should specify the following in the connection box:

a.b.c.d:1234.

This then connects to veaserver1 and displays veaserver1 in the connected hosts, history and favorites databases. The firewall:port combination is stored in the wallet for subsequent connection to the server if requested by the user.

Example 2

client ---> internet ----> firewall ----> server

and

client ----> firewall ----> server

We need to do the following:

  1. Allow for an alias of port 2148 on server A to be a particular port on the firewall machine.
  2. Let Pf be the port on the firewall machine F which is an alias for port 2148 on server A.
  3. Connect using the GUI to port Pf on F. You are actually managing server A.
    Note    VEA uses anonymous Diffie-Hellman key exchange and is therefore vulnerable to man-in-the-middle attacks. It is therefore recommended that SSH or some other tunneling software be used when going across the internet. If SSH is used, set up port forwarding from the client to firewall port Pf and use SSH to tunnel.
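
The tunneling recommendation in the note above, as an added example that is not part of the original manual: a POSIX shell helper that validates its inputs and builds the ssh local-forward command. It assumes an SSH server is reachable on the firewall host; the account name admin, the local port 12148 and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the VEA manual. Assumptions: an SSH server is
# reachable on the firewall host; "admin" and local port 12148 are placeholders.

# is_port N: succeed only if N is a decimal integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_name S: succeed only for plain host/user names. Rejecting a leading "-"
# keeps the value from being parsed by ssh as an option.
is_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# vea_tunnel_cmd SSH_USER FIREWALL PF [LOCAL_PORT]
# Prints the ssh command line for the tunnel; it does not run ssh.
vea_tunnel_cmd() {
    user=$1 fw=$2 pf=$3 lport=${4:-12148}
    is_name "$user" || { echo "bad ssh user: $user" >&2; return 2; }
    is_name "$fw" || { echo "bad firewall host: $fw" >&2; return 2; }
    is_port "$pf" || { echo "bad firewall port: $pf" >&2; return 2; }
    is_port "$lport" || { echo "bad local port: $lport" >&2; return 2; }
    # -N: forward only, no remote shell.
    # ExitOnForwardFailure: fail instead of running without the forward.
    # StrictHostKeyChecking=yes: refuse unknown or changed host keys; the
    #   host key check is what authenticates the far end of the tunnel.
    # Listener bound to 127.0.0.1 so other hosts cannot use the forward.
    # FIREWALL:PF is resolved and dialed by the SSH server, not the client.
    printf 'ssh -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes'
    printf ' -L 127.0.0.1:%s:%s:%s %s@%s\n' "$lport" "$fw" "$pf" "$user" "$fw"
}

# Example 1 from the manual: port 1234 on a.b.c.d maps to 2148 on veaserver1.
vea_tunnel_cmd admin a.b.c.d 1234
```

With the printed command running, enter 127.0.0.1:12148 in the VEA connection dialog, using the Firewallhost:port format described earlier. The tunnel only protects against a man-in-the-middle if the SSH host key was verified beforehand, which is why unknown keys are refused.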

Example 3

For the case where 2148 is forwarded through the firewall (punch through):

  1. Let machines A and B be the servers on the secure side of the firewall.
  2. Let the client be on the internet/intranet side.

    client -----> firewall ----> A|B

  3. Configure TCP/IP routing on the client such that packets destined for A|B are routed to firewall F.
  4. Add A and B to /etc/hosts (or equivalent) for name resolution if required.
  5. Connect to A and/or B (depending on which one you want to manage).

VERITAS Software Corporation
www.veritas.com