Tunneling improves the usability of Privileged User Manager in firewall-enabled deployments. It reduces security risk and enables the exchange of data within a firewall-friendly architecture. Communication between the agents and managers in a firewall deployment is established through a secure channel called a tunnel, which is an effective way to deploy client/server applications on either side of the firewall infrastructure.
Figure 3-1 Tunneling Feature
For example, in Figure 3-1, Host 3, Host 2, and the Agents are registered with the Primary Manager (Host 1). The Tunnel Agent package and the Tunnel Manager package are installed on Host 3 (Tunnel Agent) and Host 2 (Tunnel Manager) respectively. The Tunnel Manager acts as an interface between the Tunnel Agent and the Primary Manager, and communication between the Tunnel Agent and the Tunnel Manager passes through the established tunnel. If the Tunnel Agent has to communicate with Agent 2, all Privileged User Manager specific communication is channeled through the Tunnel Manager based on the policies configured in the Primary Manager.
NOTE: Tunneling is not supported on Windows and SLES platforms. For the list of supported platforms, see Installation Requirements in NetIQ Privileged User Manager 2.3.3 Installation Guide.
Before installing the packages, temporarily allow access from Host 3 to port 29120 on the Primary Manager and on Host 2.
NOTE:
Ensure that the hosts or agents are registered with the primary manager before installing the packages.
Ensure that the primary manager, tunnel manager, and tunnel agent are on separate systems.
Publish the tunnel agent and the tunnel manager packages in the console. For more information about publishing the packages, see Section 2.1.2, Adding Packages to the Package Manager.
Install the tunnel agent package. For more information, see Section 3.4.7, Installing Packages on a Host. You can install more than one tunnel agent outside the firewall.
NOTE: You can also install the tunnel agent directly from the installers and then register it with the primary manager. The tunnel agent rpm is in the tunnel folder of the ISO.
Install the tunnel manager package. For more information, see Section 3.4.7, Installing Packages on a Host.
To establish a secure channel of communication between the tunnel agent and tunnel manager:
1. Click in the home page of the console.
2. In the navigation pane, select the tunnel agent host, click , then click .
3. In the task menu, select , then click .
To disable the tunnel, select , then click .
Before reregistering the tunnel agent package, ensure that you complete the following tasks:
Remove the access from the tunnel agent to port 29120 on the primary manager and the tunnel manager.
Restart the tunnel agent.
To reregister the tunnel agent package, run the following command on the tunnel agent:
bash# /opt/novell/npum/sbin/unifi regclnt register 127.0.0.1 29121
Please provide the DNS name or IP address of the framework manager : (127.0.0.1)
Please provide the port number of the framework manager: (29121)
Please provide the DNS name or IP address of this agent: <agent DNS name>
Please provide the registered agent name for this agent: <agent DNS name>
Framework manager: 127.0.0.1:29121
Agent DNS name or IP address : <agent DNS name>
Agent name : <agent name>
Is this correct: (y)
Please enter the name and password of an account with permission to register this host.
User name: <username>
Password: <password>
Confirm password: <password>
NOTE: To verify the re-registration process, check for the following line in the unifid.log:
Info, Registration successful for <agent DNS name> to 127.0.0.1:29121
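As an added check that is not part of the NetIQ documentation, the following shell function inspects unifid.log for the success line shown above and treats only the newest entry for an agent as authoritative. The sample log, the agent names, and the "Registration failed" line format are constructed assumptions; the success line follows the format the guide shows.

```shell
#!/bin/sh
# Added example, not from the NetIQ Privileged User Manager documentation.
# Checks unifid.log for the re-registration success line the guide names.

# verify_registration LOGFILE AGENT
# Returns 0 when the most recent registration entry for AGENT is the expected
# "Registration successful for <agent> to 127.0.0.1:29121" line, 1 otherwise.
# Only the newest entry counts, so a later failure is not masked by an
# earlier success, and the agent name is matched as a whole token ("for X to ").
verify_registration() {
    log=$1
    agent=$2
    expected="Registration successful for ${agent} to 127.0.0.1:29121"
    last=$(grep -F 'Registration' "$log" | grep -F "for ${agent} to " | tail -n 1)
    [ -n "$last" ] || return 1
    case "$last" in
        *"${expected}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_sample_log: writes a constructed unifid.log to a temp file and prints
# its path. The "failed" lines are an assumption made for this example only.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Info, Registration successful for agent-a.example.com to 127.0.0.1:29121
Info, Registration failed for agent-b.example.com to 127.0.0.1:29121
Info, Registration successful for agent-b.example.com to 127.0.0.1:29121
Info, Registration successful for agent-c.example.com to 127.0.0.1:29121
Error, Registration failed for agent-c.example.com to 127.0.0.1:29121
EOF
    echo "$f"
}

# Stand-alone demo: report the state of each agent in the sample log.
demo_log=$(make_sample_log)
for a in agent-a.example.com agent-b.example.com agent-c.example.com agent-d.example.com; do
    if verify_registration "$demo_log" "$a"; then
        echo "$a: re-registration OK"
    else
        echo "$a: re-registration NOT confirmed, check unifid.log"
    fi
done
rm -f "$demo_log"
```

On a real tunnel agent, pass the path of its unifid.log and the agent DNS name you entered during registration instead of the sample log.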
To list the agents to which a tunnel is established with the tunnel manager:
1. Click in the home page of the console.
2. In the navigation pane, select the tunnel manager host, click , then click .
3. In the task menu, select .
A list of agents to which the tunnel is established with the tunnel manager is displayed.