3.5 Tunneling

Tunneling improves the usability of Privileged User Manager in firewall-enabled deployments. It reduces the security risk and enables the exchange of data within a firewall-friendly architecture. In a firewall deployment, the agents and managers communicate through a secure channel called a tunnel, which is an effective way to deploy client/server applications on either side of the firewall infrastructure.

Figure 3-1 Tunneling Feature

For example, in Figure 3-1, Host 3, Host 2, and the Agents are registered with the Primary Manager (Host 1). The Tunnel Agent package is installed on Host 3 (Tunnel Agent) and the Tunnel Manager package on Host 2 (Tunnel Manager). The Tunnel Manager acts as an interface between the Tunnel Agent and the Primary Manager, and all communication between the Tunnel Agent and the Tunnel Manager passes through the established tunnel. If the Tunnel Agent has to communicate with Agent 2, all Privileged User Manager specific communication is channeled through the Tunnel Manager according to the policies configured in the Primary Manager.

NOTE: Tunneling is not supported on Windows and SLES platforms. For the list of supported platforms, see Installation Requirements in the NetIQ Privileged User Manager 2.3.3 Installation Guide.

3.5.1 Installing the Packages

Before installing the packages, temporarily allow access from Host 3 to port 29120 on the Primary Manager and on Host 2.

NOTE:

  • Ensure that the hosts or agents are registered with the primary manager before installing the packages.

  • Ensure that the primary manager, tunnel manager, and tunnel agent are on separate systems.

  1. Publish the tunnel agent and the tunnel manager packages in the console.

    For more information to publish the Firewall Tunnel Agent and Firewall Tunnel Manager, see Section 2.1.2, Adding Packages to the Package Manager.

  2. Install the Firewall Tunnel Agent package (tnlagnt). For more information, see Section 3.4.7, Installing Packages on a Host.

    You can install more than one tunnel agent outside the firewall.

    NOTE: You can also install the tunnel agent directly from the installers and then register it with the primary manager. The tunnel agent RPM is in the tunnel folder of the ISO.

  3. Install the Firewall Tunnel Manager package (tnlmgr). For more information, see Section 3.4.7, Installing Packages on a Host.

3.5.2 Enabling and Disabling Tunneling

To establish a secure channel of communication between the tunnel agent and tunnel manager:

  1. Click Hosts in the home page of the console.

  2. In the navigation pane, select the tunnel agent host, click Packages, then click tnlagnt.

  3. In the task menu, select Enable Tunneling, then click OK.

    To disable tunneling, select Disable Tunneling, then click OK.

3.5.3 Reregistering the Tunnel Agent Package

Before reregistering the tunnel agent package, ensure that you complete the following tasks:

  1. Remove the access from the tunnel agent to port 29120 on the primary manager and the tunnel manager.

  2. Restart the tunnel agent.

To reregister the tunnel agent package, run the following command in the tunnel agent:

bash# /opt/novell/npum/sbin/unifi regclnt register 127.0.0.1 29121
Please provide the DNS name or IP address of the framework manager : (127.0.0.1) 
Please provide the port number of the framework manager: (29121) 
Please provide the DNS name or IP address of this agent: <agent DNS name> 
Please provide the registered agent name for this agent: <agent DNS name> 

Framework manager: 127.0.0.1:29121
Agent DNS name or IP address : <agent DNS name>
Agent name : <agent name>

Is this correct: (y) 
Please enter the name and password of an account 
with permission to register this host.
User name: <username> 
Password: <password>
Confirm password: <password>

NOTE: To verify that the reregistration succeeded, check for the following line in unifid.log:

Info, Registration successful for <agent DNS name> to 127.0.0.1:29121
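The check above is a manual one. The following shell script is an added example, not part of the NetIQ documentation or product, that automates it: it looks in unifid.log for the "Registration successful" line quoted above for a named agent and reports the most recent match, so the step can be scripted after a reregistration. The log line format and the 127.0.0.1:29121 endpoint are taken from this page; the log file path, the agent name and the sample log content are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the NetIQ guide): verify a tunnel agent
# reregistration by searching unifid.log for the success line the guide quotes.

# check_registration LOGFILE AGENT [MANAGER]
#   Returns 0 if LOGFILE contains a "Registration successful" line for AGENT
#   against MANAGER (default 127.0.0.1:29121, the local tunnel endpoint),
#   1 otherwise. grep -F matches the agent name literally, so dots in a DNS
#   name are not treated as regex wildcards.
check_registration() {
    logfile=$1
    agent=$2
    manager=${3:-127.0.0.1:29121}
    grep -F "Registration successful for ${agent} to ${manager}" "$logfile" >/dev/null
}

# last_registration LOGFILE
#   Prints the most recent registration line in LOGFILE, if any (empty otherwise).
last_registration() {
    grep -F "Registration successful for" "$1" | tail -n 1
}

# Constructed sample log: the line format follows the guide, the host name is made up.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Info, Starting unifid
Info, Registration successful for tnlagent.example.com to 127.0.0.1:29121
Info, Tunnel enabled
EOF

# On a real tunnel agent, point the function at the product's unifid.log
# (assumed path, adjust to the installation) and at the agent's own DNS name.
if check_registration "$SAMPLE_LOG" tnlagent.example.com; then
    echo "registered: $(last_registration "$SAMPLE_LOG")"
else
    echo "no successful registration found for tnlagent.example.com" >&2
fi
rm -f "$SAMPLE_LOG"
```

The function exits non-zero when the line is missing, so it can gate a follow-up step such as removing the temporary port 29120 access described in Section 3.5.3.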

3.5.4 Listing Tunnels

To list the agents to which a tunnel is established with the tunnel manager:

  1. Click Hosts in the home page of the console.

  2. In the navigation pane, select the tunnel manager host, click Packages, then click tnlmngr.

  3. In the task menu, select List Tunnels.

    A list of agents to which the tunnel is established with the tunnel manager is displayed.