Chris Cruz_1
Message 1 of 5

Ignite across firewalls

We would like to set up an Ignite server to back up clients across multiple subnets, and possibly firewalls.

I understand that HP does not support Ignite across firewalls but wondered if you were aware of a preferred method of getting this done.

At the moment, we are looking into providing boot helpers on each relevant subnet and then archiving using NFS.

It is NFS that is causing us a problem across firewalls.

Any help you can provide with this will be most appreciated.
Duncan Edmonstone
Message 2 of 5

Re: Ignite across firewalls

Chris,

This document talks about setting up Ignite with Bastille:

http://docs.hp.com/en/5991-0734/5991-0734.pdf

As some of the security levels in Bastille involve enabling the IPFilter firewall, there is plenty of data in here on what ports you need open for Ignite to run.

Unfortunately, as NFS is involved, that's a LOT of ports.

HTH

Duncan
Steven E. Protter
Message 3 of 5

Re: Ignite across firewalls

Shalom,

Realistically there is no practical way to run Ignite across a firewall. NFS is used to transfer the image, tftp is used to boot. The client and server need to be on the same network or have a boothelper.

No firewall administrator in her right mind would have those ports open on a firewall that is designed to protect something.

NFS 4 does have the ability to specify what ports portmapper will use. I did this in RHCE class. So in a situation where you were using NFS 4, you might be able to do this. NFS 3 needs a random port for portmapper in version 3. Dave Olker however probably has a solution to this issue concerning the NFS portion of the problem.

The real solution problem is booting. That uses privileged ports below 1024 and protocols such as bootp that are simply not very secure.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
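Added example, not part of any post in this thread: a Python sketch that parses `rpcinfo -p` output from an NFS server and separates the services on well-known ports (portmapper on 111, nfs on 2049) from the ones that registered whatever port they were given, which is the set a firewall rule cannot pin down. The sample output is constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  49312  mountd
    100005    3   tcp  49313  mountd
    100024    1   udp  49155  status
    100024    1   tcp  49156  status
    100021    4   udp  49158  nlockmgr
    100021    4   tcp  49159  nlockmgr
"""

# Service/port pairs that are the same on every host.
WELL_KNOWN = {("portmapper", 111), ("nfs", 2049)}


def parse_rpcinfo(text):
    """Return {service: set of (proto, port)} from `rpcinfo -p` output."""
    services = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the numeric program id; this skips the header.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        prog, _vers, proto, port = fields[:4]
        # The service name column is empty for unregistered program numbers.
        name = fields[4] if len(fields) > 4 else prog
        services[name].add((proto, int(port)))
    return dict(services)


def classify(services):
    """Split services into (fixed, dynamic) dicts of sorted endpoints."""
    fixed, dynamic = {}, {}
    for name, endpoints in services.items():
        is_fixed = all((name, port) in WELL_KNOWN for _, port in endpoints)
        (fixed if is_fixed else dynamic)[name] = sorted(endpoints)
    return fixed, dynamic


if __name__ == "__main__":
    fixed, dynamic = classify(parse_rpcinfo(SAMPLE_RPCINFO))
    for label, group in (("fixed", fixed), ("dynamic", dynamic)):
        for name, endpoints in sorted(group.items()):
            print(label, name, endpoints)
```

Feeding it the real output of `rpcinfo -p` from the Ignite server shows which NFS helper services would each need their own firewall rule.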
DCE
Message 4 of 5

Re: Ignite across firewalls


What I found is that in order for Ignite to work across a firewall, you have to compromise security to a point where there is no security.

We wound up purchasing a tape drive and performing a local make_tape_recovery.

If you have multiple systems on the other side of the firewall, you could set one of them up as an Ignite server for those systems.
Bill Hassell
Message 5 of 5

Re: Ignite across firewalls

The only secure solution is to use a VPN connection between the different sites. As mentioned, NFS is not only totally unsecure, it is also VERY unstable across a WAN or open Internet (it cannot tolerate WAN network errors). For production machines, this means that they will hang on a regular basis.