AppWorx, Dollar Universe and Sysload Community

  • 1.  [Solved] $U, Univiewer and servers in a DMZ

    Posted Feb 14, 2012 04:54 AM
    Have checked the forum, and how to allow servers to communicate through a firewall into a DMZ is in the comment below.

    'The simplest way to make two $U nodes communicate is indeed to open this port range (10600-10615) in both directions between the two $U nodes.'

    Taking this further, how can Univiewer be used to monitor a server in the DMZ if the management server is located on the other side of the firewall? Is there a port number that Univiewer management server uses to communicate with nodes? If there is then sounds like allowing traffic through that port would allow Univiewer to monitor the node in the DMZ.

    Is there a specific userid that Univiewer uses to connect to a node? Just thinking if extra security is required.

    This would be running $U 5.6 patch FX24917 on a Windows 2003 server and Univiewer management server 3.0.7 on Unix itanium.


  • 2.  [Solved] $U, Univiewer and servers in a DMZ

    Posted Feb 14, 2012 09:07 AM
    SilverDollar

    My answer to this is so simple I'm beginning to wonder if I understood the question, so I checked things out with a colleague.


    Communications with UVMS use the port 4184 by default. This port should therefore be open for outward communications on your UniViewer Console machine and open for incoming communications on the UVMS machine.

    User accounts don't come into it at this point (so I'm told).

    You'll need either to create accounts in each DUAS corresponding to the UVMS user or alias the UVMS user to a suitable local DUAS account using Dollar Universe proxies.

    Hope that does it

    Gary


  • 3.  [Solved] $U, Univiewer and servers in a DMZ

    Posted Feb 15, 2012 05:49 AM
    Ok to clarify the setup that is being attempted in a simple way.

    1 server in DMZ with $U separated from network by an inner firewall. Another server with $U inside the firewall used to distribute files to various parts of the network. There is also a 3rd server inside the firewall which is the UVMS. The idea is $U in the DMZ looks for files, if it finds any it tells the server on the other side of the firewall. The server inside the firewall then pulls the file thru the firewall using a specific mechanism. This would all need to be monitored by Univiewer with the Univiewer server inside the firewall. Want this to be done in as secure a way as possible.

    Few things required:
    - Control of $U on both the server in the DMZ and the server inside the firewall, preferably using the UVMS inside the firewall
    - No files to be transferred through the firewall unless thru a specific mechanism (this is actual files rather than info that would be required to control $U)
    - Dependency between $U on the servers on both sides of the firewall (make them part of the same company); same idea as above, no file transfers allowed.

    Does the simple solution outlined still hold?


  • 4.  [Solved] $U, Univiewer and servers in a DMZ

    Posted Feb 15, 2012 06:40 AM
    I enclose a dated but nonetheless relevant diagram showing how Dollar Universe can be set up to communicate across firewalls:
    [Attachment: firewall_dmz.jpg]

    UniViewer communicates with UVMS on port 4184
    UniViewer communicates with the Dollar Universe I/O server (10600 default for X Area)

    UVMS communicates with Dollar Universe I/O server and CDJ server (10600 and 10611).

    Between 2 DUAS open up ports 10600 to 10615 as used in the Network configuration section of the Univiewer Nodes document.

    I'll look around for more info on the subject.

    Gary


  • 5.  [Solved] $U, Univiewer and servers in a DMZ

    Posted Feb 16, 2012 05:28 AM
    Raised the query with support and got this nice reply which explains pretty much everything and ports that will need to be opened.

    Depending on which area you need to use, ports need to be opened between Dollar Universe servers in both ways:

            IO       BVS      CDJ
    X:      10600    10605    10611
    S:      10601    10606    10612
    I:      10602    10607    10613
    A:      10603    10608    10614

    The IO manages the network communication (via the Exchanger)
    The BVS process to handle the Business Views/Job Chains
    The CDJ gathers the execution information

    Please note that:
    - these same ports need to be opened between the UniViewer Management Server (UVMS) and the Dollar Universe servers in the DMZ zone.
    - Only the UniViewer Web Console (UVWC) will allow you to access the DMZ servers without opening ports between users' workstations and the DMZ.
      Indeed only the same ports have to be opened between the server where resides UniViewer Web Console and the DMZ zone.
    - FTP (or sFTP) port has to be opened as well.

    To summarize
    - DUAS1 in DMZ
    - DUAS2 outside
    - UVMS outside
    - UVWC outside

    Ports described above to open between:
    - DUAS1 and DUAS2
    - DUAS1 and UVMS
    - DUAS1 and UVWC
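
Added example, not part of the thread or of any vendor tooling: a small audit that turns the per-area port table and host pairs from the support reply above into the exact flows required, then compares them with a firewall rule set to show what is missing and what is opened without need (for instance by the 10600-10615 range shortcut). The rule tuple format and the sample rules are constructed for illustration; the FTP/sFTP and 4184 ports mentioned in the thread are out of scope here.

```python
# Per-area ports as listed in the support reply quoted in the thread.
AREA_PORTS = {
    "X": {"IO": 10600, "BVS": 10605, "CDJ": 10611},
    "S": {"IO": 10601, "BVS": 10606, "CDJ": 10612},
    "I": {"IO": 10602, "BVS": 10607, "CDJ": 10613},
    "A": {"IO": 10603, "BVS": 10608, "CDJ": 10614},
}
# Host pairs the reply says need these ports, in both directions.
PAIRS = [("DUAS1", "DUAS2"), ("DUAS1", "UVMS"), ("DUAS1", "UVWC")]


def required_rules(areas):
    """Return the set of (src, dst, port) flows needed for the areas in use."""
    ports = {p for area in areas for p in AREA_PORTS[area].values()}
    rules = set()
    for a, b in PAIRS:
        for port in ports:
            rules.add((a, b, port))
            rules.add((b, a, port))
    return rules


def audit(fw_rules, areas):
    """Compare firewall rules (src, dst, low_port, high_port) with the need.

    Returns (missing, excess): required flows no rule covers, and
    (src, dst, port) flows a rule opens that nothing requires.
    """
    need = required_rules(areas)
    opened = {(s, d, p) for s, d, lo, hi in fw_rules for p in range(lo, hi + 1)}
    return sorted(need - opened), sorted(opened - need)


# Constructed sample rule set (assumption): the whole-range shortcut between
# the two DUAS nodes, plus a single-port rule from UVMS into the DMZ node.
SAMPLE_RULES = [
    ("DUAS1", "DUAS2", 10600, 10615),
    ("DUAS2", "DUAS1", 10600, 10615),
    ("UVMS", "DUAS1", 10600, 10600),
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, areas=["X"])
    print(f"{len(missing)} required flows not covered:")
    for src, dst, port in missing:
        print(f"  {src} -> {dst} port {port}")
    print(f"{len(excess)} opened flows that area X does not require")
```
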


  • 6.  [Solved] $U, Univiewer and servers in a DMZ

    Posted Feb 16, 2012 06:31 AM
    Hi Silverdollar,

    Univiewer can be installed in 3 different modes: Standalone, Webstart and Webconsole.
    In the first 2 modes, the Univiewer Application runs on the remote workstation; it would therefore be necessary to open communication between each Univiewer workstation on the website and:
    - the UVMS on port 4184
    - the IO Server and CDJ Server on each DUAS.
    In Webconsole mode the Univiewer Application runs on a Web Application Server (e.g. Tomcat, Servlet engine). If the Web Application Server is on the internal network, then you'll only need to open the http port to communicate from the web to the Univiewer Console.
    If you need to communicate from the Univiewer Web Console on the internal network with the DUAS in the DMZ, you'll need to open the IO Server, BVS and CDJ Server ports.

    Hope that helps.

    Octavie and Gary


  • 7.  [Solved] $U, Univiewer and servers in a DMZ

    Posted Apr 11, 2012 07:01 AM
    Installed $U onto the DMZ server then found firewall rules need changed as access is required directly from my workstation. Looks like I misunderstood the Univiewer setup. Thought the Management server handled the traffic to and from the $U node which is incorrect, the management server only stores information like login or port numbers.

    Means either more complex firewall rules to allow connection to the target server from a number of workstations or using the Univiewer Web console - full version which allows https connections.