DX Unified Infrastructure Management


hub configuration for internet facing servers

  • 1.  hub configuration for internet facing servers

    Posted Feb 24, 2020 04:23 PM
    hi

    can anyone suggest the IP that the internet-facing robot and the hub should use if the server beyond the firewall is to be used as a hub?

    I have been trying to configure a hub with the above-mentioned IP. If I use the external IP for the robots, they are getting detected but are giving an illegal SID or login into the right domain error; if I use the internal IP for the robots, they are not getting detected.
    I tried the external IP and the internal IP for the hub. When I use the internal IP, the hub is communicating to the primary hub through the tunnel but is not able to communicate to the hub; if I use the external IP, the tunnel is not working.

    regards
    nijin



  • 2.  RE: hub configuration for internet facing servers

    Broadcom Employee
    Posted Feb 24, 2020 05:09 PM
    this is what a hub is designed for.
    put a local hub in the same network as the robot and use a tunnel back to the other hub.
    if you have just the one robot make it a hub and create a tunnel.

    ------------------------------
    Gene Howard
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: hub configuration for internet facing servers

    Posted Feb 24, 2020 05:53 PM
    These may be of help:
    How to setup Nimsoft Monitor Tunnels Quick tunnel setup howto/guide
    Article Id: 34262
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=34262

    Tunnel Client Cannot Connect to Tunnel Server
    Article Id: 35372
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35372

    HUB Performance Optimization & Troubleshooting Guide
    Article Id: 9733
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=9733




    ------------------------------
    Support Engineer
    Broadcom
    ------------------------------



  • 4.  RE: hub configuration for internet facing servers

    Posted Feb 25, 2020 08:47 AM
    Gene

    if we try this, there are almost 25 subnets in which these robots are located, so that would require 25 hub servers in all, which will be hard to justify to the client

    is there any other way to work around this?



  • 5.  RE: hub configuration for internet facing servers

    Broadcom Employee
    Posted Feb 25, 2020 09:43 AM
    If your client has 24 subnets it sounds like they have a complicated infrastructure.
    The best solution will be to set up a hub in each subnet and create a tunnel.

    ------------------------------
    Gene Howard
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 6.  RE: hub configuration for internet facing servers
    Best Answer

    Posted Feb 25, 2020 10:47 AM
    There seems to be a terminology issue here too so let me try to use different words.

    Generally speaking, you cannot successfully configure a robot to communicate with a hub where there is a NAT involved. Essentially, when the robot connects to the hub, it includes the address that the hub should use to communicate back, and because the robot knows nothing about the NAT, the address the robot sends to the hub will be unable to be used by the hub.

    That's the source of your problem.

    To fix this, you have the hub probe. There is no such thing really as a "Hub server". Every hub is just a robot that's also running the hub probe. This is nothing that your customer would even know about really, same way that they'd not really know whether you are running the rsp probe or CDM probe to get disk usage. So one simple fix is just to deploy the hub probe to every robot. That's what we do on more than 7k systems.

    If you can't, then why not on the customer's network create a hub (one existing robot + hub probe) that's reachable by all the 25 subnets? Robots have no problem pushing traffic across subnets because it's all TCP/IP traffic and should be routable on the customer's network. Then that Robot+hub has a tunnel to your tunnel server for all the traffic it collected.


  • 7.  RE: hub configuration for internet facing servers

    Posted Feb 26, 2020 05:47 AM
    hi all

    can removing the external IP and using the public IP as external IP, while keeping the internal as it was, work in this scenario?



  • 8.  RE: hub configuration for internet facing servers

    Broadcom Employee
    Posted Feb 26, 2020 07:35 AM
    no

    ------------------------------
    Gene Howard
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 9.  RE: hub configuration for internet facing servers

    Posted Feb 27, 2020 08:17 AM
    hi all

    we tried removing the external IP from the network and using the public IP as external IP, keeping the internal network as it was.

    this seems to be working and the hub is able to fetch data from robots now

    what parameters should I check to see if this architecture will hold up?



  • 10.  RE: hub configuration for internet facing servers

    Broadcom Employee
    Posted Feb 27, 2020 08:44 AM
    Hubs do not fetch data from robots. Robots send data to the hub.
    The hub connects to the robot to make changes to configuration files.
    If you can deploy a probe, edit the configuration, and see alarms and QoS in USM, it would sound like it is working.
    Based on what you have described, though, this is not a tested configuration and as such not supported.
    If you call into support with an issue with the robot to hub communication, there will not be much they can do to help you and it cannot be taken to the dev team.

    ------------------------------
    Gene Howard
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 11.  RE: hub configuration for internet facing servers

    Posted Feb 27, 2020 10:10 AM
    As Gene has said, this should not work and from your questions, it sounds like it is not fully. 

    Why are you resistant to installing the hub probe on these servers as is intended by the product's design?

    The hub probe exists, in part, so that you can use DX IM across a network that uses NAT.


  • 12.  RE: hub configuration for internet facing servers

    Posted Feb 27, 2020 12:46 PM
    hi Gene

    yes, I am able to generate an alarm by changing the configuration in the cdm probe

    Garin

    I agree the easiest way is to go with 25 hubs, but it was declined since the client sees this as extra software on their major application software


  • 13.  RE: hub configuration for internet facing servers

    Posted Feb 27, 2020 12:33 PM
    This may help if you want to re-establish the NAT.

    Network Aliases

    Robots don't have to be in the same network as the Hub; if that's the case the user must manually tell the Robot what Hub to connect to (NimBUS Manager). If the Robot is in a NAT'ed environment, the IP address that the Robot registers with the Hub (193.1.1.1) may not be an address that the Hub or Consoles can use to communicate with the Robot (10.1.1.1).
                                                    Robot A (10.1.1.1)
                                                        <--------------

     Robot A (193.1.1.1) ---------> firewall/router --------------------------> Hub A

    If you have a situation like this you have two options: install a Hub with Robot A and use tunnels (recommended if you have more than one Robot in that network) or configure a Network Alias in Hub A's configuration.

     

    A Network alias is an override mechanism that allows you to map either a range of IP addresses or a single address to another IP address. This mapping is triggered by a NimBUS Name Service lookup; when you try to access any of the probes running on Robot A, the registered IP address is translated by the Alias mechanism during the lookup process and the address that is usable from Hub A is provided.



    ------------------------------
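
The alias lookup described in the post above, as an added illustration that is not part of the original thread and not the product's own code: a toy Python model in which a robot registers the address it reports about itself and the hub-side lookup applies single-address or range overrides. The class and method names, the 10.1.1.254 target and the longest-prefix tie-break are assumptions; 193.1.1.1 and 10.1.1.1 are the addresses used in the post.

```python
import ipaddress


class NameService:
    """Toy model of a hub-side name lookup with alias overrides (hypothetical)."""

    def __init__(self):
        self.registered = {}  # robot name -> address the robot reported about itself
        self.aliases = []     # (source network, replacement address) pairs

    def register(self, robot, self_reported_ip):
        # The robot knows nothing about the NAT, so it reports its own view.
        self.registered[robot] = ipaddress.ip_address(self_reported_ip)

    def add_alias(self, source, target):
        # source is a single address ("193.1.1.1") or a range in CIDR form.
        net = ipaddress.ip_network(source, strict=False)
        self.aliases.append((net, ipaddress.ip_address(target)))

    def lookup(self, robot):
        addr = self.registered[robot]
        matches = [(net, tgt) for net, tgt in self.aliases if addr in net]
        if not matches:
            return str(addr)  # no override: caller gets the registered address
        # Assumption: the most specific (longest-prefix) alias wins.
        _, target = max(matches, key=lambda m: m[0].prefixlen)
        return str(target)


def demo():
    ns = NameService()
    ns.register("RobotA", "193.1.1.1")          # address from the post
    before = ns.lookup("RobotA")                # what Hub A would try without an alias
    ns.add_alias("193.1.1.0/24", "10.1.1.254")  # range alias (constructed value)
    ns.add_alias("193.1.1.1", "10.1.1.1")       # single-address alias from the post
    after = ns.lookup("RobotA")                 # address usable from Hub A
    return before, after


if __name__ == "__main__":
    print(demo())
```

The translation happens only at lookup time; the registered address itself is never rewritten, which is why removing an alias immediately exposes the unreachable address again.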