Multi-homed client issues

From: Scott Omar Burch
Subject: Multi-homed client issues
Date: Wed, 09 Jun 2004 14:14:38 -0500

We are currently working on deploying Cfengine where I work. We have a dedicated policy server that will be used throughout the enterprise. Initial testing is being done on Solaris 8/9 with version 2.1.6. The policy server will be communicating with systems beyond several layers of firewalls. We have a dedicated management interface on all systems that are behind firewalls. The current policy on these hosts is to allow traffic to traverse the management interface, but deny all traffic by default on the production (primary) interface. Now I can communicate back to the policy server from these hosts in a number of different ways (host routes, defining the policy server as a NATted address that these hosts can directly talk with, etc.). The problem we are having is as follows:

Assume the following:

1) The remote host is called snoopy; it has an interface called snoopy and a management interface called snoopy-mgmt (both are physical interfaces and their forward/reverse entries are in DNS)
2) I have bound cfagent and cfservd on snoopy to the -mgmt interface.
3) cfagent -v on snoopy works fine.

cfrun will not work to a host with this type of configuration. I believe this is because the key is associated with the hostname snoopy, not snoopy-mgmt. Of course I could be wrong. Is there any way to work around this problem other than opening up port 5308? I really want all traffic and keys associated with the secondary (management) interface. I should say everything is working just fine on hosts that have a single interface.
