help-cfengine
Re: Multi-homed client issues


From: Mark Burgess
Subject: Re: Multi-homed client issues
Date: Wed, 9 Jun 2004 23:19:12 +0200 (MEST)

You can bind the connection sockets to a particular interface
to avoid problems with multiple interfaces. You can also store
keys by hostname rather than IP address.

Interfaces and DNS are tricky, I have come to realize.
If I could start again, I would not do authentication
in the same way.

M

On  9 Jun, Scott Omar Burch wrote:
> Hi,
> 
> We are currently working on deploying Cfengine where I work. We have a 
> dedicated policy server that will be used throughout the enterprise. 
> Initial testing is being done on Solaris8/9 with version 2.1.6. The 
> policy server will be communicating with systems beyond several layers 
> of firewalls. We have a dedicated management interface on all systems 
> that are behind firewalls. The current policy on these hosts is to allow 
> traffic to traverse the management interface, but deny all traffic by 
> default on the production (primary) interface. Now I can communicate 
> back to the policy server from these hosts in a number of different ways 
> (host routes, defining the policy server as a natted address that these 
> hosts can directly talk with, etc.). The problem we are having is as 
> follows:
> 
> (Assume the following):
> 
> 1) The remote host is called snoopy; it has an interface called snoopy 
> and a management interface called snoopy-mgmt (both are physical 
> interfaces and their forward/reverse entries are in DNS)
> 2) I have bound cfagent and cfservd on snoopy to the -mgmt interface.
> 3) cfagent -v on snoopy works fine.
> 
> Cfrun will not work to a host with this type of configuration. I believe 
> this is because the key is associated with the hostname snoopy not 
> snoopy-mgmt. Of course I could be wrong. Is there any way to work around 
> this problem other than opening up port 5308... I really want all 
> traffic and keys associated with the secondary (management) interface. I 
> should say everything is working just fine on hosts that have a single 
> interface.
> 
> Thanks,
> Scott
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
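
Added example (not part of the original message and not cfengine code): a small Python illustration of the two suggestions in the reply, binding the client socket to one interface and looking keys up by hostname instead of IP address. The loopback addresses, the reverse-lookup table, the key strings and the function names are constructed for illustration, and it assumes Linux, where every address in 127.0.0.0/8 is local.

```python
import socket

# Constructed data: 127.0.0.1 stands in for snoopy's primary interface and
# 127.0.0.2 for snoopy-mgmt (assumes Linux, where all of 127.0.0.0/8 is local).
REVERSE_DNS = {"127.0.0.1": "snoopy", "127.0.0.2": "snoopy-mgmt"}
KEYS_BY_IP = {"127.0.0.1": "pubkey-snoopy"}          # stored under the primary IP
KEYS_BY_HOSTNAME = {"snoopy-mgmt": "pubkey-snoopy"}  # stored under the mgmt name


def peer_seen_by_server(source_ip=None):
    """Connect to a local listener; return the peer IP the listener sees."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        if source_ip:
            cli.bind((source_ip, 0))  # pin the source address before connect()
        cli.connect(srv.getsockname())
        conn, peer = srv.accept()
        conn.close()
        return peer[0]
    finally:
        cli.close()
        srv.close()


def find_key(peer_ip, by_hostname=False):
    """Look up the stored key by peer IP, or by the name that IP resolves to."""
    if by_hostname:
        # Depends on the reverse lookup being correct for that interface.
        return KEYS_BY_HOSTNAME.get(REVERSE_DNS.get(peer_ip))
    return KEYS_BY_IP.get(peer_ip)


if __name__ == "__main__":
    for src in (None, "127.0.0.2"):
        peer = peer_seen_by_server(src)
        print(src, "->", peer, find_key(peer), find_key(peer, by_hostname=True))
```

The key is found only when the identity it was stored under matches the interface the connection is bound to, so binding and key naming have to be chosen together.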




