Re: Multi-homed client issues
From: Mark . Burgess
Subject: Re: Multi-homed client issues
Date: Wed, 9 Jun 2004 23:19:12 +0200 (MEST)
You can bind the connection sockets to a particular interface
to avoid problems with multiple interfaces. You can also store
keys by hostname rather than IP address.
Interfaces and DNS are tricky, I have come to realize.
If I could start again, I would not do authentication
in the same way.
M
On 9 Jun, Scott Omar Burch wrote:
> Hi,
>
> We are currently working on deploying Cfengine where I work. We have a
> dedicated policy server that will be used throughout the enterprise.
> Initial testing is being done on Solaris8/9 with version 2.1.6. The
> policy server will be communicating with systems beyond several layers
> of firewalls. We have a dedicated management interface on all systems
> that are behind firewalls. The current policy on these hosts is to allow
> traffic to traverse the management interface, but deny all traffic by
> default on the production (primary) interface. Now I can communicate
> back to the policy server from these hosts in a number of different ways
> (host routes, defining the policy server as a natted address that these
> hosts can directly talk with, etc.). The problem we are having is as
> follows:
>
> (Assume the following):
>
> 1) The remote host is called snoopy; it has an interface called snoopy
> and a management interface called snoopy-mgmt (both are physical
> interfaces and their forward/reverse entries are in DNS)
> 2) I have bound cfagent and cfservd on snoopy to the -mgmt interface.
> 3) cfagent -v on snoopy works fine.
>
> Cfrun will not work to a host with this type of configuration. I believe
> this is because the key is associated with the hostname snoopy not
> snoopy-mgmt. Of course I could be wrong. Is there any way to work around
> this problem other than opening up port 5308... I really want all
> traffic and keys associated with the secondary (management) interface. I
> should say everything is working just fine on hosts that have a single
> interface.
>
> Thanks,
> Scott
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
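
The effect of binding the connection socket, as suggested in the reply above, shown as an added example that is not cfengine code and not part of the original thread. It assumes a Linux loopback where 127.0.0.2 stands in for snoopy-mgmt, and it models the key store as a table keyed by the source IP address the server observes; the addresses, the key table and the function names are constructed for illustration.

```python
import socket

# Constructed stand-ins on loopback (Linux answers on all of 127.0.0.0/8):
SERVER_ADDR = "127.0.0.1"   # policy server; also the client's default source
MGMT_ADDR = "127.0.0.2"     # plays the role of snoopy-mgmt

# Assumption for this model: the server files peer keys under the source IP
# address it observes, and only the management address has a key on file.
KEYS_BY_IP = {MGMT_ADDR: "constructed-public-key-for-snoopy-mgmt"}


def observed_source(bind_to=None):
    """Open one TCP connection and return the client IP the server sees."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.settimeout(5)
        cli.settimeout(5)
        srv.bind((SERVER_ADDR, 0))          # ephemeral port
        srv.listen(1)
        if bind_to is not None:
            cli.bind((bind_to, 0))          # pin the source address before connect()
        cli.connect(srv.getsockname())
        conn, (peer_ip, _port) = srv.accept()
        conn.close()
        return peer_ip
    finally:
        cli.close()
        srv.close()


def key_lookup(peer_ip):
    """Return the key on file for the observed address, or None."""
    return KEYS_BY_IP.get(peer_ip)


if __name__ == "__main__":
    for label, bind_to in (("unbound", None), ("bound to mgmt", MGMT_ADDR)):
        ip = observed_source(bind_to)
        found = key_lookup(ip) is not None
        print(f"{label:14s} server sees {ip:10s} key on file: {found}")
```

Without the bind, the kernel picks the source address from the route to the destination, so the server sees an address with no key on file; with the bind, the observed address matches the stored key.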