3.3.6.2. Solutions for Operating Through a Firewall
SSM can operate through a firewall in three different ways:
• The hpssgui and hpssadm can use ports exempted by the network administrator as firewall
exceptions. See the -n option described in the hpssgui and hpssadm man pages.
• The hpssgui and hpssadm can contact the System Manager across a Virtual Private Network
connection (VPN). See the -p and -h options described in the hpssgui and hpssadm man
pages.
• The hpssgui and hpssadm can contact the System Manager across an ssh tunnel. See the
instructions for tunneling in the hpssgui man page.
The firewall exception is the simplest of these. However, security organizations are not always willing to
grant exceptions.
The vpn option is usually simple and transparent regardless of how many ports are needed, but requires
the site to support vpn. The site must also allow the vpn users access to the ports listed in Section
3.3.6.1 The Firewall Problem on page 44; not all sites do.
The ssh tunneling option has the advantage that it can be used almost anywhere at no cost. It has the
disadvantage that the tunnel essentially creates its own firewall exception. Some security organizations
would rather know about any applications coming through the firewall and what ports they are using
rather than have users create exceptions themselves without the awareness of security personnel. A
second disadvantage of tunneling is that if a particular client machine is compromised, any tunnels open
on that client could also be compromised. The client machine may become a point of vulnerability and
access to the other machines behind the firewall. A third disadvantage is that tunneling can be complex
to set up, requiring slight or significant variations at every site.
The firewall and tunneling options both benefit from reducing the number of ports required:
• The need for port 111 can be eliminated by making the System Manager listen on a fixed port.
To do this, set the HPSS_SSM_SERVER_LISTEN_PORT environment variable to the
desired port and restart the System Manager. Then use the -n option with the hpssgui and
hpssadm startup scripts to specify this port.
• The need for port 88 can be eliminated only by avoiding Kerberos and using UNIX
authentication.
• There is no way to eliminate the need for the port on which the System Manager listens.
3.3.6.3. Example: Using hpssgui Through a Firewall
Here is an example of how a particular site set up their hpssgui SSM client sessions using krb5
authentication outside a firewall. Many of the items are site specific so modifications will need to be
made to suit each site's specific needs. Where this procedure would differ for a site using Unix
authentication, the Unix instructions are also included.
At this site, vpn users were not allowed access to all the ports listed in Section 3.3.6.1 The Firewall
Problem on page 44 so they had to use a combination of vpn and ssh tunneling.
• Create a directory on the client machine to hold the SSM client files. It is recommended that
a separate directory be created for each server hostname that the client will contact.
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 45