Chapter 6. Using a firewall and securing EWLM 165
and port of the SOCKS server that is protecting the zone where the domain manager is
located.
The sample definition is shown in Example 6-6.
Example 6-6 Sample commands to define SOCKS server configuration in DMZ

On the Domain manager:
./changeDM.sh /opt/ewlmDM -ma 9.12.6.142 -mp 3333 -fp 4444 -fb 9.12.10.150:5555:SOCKS -sa 9.12.4.140 -sp 1080

On the Firewall broker:
./createFB.sh /opt/ewlmFB -ma 9.12.10.150 -mp 3333 -da 9.12.6.142 -dp 4444 -fp 5555 -auth None
./changeFB.sh /opt/ewlmFB -sa 9.12.8.151 -sp 1080

On the Managed server:
./createMS.sh /opt/ewlmMS -ma 9.12.10.150 -mp 3333 -auth None
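The three command lines in Example 6-6 only work together when the addresses and ports that name the same endpoint agree on every tier (the domain manager's -fb entry against the broker's -ma and -fp, the broker's -da and -dp against the domain manager's -ma and -fp, and the managed server's -ma and -mp against the broker's -ma and -mp). The script below is an added example, not part of the Redbook or of the EWLM scripts; it cross-checks one set of values before anything is run. The flag pairings it verifies are an assumption inferred from the values that repeat in Example 6-6, the SOCKS type string and the sample addresses are taken from the page, and the values it runs against are those of Example 6-6.

```shell
#!/bin/sh
# Added example (not from the Redbook or the EWLM product): cross-check the values
# used in the three Example 6-6 command lines before running them, so that the
# domain manager, firewall broker and managed server agree on every address and
# port that has to match across the firewall.
#
# ASSUMPTION: the flag pairings checked here are inferred from the values that
# repeat in Example 6-6, not from EWLM documentation:
#   DM -fb host:port   <-> FB -ma / FB -fp
#   FB -da / FB -dp    <-> DM -ma / DM -fp
#   MS -ma / MS -mp    <-> FB -ma / FB -mp

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port number in 1..65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Record one problem: print it and bump the counter.
fail() {
    echo "CHECK FAILED: $1"
    errors=$((errors + 1))
}

# check_ewlm_topology DM_MA DM_MP DM_FP DM_FB FB_MA FB_MP FB_DA FB_DP FB_FP MS_MA MS_MP
# Returns the number of problems found (0 means the three tiers are consistent).
check_ewlm_topology() {
    dm_ma=$1 dm_mp=$2 dm_fp=$3 dm_fb=$4
    fb_ma=$5 fb_mp=$6 fb_da=$7 fb_dp=$8 fb_fp=$9
    shift 9
    ms_ma=$1 ms_mp=$2
    errors=0

    # The domain manager's -fb value is host:port:type, as in Example 6-6.
    fb_host=${dm_fb%%:*}
    fb_rest=${dm_fb#*:}
    fb_port=${fb_rest%%:*}
    fb_type=${fb_rest#*:}

    for a in "$dm_ma" "$fb_host" "$fb_ma" "$fb_da" "$ms_ma"; do
        is_ipv4 "$a" || fail "not an IPv4 address: '$a'"
    done
    for p in "$dm_mp" "$dm_fp" "$fb_port" "$fb_mp" "$fb_dp" "$fb_fp" "$ms_mp"; do
        is_port "$p" || fail "not a valid port: '$p'"
    done
    [ "$fb_type" = SOCKS ] || fail "DM -fb type is '$fb_type', expected SOCKS"

    # 1. The DM must be given the broker's own address and the broker's -fp listener.
    [ "$fb_host" = "$fb_ma" ] || fail "DM -fb host $fb_host != FB -ma $fb_ma"
    [ "$fb_port" = "$fb_fp" ] || fail "DM -fb port $fb_port != FB -fp $fb_fp"
    # 2. The broker must point back at the DM's address and the DM's -fp listener.
    [ "$fb_da" = "$dm_ma" ] || fail "FB -da $fb_da != DM -ma $dm_ma"
    [ "$fb_dp" = "$dm_fp" ] || fail "FB -dp $fb_dp != DM -fp $dm_fp"
    # 3. The managed server points at the broker's address and management port.
    [ "$ms_ma" = "$fb_ma" ] || fail "MS -ma $ms_ma != FB -ma $fb_ma"
    [ "$ms_mp" = "$fb_mp" ] || fail "MS -mp $ms_mp != FB -mp $fb_mp"

    return "$errors"
}

# Stand-alone run with the values from Example 6-6.
if check_ewlm_topology 9.12.6.142 3333 4444 9.12.10.150:5555:SOCKS \
                       9.12.10.150 3333 9.12.6.142 4444 5555 \
                       9.12.10.150 3333; then
    echo "Example 6-6 topology is consistent"
fi
```

Run it once with the values you intend to pass to changeDM, createFB and createMS; a non-zero return value and a CHECK FAILED line name the tier whose flag disagrees, which is far quicker to read than a broker that silently never connects through the firewall.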
Handling the firewall broker
As you have seen briefly in the sample, you need to run the createFB script to create and
configure a firewall broker and the changeFB script to change the firewall broker configuration.
You can create the firewall broker on the managed server or some other server in the same
trusted zone as the managed servers. This script and all of its parameters are supported on
AIX, Solaris, and Windows. The only difference is that AIX and Linux require a .sh extension
while Windows requires a .bat extension. To create a firewall broker on OS/400, you must
use the STRWLM CL command.
For the command syntax, refer to the InfoCenter at:
http://public.boulder.ibm.com/eserver/
6.1.3 Our EWLM firewall configurations
This section shows the two firewall configurations we used in our lab environment. The
StoneGate firewall was set up between the HTTP Plug-in managed server and the rest of the
managed servers and domain manager. In a production environment, there would probably
be more firewalls in place, but this setup is sufficient to demonstrate managed server to
domain manager communication across a firewall. Therefore, in Figure 6-5, the only managed
server to domain manager communication across the firewall is from the HTTP Plug-in managed
server to the domain manager.