Follow

Isolate Connector ID Agent Communication to a Different Network

Product: Stratusphere

Product Version: 6.x

Expires on: 365 days from publish date

Updated: October 16, 2019

 

Problem:

For environments with strict and isolated management networks and user access networks for user machines. 

Isolate Connector ID communication to a secured network so that users do not have a back door to the management network.

 

 Symptoms:

Connector ID agent will not communicate with Stratusphere HUB or Collector appliances if placed on Desktops, VMs on an isolated network.

Summary:

This process describes how to enable CID agents to communicate on an isolated user network with appliances set up in a management network.

This will require your Stratusphere in the following matter:

  1. HUB deployed on a HOST with Management network access.
  2. Collector deployed on a HOST with Management and isolated network access (Visibility)
  3. Deploy the Collector with two NICs per our documentation referencing "Host Configuration Changes for Network Collectors.  - https://www.liquidware.com/content/pdf/documents/support/Liquidware-Stratusphere-Installation-Guide.pdf
  4. Configure Collector DNS and IP to communicate with the HUB on the management network.
  5. Configure Collector NIC2 with an IP address of the isolate network.
    1. Edit network settings of the collector to route traffic on the collector to the HUB
  6. On the collector modify the following file mgmt.conf to listen on the specific NIC2
  7. Remove execute rights to the  /opt/lwl/bin/create_httpd_conf.sh file.
  8. Set the callback address in the webui to be the ip or dns of the Collectors NIC2.
  9. Download the new CID agent and deploy to your master image or individual machines.

Solution:

Deploy your HUB  to your Management network, followed by the Collector enabling it for Promiscuous Mode per our instructions in the installation guide linked above. Enable the second NIC in the collector and assign the NIC2 IP or DNS from the isolated network.

 Navigate to the Collectors lwl console in Putty and proceed to N.

1. Logon as friend and the switch user to root.

2 Navigate to the lwl console using this command: 

     lwl

3. Select N.) to navigate into the Network configuration and change the Collector function from both to CID and then write the changes. You will be prompted to to configure NIC2 and type yes.

     - You should now see options to configure the second NIC, options 15 through 20.

     - Allow the Collector to reboot.

4. Configure the following NIC2 with the IP, subnet, dns, HUB callback with the isolated network IPs & subnet (values: 15, 16, 17 & 19) and write your changes then reboot.

     see attached image (IsolatedNetConfig)

IsolatedNetConig.PNG

5. Find the following file /etc/lwl/httpd/conf.d/generated/mgmt.conf on the Collector and add the listening variables for NIC2s IP address:

 vi /etc/lwl/httpd/conf.d/generated/mgmt.conf

 6. Add the following entries in bold to the top of the file and :wq!

Listen 10.0.60.44:443
Listen 10.0.0.254:443

NameVirtualHost 10.0.60.44:443
NameVirtualHost 10.0.0.254:443

<VirtualHost 10.0.60.44:443 10.0.0.254:443>
ErrorLog logs/mgmt_error_log
CustomLog logs/mgmt_ssl_access_log combined

# START /etc/lwl/httpd/conf.d/collector/collector.conf

7. Change permissions on the following file to refrain from regenerating the above file, erasing the changes when reboot or service is restarted: /opt/lwl/bin/create_httpd_conf.sh

chmod -x /opt/lwl/bin/create_httpd_conf.sh

NOTE:  Optionally you can do the same for chmod -x /etc/init.d/lwl-httpd-conf instead of the create_httpd_conf.sh and reboot collector.

8. Verify that the Collector is now listening on desired port:

netstat -tulnp | grep :443
tcp 0 0 10.0.60.44:443 0.0.0.0:* LISTEN 2644/httpd
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 2644/httpd
tcp 0 0 10.0.0.254:443 0.0.0.0:* LISTEN 2644/httpd

9. In the Stratusphere WebUI Configuration page, set the callback address to the Collector NIC2 address and click "save".

10. Download the new CID agent and deploy to your machines on the isolate network. Verify they made last contact with the HUB in the inventory.

 

NOTE: On client UNIX/LINUX boxes you may require to add the IP and hostname of the collector if option 1 in the network config is set to a dns name, otherwise the isolated network will need to have a dns that resolves to the IP address of NIC2. ex:

more /etc/hosts

 

10.0.0.254 MHLabCollector.spt.lwl.corp

 

Single HUB Deployment Considerations:

* Add a host entry in /etc/hosts for your Primary Domain Controller. 

* Under NICs configuration, /etc/sysconfig/iptables contains duplicate entries allowing traffic over ports 22 and 443 for only one of the interfaces. You may need to change one of the duplicates for each of those ports to allow traffic over the other interface.
* Review eth1 in /etc/sysconfig/network-scripts/route-eth1 to verify the change from the old settings, you may need to add relevant routes for the vlans expected to communicate on.

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Article is closed for comments.