Firewall Concepts and Configuration - HP Operations Manager
Known Issues in NAT Environments<br />
Firewall Configuration in OVO<br />
Network Address Translation<br />
In a NAT environment, the following problems can be encountered.<br />
FTP Does Not Work<br />
Problem<br />
There is a general problem with FTP in a NAT environment. This will<br />
cause the OVO agent installation mechanism to fail. The following<br />
scenarios might occur:<br />
❏ The installation to Microsoft Windows nodes just hangs for a while<br />
after entering the Administrator’s password.<br />
❏ The UNIX installation reports that the node does not belong to the<br />
configured operating system version.<br />
This issue can be verified by manually trying FTP from the OVO<br />
management server to an agent outside the firewall. The FTP login will<br />
succeed but at the first data transfer (GET, PUT, DIR), FTP will fail.<br />
Possible error messages are:<br />
500 Illegal PORT Command<br />
425 Can’t build data connection: Connection refused.<br />
500 You’ve GOT to be joking.<br />
425 Can’t build data connection: Connection refused.<br />
200 PORT command successful.<br />
hangs for about a minute before reporting<br />
425 Can’t build data connection: Connection timed out.<br />
Usually, FTP involves opening a connection to an FTP server and then<br />
accepting a connection from the server back to the client on a<br />
randomly-chosen, high-numbered TCP port. The connection from the<br />
client is called the control connection, and the one from the server is<br />
known as the data connection. All commands and the server’s responses<br />
go over the control connection, but any data sent back, such as directory<br />
lists or actual file data in either direction, goes over the data connection.<br />
Some FTP clients and servers implement a different method known as<br />
passive FTP to retrieve files from an FTP site. This means that the client<br />
opens the control connection to the server, tells the FTP server to expect<br />
a second connection and then opens the data connection to the server<br />
itself on a randomly-chosen, high-numbered port.<br />
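In the first method the client announces the address and port for the data connection in a PORT command, so decoding that command shows why NAT breaks the transfer: the announced address is the untranslated inside address, not the one the server sees. The Python sketch below is an added example, not part of the original HP document; the addresses are constructed, and the names `parse_port_arg` and `diagnose_port` are hypothetical helpers.<br />

```python
import ipaddress

# RFC 1918 private ranges, which a NAT gateway hides from the outside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port_arg(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command."""
    parts = [int(x) for x in arg.strip().split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    host = ".".join(str(p) for p in parts[:4])
    return host, parts[4] * 256 + parts[5]


def diagnose_port(port_line, peer_seen_by_server):
    """Classify a PORT command against the control connection's source
    address as the FTP server sees it (after NAT)."""
    verb, _, arg = port_line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % port_line)
    host, port = parse_port_arg(arg)
    if host == peer_seen_by_server:
        verdict = "ok"                    # server can connect back
    elif any(ipaddress.ip_address(host) in net for net in RFC1918):
        verdict = "private-behind-nat"    # untranslated inside address
    else:
        verdict = "address-mismatch"      # PORT names some other host
    return verdict, host, port


if __name__ == "__main__":
    # Constructed sample: client 10.1.2.3 is translated to 192.0.2.10.
    for line, peer in [("PORT 10,1,2,3,195,80", "192.0.2.10"),
                       ("PORT 192,0,2,10,195,80", "192.0.2.10")]:
        print(line, "->", diagnose_port(line, peer))
```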