Configuring Gateway and Unit Communication
To enable the Prime Performance Manager gateway to communicate with units through a firewall, provision the firewall to allow Prime Performance Manager packets to pass through it. Ports used by Prime Performance Manager are configured in the System.properties file. System.properties is located in /opt/CSCOppm-gw/properties or /opt/CSCOppm-unit/properties. If you installed Prime Performance Manager in a different directory, the file resides in that directory.
Table 15-1 lists the Prime Performance Manager ports and firewall requirements.
Table 15-1 Prime Performance Manager Ports
Property | Description
RMIREGISTRY_PORT | The port on which the RMI naming server listens. You must specify a port number; 0 is not allowed.
DATASERVER_PORT | The port on which the data service listens. If you specify 0, Prime Performance Manager uses a random available port, 1024 and above, and keeps that port until the next server restart. 45751 and 55751 are good alternate ports for gateways and units respectively.
LOGINSERVER_PORT | The port on which the login service listens. If you specify 0, Prime Performance Manager uses a random available port, 1024 and above, and keeps that port until the next server restart. 45752 and 55752 are good alternate ports for gateways and units respectively.
WEB_PORT | The port on which the Prime Performance Manager gateway listens for web client connections. You must specify a port number; 0 is not allowed. To change it to a different port, use the ppm webport command. See ppm javaver for more information.
CLIENT_PORT | The port on which the Prime Performance Manager server listens for RMI callbacks (unsolicited notifications):
- If you specify CLIENT_PORT = 0, Prime Performance Manager uses any available port, 1024 and above.
- If you specify CLIENT_PORT with a single value other than 0, such as CLIENT_PORT = 33459, Prime Performance Manager uses that port, and you can run only one Prime Performance Manager unit process at a time.
- If you specify CLIENT_PORT with a range of values other than 0, such as CLIENT_PORT = 33459-33479, Prime Performance Manager can use any of the ports in the range, including the beginning and ending ports, and you can run more than one Prime Performance Manager unit process at a time.
Because a gateway server can connect to multiple units, specify a range if more than one unit is defined in the deployment. Because a unit connects to only one gateway, a single port is sufficient for the unit.
To provision the firewall for gateway and unit communications:
Step 1 Identify the TCP ports that you want to use for two-way TCP connections between the gateway and unit, and between the gateway and web client. See Table 15-1.
Step 2 Log into the gateway.
Step 3 Navigate to the directory containing the System.properties file.
If you installed Prime Performance Manager in the default directory, System.properties is located in the /opt/CSCOppm-gw/properties or /opt/CSCOppm-unit/properties directory.
If you installed Prime Performance Manager in a different location, specify the path where you installed Prime Performance Manager in place of the default (/opt) path.
Step 4 Back up the System.properties file.
Caution
Always back up the System.properties file before you edit it.
Step 5 Use a text editor to modify the DATASERVER_PORT, LOGINSERVER_PORT, and CLIENT_PORT gateway and unit ports as indicated below. See Table 15-1 for port descriptions and values.
Default gateway:
Gateway modified for firewall:
CLIENT_PORT = 33459-33479
Default unit:
Unit modified for firewall:
Step 6 Modify the device configuration files with the selected port numbers.
On Cisco devices, you can use extended access lists to allow the chosen TCP port numbers to pass between the appropriate interface(s). Assuming a single device separates the Prime Performance Manager gateway and unit servers, you can use the following extended access list:
Unit interface:
interface FastEthernet 1/1
ip address 192.168.1.100 255.255.255.0
ip access-group unit-to-gateway in
Gateway interface:
interface FastEthernet 2/1
ip address 192.168.2.100 255.255.255.0
ip access-group gateway-to-unit in
These entries allow data to flow between the gateway and unit that initiated the session. Without these entries, units cannot access the gateway server.
Here is an access list that allows unit and web browser connections to the gateway:
ip access-list extended unit-to-gateway
10 permit tcp any established
20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 45742
30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 45751
40 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 45752
50 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 33459
60 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 4440
Here is an access list that allows gateway connections to the unit (the established entry is the same as in the unit-to-gateway list):
ip access-list extended gateway-to-unit
10 permit tcp any established
20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 55742
30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 55751
40 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 55752
50 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq 33459
Step 7 Restart the gateway to use the new TCP ports. As the root user, enter:
# /opt/CSCOppm-gw/bin/ppm restart
The gateway and collocated unit processes restart using the new ports.
Step 8 If the unit properties changed, restart the units:
# /opt/CSCOppm-unit/bin/ppm restart
Both access list examples allow established TCP connections. When a unit or gateway establishes a TCP connection to the other end, it uses a fixed destination port, but the source port chosen by the initiating party is random. The established keyword allows a returning TCP packet to go back to that random initiating source port. Note that established is a flag check, not stateful inspection: any TCP segment with the ACK or RST bit set matches it, so the explicit permit entries for the fixed ports still define which connections can be opened.
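To check a System.properties file against the Table 15-1 rules and derive the access list entries used in Step 6, here is an added Python example; it is not part of the Cisco documentation or of Prime Performance Manager. The sample properties text and the 192.168.x addresses are constructed, and the `units` parameter and the use of a `range lo hi` entry for a CLIENT_PORT range are my additions.

```python
# Constructed sample: a gateway System.properties modified for a firewall, using
# the values from Table 15-1 and the Step 6 access list.
SAMPLE_GATEWAY_PROPERTIES = """
RMIREGISTRY_PORT = 45742
DATASERVER_PORT = 45751
LOGINSERVER_PORT = 45752
WEB_PORT = 4440
CLIENT_PORT = 33459-33479
"""
PORT_KEYS = ("RMIREGISTRY_PORT", "DATASERVER_PORT", "LOGINSERVER_PORT", "WEB_PORT", "CLIENT_PORT")
NEVER_ZERO = ("RMIREGISTRY_PORT", "WEB_PORT")  # Table 15-1: 0 is not allowed here

def parse_properties(text):
    """Return {KEY: value} from KEY = VALUE lines; blanks and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def port_span(value):
    """Parse '0', a single port or an inclusive 'lo-hi' range into (lo, hi)."""
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)  # int() rejects anything that is not a number

def firewall_ports(props, units=1):
    """Return ([(lo, hi), ...], [warnings]) for the fixed TCP destination ports a
    firewall must permit; 0 means a random port >= 1024 that no ACL can pin down."""
    spans, warnings = [], []
    for key in (k for k in PORT_KEYS if k in props):
        lo, hi = port_span(props[key])
        if (lo, hi) == (0, 0):
            warnings.append(f"{key} must not be 0" if key in NEVER_ZERO else
                            f"{key} = 0 selects a random port >= 1024; set a fixed port")
            continue
        if key == "CLIENT_PORT" and units > 1 and lo == hi:
            warnings.append("CLIENT_PORT needs a range when the gateway serves several units")
        spans.append((lo, hi))
    return spans, warnings

def acl_lines(name, src_net, src_wildcard, dst_host, spans):
    """Render extended access-list entries in the style of Step 6; a CLIENT_PORT
    range becomes one 'range lo hi' entry instead of one line per port."""
    lines = [f"ip access-list extended {name}", "10 permit tcp any established"]
    for seq, (lo, hi) in enumerate(spans, 2):
        match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
        lines.append(f"{seq * 10} permit tcp {src_net} {src_wildcard} host {dst_host} {match}")
    return lines
```

Running firewall_ports on a default file (DATASERVER_PORT, LOGINSERVER_PORT and CLIENT_PORT set to 0) reports each random-port setting, which is exactly what makes the default configuration impossible to pass through a port-based firewall.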