Seems like the load balancer in front of the remedy servers is not
useful.  Sounds like your load balancer is just acting as a router
that provides nat.

My understanding of what you are saying:
- remedy server is in a private network (10/8, 192.168/16, or
172.16/12) behind a load balancer
- remedy server has a private ip
- load balancer has a public ip and a private ip
- mid-tier has a public ip
- assume both public ip's are routable

The fact that the unix/network admins don't want to expose the private
ip of the remedy host tells me that they are misappropriating a load
balancer as a security device.

You have to understand how nat and rpc work.  rpc across nat is going
to require a bit of configuration.  rpc is going to negotiate a port
to use for communication, which means that your nat device is going to
have to forward the ephemeral port range used by rpc to the remedy
host.

My suggestions are:
- use a specific tcp port, then forward only that traffic to the remedy host
- use a bridging firewall or a router with firewall for your security
requirements

The best way to troubleshoot the configuration, should you decide to
not use a specific port, is to watch the logs on the load balancing
device to see what it redirects and what it disregards.

Axton Grams

On Wed, Jun 4, 2008 at 11:19 AM, Ann Kosch <[EMAIL PROTECTED]> wrote:
> On Wed, 4 Jun 2008 09:40:53 -0500, Grooms, Frederick W
> <[EMAIL PROTECTED]> wrote:
>
> Responses below. I appreciate the time you took to respond, Fred.
>
> Q: So, you must use explicit port(s) and not portmapper?
> What is a good way to trace what is happening? I just
> use netstat a bit at a beginners level.
>
>>I'm a bit confused (which is normal for me)... You have a load balancer
>>and only 1 Remedy server?  What load are you balancing?
>
> That is where they had resources available.  No choice.  It is part of
> their overall strategy.
>
>>
>>Does the Remedy server know itself by both the public and private
>>values?
>
> Yes, for the most part.  The public R server name is the one
> used in desktop clients and workflow, etc. that is coming across
> from the environment we are leaving.
>
>>In the ar.conf (ar.cfg for Windows) do you have the IP-Name: entries for
>>both public and private DNS (personally we use IP-Name instead of
>>Map-IP-Address)?
>
> Yes, every variation I can think of w/ IP-Name:.
>
>>
>>On the Remedy server what happens if you ping the public values?
>
> You can ping the public DNS and also telnet responds using it.
>>
>>One thing we did on our server setting was to add the load balancer as
>>an alias to the Remedy server (in the local hosts file).  This way once
>
> Good idea!  We learned this trick for testing but didn't think of it
> for production.  I have been kind of worried about all the bouncing around.
>
>>you are on a Remedy server any call to the load balancer inside Remedy
>>would just stay on the server (reducing the network load).  Without this
>>we found that traffic would bounce to the load balancer and back.
>>
>
> OS is Solaris 10 zone.  Oracle 9.2.  Sun box. ARS 7.0.1, MT 6.3.
> Latest stable rpcbind is in use.  Help Desk 5.5.1 carrying over.
>
>>You didn't state which O/S you are using
>>
>>Fred
>>
>>-----Original Message-----
>>From: Action Request System discussion list(ARSList)
>>[mailto:[EMAIL PROTECTED] On Behalf Of Ann Kosch
>>Sent: Wednesday, June 04, 2008 12:34 AM
>>To: arslist@ARSLIST.ORG
>>Subject: Re: portmapper and load balancer
>>
>>I'm sorry... a couple of clarifications below...
>>
>>On Tue, 3 Jun 2008 22:55:01 -0500, Ann Kosch <[EMAIL PROTECTED]> wrote:
>>
>>>Has anyone got a working system that uses a MidTier server not behind a
>>
>>>load balancer and one (yes, one) Remedy server behind a load balancer
>>>AND...
>>>are using a public DNS/IP to get to the Remedy server so that the load
>>>balancer DNS/IP are private?
>>
>>The single Solaris Zone w/ R server is *behind* the load balancer and IT
>>has a private IP/DNS that unix admins don't want exposed.
>>
>>I have the Map-IP-Address: setting in place and hopefully I'm using the
>>correct IPs.  The "sticky bit" is ON, I'm informed, but it doesn't
>>matter much since we only have one R server.
>>
>>>
>>........
>>>Q: Is what we are doing completely impossible if we can't use the
>>>private DNS/Remedy server?
>>
>>I meant the public DNS/Remedy server.... Sorry.
>>>
>>.....
>>>~*~ ~*~ ~*~
>>>A. R. Kosch
>>>Special Projects/Analyst
>>>Remedy ARS Administrator/Coordinator
>>>
>>>[EMAIL PROTECTED]
>>>785-532-4933
>>>Kansas State University
>>>Computing and Network Services
>>
>>_______________________________________________________________________________
>>UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
>>Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
>>========================================================================
>


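The negotiation Axton describes (the client asks portmapper/rpcbind on port 111 which port a program listens on, then connects to that dynamically assigned port, which the NAT device in between also has to forward) can be checked from the client side with a single PMAPPROC_GETPORT query. The script below is an added example for this thread, not code from the original posts or from the AR System product. It builds and parses the RFC 1833 portmapper v2 GETPORT message with AUTH_NULL credentials, and compares the answer against a constructed list of ports the NAT/load balancer is configured to forward. The AR System base RPC program number is assumed (390600 is used as a placeholder; confirm it with `rpcinfo -p` on the Remedy host), and the forwarding list and the sample reply are constructed for the demo.

```python
"""Portmapper GETPORT query plus NAT forwarding check.

Added example for the "portmapper and load balancer" thread; not code from
the original posts or from BMC/Remedy.  Builds a SunRPC v2 CALL to the
portmapper (program 100000, version 2, procedure 3 = GETPORT), parses the
REPLY, and reports whether the port handed back is one the NAT device
forwards to the Remedy host.
"""
import socket
import struct

PMAP_PROG = 100000          # portmapper / rpcbind program number
PMAP_VERS = 2
PMAPPROC_GETPORT = 3
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Assumed AR System base server RPC program number (placeholder; verify with
# `rpcinfo -p` on the Remedy host before relying on it).
ARS_PROG = 390600


def build_getport_call(xid, prog, vers, prot):
    """Serialize a portmapper GETPORT call (RFC 5531 call header + RFC 1833 args)."""
    # xid, msg_type CALL(0), rpcvers 2, portmapper prog/vers, GETPORT proc
    header = struct.pack(">6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    # credentials and verifier are both AUTH_NULL: flavor 0, body length 0
    auth = struct.pack(">4I", 0, 0, 0, 0)
    # GETPORT arguments: program, version, protocol, port (ignored, send 0)
    args = struct.pack(">4I", prog, vers, prot, 0)
    return header + auth + args


def build_getport_reply(xid, port, verf_flavor=0, verf=b""):
    """Constructed reply used for offline testing (what rpcbind would send back)."""
    padded = verf + b"\x00" * ((4 - len(verf) % 4) % 4)   # opaque body padded to 4 bytes
    head = struct.pack(">5I", xid, 1, 0, verf_flavor, len(verf))  # REPLY, MSG_ACCEPTED
    return head + padded + struct.pack(">2I", 0, port)             # SUCCESS, port


def parse_getport_reply(data, expected_xid):
    """Return the port from a GETPORT reply; 0 means the program is not registered."""
    if len(data) < 20:
        raise ValueError("reply too short for an RPC reply header")
    xid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack(">5I", data[:20])
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply does not belong to our call")
    if msg_type != 1:
        raise ValueError("not an RPC REPLY message")
    if reply_stat != 0:
        raise ValueError("RPC call was rejected (MSG_DENIED)")
    off = 20 + ((verf_len + 3) & ~3)        # skip verifier body, 4-byte padded
    if len(data) < off + 8:
        raise ValueError("reply truncated before accept_stat/port")
    accept_stat, port = struct.unpack(">2I", data[off:off + 8])
    if accept_stat != 0:
        raise ValueError("call accepted but failed, accept_stat=%d" % accept_stat)
    return port


def query_portmapper(host, prog, vers, prot=IPPROTO_TCP, timeout=2.0, xid=0x2A2A2A2A):
    """Ask rpcbind on `host` (UDP/111) which port `prog`/`vers` listens on."""
    packet = build_getport_call(xid, prog, vers, prot)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 111))
        data, _ = sock.recvfrom(4096)
    return parse_getport_reply(data, xid)


def port_is_forwarded(port, forwarded):
    """True if `port` is in the NAT forwarding list (ints or (lo, hi) ranges)."""
    for entry in forwarded:
        if isinstance(entry, tuple):
            lo, hi = entry
            if lo <= port <= hi:
                return True
        elif entry == port:
            return True
    return False


if __name__ == "__main__":
    # Offline demo with a constructed reply: the load balancer forwards only
    # 111 and a pinned port 2049 (constructed values), but rpcbind hands back
    # a dynamic port, so the client connection would be dropped at the NAT.
    forwarded = [111, 2049]
    reply = build_getport_reply(0x2A2A2A2A, 44321)
    port = parse_getport_reply(reply, 0x2A2A2A2A)
    print("rpcbind says program %d is on port %d" % (ARS_PROG, port))
    print("forwarded by NAT:", port_is_forwarded(port, forwarded))
    # Live use: query_portmapper("remedy-public-host", ARS_PROG, 1)
```

Run against the public address of the load balancer and the answer is exactly what the NAT device has to forward; if `port_is_forwarded` says no, that is the traffic the device "disregards" in its logs. Pinning the AR System server to a fixed TCP port and forwarding only that one port makes the query return a constant value, which is the simpler configuration Axton recommends.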