I agree with all the endorsements of just letting the mainframe itself
(VIPA, OSA, CS z/OS) handle TN3270(E).  I can't think of too many (any?)(*)
reasons for offloading that function these days.

If you absolutely positively have to do it for some well-founded reason --
real curious about what that might be! -- then you could use IBM
Communications Server for Linux on System z for "onboard offload" of the
TN3270 gateway function.  Anything physically offboard would be a distant
third choice IMHO.

Do you have some more information on what the goal(s) is(are)?  That'd help
in getting more precise advice back to you.

(*) About the only reason I can think of is if you're extending TN3270 to
the public Internet (or other "untrusted" network) and want a gateway
that's *physically* separate.  Security policies are funny things.  Very
often they have little or nothing to do with technical realities.  But
somebody might have a policy that says "must be physically separate box"
just...because. :-)  (There's actually a pretty strong argument that adding
boxes can undermine security.  More potential attack vectors, basically.)
Knowing just a little about WPS, this is my hunch about the genesis of your
question.  If my hunch is right, I wonder whether you could use two z/OS
mainframes "cross connected" to satisfy the letter of the policy.  Yes,
perhaps silly, but so it goes. :-)  There are also firewall-type functions
in z/OS (e.g. IPSec), or available for Linux on z, if that's the issue.

In the IBM product line, IBM Communications Server is available for z/OS
(of course, works great, extremely secure), Linux on System z, AIX, Linux
on Intel, and Windows.  These are very rich products that support all the
latest and greatest protocol variations, including encryption and
contention resolution.  Other software vendors have TN3270 gateway products
with varying capabilities.  Cisco is still in the hardware-based TN3270
gateway business, but it sounds like you've already ruled that out for some
reason.

Yet another option is a TN3270 "redirector," which is to say that you still
have the TN3270 gateway function running on z/OS but you might have an
IP-level "dumb box in the middle" that simply bounces connections through,
possibly encrypting on the front side.  The idea here is that you have a
box to unplug -- and some people like that if only for psychological
reasons.  Depending on how fancy you want to get, this might even be a piece
of existing network hardware.

I actually did an awful lot of TN3270E network design work not too long
ago, including for a customer that's in your same city (and all around
you), so feel free to contact me offline if you'd like some design advice.
Best of luck.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
