We don't let *anybody* into the network between the HMC and the SE. Too many SEs have default passwords on some of the 'special' IDs that cannot be easily changed.

We bought a small two-NIC NAS box and placed it on both the SE network and the company network. IOCPs and ICCs go to it as an interim location, i.e., copy the IOCP to the NAS, then access the NAS via the company network. You could just add another NIC card to your FTP server, but make sure that the server has all routing turned off.


Also, we set the default route on the SE to 0.0.0.0. An additional protection against anybody getting into that network segment.

Tony Thigpen

Eric Chevalier wrote on 08/08/2017 04:42 PM:
> On 8/3/17 10:13 AM, Tony Thigpen wrote:
>
>> 1) The IP address has to be available from SE laptop in the CPU. If
>> you have the connections between the HMC and the SE on an isolated
>> network, then the FTP box has to also be on that same isolated network.
>
> We have our HMC on an internal company network so it can be accessed
> from anywhere, even remotely via VPN. Is there any good technical reason
> why the SE can't also be on that network for better access to FTP
> servers in our organization? I realize that having the SE on a separate
> private network might be better security, but that caused some grief
> recently. We needed to import an IOCDS into our z13, but that file was
> in our headquarters office. Because port forwarding isn't enabled on the
> HMC, we couldn't get access to the FTP server hosting the IOCDS.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


