Set Up Access to 20.3 CABI using a DMZ for external access


Article ID: 203689


Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We have UIM & UMP 8.51 on the inside and use Apache with AJP on a DMZ server to allow external users access to UMP, including custom dashboards. Now with the upgrade to 20.3, UMP gets replaced with OC. The new OC supports Apache AJP access, so that is great.
With the 20.3 upgrade, we need to install a separate CABI server to host the CABI dashboards. When I use the OC alarms or inventory, behind the scenes the browser opens a TCP connection directly to the CABI server on port 80. That means the CABI server cannot sit on the inside, since external users will not be able to access it from the outside. So how will that work in this situation? Installing a robot on the DMZ server and installing the CABI server with ports open to the inside UIM hub, and port 80 open to the external users? The problem is further complicated in that the DMZ server has multiple NICs and the CABI WASP will no doubt bind itself to the NIC facing into the HUB, whilst I probably need it to be bound to the NIC facing the external users. Is there any documentation about how to set up and access CABI from the DMZ?

Environment

Release : 20.3

Component : UIM - CABI

Resolution

First you need:

  • 2 DNS names (oc.lan and cabi.lan) which point to the LB front-end address (we looked at using the same address with different ports, but it got too messy/hard)
  • All protocols have to be the same, i.e. if Browser -> LB is https, then LB -> OC and LB -> CABI have to be https (you cannot do SSL off-load on the LB, though only the Browser -> LB leg needs a registered cert)
  • Either both internal and external traffic goes through the LB, or you have to use a split DNS, as the DNS names need to be the same for all users

Now that you have sorted out the prerequisites, the configuration:

  • The LB needs to send oc.lan to the OC pool (can be 1 server) and cabi.lan to the CABI pool (again, can be 1 server).
    No rewrite is required (effectively a pass-through).
  • On the OC, no special config needs to be done.
  • On the CABI server, in the cabi probe, you need to define the setup/cabi_url key to contain the full name from the browser's perspective (e.g. https://cabi.lan/cabijs). This is the URL that will be inserted into the pages so that the connection is opened via the LB rather than directly to the CABI server. If this key is not defined, the URL used is a mess of the browser protocol and the CABI server address or even IP.
  • We also define, on the CABI server and the OC server, the wasp setup/cabi key to point to the full path of the cabi probe (e.g. /<domain>/<hub>/<robot>/cabi).


Restart everything and give it a try.
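
The load-balancer side of the steps above, sketched as an HAProxy configuration. This is an added example, not part of the original article or the product documentation; the choice of HAProxy, the backend addresses and ports, and the certificate paths are assumptions to be replaced with your own values.

```haproxy
# Added example: HAProxy stands in for the unnamed LB.
# Addresses, ports and file paths below are placeholders.

frontend fe_uim
    mode http
    # Browser -> LB leg: the only leg that needs the registered certificate.
    # The certificate has to cover both oc.lan and cabi.lan.
    bind :443 ssl crt /etc/haproxy/certs/uim-public.pem

    acl host_oc   hdr(host) -i oc.lan
    acl host_cabi hdr(host) -i cabi.lan

    # Refuse any host name that is not one of the two published names.
    http-request deny unless host_oc or host_cabi

    # Route on host name only; no path, header or URL rewrite.
    use_backend be_oc   if host_oc
    use_backend be_cabi if host_cabi

backend be_oc
    mode http
    # LB -> OC leg stays https (no SSL off-load). The internal certificate
    # is checked against a private CA bundle, so it need not be a
    # registered cert.
    server oc1 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem

backend be_cabi
    mode http
    # LB -> CABI leg, same protocol as the other two legs.
    # The cabi probe's setup/cabi_url (https://cabi.lan/cabijs) must name
    # this LB host, so browsers never see the CABI server's own address.
    server cabi1 192.0.2.21:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem
```

With split DNS, the internal view of oc.lan and cabi.lan can point at an internal listener carrying the same routing rules, so the URLs stay identical for all users.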

Additional Information

Set Up Access to UMP Using a DMZ