Which Side of the Tunnel Should Be the Tunnel Client? The Tunnel server in CA UIM?
Article ID: 34668
DX Infrastructure ManagementNIMSOFT PROBES
Deciding which side to be used as tunnel server or as tunnel client is an important step when implementing tunnels between UIM hubs regarding to manageability and performance concerns.
Release: CNMSPP99000-7.6-Unified Infrastructure Mgmt-Server Pack-- On Prem Component:
Question: Which side of the tunnel should be the tunnel client/tunnel server?
Answer: Scalability concerns
This is somewhat counter-intuitive. The tunnel server uses a fair amount of computing power. So, in a scenario where you have a central hub and several remote hubs attaching to the central hub it is better for the remote hubs to be the tunnel servers. This means that each incremental remote hub only adds a tiny amount of overhead to the central hub.
This consideration is all about which side initiates the connection (regardless of information flow once connected). The more trusted side should be configured as the client. The best example of this would be a hub in the core of a business connecting with a hub in the DMZ. The firewall between the core and the DMZ would generally be configured to block ALL connection requests from the DMZ into the core. (After all, that's the whole point of a DMZ.) The firewall is told to allow a one-way conversation between the two hubs initiated by the core into the DMZ. (The core is more trustworthy than the DMZ.) In this case, the core hub is configured as the tunnel client which will initiate the connection to the hub in the DMZ (which is configured as the tunnel server.)