Thursday, July 8, 2010

DSCC deployment with firewall

In a production environment there are always firewalls between the data centers. This is for sure, so every port the products talk on has to be known and opened explicitly.

Below is a typical deployment: a pair of Sun Directory Servers, DS 1 in Data Center 1 and DS 2 in Data Center 2, configured for Multi-Master Replication (MMR).

This deployment is simple. Only port 389 (bi-directional, because each master initiates its own replication session towards the other) is required to be opened on the firewall. If the replication agreements are configured to use SSL, it is port 636 that has to be opened instead.

Now, if the administrators are all stationed in Data Center 1 where DS 1 is, and they would like to manage all Directory Servers via DSCC (Directory Service Control Center), we have a challenge: DSCC talks on more than just the LDAP port.

We need to understand how DSCC, Cacao and Directory Server work together.

Basically, DSCC manages Directory Server instances through the Cacao (Common Agent Container) agent. On each physical server where Directory Server is installed, a Cacao agent must be installed as well, and DSCC connects to that agent from the host where DSCC runs. The agent listens on port 11162 by default.

Now, whenever we make changes to the Directory Server configuration, the DSCC registry has to be updated so that the state DSCC holds stays in sync with the instances. The DSCC registry is itself a small directory instance on the DSCC host and listens on port 3998 and 3999 (SSL) by default.

So, what do we need to configure on the firewall?

  1. Port 11162 (uni-directional, initiated from DS1 to DS2) <- for DSCC on DS1 to reach the Cacao agent on DS2
  2. Port 3998 and 3999 (uni-directional, initiated from DS2 to DS1) <- for DS2 to update the DSCC registry on DS1
  3. Port 636 (bi-directional) <- for starting/stopping Directory Server via DSCC (Thanks, Teck Meng!)
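The port matrix above, written down as data so it can be reviewed and verified rather than remembered, together with a plain TCP connect probe that tells "open" (handshake completed), "closed" (the SYN crossed the firewall but nothing listens) and "filtered" (no answer, the SYN was dropped) apart. This is an added example, not code from the original post; the hostnames ds1/ds2 follow the post's labels, the listener demo is local so it runs offline, and the probe timeout is an assumed value.

```python
"""Port matrix for the two-data-center DSEE/DSCC layout above, plus a TCP
reachability check to verify it from the host you are on.  Added example,
not from the original post; hostnames ds1/ds2 follow the post's labels and
the probe timeout is an assumed value."""
import socket

# Default ports named in the post: LDAP 389, LDAPS 636, Cacao JMX 11162,
# DSCC registry 3998 (clear) / 3999 (SSL).  ds1 hosts DSCC, ds2 is the
# remote replica.  Each tuple is a flow the firewall must allow, keyed by
# the host that opens the connection.
RULES = [
    # (initiator, target, port, purpose)
    ("ds1", "ds2", 389,   "MMR replication, ds1 supplier -> ds2"),
    ("ds2", "ds1", 389,   "MMR replication, ds2 supplier -> ds1"),
    ("ds1", "ds2", 11162, "DSCC -> Cacao agent on ds2"),
    ("ds2", "ds1", 3998,  "Cacao on ds2 -> DSCC registry (clear)"),
    ("ds2", "ds1", 3999,  "Cacao on ds2 -> DSCC registry (SSL)"),
    ("ds1", "ds2", 636,   "DSCC start/stop of the ds2 instance (LDAPS)"),
    ("ds2", "ds1", 636,   "LDAPS back to ds1 (post lists 636 bi-directional)"),
]


def outbound_rules(host):
    """Flows `host` must be allowed to initiate (the firewall's egress side)."""
    return [(dst, port, why) for src, dst, port, why in RULES if src == host]


def inbound_rules(host):
    """Flows the firewall must let in to `host` (its ingress side)."""
    return [(src, port, why) for src, dst, port, why in RULES if dst == host]


def classify_port(host, port, timeout=3.0):
    """Probe host:port with a plain TCP connect and say what the network did.

    open     - three-way handshake completed: firewall passes it, service up
    closed   - RST came back: the SYN got through, but nothing listens there
    filtered - no answer before `timeout`: the SYN was dropped (or host down)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:           # DNS failure, no route, etc.
        return "error: %s" % exc


def verify_from(host, probe=classify_port):
    """Run the probe for every flow `host` should be able to open."""
    return [(dst, port, probe(dst, port)) for dst, port, _ in outbound_rules(host)]


def local_listener():
    """Bind a throwaway listener on 127.0.0.1 so the probe can be demonstrated
    offline (the kernel completes the handshake without an accept())."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = local_listener()
    port = srv.getsockname()[1]
    print("listening port   ->", classify_port("127.0.0.1", port))
    srv.close()
    print("same port closed ->", classify_port("127.0.0.1", port))
    for direction, rules in (("out of", outbound_rules), ("in to", inbound_rules)):
        for h in ("ds1", "ds2"):
            for peer, p, why in rules(h):
                print("%-6s %s: %-5d %s" % (direction, h, p, why))
    # On the real ds1, probe the live firewall with:
    # for dst, port, verdict in verify_from("ds1"): print(dst, port, verdict)
```

Run it on ds1 and on ds2 separately: `outbound_rules` is what each host's own egress rule (or the firewall's rule for that source) must allow, `inbound_rules` is what must be accepted for that host. A "closed" verdict on a port from this list points at the instance configuration (the port is not enabled), not at the firewall.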


1 comment:

  1. You might have to clear the 389/636 too. Example of starting/stopping of ds2 instance from ds1 dscc:

    I am using snoop command to sniff the network between these 2 servers

    Using device /dev/eri (promiscuous mode) (starting of ds2 instance thru ds1's dscc)

    ds1 -> ds2 TCP D=636 S=33163 Syn Seq=2698201973 Len=0 Win=49640 Options=

    ds2 -> ds1 TCP D=33163 S=636 Rst Ack=2698201974 Win=0

    Using device /dev/eri (promiscuous mode) (stopping of ds2 instance thru ds1's dscc)

    ds1 -> ds2 TCP D=636 S=33169 Syn Seq=2719433100 Len=0 Win=49640 Options=

    ds2 -> ds1 TCP D=33169 S=636 Rst Ack=2719433101 Win=0
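A small reader for snoop TCP summaries like the one pasted in the comment, as an added example that is not part of the original post or the comment. For each connection attempt it reports "open" (SYN/ACK came back), "closed" (the server answered the SYN with a RST, so the SYN did cross the firewall and the port simply has no listener, which is what the two captured exchanges show for 636 on ds2) or "filtered" (only SYN retransmits, no reply, the classic signature of a firewall drop). The capture below re-types the commenter's two exchanges and adds two constructed ones for 11162 and 3999 so all three outcomes appear; the function names are my own.

```python
"""Read a Solaris `snoop` TCP summary and say, per connection attempt,
whether the port was open, closed or filtered.  Added example, not from the
post's author or commenter; the capture re-types the commenter's exchanges
and adds two constructed ones (11162 answered, 3999 unanswered)."""
import re

SAMPLE_CAPTURE = """\
ds1 -> ds2 TCP D=636 S=33163 Syn Seq=2698201973 Len=0 Win=49640 Options=<mss 1460>
ds2 -> ds1 TCP D=33163 S=636 Rst Ack=2698201974 Win=0
ds1 -> ds2 TCP D=636 S=33169 Syn Seq=2719433100 Len=0 Win=49640 Options=<mss 1460>
ds2-> ds1 TCP D=33169 S=636 Rst Ack=2719433101 Win=0
ds1 -> ds2 TCP D=11162 S=33170 Syn Seq=2720000001 Len=0 Win=49640 Options=<mss 1460>
ds2 -> ds1 TCP D=33170 S=11162 Syn Ack=2720000002 Seq=881000001 Len=0 Win=49640
ds2 -> ds1 TCP D=3999 S=40001 Syn Seq=2730000001 Len=0 Win=49640 Options=<mss 1460>
ds2 -> ds1 TCP D=3999 S=40001 Syn Seq=2730000001 Len=0 Win=49640 Options=<mss 1460>
"""

# snoop summary: "<src> -> <dst> TCP D=<dport> S=<sport> <flags/fields...>"
TCP_LINE = re.compile(
    r"^\s*(?P<src>\S+?)\s*->\s*(?P<dst>\S+)\s+TCP\s+D=(?P<dport>\d+)"
    r"\s+S=(?P<sport>\d+)\s+(?P<rest>.*)$"
)
FLAG_WORDS = ("Syn", "Rst", "Fin", "Push", "Urg")


def parse_line(line):
    """One snoop summary line -> dict, or None for non-TCP lines."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    flags = {f for f in FLAG_WORDS if re.search(r"\b%s\b" % f, rest)}
    if re.search(r"\bAck=", rest):      # snoop folds the ACK flag into "Ack=<n>"
        flags.add("Ack")
    return {"src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "sport": int(m.group("sport")),
            "flags": flags}


def diagnose(capture):
    """Map (client, server, port) -> 'open' | 'closed' | 'filtered'.

    A bare SYN opens an entry as 'filtered'; the first reply from the
    server's port upgrades it: SYN/ACK means a listener answered, RST
    means the SYN crossed the firewall but nothing listens on that port.
    No reply at all (only SYN retransmits) means the SYN was dropped.
    """
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    verdicts = {}
    for p in pkts:
        if "Syn" in p["flags"] and "Ack" not in p["flags"]:
            verdicts.setdefault((p["src"], p["dst"], p["dport"]), "filtered")
    for p in pkts:
        key = (p["dst"], p["src"], p["sport"])    # reply: hosts and ports swap
        if verdicts.get(key) != "filtered":
            continue
        if "Rst" in p["flags"]:
            verdicts[key] = "closed"
        elif {"Syn", "Ack"} <= p["flags"]:
            verdicts[key] = "open"
    return verdicts


ADVICE = {
    "open": "firewall and service both fine",
    "closed": "SYN reached the host, no listener on that port: the firewall is "
              "not the problem, check that the instance's port is enabled",
    "filtered": "no answer: the SYN is being dropped, open the port on the firewall",
}

if __name__ == "__main__":
    for (client, server, port), verdict in sorted(diagnose(SAMPLE_CAPTURE).items()):
        print("%s -> %s:%d %-8s %s" % (client, server, port, verdict, ADVICE[verdict]))
```

Feed it `snoop -o` output converted with `snoop -i file | grep TCP`, or paste the summary lines straight in; the host names are whatever snoop resolved, so the keys match what you see on screen.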