IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Installation Guides > Installation Guide > Pre-deployment phase > Understanding Tivoli Monitoring and your network
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Determine if you require a firewall gateway
For most environments, using the firewall gateway is not required when deploying the Tivoli Monitoring software. However, in some cases, the firewall gateway is the only way to traverse the complex firewalls in a network.
The following section describes the scenarios when the firewall gateway is required. In addition, the section outlines the optimal locations for the firewall gateway.
Use the firewall gateway for any of the following scenarios:
- A single TCP connection cannot be made to span between Tivoli Monitoring components. One example is when there are multiple firewalls between these components and a policy that does not allow a single connection to traverse multiple firewalls.
- Connection requirements do not allow the Tivoli Monitoring default pattern of connections to the hub Tivoli Enterprise Monitoring Server. One example is when agents located in a less-secure zone connect to the monitoring server located in a more-secure zone. Security policy allows a connection to be established only from a more-secure zone to a less-secure zone, but not the other way round.
- You must reduce open firewall ports to a single port or connection. For example, rather than opening the port for every system being monitored, consolidate the ports into a single concentrator.
- You must manage agent failover and Tivoli Enterprise Monitoring Server assignment symbolically at the hub monitoring server end of the gateway. Because gateway connections are made between matching service names, an administrator can change the failover and monitoring server assignment of downstream gateway agents by changing the client proxy bindings next to the hub monitoring server.
Network address translation (NAT) alone is not a reason to use the firewall gateway, which is content-neutral and can proxy any TCP connection. In most cases, NAT processing can be handled by the PIPE protocol (IP.PIPE or IP.SPIPE) without the firewall gateway.
For detailed information on installing and configuring the firewall gateway, see Firewalls.
Parent topic:
Understanding Tivoli Monitoring and your network