ZoneRanger Allows NNM to Transparently Reach into DMZ over a Single TCP Port

THE CHALLENGE

Extending HP OpenView NNM into a firewall-partitioned network is possible but not trivial. Opening ports in the firewall to pass the needed network management protocols (ICMP/ping, SNMP, SNMPTRAP, telnet) is not acceptable for many companies. Deploying an NNM Collection Station is a common approach but requires an additional NNM license, a server to run it on, and configuration expertise. A MOM/CS architecture prevents snmpCollect from collecting data in real time to one server; snmpCollect data files from each CS must be rolled up to the MOM for reporting. Overlapping Address Domains are now supported with NNM but require static NAT configuration on the gateway between the NNM station and managed nodes.

THE ZONERANGER SOLUTION

Tavve’s ZoneRanger appliance allows NNM to transparently reach into the DMZ over a single encrypted TCP port. ICMP and SNMP into the DMZ are sent over one port, and SNMP traps to trapd are sent over this same encrypted connection. This allows one central NNM server to monitor internal and external (DMZ) devices. There are no additional servers in the DMZ to administer (operating system maintenance). One instance of snmpCollect can now poll all nodes into a central reporting database. SNMP traps and syslog messages are forwarded out of the DMZ to the NNM server over a single secure TCP port. Bi-directional NAT is possible with the ZoneRanger. This allows status polling of overlapping IP addresses with ICMP and SNMP. It can also be used to modify the source address of SNMP traps and syslog messages from nodes with duplicate IP addresses so that they appear unique.

In environments where NNM maps are not used, but rather “management by exception” is the rule, the ZoneRanger can be configured as a stand-alone status poller. This offloads the central NNM server and frees node licenses for deployment elsewhere in the enterprise. The ZoneRanger can perform auto-discovery using Tavve’s patented technology or poll only nodes that are added to its database manually. Its status poller can use ICMP and/or SNMP to poll interfaces. There is also a TCP port poller for testing application availability. The syslog and trap receiver on the ZoneRanger can filter messages before forwarding them on to a central NNM or ITO server. Syslog messages can be converted to SNMP traps for processing with NNM on Windows.