Summary: dish across a firewall

"Luis P. Caamano" <lpc@sware.com> Mon, 27 February 1995 23:01 UTC

Message-Id: <9502271911.AA21847@alehouse.sware.com>
From: "Luis P. Caamano" <lpc@sware.com>
To: ISODE <ISODE@nic.ddn.mil>, OSI-DS <osi-ds@cs.ucl.ac.uk>, quipu <quipu@cs.ucl.ac.uk>
Subject: Summary: dish across a firewall
Date: Mon, 27 Feb 1995 14:11:47 -0500

Here's a summary of the answers I've got.  BTW when I was reviewing the
old archives of these mailing lists, I noticed that there were lots of
questions but no answers.  I guess it's because people reply directly
to the poster.  I believe it would be useful to post the answer back to
the list or to summarize.  However, I'm new to these lists and I don't
know what the procedure is.  So, pls tell me if this is ok.  Thanks.

Summary:  dish across a firewall

Answer: configure the DSA on the firewall and use chaining.

- Andrew Findlay <Andrew.Findlay@brunel.ac.uk>
>Does anybody know about a quipu DUA that handles firewall proxies?  I've
>configured quipu and everything works locally so far, but I haven't
>been able to make it across our firewall.  Before going in and modifying
>dish, I thought this might have happened to others. :)

Is it really dish that needs to cross the firewall? I would have
thought that dish should talk to a local DSA and the DSA should relay
through the firewall.

In either case, you may be able to run `tsbridge' on the firewall. It
would need configuring with great care to make sure that it does not
provide a general route through the firewall for all and sundry.

I would have thought that running a relay DSA in the firewall's DMZ
might be safer.

Andrew

----------------------------------------------------------------------------
|      From Andrew Findlay at Brunel University, Uxbridge, UB8 3PH, UK     |
| Andrew.Findlay@brunel.ac.uk     +44 1895 203066 or +44 1895 274000 x2512 |
----------------------------------------------------------------------------


---------------

- Richard Letts <R.J.Letts@salford.ac.uk>
Luis P. Caamano wrote....
> 
> Hello.  Sorry about the crossposting, but all three mailing lists seem
> appropriate.
> 
> 
> Does anybody know about a quipu DUA that handles firewall proxies?  I've
> configured quipu and everything works locally so far, but I haven't
> been able to make it across our firewall.  Before going in and modifying
> dish, I thought this might have happened to others. :)
> 
I guess the easiest way of doing this is to configure a DSA in the firewall
system.
Define a secure (firewall-side) transport community the DUA will use to talk
to the DSA.

Make the DSA listen on two different network addresses (one inside the
firewall, the other on the outside).
Configure the DUA only to exist in the firewall transport community.
The DSA should then chain all the requests, rather than returning a referral.

Some service controls (eg -dontusecopy) may fail, as will anything which
disables chaining (-nochain ?).

If you want to use something more user-orientated (rather than DISH): if you
run the LDAP server in the firewall then that only chains, and never returns
referrals. There are lots of Windows applications that make use of it.

Richard Letts  
-------------------------------------------------------------------------------
Network Manager                               mail:    R.J.Letts@salford.ac.uk  
University of Salford                         phone:     +44 161 745 5252
Great Britain                                 fax:       +44 161 745 5888

------------------

- Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
> Does anybody know about a quipu DUA that handles firewall proxies?  I've
> configured quipu and everything works locally so far, but I haven't
> been able to make it across our firewall.


Probably the DSA (running at your firewall, I presume) returns a
"referral" when you look up external data instead of "chain"ing the
request to the external DSA and returning the result to dish.  When dish
receives the referral, it tries to connect to the remote DSA and fails.

Read about chaining and referral in the isode/tailoring manual, and in
the Service Controls section, and let the DSA use chaining and dish not
use referral.  I don't remember the options offhand, but some of them are
	Dish-> show -chaining -preferchaining
	       search -norefer
When you get these to work, I think you can put these in ~/.quipurc, or
maybe dsaptailor or .dish_tailor.  I also remember something like
	chainingprohibit: off
in quiputailor (or dsaptailor?).


Regards,

Hallvard

------------

end of summary

----------------------------------------------------------------
Luis P. Caamano  (LC2385)             |           lpc@sware.com
SecureWare, Inc. Atlanta, GA, USA     |           (404) 315-6296
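The replies above all come down to the same point: a DUA behind the firewall fails when its DSA hands back a referral (because dish then has to open its own connection to the remote DSA, which the firewall blocks), and succeeds when the firewall DSA chains the request itself. The following toy model, added here as an illustration and not code from the thread or from quipu, makes that failure mode concrete; the hostnames, the reachability table and the directory entries are constructed, and quipu's real tailoring syntax is not modelled.

```python
# Added example, not from the thread: a toy model of referral vs. chaining
# for a DUA (dish) that sits behind a firewall. All names below are constructed.

# Constructed reachability: who may open a connection to whom. The inside DUA
# can only reach the firewall DSA; only the firewall DSA may reach the outside.
REACHABLE = {
    "dua-inside": {"dsa-firewall"},
    "dsa-firewall": {"dsa-outside"},
    "dsa-outside": set(),
}

# Constructed directory data: which DSA holds which entry.
HELD_BY = {
    "c=US@o=Example-Inside": "dsa-firewall",
    "c=GB@o=Example-Outside": "dsa-outside",
}


def dsa_lookup(dsa, name, chain):
    """Answer a read at `dsa`. Returns ("result", value) when the entry is
    served, or ("referral", holder) naming the DSA that holds it. With
    chain=True the DSA forwards the request itself (chaining) instead of
    handing the caller a referral; chain=False models the -nochain case."""
    holder = HELD_BY[name]
    if holder == dsa:
        return ("result", f"{name} from {dsa}")
    if chain and holder in REACHABLE[dsa]:
        return dsa_lookup(holder, name, chain)
    return ("referral", holder)


def dua_read(dua, first_dsa, name, chain=True, follow_referrals=True):
    """Model dish reading an entry via `first_dsa`. A referral makes the DUA
    try the remote DSA itself, which only works if the firewall lets it."""
    if first_dsa not in REACHABLE[dua]:
        return "failed: cannot reach " + first_dsa
    status, value = dsa_lookup(first_dsa, name, chain)
    if status == "result":
        return value
    if not follow_referrals:  # e.g. dish configured with -norefer
        return "failed: referral to " + value + " not followed"
    if value in REACHABLE[dua]:  # following the referral crosses the firewall
        return dua_read(dua, value, name, chain, follow_referrals)
    return "failed: referral to " + value + " blocked by firewall"


if __name__ == "__main__":
    for chain in (False, True):
        print("chain =", chain, "->",
              dua_read("dua-inside", "dsa-firewall", "c=GB@o=Example-Outside", chain))
```

With chaining off the outside entry fails with a referral the DUA cannot follow; with chaining on the same read succeeds without the DUA ever crossing the firewall.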