Red Hat Technical Series Deploying RHN Proxy Server in the Enterprise

Similar documents
Red Hat Network Satellite 5.4 Installation Guide. Red Hat Network Satellite

Managing your Red Hat Enterprise Linux guests with RHN Satellite

Using Red Hat Network Satellite Server to Manage Dell PowerEdge Servers

Red Hat Network Satellite Management and automation of your Red Hat Enterprise Linux environment

Red Hat Satellite Management and automation of your Red Hat Enterprise Linux environment

Red Hat Network Satellite (On System z) 18-JUNE CAVMEN Meeting

Implementing Reverse Proxy Using Squid. Prepared By Visolve Squid Team

Media Exchange really puts the power in the hands of our creative users, enabling them to collaborate globally regardless of location and file size.

What is included in the ATRC server support

Technical White Paper BlackBerry Enterprise Server

Virtual Appliance Setup Guide

Sage Grant Management System Requirements

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

An Oracle White Paper July Oracle Primavera Contract Management, Business Intelligence Publisher Edition-Sizing Guide

SSL VPN Technology White Paper

Best Practices for Deploying and Managing Linux with Red Hat Network

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

PINsafe Multifactor Authentication Solution. Technical White Paper

IBM Endpoint Manager Version 9.1. Patch Management for Red Hat Enterprise Linux User's Guide

The Benefits of Verio Virtual Private Servers (VPS) Verio Virtual Private Server (VPS) CONTENTS

SECURELINK.COM REMOTE SUPPORT NETWORK

Siemens HiPath ProCenter Multimedia

SysAidTM Product Description


Deploying in a Distributed Environment

SharePoint 2013 Logical Architecture

Improving the Customer Support Experience with NetApp Remote Support Agent

ACE Management Server Deployment Guide VMware ACE 2.0

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems

PLATO Learning Environment System and Configuration Requirements. for workstations. April 14, 2008

Installing Management Applications on VNX for File

An Overview of Oracle Forms Server Architecture. An Oracle Technical White Paper April 2000

Red Hat Enterprise Linux and management bundle for HP BladeSystem TM

Esri ArcGIS Server 10 for VMware Infrastructure

IIS SECURE ACCESS FILTER 1.3

Performance Optimization Guide

HOMEROOM SERVER INSTALLATION & NETWORK CONFIGURATION GUIDE

Develop a process for applying updates to systems, including verifying properties of the update. Create File Systems

Alfresco Enterprise on Azure: Reference Architecture. September 2014

Interwise Connect. Working with Reverse Proxy Version 7.x

Veeam Cloud Connect. Version 8.0. Administrator Guide

Microsoft Dynamics NAV 2013 R2 Sizing Guidelines for Multitenant Deployments

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

( ) ( ) TECHNOLOGY BRIEF. XTNDConnect Server: Scalability SCALABILITY REFERS TO HOW WELL THE SYSTEM ADAPTS TO INCREASED DEMANDS AND A GREATER

Technical White Paper

msuite5 & mdesign Installation Prerequisites

ReadyNAS Remote White Paper. NETGEAR May 2010

Imaging License Server User Guide

Secure Web Access Solution

Install Instructions and Deployment Options

LabTech Installation Prerequisites

AuditMatic Enterprise Edition Installation Specifications

Implementing Failover Capabilities in Red Hat Network Satellite

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port

Cisco Application Networking Manager Version 2.0

Cisco Prime Home 5.0 Minimum System Requirements (Standalone and High Availability)

2X ApplicationServer & LoadBalancer Manual

Syncplicity On-Premise Storage Connector

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Ignify ecommerce. Item Requirements Notes

UBS KeyLink Quick reference WEB Installation Guide

Best Practices for VMware ESX Server 2

Installation and Deployment

Load Balancing Web Applications

Contents Release Notes System Requirements Administering Jive for Office

WHITE PAPER. ClusterWorX 2.1 from Linux NetworX. Cluster Management Solution C ONTENTS INTRODUCTION

Patch Management Reference

By the Citrix Publications Department. Citrix Systems, Inc.

WHITE PAPER Managing Linux in the Enterprise: The Red Hat Network Approach

MailEnable Scalability White Paper Version 1.2

The following sections provide information on the features and tasks of Server Inventory:

Chapter 8 Monitoring and Logging

Enterprise Solution for Remote Desktop Services System Administration Server Management Server Management (Continued)...

Oracle Applications Release 10.7 NCA Network Performance for the Enterprise. An Oracle White Paper January 1998

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Blackbaud NetCommunity Configuration Overview

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Content Distribution Management

Security Event Management. February 7, 2007 (Revision 5)

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

PLATO Learning Environment System and Configuration Requirements for workstations. October 27th, 2008

Firewalls Overview and Best Practices. White Paper

Identikey Server Performance and Deployment Guide 3.1


Web Development. Owen Sacco. ICS2205/ICS2230 Web Intelligence

scalability OneBridge

SUSE Manager. A Comprehensive Linux Server Management the Linux Way. Name. Title

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide

StreamServe Persuasion SP5 StreamStudio

PLATO Learning Environment 2.0 System and Configuration Requirements. Dec 1, 2009

24online FAQs. 24Online FAQs. Copyright Elitecore Technologies Ltd., Ahmedabad, INDIA. Elitecore Technologies ltd. 1

Installing and Configuring Websense Content Gateway

SHARPCLOUD SECURITY STATEMENT

Installing and Configuring vcenter Multi-Hypervisor Manager

Random Walk Shoes. Setting Up a Web Server

Step-by-Step Configuration

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM System with Citrix XenDesktop

Open Source Datacenter Conference 2011 System Management with RHN Satellite. Dirk Herrmann, Solution Architect, Red Hat

Transcription:

Red Hat Technical Series Deploying RHN Proxy Server in the Enterprise Copyright 2001, 2002 by Red Hat, Inc. Tammy Fox, Mihai Ibanescu, and Todd Warner RHN Proxy Server is a service deployed at a customer s site that caches packages for distribution across the local Intranet while maintaining a single, secure connection to Red Hat Network. Additionally, RHN Proxy Server enables a customer to develop custom channels containing locally built packages.

Table of Contents 1. Introduction... 5 2. Hardware Requirements... 8 3. Additional Requirements... 8 4. Example Topologies... 9 5. Conclusion... 11

1. Introduction 1.1. Red Hat Network Red Hat Network (RHN) is the environment for system-level support and management of Red Hat Linux systems and networks of systems. Red Hat Network brings together the tools, services, and information administrators need to maximize the reliability, security, and performance of their systems. To use RHN, system administrators register the software and hardware profiles, known as System Profiles, of their client systems with Red Hat Network. When the client systems request package updates, only the applicable packages for the client are returned (based on the software profile stored on the RHN Servers). Advantages of using Red Hat Network include: Scalability set up and manage a network of dozens of Red Hat Linux systems with equal ease. With Red Hat Network and Red Hat Linux, a single system administrator can set up and maintain hundreds or thousands of Red Hat Linux systems more easily, accurately, and quickly than that same administrator could maintain a single system without Red Hat Network. Standard Protocols standard protocols are used to maintain security and increase capability. For example, XML-RPC gives Red Hat Network the ability to do much more than merely download files. Security all communication between registered systems and Red Hat Network are over secure Internet connections. View Errata Alerts easily view Errata Alerts for all your client systems through one Web interface. Scheduled Actions use the Web interface to schedule actions including Errata Updates, package installation, and software profile updates. Simplification maintaining Red Hat Linux systems becomes a simple automated process. 1.2. RHN Proxy Server A RHN Proxy Server is a service deployed within a corporate network with advanced Red Hat Network functionality such as a package caching mechanism for reduced bandwidth usage and custom package deployment via customizable channels. This service allows a business or corporation to cache RPM Updates on an internal, centrally located RHN Proxy Server and have the client systems download the updates from that server instead of from one of the RHN Servers 1 over the Internet. The clients System Profiles and user information are stored on the secure RHN servers. Only the RPM files are stored on the RHN Proxy Server. Every transaction is authenticated, and the Red Hat Update Agent checks the GPG signature of each package retrieved from the local RHN Proxy Server. In addition to storing official Red Hat packages, the RHN Proxy Server can be configured to deliver an organization s own custom RPM packages from private RHN channels, using the RHN Package Manager. For instance, an organization could develop its own software, package it in an RPM, sign it with its own GPG signature, and have the local RHN Proxy Server update all the individual systems in the network with the latest versions of the custom software. Advantages of using RHN Proxy Server include: Scalability there can be multiple local RHN Proxy Servers within one organization. 1. Throughout this document, replace RHN Servers with RHN Satellite Server if the RHN Proxy Server connects to a RHN Satellite Server instead.

6 Red Hat Technical Series Security an end-to-end secure connection is maintained: from the client systems, to the local RHN Proxy Server, to Red Hat s server. Saves time packages are delivered significantly faster over a local area network instead of over the Internet. Saves bandwidth packages are only downloaded from the RHN File Servers once (per local proxy server s caching mechanism) instead of downloading each package to each client system. Saves disk space on individual systems one large disk array is required instead of extra disk space on all the client systems. Customized updates create a truly automated package delivery system for official Red Hat packages as well as any custom software packages required for the client systems. Custom private RHN channels allow an organization to automate delivery of in-house packages. Customized configuration restrict or grant updates to specific architectures and OS versions. Only one Internet connection required the client systems connect through the HTTP Proxy server and do not need an Internet connection. Only the RHN Proxy Servers need an Internet connection to contact the RHN Servers. 1.3. Terms to Understand Before understanding RHN Proxy Server, it is important to become familiar with the following Red Hat Network terms: Channel A channel is a list of Red Hat Linux packages. There are two types of channels: base channels and child channels. A base channel consists of a list of packages based on a specific architecture and Red Hat Linux release. For example, all the packages in Red Hat Linux 7.2 for the x86 architecture compose a base channel. The list of packages in Red Hat Linux 7.2 for the Itanium architecture compose a different base channel. A child channel is a channel associated with a base channel but contains extra packages. For example, an organization can create a child channel that is associated with the Red Hat Linux 7.2 for the x86 architecture and that contains extra packages needed only for the organization, such as a custom engineering application. Organization Administrator Organization Administrator is a user role with the highest level of control over an organization s Red Hat Network account. Members of this role can add other users, systems, and system groups to the organization as well as remove them. A Red Hat Network organization must have at least one Organization Administrator. Red Hat Update Agent The Red Hat Update Agent is the Red Hat Network client application (up2date) that allows users to retrieve and install new or updated packages for the client system on which the application is run. Traceback A traceback is a detailed description of "what went wrong" that is useful for troubleshooting the RHN Proxy Server. Tracebacks are automatically generated when a critical error occurs and are mailed to the individual(s) designated in the RHN Proxy Server s configuration file. For more detailed explanations of these terms and others, refer to the Red Hat Network Enterprise User Reference Guide available at http://www.redhat.com/docs/. 1.4. How it Works The Red Hat Update Agent on the client systems does not directly contact a Red Hat Network Server. Instead, the client (or clients) connect to a RHN Proxy Server that connects to the Red Hat Network Servers. Thus, the client systems do not need direct access to the Internet. They only need access to the RHN Proxy Server.

Red Hat Technical Series 7 By default, a client is authenticated directly by Red Hat Network servers. Using an RHN Proxy Server, authentication works similarly except that the RHN Proxy Server provides route information as well. After a successful authentication, the Red Hat Network server informs the RHN Proxy Server that it is permitted to execute a specific action for the client. The RHN Proxy Server downloads all the updated packages (if they are not already present in its cache) and delivers them to the client system. Requests from the Red Hat Update Agent on the client systems are authenticated on the server side, but delivering packages is much faster since the packages are cached in the HTTP proxy caching server or the RHN Proxy Server (for local packages); and the RHN Proxy Server and client system are connected via the LAN with the speed of the local network. Authentication is done in the following order: 1. The client performs a login action at the beginning of a client session. This login is passed through one or more RHN Proxy Servers until it reaches a Red Hat Network Server. 2. The Red Hat Network server attempts to authenticate the client. If authentication is successful, then it passes back, via the chain of RHN Proxy Servers, a session token. This token, which has a signature and expiration, contains user information, includes subscribe-to channels, username, etc. 3. Each RHN Proxy Server caches this token on its local file system. Caching reduces some of the overhead of authenticating with Red Hat Network servers and greatly improves the performance of Red Hat Network. 4. This session token is passed back to the client machine and is used in subsequent actions on Red Hat Network. From the client s point of view, there is no difference between an RHN Proxy Server and a Red Hat Network server. From the server s point of view, an RHN Proxy Server is a special kind of client. Thus, clients are not affected by the route a request takes to reach a Red Hat Network server. All the logic is implemented in the RHN Proxy Servers and Red Hat Network Servers. The entire RHN Proxy Server solution actually consists of a several components (refer to Section 4 for details): The RHN Proxy Broker Server The core component that performs the RHN logic for the Red Hat Network Proxy solution. The RHN Proxy SSL Redirect Server The RHN Proxy Server s requests are sent through the RHN Proxy SSL Redirect Server on their way to the Red Hat Network servers, allowing an SSL connection between the RHN Proxy Server and the Red Hat Network servers. This is necessary due to the requirement of the non-ssl caching services. The RHN Proxy SSL Redirect Server sends any request to the Red Hat Network servers as an SSL request. This server can reside on the same machine as the RHN Proxy Server or on a separate machine. If you have multiple RHN Proxy Servers, it is recommend that all requests be sent through one RHN Proxy SSL Redirect Server. The RHN Authentication Daemon A small server daemon that acts as a caching and token verification mechanism. Like the RHN Proxy SSL Redirect Server, it can reside on the same physical server as the RHN Proxy Server. Again, if you have more than one RHN Proxy Server, it is recommended that a single RHN Authentication Daemon serve all RHN Proxy Servers. Optionally the RHN Package Manager can be installed and configured to serve custom packages specifically written for the organization. These packages are not official Red Hat Linux packages. After creating a private RHN channel, the custom RPM packages are associated with the private channel by uploading the package headers to the RHN servers. Only the headers are uploaded, not the actual RPM package files. The headers are required because they contain crucial RPM information, including software dependencies, that allows RHN to automate package installation. The actual custom RPM packages are stored on the RHN Proxy Server server and sent to the client systems from inside the organization s private area network.

8 Red Hat Technical Series In summary, a client s Red Hat Update Agent connects to the RHN Proxy Broker Server which connects to the RHN Proxy SSL Redirect Server which connects to Red Hat Network. Between the RHN Proxy Broker Server and the RHN Proxy SSL Redirect Server is a Squid HTTP proxy caching server and RHN Authentication Daemon. Between the RHN Proxy SSL Redirect Server and Red Hat Network, a corporate HTTP proxy caching server gateway may exist. Finally, a custom channel can be maintained with two tools: the RHN Web interface and the RHN Package Manager. 2. Hardware Requirements To use the RHN Proxy Server, the following hardware is required: The RHN Proxy Server and its components are only supported on the x86 architecture with a minimum requirement of a Pentium processors -- the faster, the better. For a single RHN Proxy Server, the minimum requirement is one server that acts as the RHN Proxy Broker Server, RHN Authentication Daemon, and RHN Proxy SSL Redirect Server. Alternately, the RHN Authentication Daemon and RHN Proxy SSL Redirect Server may reside on separate machines. The amount of memory is very dependent on other services that run on the same machine. 64MB of RAM memory should suffice. 2.1. Disk space Requirements The HTTP proxy caching server used to save bandwidth for the clients should have a fairly reasonable amount of space available. If you are using Squid as the HTTP proxy caching server, the cached packages are stored in /var/cache/squid. The recommended free space allotment should be approximately 120% of the total space taken by the RPMs for all distributions intended to be served. You can compute the space requirements depending on how many different distributions the proxy will have to serve. Configure approximately 1.3G of space per distribution (including updates and source packages) as a maximum; the actual amount can be much lower if you only download package updates. If the RHN Proxy Server is configured to distribute local packages, make sure that the /var mount point on the system storing local packages has sufficient disk space to hold all of the custom packages, which are stored in /var/up2date/packages. The required disk space for local packages depend on the number of custom packages deployed. The RHN Authentication Daemon requires approximately 5 KB of disk space for each client server the RHN Proxy Server will service. The RHN Proxy SSL Redirect Server requires approximately 130 KB for the server itself plus disk space for Apache and Python, which approximately require 2 MB combined. For the RHN Proxy Broker Server (two scenarios): 1. If you are not planning to provide local channels (for example, have your own distribution stored locally on the proxy), the space requirements for the proxy itself are minimal: approximately 2M. 2. Running local channels will add some disk space requirements for the packages you will have: whatever is needed for the packages you plan to serve, plus the space required for step 1.

Red Hat Technical Series 9 3. Additional Requirements In addition to the hardware and disk space requirements, the RHN Proxy Server must have the following configuration: Internal computers need full network access to the RHN Proxy Server Solution s services and ports. The RHN Proxy Server Solution connects to itself for some services. Thus, localhost connections must always be allowed between the RHN Proxy Server components. The RHN Proxy Server Solution can be firewalled from the Internet, but it must be able to issue outbound connections to the Internet on ports 80 and 443. The following are recommended requirements: The system running the code should not be publicly available. No user but the system administrators should have shell access to these machines. All unnecessary services should be disabled. You can use ntsysv or chkconfig to disable services. The HTTP proxy caching server should be secured. 4. Example Topologies The RHN Proxy Server can be configured in multiple ways. Select one method depending on the following factors: 1. The number of available physical servers for the RHN Proxy Broker Server, RHN Authentication Daemon, and RHN Proxy SSL Redirect Server. 2. The number of RHN Proxy Servers being used. 3. The maximum number of clients expected to connect concurrently to the RHN Proxy Server. Most organizations can deploy multiple RHN Proxy Broker Servers and have them connect to the same RHN Authentication Daemon. The number of RHN Proxy SSL Redirect Servers servicing the RHN Proxy Broker Servers is dependent upon the SSL connection requirements of the organization since the connection between the RHN Proxy Broker Server and the RHN Proxy SSL Redirect Server is a non-ssl connection. In the simplest case, the RHN Proxy SSL Redirect Server should reside on the same physical server. With multiple RHN Proxy Broker Servers, the recommended configuration is to use one physical server for the RHN Proxy SSL Redirect Server and the RHN Authentication Daemon, funneling requests via SSL through the HTTP Proxy and firewall (or any server(s) that the organization uses between the client systems and the Internet). Note The RHN Proxy SSL Redirect Server is completely optional, but if you intend to have a secure connection between the RHN Proxy Server (specifically the RHN Proxy Broker Server) and Red Hat Network, it must be installed. 4.1. Simple Topology Example The simplest configuration is to have the RHN Proxy Broker Server, RHN Authentication Daemon, and RHN Proxy SSL Redirect Server on the same server as shown in Figure 1. This configuration is

10 Red Hat Technical Series adequate to service a small group of clients and a network that would benefit from caching Red Hat RPM packages and storing custom RPM packages on a local server. The disadvantage of using one physical server for the RHN Proxy Broker Server and the RHN Proxy SSL Redirect Server is that performance will be slightly compromised because the server receives two simultaneous HTTP requests for each client request. Figure 1. Simple Topology 4.2. Two Server Topology Example An alternative method is to use two servers. Use one server as the RHN Proxy Broker Server and RHN Authentication Daemon, and use the other server as the RHN Proxy SSL Redirect Server as shown in Figure 2. Because the RHN Authentication Daemon and the RHN Proxy SSL Redirect Server are on different servers, the network load of HTTP requests are better balanced. This configuration also allows for easier future expansion. The biggest disadvantage is the cost of an additional machine and its maintenance. However, this should not be considered a major disadvantage because the hardware requirements for the server are nominal.

Red Hat Technical Series 11 Figure 2. Two Server Topology Example 4.3. Multiple Server Topology Example A different method is to have multiple RHN Proxy Broker Servers and an additional server for the RHN Authentication Daemon and RHN Proxy SSL Redirect Server as shown in Figure 3. Figure 3. Multiple Server Topology Example 5. Conclusion RHN Proxy Server is a flexible solution for an organization that requires RPM software updates but also requires network security. Clients are not required to have access to the Internet to safely

12 Red Hat Technical Series maintain their software, including custom software only available to the organization. Clients only need a connection to the organization s local area network.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information