Setting up a Network Shell proxy server

A Network Shell proxy server is an Application Server defined to manage:

  • Interactive traffic from Network Shell clients
  • Traffic from jobs that invoke Network Shell

This topic describes the different Application Server configurations requiring a Network Shell proxy server. Note that the initial installation of a BMC Server Automation Application Server does not set up a Network Shell proxy server by default.

Application Server types

When you create an Application Server, you can specify its type. The initial installation of an Application Server sets its type to All, which means the Application Server can perform all possible functions, including that of a Network Shell proxy server. When you deploy additional Application Servers on a host, they can be any combination of the following types. You can also redefine the initial installation of the Application Server so its type is any combination of the following types:

  • Configuration — Manages traffic from the console
  • Job — Manages job traffic
  • NSH_Proxy — Manages Network Shell traffic
  • All — Performs all of the functions listed above

Configuration required when using a Network Shell proxy server

The following table describes actions that you must take to implement a Network Shell proxy server for different Application Server configurations.

If you have deployed multiple Application Servers and a load balancer, additional configuration is necessary for a Network Shell proxy server. For details, see Recommendations for Application Servers of type NSH_Proxy.

For an example of an end-to-end configuration scenario and various configuration tips, see Configuring a NSH Proxy Server.

Application Server configuration

Additional configuration required

Application Server is set to type All or to a type that includes NSH_Proxy (for example, Configuration+NSH_Proxy) and the Application Server must function as a Network Shell proxy server.

  1. Run the Network Shell proxy service on the Application Server so the Network Shell proxy server can service Network Shell authentication requests and redirect traffic to the Network Shell proxy server.
  2. Configure hosts where Network Shell is installed so the hosts can run in proxy mode.

Application Server is not functioning as a Network Shell proxy server but it must redirect traffic to a Network Shell proxy server.

  1. Configure the proxy service URL on the Application Server so it points to an Application Server that is running the Network Shell proxy service.
  2. Configure hosts where Network Shell is installed so the hosts can run in proxy mode.

The Application Server must be configured to use a Network Shell proxy server under the following circumstances:

  • If your environment uses a SOCKS proxy. This is relevant for the processing of the following types of jobs:
    • NSH Script Job - type 1
    • NSH Script Job - type 2
  • If you use an Automation Principal to connect with target servers. Configuring the use of a Network Shell proxy in such a case ensures that the Automation Principal credentials are picked up when the Application Server communicates with the target servers. This is relevant for processing of the following types of jobs:
    • Compliance/Snapshot/Audit Job that uses extended objects
    • Patch Analysis Job
    • NSH Script Job
    • Agent Installer Job
    • File Deploy Job

  1. Do one of the following:
    • If the Application Server is set to type All or to a configuration that includes a type of NSH_Proxy, run the Network Shell proxy service.
    • If the Application Server is not functioning as a Network Shell proxy server, configure the proxy service URL so it points to an Application Server that is running the Network Shell proxy service.
  2. Use a secadmin command to route Network Shell traffic to the Network Shell proxy server.
  3. If users must run a Network Shell client interactively from this Application Server's host, configure the host to run in proxy mode.
  4. Configure other hosts where Network Shell is installed so the hosts can run in proxy mode.

Note

When you deploy Application Servers to multiple hosts, you must configure the Application Servers so they access the same database, use the same keystore information, and run synchronized clocks. Network Shell proxy servers are a type of Application Server, so you must perform this configuration on them too. For details, see Configuring multiple Application Servers on different hosts.

Run the Network Shell proxy service

Any Application Server defined to be a Network Shell proxy server must be running the Network Shell proxy service. To run the service, enable the Network Shell proxy port — the port on which the Network Shell proxy server listens for Network Shell traffic.

The initial installation of an Application Server on a host creates a default Application Server with its type set to All. A Network Shell proxy server is not enabled on a default Application Server. You must perform this procedure to enable the Network Shell proxy server.

When you deploy additional Application Servers on a host with their type set to All or any type that includes NSH_Proxy (such as Configuration+NSH_Proxy), this procedure is not necessary. In those situations, the proxy service is automatically enabled.

To run the proxy service

  1. Using the BMC Server Automation Console, select Configuration > Infrastructure Management.
  2. Expand the Application Servers node. Right-click an Application Server defined to function as a Network Shell proxy server and select Edit.
    The Application Server must have its type set to All or to a type that includes NSH_Proxy, such as Configuration+NSH_Proxy.
  3. On the Edit Application Server Profile dialog box, provide a value for ProxySvcPort.
    This value is the number of the port on the Application Server that listens for Network Shell traffic. By default, the Network Shell proxy server listens for traffic on a port equal to the base port plus 42 (typically 9842).
  4. Click OK.
  5. Restart the Application Server. See Managing multiple Application Servers on the same host.

Configure the proxy service URL

To use a Network Shell proxy server, any Application Server that is not functioning as a Network Shell proxy server must be configured to send Network Shell traffic to a Network Shell proxy server.

To configure the proxy service URL

  1. Using the BMC Server Automation Console, select Configuration > Infrastructure Management.
  2. Expand the Application Servers node. Right-click an Application Server that is defined not to function as a Network Shell proxy server and select Edit.
  3. On the Edit Application Server Profile dialog box, provide a value for ProxyServiceURLs.
    This value should identify a Network Shell proxy service running in the Application Server environment. The value you provide should have the format
    service:proxysvc.bladelogic:blsess://<nshProxyServerHost>:<portNumber>
    In the value shown above, <nshProxyServerHost> is the fully qualified name of a host where a Network Shell proxy server is running and <portNumber> is the value provided for ProxySvcPort on that Network Shell proxy server. By default, ProxySvcPort is set to base port plus 42.
  4. Click OK.
  5. Restart the Application Server. See Managing multiple Application Servers on the same host.

Route Network Shell traffic to a Network Shell proxy server

Use this procedure to configure an Application Server so that Network Shell traffic is routed through a Network Shell proxy service for any Application Server that processes jobs.

To route Network Shell traffic to a Network Shell proxy server

  1. Configure the secure file on the Application Server by running the following secadmin command:
    secadmin -m default -p 5 -appserver_protocol ssoproxy -T encryption_only -e tls
    This command generates the following default entry in the secure file:
    default:protocol=5:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls

    For more information about the secure file, see Configuring the secure file. For more information about secadmin, see Using the secadmin utility.

  2. If users must run a Network Shell client interactively from this Application Server's host, configure the host to run in proxy mode.
  3. Repeat this procedure for any other Application Server that is defined to process jobs.
  4. If the particular deployment of the Application Server is not running an NSH Proxy Server itself, then you must update the ProxyServiceURLs setting in that deployment to reference the relevant NSH Proxy URL.

    For example, Application Server Deployment A is of type CONFIG, NSH_PROXY, and Application Server Deployment B is of type JOB. You must update the ProxyServiceURLs setting to contain the URL for the NSH Proxy Service on Deployment A.
  5. If you have target systems that run the RSCD agent on custom ports, you must modify the secure file on your Application Servers to contain the following entry format, in addition to the default entry:
    <host>:port=<custom port>:appserver_protocol=ssoproxy:protocol=5:tls_mode=encryption_only:encryption=tls:
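
The following check is an added example, not BMC code. It audits secure file entries against the settings from steps 1 and 5 and validates a ProxyServiceURLs value against the format given under "Configure the proxy service URL". The function names and example.com hosts are hypothetical, and skipping '#' comment lines and an 'rscd' entry is an assumption.

```python
import re

# Fields written by the secadmin command in step 1 of the procedure.
REQUIRED = {"protocol": "5", "appserver_protocol": "ssoproxy",
            "tls_mode": "encryption_only", "encryption": "tls"}
URL_RE = re.compile(r"^service:proxysvc\.bladelogic:blsess://([^:/\s]+):(\d+)$")


def parse_entry(line):
    """Split 'name:key=value:...' into (name, {key: value})."""
    name, *fields = line.strip().rstrip(":").split(":")
    return name, dict(f.split("=", 1) for f in fields if "=" in f)


def audit_secure(lines, skip=("rscd",)):
    """List entries that would not send traffic through the proxy over TLS."""
    findings, names = [], set()
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # assumption: blank lines and '#' comments carry no entry
        name, opts = parse_entry(raw)
        names.add(name)
        if name in skip:  # assumption: 'rscd' configures the local agent only
            continue
        for key, want in REQUIRED.items():
            if opts.get(key) != want:
                findings.append(f"{name}: {key}={opts.get(key)} (want {want})")
    if "default" not in names:
        findings.append("default: entry missing")
    return findings


def check_proxy_url(value, proxy_svc_port):
    """Check a ProxyServiceURLs value against the proxy's ProxySvcPort."""
    m = URL_RE.match(value.strip())
    if not m:
        return ["ProxyServiceURLs: malformed"]
    host, port = m.group(1), int(m.group(2))
    findings = [f"ProxyServiceURLs: {host} is not fully qualified"] if "." not in host else []
    if port != proxy_svc_port:
        findings.append(f"ProxyServiceURLs: port {port} != ProxySvcPort {proxy_svc_port}")
    return findings

# Constructed sample: db01 listens on a custom port but lacks appserver_protocol.
SAMPLE = ["default:protocol=5:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls",
          "db01.example.com:port=4751:protocol=5:tls_mode=encryption_only:encryption=tls:"]
if __name__ == "__main__":
    print(audit_secure(SAMPLE))
    print(check_proxy_url("service:proxysvc.bladelogic:blsess://nshproxy.example.com:9842", 9842))
```

An empty list from either function means the entries or URL match what this page specifies; each string names the entry and field that deviates.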

Additional configuration for using a Network Shell proxy server

Note

When you log in using the RCP client, the session credentials may contain URLs with multiple IP addresses, which may result in connection failures to the NSH proxy server. If the proxy server log indicates an IP address mismatch for these failures, use one of the following workarounds:

  • Change the value of the set appserver ValidateClientIpAddress command to false (see Configuring the Application Service for details about the command).
  • To avoid this error, make sure that the Application Server host name in the /etc/hosts file resolves to a single IP address.
