So I figured I'd give the group a shot at this.
I've got a client that wants to have 2 linux-based ftp/http servers, one in the LAN and one in the DMZ, share some data. NFS would be perfect.
However-
The security group will not allow the server in the DMZ to access the LAN-based NetApp through the firewall for its NFS resource. Also, I cannot put an interface from the NetApp into the DMZ.
They WILL allow it if it's encrypted.
I saw WebNFS, does Netapp support some sort of NFS over HTTPS? or SSH?
Alternatively, the client said that what would be allowed is if the two servers could share the same LUN- FC only, no iSCSI. Has anyone out there tried that before, what needs to be done on the linux side to make that happen?
Thanks
Glenn (the other one)
You need something like Red Hat's GFS, which I believe requires the clients to be able to communicate in some form over TCP to allow "fencing" to work... software that controls multiple client access.
There may be others too, like StorNext from ADIC.
-----Original Message-----
From: "Glenn Dekhayser" gdekhayser@voyantinc.com
Date: Fri, 6 Apr 2007 14:55:22
To: toasters@mathworks.com
Subject: Weird NFS need
Glenn> I've got a client that wants to have 2 linux-based ftp/http
Glenn> servers, one in the LAN and one in the DMZ, share some data.
Glenn> NFS would be perfect.
How closely in-sync do they need to be?
Glenn> However-
Glenn> The security group will not allow server in the DMZ to access
Glenn> the LAN-based Netapp through the firewall for its NFS resource.
Glenn> Also, I cannot put an interface from the Netapp into the DMZ.
Sure, makes perfect sense.
Glenn> They WILL allow it if it's encrypted.
Huh? This makes no sense...
Glenn> I saw WebNFS, does Netapp support some sort of NFS over HTTPS?
Glenn> or SSH?
None that I know of...
Glenn> Alternatively, the client said that what would be allowed is if
Glenn> the two servers could share the same LUN- FC only, no iSCSI.
Glenn> Has anyone out there tried that before, what needs to be done
Glenn> on the linux side to make that happen?
You'd have to get something like GFS (Red Hat's Global File System) set up on both boxes, but that might not work over a firewall.
Instead, I'd just do an rsync from the internal system to the outside system.
Or make the internal people use 'sftp' or 'scp' to push/pull files from the DMZ host to their internal side.
Maybe understanding what the purpose of the two systems is, and what's going to be accomplished would help more here.
John
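The rsync suggestion above, sketched as an added example that is not part of the original thread: the LAN host opens an SSH connection and pushes to the DMZ host, so the transfer is encrypted and the DMZ host never connects inward. Host names, account, paths, key file and lock directory are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): one-way, encrypted push LAN -> DMZ.
# Host names, account, paths and key file are hypothetical placeholders.
SRC_DIR="${SRC_DIR:-/srv/ftp/shared/}"       # trailing slash: sync contents
DMZ_HOST="${DMZ_HOST:-dmz-ftp.example.com}"
DMZ_USER="${DMZ_USER:-syncuser}"
DMZ_DIR="${DMZ_DIR:-/srv/ftp/shared/}"
SSH_KEY="${SSH_KEY:-/etc/sync/push_key}"
LOCK_DIR="${LOCK_DIR:-/tmp/push_to_dmz.lock}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the command only

# SSH transport: key-only, never prompt, refuse unknown or changed host keys.
ssh_transport() {
    printf 'ssh -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes' "$SSH_KEY"
}

# Push SRC_DIR to the DMZ host. Returns 2 on a bad source path,
# 3 if another run holds the lock, otherwise rsync's exit status.
push_to_dmz() {
    case "$SRC_DIR" in
        */) ;;
        *) echo "SRC_DIR must end in / (sync contents, not the directory)" >&2
           return 2 ;;
    esac
    set -- rsync -a --delete --partial -e "$(ssh_transport)" \
        "$SRC_DIR" "$DMZ_USER@$DMZ_HOST:$DMZ_DIR"
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"     # shown unquoted, for inspection only
        return 0
    fi
    # mkdir is atomic, so it works as a lock against overlapping cron runs.
    mkdir "$LOCK_DIR" 2>/dev/null || { echo "sync already running" >&2; return 3; }
    "$@"; rc=$?
    rmdir "$LOCK_DIR"
    return "$rc"
}

push_to_dmz
```

With this direction of travel the firewall only needs to permit SSH from the LAN host to the DMZ host; run with `DRY_RUN=0` to perform the transfer.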
John:
First thing I suggested was rsync, but they are using Availl right now and it's not 'doing it' for them. Rsync isn't gonna be much better than that. It is a weird need, and the assumptions regarding security are a little off, but this organization is big enough that I won't question how they arrived at them; I'm sure I don't have all the facts that went into why they do this and not that.
GFS is looking the most promising however, and I've checked and Netapp does support it. We'll see if the firewall can let that through.
Thanks
Glenn
-----Original Message-----
From: John Stoffel [mailto:john.stoffel@taec.toshiba.com]
Sent: Friday, April 06, 2007 3:58 PM
To: Glenn Dekhayser
Cc: toasters@mathworks.com
Subject: Re: Weird NFS need
One option, if you have budget associated with the project (more than just your time of course :)) is the Decru line of products that NetApp purchased:
http://www.decru.com/products/datafort0.htm