[OpenAFS] Trying to figure out how to work this
Derek Atkins
warlord@MIT.EDU
31 Jul 2002 16:06:15 -0400
Not necessarily --

An "outside" client (read: telecommuter) may need to contact the
sync-site. It would be BAD if that sync-site were inaccessible.
Similarly for replicated volumes, a telecommuter's client might choose
to access the internal RO site, which would fail. Sure, it should
failover to a non-internal site, but it would still require a timeout.

What kind of file access do you want to provide a telecommuter? If
you want to protect financial data and NOT allow a telecommuter to
access it, then you could put a _file_server behind the firewall..
But I would not recommend you put db servers behind the firewall
(because of the syncsite issues).

-derek

"Neulinger, Nathan" <nneul@umr.edu> writes:
> Would you even need that? As long as your database servers could reach
> each other, and the clients issuing releases could reach both, you'd be
> fine I'd think.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul@umr.edu
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
>
>
> > -----Original Message-----
> > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > Sent: Wednesday, July 31, 2002 2:44 PM
> > To: Neulinger, Nathan
> > Cc: openafs-info@openafs.org
> > Subject: Re: [OpenAFS] Trying to figure out how to work this
> >
> >
> > If you try to have your cell cross between internal and DMZ, just
> > make sure that all your Database servers are in the DMZ, and make
> > sure you don't put any replicated volumes (that you want
> > visible from the outside) on the internal servers.
> >
> > -derek
> >
> > "Neulinger, Nathan" <nneul@umr.edu> writes:
> >
> > > You wouldn't even have to do that... Put some servers internal - and put
> > > "internal only" volumes on those servers. DMZ servers would contain
> > > volumes that could be accessed from outside.
> > >
> > > Not sure exactly what would be required for the kaserver, but you could
> > > probably put some inside, or all in the DMZ.
> > >
> > > -- Nathan
> > >
> > > ------------------------------------------------------------
> > > Nathan Neulinger EMail: nneul@umr.edu
> > > University of Missouri - Rolla Phone: (573) 341-4841
> > > Computing Services Fax: (573) 341-4216
> > >
> > >
> > > > -----Original Message-----
> > > > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > > > Sent: Wednesday, July 31, 2002 2:25 PM
> > > > To: Chris Snyder
> > > > Cc: openafs-info@openafs.org
> > > > Subject: Re: [OpenAFS] Trying to figure out how to work this
> > > >
> > > >
> > > > There is not an easy way to synchronize in this manner,
> > > > certainly not in any automatic function. AFS Cells are
> > > > autonomous units, and do not communicate. For example,
> > > > there is no way for a user to change their password in
> > > > _both cells_ at once, and if they change it in one cell
> > > > there is no way for that change to propagate to the
> > > > other.
> > > >
> > > > Question: Why don't you just run one cell in the DMZ that is
> > > > accessed from both the DMZ and the internal network? Clearly
> > > > you can get from the internal network to the DMZ. What is
> > > > the purpose of having two cells?
> > > >
> > > > -derek
> > > >
> > > > Chris Snyder <csnyder@mvpsoft.com> writes:
> > > >
> > > > > I'm trying to figure out how I should go about setting OpenAFS for my
> > > > > network. Here's my network configuration:
> > > > >
> > > > > There are two domains on this network - mvpsoft.internal and
> > > > > mvpsoft.servers. Mvpsoft.servers is behind a NAT firewall, and
> > > > > mvpsoft.internal is behind a firewall that is on mvpsoft.servers,
> > > > > which gives it an additional level of security. Computers on
> > > > > mvpsoft.internal are not accessible by mvpsoft.servers, but boxes on
> > > > > mvpsoft.servers are accessible from mvpsoft.internal. Mvpsoft.servers
> > > > > is our DMZ, containing web, mail, DNS, etc. servers.
> > > > >
> > > > > I'm going to have two AFS cells - mvpsoft.internal, and
> > > > > mvpsoft.servers, hosted on servers on the domains that match the cell
> > > > > names. Mvpsoft.internal will be primarily for user file storage,
> > > > > while mvpsoft.servers will have some user file storage (mainly from
> > > > > telecommuters), and will also have our web server files.
> > > > >
> > > > > I'd like to have user data synchronized between the two cells. Is
> > > > > there an easy way to do this automatically? My goal is to have users
> > > > > be able to use their usernames and passwords transparently from any
> > > > > computer on the network. Is this possible? Thanks in advance.
> > > > >
> > > > > _______________________________________________
> > > > > OpenAFS-info mailing list
> > > > > OpenAFS-info@openafs.org
> > > > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > > >
> > > > --
> > > > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > > > Member, MIT Student Information Processing Board (SIPB)
> > > > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > > > warlord@MIT.EDU PGP key available
> >
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
> >
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
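
The placement reasoning in this message and the quoted replies can be checked mechanically. The following Python sketch is an added example, not part of the original thread or of OpenAFS: it models the firewall zones and flags database servers or RO sites that some client cannot reach. The host names, volume names, and the rule that outside clients reach only the DMZ are assumptions made for illustration.

```python
from itertools import permutations

# Firewall policy as (source zone, destination zone) pairs that are permitted.
# From the thread: internal reaches the DMZ, the DMZ does not reach internal.
# Assumption: "outside" (telecommuter) clients reach DMZ hosts only.
ALLOWED = {("outside", "dmz"), ("internal", "dmz"),
           ("internal", "internal"), ("dmz", "dmz")}


def can_reach(src_zone, dst_zone):
    return (src_zone, dst_zone) in ALLOWED


def check_cell(db_servers, file_servers, volumes, client_zones):
    """Return (kind, detail) findings for a proposed single-cell layout."""
    findings = []
    # Database servers must reach each other in both directions.
    for (a, za), (b, zb) in permutations(db_servers.items(), 2):
        if not can_reach(za, zb):
            findings.append(("db-db", f"{a}->{b}"))
    # Any database server may be the sync site, so every client zone
    # needs a path to every one of them.
    for zone in client_zones:
        for host, hzone in db_servers.items():
            if not can_reach(zone, hzone):
                findings.append(("client-db", f"{zone}->{host}"))
    # A client may pick any RO site of a replicated volume, so each site
    # must be reachable from every zone the volume is meant to serve.
    for name, vol in volumes.items():
        for zone in vol["visible_to"]:
            for site in vol["ro_sites"]:
                if not can_reach(zone, file_servers[site]):
                    findings.append(("client-ro", f"{zone}->{name}@{site}"))
    return findings


# Constructed sample layouts; all host and volume names are hypothetical.
FILE_SERVERS = {"fs-dmz": "dmz", "fs-int": "internal"}
SPLIT = dict(
    db_servers={"db1": "dmz", "db2": "internal"},
    file_servers=FILE_SERVERS,
    volumes={"web": {"ro_sites": ["fs-dmz", "fs-int"], "visible_to": ["outside", "internal"]},
             "finance": {"ro_sites": ["fs-int"], "visible_to": ["internal"]}},
    client_zones=["outside", "internal"],
)
RECOMMENDED = dict(SPLIT, db_servers={"db1": "dmz", "db2": "dmz"},
                   volumes={"web": {"ro_sites": ["fs-dmz"], "visible_to": ["outside", "internal"]},
                            "finance": SPLIT["volumes"]["finance"]})

if __name__ == "__main__":
    for label, layout in (("split", SPLIT), ("recommended", RECOMMENDED)):
        print(label, check_cell(**layout))
```

The split layout yields one finding per failure mode raised in the thread; the layout with all database servers in the DMZ and the internal-only volume kept on the internal file server yields none.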