Article Number | 000038975 |
Applies To | RSA Product Set: NetWitness Platform; RSA Product/Service Type: NetWitness Admin Server, NetWitness UI, Virtual Log Collector (VLC); RSA Version/Condition: 11.x |
Issue | A host that is deployed outside of the private network, behind Network Address Translation (NAT), shows a red "stopped" status or "yet to start processing" in the Health & Wellness page. |
Tasks | The following steps describe how to establish communication between the NetWitness Admin Server and the Virtual Log Collector (VLC) deployed outside of a private network in a Network Address Translation (NAT) environment. |
Resolution | Overview:
- Configure iptables on the NW Admin Server, on the VLC, and on the Log Decoder that the VLC sends logs to.
- Update the netwitness.json file with the customer firewall line so that the rules are propagated forward on all future updates (see https://community.rsa.com/docs/DOC-93651).

Preparation steps 1) to 4) are common to every host and are referenced in the per-host sections below.
1) Save the current iptables rules to disk. This produces /etc/sysconfig/iptables and /etc/sysconfig/iptables.save, where .save is the backup.
   # service iptables save
2) Optionally, copy the iptables file to a dated backup if you want to retain multiple backups.
   # cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
3) Stop iptables.
   # service iptables stop
4) Edit /etc/hosts and /etc/sysconfig/iptables as described for the host below.

On the NW Admin Server:
- Perform steps 1) to 4).
- Add the VLC entry with its NAT IP to /etc/hosts.
   # vi /etc/hosts
   <VLC_NAT_IP> vlchostname
- Add the following DNAT rules to the *nat table in iptables. The table header and COMMIT lines are shown for context; the -A OUTPUT lines are the rules to add.
   # cd /etc/sysconfig
   # vi iptables
   *nat
   :PREROUTING ACCEPT [0:0]
   :POSTROUTING ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <VLC_NAT_IP>:5671
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination <VLC_NAT_IP>:56001
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 56006 -j DNAT --to-destination <VLC_NAT_IP>:56006
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50001 -j DNAT --to-destination <VLC_NAT_IP>:50001
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50101 -j DNAT --to-destination <VLC_NAT_IP>:50101
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50006 -j DNAT --to-destination <VLC_NAT_IP>:50006
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50106 -j DNAT --to-destination <VLC_NAT_IP>:50106
   -A OUTPUT -d <VLC_Real_IP>/32 -p udp -m udp --dport 123 -j DNAT --to-destination <VLC_NAT_IP>:123
   COMMIT
- Save the file (:wq!) and start iptables.
   # service iptables start

On the VLC:
- Perform steps 1) to 4).
- Add the NW Admin Server entry with its NAT IP to /etc/hosts.
   # vi /etc/hosts
   <NW_Server_NAT_IP> nw-node-zero UUID-of-NW-server
- Add the following DNAT rules to the *nat table in iptables.
   # cd /etc/sysconfig
   # vi iptables
   *nat
   :PREROUTING ACCEPT [0:0]
   :POSTROUTING ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <NW_Server_NAT_IP>:80
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination <NW_Server_NAT_IP>:443
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <NW_Server_NAT_IP>:5671
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 15671 -j DNAT --to-destination <NW_Server_NAT_IP>:15671
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 27017 -j DNAT --to-destination <NW_Server_NAT_IP>:27017
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 4505 -j DNAT --to-destination <NW_Server_NAT_IP>:4505
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 4506 -j DNAT --to-destination <NW_Server_NAT_IP>:4506
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination <NW_Server_NAT_IP>:53
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p udp -m udp --dport 53 -j DNAT --to-destination <NW_Server_NAT_IP>:53
   -A OUTPUT -d <NW_Server_Real_IP>/32 -p udp -m udp --dport 123 -j DNAT --to-destination <NW_Server_NAT_IP>:123
   -A OUTPUT -d <LogDecoder_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <LogDecoder_NAT_IP>:5671
   COMMIT
- Save the file and start iptables.
   # service iptables start

On the Log Decoder that the VLC sends logs to:
- Perform steps 1) to 4).
- Add the VLC entry with its NAT IP to /etc/hosts.
   # vi /etc/hosts
   <VLC_NAT_IP> vlchostname
- Add the following DNAT rule to the *nat table in iptables.
   # cd /etc/sysconfig
   # vi iptables
   *nat
   :PREROUTING ACCEPT [0:0]
   :POSTROUTING ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <VLC_NAT_IP>:5671
   COMMIT
- Save the file and start iptables.
   # service iptables start

Verification:
- Check the custom rules in the nat table using the command:
   # iptables -L -nv -t nat
- Test the connection. For example:
   On the VLC: # curl -v <NW_Server_Real_IP>:443
   On the NW Admin Server: # curl -v <VLC_Real_IP>:443
|
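The rule lists above are long and identical in shape (one -A OUTPUT DNAT rule per port, rewriting the peer's real IP to its NAT IP), so a typo in one port or address is easy to miss when "iptables -L -nv -t nat" prints a dozen similar lines. The script below is an added example, not part of the RSA article or the NetWitness product: it generates the *nat block for a given real/NAT address pair and port list in the exact form used in /etc/sysconfig/iptables, and compares an "iptables-save -t nat" dump against the expected rules, printing any rule that is missing. It is shown for the NW Admin Server's rules toward the VLC; pass the VLC's or Log Decoder's addresses and port list to check those hosts. The addresses, the VLC_PORTS list and the sample dump are constructed for the example, and the dump is passed as a string so the check also runs offline on a copied dump.

```shell
#!/bin/sh
# Added example (not RSA's script): build the *nat OUTPUT DNAT block the
# article asks you to paste into /etc/sysconfig/iptables, and check an
# `iptables-save -t nat` dump for rules that are missing. All addresses and
# the sample dump below are constructed placeholders, not real hosts.

# gen_dnat_rules REAL_IP NAT_IP "PROTO:PORT ..."
# One "-A OUTPUT ... -j DNAT" line per PROTO:PORT, rewriting traffic sent to
# REAL_IP on that port so it leaves for NAT_IP on the same port.
gen_dnat_rules() {
  real_ip=$1; nat_ip=$2
  for spec in $3; do
    proto=${spec%%:*}; port=${spec##*:}
    printf '%s -d %s/32 -p %s -m %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "-A OUTPUT" "$real_ip" "$proto" "$proto" "$port" "$nat_ip" "$port"
  done
}

# gen_nat_table REAL_IP NAT_IP "PROTO:PORT ..."
# The complete table as it appears in the file: header, rules and COMMIT.
gen_nat_table() {
  printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
  gen_dnat_rules "$@"
  printf 'COMMIT\n'
}

# missing_dnat_rules REAL_IP NAT_IP "PROTO:PORT ..." DUMP
# DUMP is the text of `iptables-save -t nat`. Prints each expected rule that
# is absent (exact whole-line match) and returns 1; prints nothing and
# returns 0 when every rule is present.
missing_dnat_rules() {
  dump=$4
  missing=$(gen_dnat_rules "$1" "$2" "$3" | while IFS= read -r rule; do
    printf '%s\n' "$dump" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
  done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Ports the article routes from the NW Admin Server toward the VLC.
VLC_PORTS="tcp:5671 tcp:56001 tcp:56006 tcp:50001 tcp:50101 tcp:50006 tcp:50106 udp:123"
# Constructed placeholder addresses (RFC 5737 documentation ranges).
VLC_REAL_IP=192.0.2.20
VLC_NAT_IP=203.0.113.20

# Constructed dump of a host where the 56006 rule was never added.
SAMPLE_DUMP=$(gen_nat_table "$VLC_REAL_IP" "$VLC_NAT_IP" \
  "tcp:5671 tcp:56001 tcp:50001 tcp:50101 tcp:50006 tcp:50106 udp:123")

echo "== *nat block for /etc/sysconfig/iptables on the NW Admin Server =="
gen_nat_table "$VLC_REAL_IP" "$VLC_NAT_IP" "$VLC_PORTS"
echo "== rules missing from the sample dump =="
missing_dnat_rules "$VLC_REAL_IP" "$VLC_NAT_IP" "$VLC_PORTS" "$SAMPLE_DUMP" \
  || echo "(nat table incomplete)"
```

On a real host, run the check as `missing_dnat_rules <real_ip> <nat_ip> "<ports>" "$(iptables-save -t nat)"` after `service iptables start`; an empty result with exit status 0 confirms that every rule from the article made it into the running table, and anything printed is the exact line to add.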
Notes | Reference: Deployment Guide: Network Architecture and Ports https://community.rsa.com/docs/DOC-83050 |