mq__quest (Apprentice, Joined: 21 Aug 2017, Posts: 49)
Posted: Sat Dec 24, 2022 7:01 am | Post subject: MQIPT- firewall rules
Hello,
I thought one of the benefits of placing MQIPT in DMZ between the external clients and internal qmgrs is reducing the no. of firewall rules.
Although the no. of IPs reduces, each inbound and outbound connection will still need a separate port on the MQIPT host and a separate firewall rule is needed for each of these. So it doesn't really reduce the no. of firewall rules required, correct?
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Sat Dec 24, 2022 8:13 am | Post subject:
Not quite.
You will still need to open the firewall between MQIPT and all your outside connections, but you will only need to open the firewall between MQIPT and your MQ Server once (per port).
The biggest advantage is to have a proxy in the DMZ with no messages at rest in the DMZ.
_________________
MQ & Broker admin
bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.)
Posted: Sat Dec 24, 2022 8:13 am | Post subject: Re: MQIPT- firewall rules
mq__quest wrote:
> Hello,
> I thought one of the benefits of placing MQIPT in DMZ between the external clients and internal qmgrs is reducing the no. of firewall rules.

Hmmmm. Not sure why you thought that. MQIPT is just another node in your network, and not a firewall replacement. MQIPT in a DMZ allows for filtering messages before they enter your business network.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson (Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand)
Posted: Thu Dec 29, 2022 12:33 am | Post subject: Re: MQIPT- firewall rules
mq__quest wrote:
> I thought one of the benefits of placing MQIPT in DMZ between the external clients and internal qmgrs is reducing the no. of firewall rules.

If you make use of the HTTP tunnelling feature you may be able to utilise existing firewall rules for existing HTTP proxies and not need to add any new rules at all.
If you use the Channel concentrator feature then you will need fewer firewall rules.
This is a good overview page - although perhaps you have already seen it?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
mq__quest (Apprentice, Joined: 21 Aug 2017, Posts: 49)
Posted: Fri Dec 30, 2022 12:11 am | Post subject: Re: MQIPT- firewall rules
hughson wrote:
> If you make use of the HTTP tunnelling feature you may be able to utilise existing firewall rules for existing HTTP proxies and not need to add any new rules at all.
> Morag

Per the doc: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=thru-configuring-http-tunneling

QM1-->MQIPT1-->MQIPT2-->QM2

MQIPT1
    [route]
    ListenerPort=1415
    Destination=10.100.6.7
    DestinationPort=8080
    HTTP=true
    HTTPServer=10.100.6.7
    HTTPServerPort=8080

MQIPT2
    [route]
    ListenerPort=8080
    Destination=Server1.company2.com
    DestinationPort=1414

In this scenario, just 1 port (8080) is sufficient, but what if we have more than 1 sending qmgr? We need more than one port, right?
Or can we tunnel connections from all the sender qmgrs through the single HTTP tunnel using the port 8080?
bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.)
Posted: Fri Dec 30, 2022 8:22 am | Post subject: Re: MQIPT- firewall rules
mq__quest wrote:
> In this scenario, just 1 port (8080) is sufficient, but what if we have more than 1 sending qmgr? We need more than one port, right?

Not necessarily. A single MQIPT instance can act as a concentrator for multiple inbound connections.

mq__quest wrote:
> Or can we tunnel connections from all the sender qmgrs through the single HTTP tunnel using the port 8080?

See above. Your workload and aversion to SPOF (single point of failure) should be factors in your configuration.
Good MQIPT slide show: https://www.mqtechconference.com/sessions_v2015/MQTC_v2015_MQ_IPT.pdf
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mq__quest (Apprentice, Joined: 21 Aug 2017, Posts: 49)
Posted: Mon Jan 02, 2023 4:50 am | Post subject: Re: MQIPT- firewall rules
bruce2359 wrote:
> Not necessarily. A single MQIPT instance can act as a concentrator for multiple inbound connections.

Yes, a single instance can be used for multiple inbound connections. But, I'm talking about the no. of routes/listeners using the HTTP tunneling feature.
When there are multiple sender IPs and multiple receiver/destination IPs, can a single route/listener be used for directing the connections from these senders to their receivers?
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Mon Jan 02, 2023 7:15 am | Post subject: Re: MQIPT- firewall rules
mq__quest wrote:
> bruce2359 wrote:
> > Not necessarily. A single MQIPT instance can act as a concentrator for multiple inbound connections.
> Yes, a single instance can be used for multiple inbound connections. But, I'm talking about the no. of routes/listeners using the HTTP tunneling feature.
> When there are multiple sender IPs and multiple receiver/destination IPs, can a single route/listener be used for directing the connections from these senders to their receivers?

You are talking about an m to n connection model. The HTTP Proxy however, as I understand it, is an m to 1 model.
Hope this helps
_________________
MQ & Broker admin
bruce2359 (Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Jan 02, 2023 4:36 pm | Post subject:
Quoting from https://www.ibm.com/docs/en/ibm-mq/9.0?topic=ms81-how-mqipt-works

Quote:
> Multiple queue managers
> MQIPT can be used to allow access to more than one destination queue manager. For this to work, there must be a mechanism to tell MQIPT which queue manager to connect to, so MQIPT uses the incoming TCP/IP port number to determine which queue manager to connect to.
> You can therefore configure MQIPT to listen on multiple TCP/IP ports. Each listening port is mapped to a destination queue manager through an MQIPT route. You can define up to 100 such routes, which associate a listening TCP/IP port with the host name and port of the destination queue manager. This means that the host name (IP address) of the destination queue manager is never visible to the originating channel. Each route can handle multiple connections between its listening port and destination, each connection acting independently.

_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
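The question running through the thread is how many firewall rules a given set of MQIPT routes actually implies. The script below is an added illustration (not IBM's code, and not configuration anyone posted here): it parses [route] stanzas of the key=value form shown in the posts and derives the inbound rule set (one per distinct ListenerPort on the MQIPT host) and the outbound rule set (one per distinct next hop, which for HTTP=true is the HTTPServer rather than the Destination). It also flags two things the quoted IBM doc lets a reviewer check: more than 100 routes, and one listening port mapped to several next hops, which is ambiguous because MQIPT picks the destination by incoming port. The sample configurations are constructed after the QMA/QMB/QMC -> MQIPT1 -> MQIPT2 picture; Server2.company2.com is a made-up host name.

```python
"""Derive the firewall rules implied by a set of MQIPT routes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MAX_ROUTES = 100  # limit stated in the IBM doc quoted in the thread


@dataclass
class Route:
    listener_port: int
    destination: str
    destination_port: int
    http: bool = False
    http_server: str = ""
    http_server_port: int = 0

    def next_hop(self) -> Tuple[str, int]:
        """Host and port MQIPT actually opens a TCP connection to for this route."""
        if self.http and self.http_server:
            return (self.http_server, self.http_server_port)
        return (self.destination, self.destination_port)


def parse_routes(text: str) -> List[Route]:
    """Parse [route] stanzas; other stanzas are skipped, keys are case-insensitive."""
    routes: List[Route] = []
    current: Dict[str, str] = {}

    def flush() -> None:
        if current:
            routes.append(Route(
                listener_port=int(current["listenerport"]),
                destination=current["destination"],
                destination_port=int(current["destinationport"]),
                http=current.get("http", "false").lower() == "true",
                http_server=current.get("httpserver", ""),
                http_server_port=int(current.get("httpserverport", "0")),
            ))
            current.clear()

    in_route = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            in_route = line.lower() == "[route]"
        elif in_route and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    flush()
    return routes


def firewall_rules(routes: List[Route]) -> Tuple[List[int], List[Tuple[str, int]], List[str]]:
    """Return (inbound listener ports, outbound next hops, problems found).

    N routes that all lead to one next hop collapse to a single outbound rule:
    that is the concentrator effect the thread discusses.
    """
    inbound = sorted({r.listener_port for r in routes})
    outbound = sorted({r.next_hop() for r in routes})
    problems: List[str] = []
    if len(routes) > MAX_ROUTES:
        problems.append(f"{len(routes)} routes exceed the documented maximum of {MAX_ROUTES}")
    hops_by_port: Dict[int, Set[Tuple[str, int]]] = {}
    for r in routes:
        hops_by_port.setdefault(r.listener_port, set()).add(r.next_hop())
    for port, hops in sorted(hops_by_port.items()):
        if len(hops) > 1:
            # MQIPT selects the destination by incoming port, so this cannot work.
            problems.append(f"listener port {port} maps to several next hops: {sorted(hops)}")
    return inbound, outbound, problems


# Constructed sample: three sending qmgrs, one MQIPT1 listener each, all
# tunnelled over HTTP to the single MQIPT2 listener at 10.100.6.7:8080.
MQIPT1_CONF = "\n".join(
    f"[route]\nListenerPort={port}\nDestination=10.100.6.7\nDestinationPort=8080\n"
    "HTTP=true\nHTTPServer=10.100.6.7\nHTTPServerPort=8080\n"
    for port in (1415, 1416, 1417)
)

# Constructed misconfiguration: one listener port, two different destinations
# (Server2.company2.com is a made-up host name).
AMBIGUOUS_CONF = """
[route]
ListenerPort=8080
Destination=Server1.company2.com
DestinationPort=1414

[route]
ListenerPort=8080
Destination=Server2.company2.com
DestinationPort=1414
"""

if __name__ == "__main__":
    for name, conf in (("MQIPT1", MQIPT1_CONF), ("ambiguous", AMBIGUOUS_CONF)):
        inbound, outbound, problems = firewall_rules(parse_routes(conf))
        print(f"{name}: inbound ports {inbound}, outbound rules {outbound}")
        for p in problems:
            print(f"  problem: {p}")
```

Run against the first sample it reports three inbound ports on MQIPT1 but a single outbound rule to 10.100.6.7:8080, which is the "open the firewall between MQIPT and your MQ server once (per port)" point made earlier in the thread; the second sample is rejected because port 8080 would have to reach two destinations.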
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Wed Jan 04, 2023 12:12 pm | Post subject:
bruce2359 wrote:
> Quoting from https://www.ibm.com/docs/en/ibm-mq/9.0?topic=ms81-how-mqipt-works
> Quote:
> > Multiple queue managers
> > MQIPT can be used to allow access to more than one destination queue manager. For this to work, there must be a mechanism to tell MQIPT which queue manager to connect to, so MQIPT uses the incoming TCP/IP port number to determine which queue manager to connect to.
> > You can therefore configure MQIPT to listen on multiple TCP/IP ports. Each listening port is mapped to a destination queue manager through an MQIPT route. You can define up to 100 such routes, which associate a listening TCP/IP port with the host name and port of the destination queue manager. This means that the host name (IP address) of the destination queue manager is never visible to the originating channel. Each route can handle multiple connections between its listening port and destination, each connection acting independently.

Did you ever try using HTTP tunneling with more than 1 destination qmgr on the tunnel? MQIPT 9.3.0.2 doesn't care which port you put, it still uses 8080.
_________________
MQ & Broker admin
mq__quest (Apprentice, Joined: 21 Aug 2017, Posts: 49)
Posted: Thu Jan 05, 2023 4:38 am | Post subject:
fjb_saper wrote:
> Did you ever try using HTTP tunneling with more than 1 destination qmgr on the tunnel? MQIPT 9.3.0.2 doesn't care which port you put, it still uses 8080.

Hmm.
So you mean we just need to open 1 firewall rule and tunnel all the incoming/outgoing MQ traffic through the same port??
Like

QMA-->MQIPT1(on DMZ)--> || MQIPT2/8080(internal network)-->QM_GTWY
QMB-->MQIPT1(on DMZ)--> || MQIPT2/8080(internal network)-->QM_GTWY
QMC-->MQIPT1(on DMZ)--> || MQIPT2/8080(internal network)-->QM_GTWY
...
...

( || is firewall)
mq__quest (Apprentice, Joined: 21 Aug 2017, Posts: 49)
Posted: Wed Jan 11, 2023 10:21 am | Post subject: