I've done something similar to this, so I'll chime in. Perhaps you can find what I did helpful.
You'll definitely run into issues, but some may be workable if you spend the time. A while back we got an eval cluster which used its own NAT'ed network internally, with the master host being the only host able to route to our main network. What I did was set that master server up as a secondary policy host. I had a pretty normal setup where everything in /var/cfengine/masterfiles on my main policy server is pulled to all hosts' /var/cfengine/inputs, but what I needed was my new secondary policy server to receive the /var/cfengine/masterfiles from my main policy server, to its /var/cfengine/masterfiles. I first set up my soon-to-be secondary policy server as a cfengine client on my main network. Then I just set up a class called DISTHOSTS (for distribution hosts) for those machines to receive a fresh copy of this. That way the next time my remote master runs, it can also act like a policy server to its NAT'ed clients. Think of it as router hops. My policy files from my main policy server are pulled to the secondary policy server, and the NAT'ed clients pull their policies from my secondary master since it is on their network. Anyway, I did all that INSIDE a firewalled LAN. Since it sounds like you are wanting this over a WAN, I would be very careful. Personally, if I have to open ANY internal host to the outside world I see that as putting it in the DMZ. And I stick to the philosophy that nothing in the DMZ should talk to the internal network, although the internal network can talk to the DMZ systems (via a push mechanism, which cfengine isn't). I think cfengine is nice and very secure, but when it comes to the internal network, I don't trust anything. At the very least, you could probably do something like what I did using cfengine to initiate a VPN connection to push its policies to the secondary masters on the remote network. I haven't tried that, but it would probably work. Hope that helps.
~Adam

On Sun, 27 Nov 2005, Steve Brorens wrote:

> I'm looking at using cfengine to manage and monitor a number of
> 'appliance' type boxes on a range of sites, but I'm concerned that I may
> have problems with NAT and DNS issues.
>
> Anyone used cfengine where:
>
> - the managed systems are behind NAT-type firewalls
> - DNS may be 'odd' (they're Linux systems configured onto Windows
>   networks, and their DNS names might be something like
>   box.internal.acme.com or box.local or box.acme.local - conventions at
>   different customers will differ)
>
> Is this likely to cause problems?
>
> How best to avoid probs?
>
> - steve

_______________________________________________
Help-cfengine mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-cfengine
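As an added illustration of the two-hop setup Adam describes (not configuration from the thread or from the cfengine project), here is what the relevant pieces of a cfengine 2 cfagent.conf and cfservd.conf could look like. The hostnames main.example.com and remotemaster.example.com, the network 10.20.0.0/16 and the file paths other than /var/cfengine/masterfiles are assumptions. The DISTHOSTS class is the one Adam names; the secondary master is the only member, so only it pulls a full masterfiles tree, while every other client keeps pulling into inputs as usual. On the main policy server, cfservd's admit list is what limits which hosts may read masterfiles at all; tying that to the secondary's hostname and its already-exchanged key is the control that matters most if the link ever crosses an untrusted network.

```cfengine
# --- cfagent.conf (assumed layout; not from the thread) ---------------------
control:
   domain         = ( example.com )
   actionsequence = ( copy )

groups:
   # The secondary (remote) policy server is the only distribution host.
   DISTHOSTS = ( remotemaster )

copy:
   # Hop 1: main policy server -> secondary master.
   # Copy the whole masterfiles tree, not inputs, so the secondary can serve it on.
   DISTHOSTS::
      /var/cfengine/masterfiles  dest=/var/cfengine/masterfiles
                                 server=main.example.com
                                 recurse=inf
                                 type=checksum
                                 mode=644
                                 owner=root
                                 group=root
                                 purge=true
                                 encrypt=true

   # Hop 2: secondary master -> its NAT'ed clients (the normal pull into inputs).
   # Clients on the NAT'ed network resolve only remotemaster, so that is their server.
   !DISTHOSTS::
      /var/cfengine/masterfiles  dest=/var/cfengine/inputs
                                 server=remotemaster.example.com
                                 recurse=inf
                                 type=checksum
                                 mode=644
                                 encrypt=true

# --- cfservd.conf on main.example.com (assumed; not from the thread) ---------
control:
   domain               = ( example.com )
   # Only the address range the secondary master lives in may even connect.
   AllowConnectionsFrom = ( 10.20.0.0/16 )
   # Do not auto-accept unknown keys; exchange the secondary's key out of band first.
   TrustKeysFrom        = ( )

admit:
   # Grant read access to masterfiles to the secondary master and nothing else.
   /var/cfengine/masterfiles  remotemaster.example.com
```

The secondary master runs the same cfagent.conf but, being in DISTHOSTS, takes the first copy stanza; its own cfservd.conf would carry an equivalent AllowConnectionsFrom and admit list naming only the NAT'ed clients. With TrustKeysFrom empty, a host whose key has not been pre-seeded is refused, which is the check you want before extending this over a WAN.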
