There are some reasons why you would interconnect the SEs with your company network. In our environment, each SE has 2 LAN adapters. One going to private network, one going to company network.
1) If you use BCPII in System Automation, there has to be IP connectivity between the LPARs and the SEs.
2) If you are in a multi-CEC environment across separate data centers, and you want to define all CECs to all HMCs for redundancy, then you have to attach your SEs to your company network.
3) If you use an appliance to provide NTP time to your mainframes, the SEs need connectivity to the company network to reach that appliance.

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tony Thigpen
Sent: Tuesday, August 08, 2017 6:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z13s IOCP with FTP issue

We don't let *anybody* into the network between the HMC and the SE. Too many SEs have default passwords on some of the 'special' IDs that cannot be easily changed.

We bought a small two-NIC NAS box and placed it on both the SE network and the company network. IOCPs and ICCs go to it as an interim location. I.E., copy the IOCP to the NAS. Then, access the NAS via the company network.

You could just add another NIC card to your FTP server, but make sure that the server has all routing turned off.

Also, we set the default route on the SE to 0.0.0.0. An additional protection against anybody getting into that network segment.

Tony Thigpen

Eric Chevalier wrote on 08/08/2017 04:42 PM:
> On 8/3/17 10:13 AM, Tony Thigpen wrote:
>
>> 1) The ip address has to be available from SE laptop in the cpu. If
>> you have the connections between the HMC and the SE on an isolated
>> network, then the ftp box has to also be on that same isolated network.
>
> We have our HMC on an internal company network so it can be accessed
> from anywhere, even remotely via VPN. Is there any good technical
> reason why the SE can't also be on that network for better access to
> FTP servers in our organization? I realize that having the SE on a
> separate private network might be better security, but that caused
> some grief recently. We needed to import an IOCDS into our z13, but
> that file was in our headquarters office. Because port forwarding
> isn't enabled on the HMC, we couldn't get access to the FTP server hosting
> the IOCDS.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
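
The advice in the thread to make sure a server attached to both the SE network and the company network "has all routing turned off" can be checked mechanically. The following is an added example, not part of the original thread: it assumes the dual-homed staging host runs Linux and that `eth1` is its SE-side interface (both assumptions), and it audits constructed `sysctl` and `ip route` output for forwarding switches and gateway routes on the isolated side.

```python
import re

# Forwarding switches only; look-alikes such as ip_forward_use_pmtu and
# mc_forwarding do not match.
FORWARDING_KEY = re.compile(
    r"^(net\.ipv[46]\.(?:ip_forward|conf\.[^.\s]+\.forwarding))\s*=\s*(\d+)$")

def forwarding_findings(sysctl_text):
    """Return the sysctl keys that leave packet forwarding switched on."""
    hits = []
    for line in sysctl_text.splitlines():
        m = FORWARDING_KEY.match(line.strip())
        if m and int(m.group(2)) != 0:
            hits.append(m.group(1))
    return hits

def gateway_routes(route_text, isolated_if):
    """Return destinations reached through a gateway on the isolated interface.
    Only the directly connected subnet should be reachable on that side."""
    bad = []
    for line in route_text.splitlines():
        f = line.split()
        if "dev" in f[:-1] and f[f.index("dev") + 1] == isolated_if and "via" in f:
            bad.append(f[0])
    return bad

def audit(sysctl_text, route_text, isolated_if):
    """Run both checks; an empty list means the check passed."""
    return {"forwarding_enabled": forwarding_findings(sysctl_text),
            "gateway_routes_on_isolated_if": gateway_routes(route_text, isolated_if)}

# Constructed sample input (not from the thread); eth1 is the assumed SE-side NIC.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv6.conf.all.forwarding = 0
"""
SAMPLE_ROUTES = """\
default via 10.20.0.1 dev eth0 proto static
10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.15
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.10
172.16.9.0/24 via 192.168.50.1 dev eth1
"""

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_SYSCTL, SAMPLE_ROUTES, "eth1").items():
        print(check, "->", hits or "ok")
```

On a real host the two inputs would come from `sysctl -a` and `ip -4 route show`.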