KarlBridge Authentication Server
Web Server Address Changes

These changes were completed on May 14, 2004.

Summary

The web servers that provide authentication and network access for users behind Karl Bridge firewalls will have their primary IP addresses changed in Spring 2004. All bridges need to be configured with additional filter bypasses for the new addresses on TCP port 443.

Why

The IP addresses used by the two web servers (clc.its.psu.edu at 146.186.157.80 and clc1.its.psu.edu at 146.186.157.68) will be changed because (1) the old addresses are both on the same subnet, providing no backup in case of network problems and (2) we are migrating away from that subnet to put most of our servers on GigE switches on two new subnets.

What

The Karl Bridges are configured to allow packets through to the authentication web servers (SSL, port 443) prior to authentication. (After successful authentication, a full "filter bypass" is set, allowing packets to and from all other addresses.) Migration to a new web server address requires allowing traffic to both new and old addresses; otherwise, the configurations for all 60+ bridges would have to be changed simultaneously, along with the DNS and web server changes. The "new" addresses will not be used for any other service prior to the change, and the "old" addresses will be backup addresses for these web servers.

In summary, on May 14, 2004, these addresses will be registered as follows:

In the event of a network outage, users won't know to go to "clcb.its.psu.edu", and if they did, they'd get an error message about the certificate name. However, if the outage were long, we would change the DNS registrations to use the backup address, and users would not see any problem.

How

Just add 128.118.155.80 TCP 443 and 128.118.155.180 TCP 443 (allow, both directions) to your filters (sorry, I don't remember exactly how to get there, and don't have a functioning KB any more).

When

The schedule is proposed as follows:

  1. June, 2003: allocate new addresses (128.118.155.80 and 128.118.155.180)
  2. August, 2003: write to all KB owners, who may begin changing filters right away
  3. September, 2003: have new addresses assigned to web servers as backup addresses
    • Did this for clc1
    • Did this for clc on March 30, 2004 -- 128.118.155.80 is now the backup for clc.its.psu.edu
  4. December 30, 2003: all Karl Bridges allow access to new addresses as well as old (port 443)
  5. January 12, 2004: switch DNS for clc1.its.psu.edu (backup web server) to new address; verify all bridges work
    • Did this March 30, 2004.
  6. May 14, 2004 (early am): switch DNS for clc.its.psu.edu to new address; everyone lives happily thereafter.

Discussion

There is no risk in opening access to IP addresses/ports that aren't in use or are in use by the same services as other addresses already allowed through the filter. 

We expect to retain the old addresses as backup network connections for both servers, as long as feasible.  Although the web servers cannot be configured to use the same certificate on two different addresses, the certificate assignment can be changed in the event of an extended outage of a primary address.  Therefore, the port 443 filter should be set for all 4 addresses indefinitely.
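The check below is an added example, not part of the original page and not KarlBridge's own tooling: it audits each bridge's pre-authentication filter list for TCP 443 allow rules, in both directions, covering all four addresses, and lists any other allow rules for review. The one-rule-per-line text format and the bridge names are assumptions made for illustration; the KarlBridge configuration format is not shown on this page.

```python
import ipaddress

# The four authentication-server addresses named on this page (old and new).
REQUIRED = {"146.186.157.80", "146.186.157.68", "128.118.155.80", "128.118.155.180"}
AUTH_PORT = 443

def parse_rules(text):
    """Parse lines of the assumed form '<allow|deny> <proto> <ip> <port> <in|out|both>'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, proto, addr, port, direction = line.lower().split()
        rules.append((action, proto, str(ipaddress.ip_address(addr)), int(port), direction))
    return rules

def audit_bridge(text):
    """Return (missing, other) for one bridge's pre-authentication filter list."""
    covered = {}   # address -> directions allowed on TCP 443
    other = []     # allow rules outside the four address/port pairs, for review
    for action, proto, addr, port, direction in parse_rules(text):
        if action != "allow":
            continue
        if proto == "tcp" and port == AUTH_PORT and addr in REQUIRED:
            dirs = {"in", "out"} if direction == "both" else {direction}
            covered.setdefault(addr, set()).update(dirs)
        else:
            other.append((proto, addr, port, direction))
    missing = sorted(a for a in REQUIRED if covered.get(a, set()) != {"in", "out"})
    return missing, other

# Constructed sample exports for two hypothetical bridges.
SAMPLE = {
    "bridge-a": """
        allow tcp 146.186.157.80 443 both
        allow tcp 146.186.157.68 443 both
        allow tcp 128.118.155.80 443 both
        allow tcp 128.118.155.180 443 both
    """,
    "bridge-b": """
        allow tcp 146.186.157.80 443 both
        allow tcp 146.186.157.68 443 both
        allow tcp 128.118.155.80 443 out   # return direction not allowed
        allow tcp 128.118.155.80 80 both   # not one of the required rules
    """,
}

if __name__ == "__main__":
    for name, text in SAMPLE.items():
        print(name, audit_bridge(text))
```

A bridge passes when `missing` is empty; entries in `other` are not necessarily wrong, but each one is traffic permitted before authentication and should be accounted for.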

 

 


© 2006, The Pennsylvania State University. All rights reserved.
This site maintained by the Classroom and Lab Computing group of Information Technology Services.

This page was last modified: 5/14/2004 3:07:16 PM.