Many configurations require cluster members to pass through a firewall in order to communicate with the primary Screen. In these configurations, any firewall being traversed must contain packet filtering rules that allow certain traffic from the primary Screen to pass through its interfaces to the secondary Screen or Screens. These rules must include the following services:
Although SKIP and IPsec are different protocols and cannot interoperate (SKIP can communicate with any release of SKIP, but not with IPsec), you can have SKIP rules and IPsec rules on both machines as long as there is no host overlap. That is, you may set up the secondary Screen to use SKIP to encrypt all traffic between A and B and IPsec to encrypt all traffic between A and C. For this type of setup, the CMG primary Screen should have as its ADMIN_CERTIFICATE a certificate group containing one SKIP and one IKE certificate. Each secondary Screen will have as its ADMIN_CERTIFICATE either a SKIP or an IKE certificate and the appropriate encryption parameters.
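The "no host overlap" condition can be checked before a mixed SKIP/IPsec policy is activated. The following is an added example, not part of the SunScreen documentation or tooling: the rule tuples, names, and addresses are constructed, and it assumes that overlap means the same pair of endpoints is covered by both protocols (consistent with the A-B / A-C case above, where A appears in both rules) and that encryption rules apply in both directions.

```python
import ipaddress
from itertools import combinations

# Constructed sample rules (hypothetical format, not SunScreen syntax):
# (rule name, protocol, endpoint A, endpoint B)
RULES = [
    ("r1", "SKIP",  "192.0.2.10/32", "198.51.100.0/24"),    # A <-> B
    ("r2", "IPSEC", "192.0.2.10/32", "203.0.113.0/24"),     # A <-> C
    ("r3", "IPSEC", "192.0.2.0/24",  "198.51.100.128/25"),  # collides with r1
]


def _endpoints(rule):
    """Parse both endpoints of a rule into ipaddress network objects."""
    return ipaddress.ip_network(rule[2]), ipaddress.ip_network(rule[3])


def _pairs_overlap(rule_x, rule_y):
    """True if some host pair is matched by both rules, in either direction."""
    ax, bx = _endpoints(rule_x)
    ay, by = _endpoints(rule_y)
    straight = ax.overlaps(ay) and bx.overlaps(by)
    crossed = ax.overlaps(by) and bx.overlaps(ay)
    return straight or crossed


def find_conflicts(rules):
    """Return (name, name) for each SKIP/IPsec rule pair sharing a host pair."""
    conflicts = []
    for rule_x, rule_y in combinations(rules, 2):
        different_protocol = rule_x[1] != rule_y[1]
        if different_protocol and _pairs_overlap(rule_x, rule_y):
            conflicts.append((rule_x[0], rule_y[0]))
    return conflicts


if __name__ == "__main__":
    for first, second in find_conflicts(RULES):
        print(f"host overlap between {first} and {second}")
```

Rules r1 and r2 share host A but not a host pair, so they coexist; r3 is flagged because its ranges include pairs that r1 already encrypts with SKIP.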