This short note is about a little problem. Users on one network own and administer VMs via Oracle VM Manager, but the Oracle VM Manager server is on a different network, as are the (in this case) SPARC servers hosting their VMs. The users cannot even ping the server running Oracle VM Manager or the SPARC hosts; that isolation is deliberate, for security. How can they log into Oracle VM Manager and access their guest VM consoles?
First I asked: is there any server that is on both the users' network and the datacenter network hosting Oracle VM Manager? If not, then game over. Yes, there was. Okay, we can do this.
My first thought was SSH port forwarding, as described in MOS note "Private network access using SSH console hopping, port forwarding and SOCKS proxies (Doc ID 2100732.1)". With that method, the end user on the client network runs ssh (or PuTTY or its equivalent on Windows) to a bastion host and securely tunnels into the target network.
The user would do something like "ssh -L2002:targethost:7002 myuserid@bastionhost", where targethost is the server running Oracle VM Manager and bastionhost is (you guessed it) the host on both the client and datacenter networks. Then open a browser window to https://localhost:2002/ovm/console and you're done. Note that the browser is pointed at the local port (here, 2002), which the tunnel forwards to port 7002 on the target system.
That worked (for some value of "worked"), but they wanted something less cumbersome, and I wanted a solution that didn't require a user ID on the bastion host or any end-user command line. Can we install software on the bastion host? Sure. Okay, let's use tinyproxy.
Very simple, then: I installed tinyproxy ("yum install tinyproxy") on the bastion host, and then edited /etc/tinyproxy/tinyproxy.conf to include an "Allow" line for the client access network and a "ConnectPort 7002" line for the port used to log into Oracle VM Manager. Simple.
Now all the user has to do is point their browser (in Firefox: about:preferences -> Advanced -> Network Settings -> proxy) at the bastion host on port 8888 (the port could be different) and then connect to Oracle VM Manager as usual. Virtual machine (domain) consoles on both x86 and SPARC work fine.
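The two directives above are the whole access policy on the bastion: "Allow" decides which client addresses may use the proxy at all, and "ConnectPort" decides which destination ports a browser may open a CONNECT tunnel to. The following is an added illustration, not tinyproxy's own code or configuration from the original post: it parses a constructed tinyproxy.conf fragment (the 10.20.0.0/16 client subnet, the hostnames and the extra ConnectPort lines are assumptions) and shows how a CONNECT request from a given client address would be answered under that policy.

```python
"""Toy model of the tinyproxy.conf directives the note relies on.

Added example, not tinyproxy's code: it parses Port/Allow/Deny/ConnectPort
lines and evaluates CONNECT requests against them. The simplification is
deliberate: tinyproxy evaluates its access controls in order, while this
model simply checks Deny first, then Allow.
"""
import ipaddress

# Constructed config fragment; the subnet and port list are assumptions.
SAMPLE_CONF = """
Port 8888
# client access network (assumed: the users sit in 10.20.0.0/16)
Allow 10.20.0.0/16
# tinyproxy's stock file lists 443 and 563; 7002 is added for OVM Manager
ConnectPort 443
ConnectPort 563
ConnectPort 7002
"""


def parse_conf(text):
    """Collect the directives this model understands into a policy dict."""
    policy = {"port": 8888, "allow": [], "deny": [], "connect_ports": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "Port":
            policy["port"] = int(value)
        elif key == "Allow":
            policy["allow"].append(ipaddress.ip_network(value, strict=False))
        elif key == "Deny":
            policy["deny"].append(ipaddress.ip_network(value, strict=False))
        elif key == "ConnectPort":
            policy["connect_ports"].append(int(value))
    return policy


def client_allowed(policy, client_ip):
    """Allow/Deny check: with no Allow lines at all, tinyproxy admits everyone."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in policy["deny"]):
        return False
    if not policy["allow"]:
        return True
    return any(addr in net for net in policy["allow"])


def connect_port_allowed(policy, port):
    """With no ConnectPort lines, tinyproxy lets CONNECT reach any port."""
    return not policy["connect_ports"] or port in policy["connect_ports"]


def parse_connect_request(request_line):
    """Return (host, port) for 'CONNECT host:port HTTP/1.1', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def decide(policy, client_ip, request_line):
    """HTTP status the modelled policy gives a CONNECT request."""
    if not client_allowed(policy, client_ip):
        return 403                       # client outside the Allow list
    target = parse_connect_request(request_line)
    if target is None:
        return 400                       # not a well-formed CONNECT
    _host, port = target
    if not connect_port_allowed(policy, port):
        return 403                       # destination port not opened
    return 200                           # tunnel would be established


if __name__ == "__main__":
    policy = parse_conf(SAMPLE_CONF)
    cases = [
        ("10.20.3.7", "CONNECT ovmm.example.internal:7002 HTTP/1.1"),
        ("10.20.3.7", "CONNECT sparchost.example.internal:22 HTTP/1.1"),
        ("192.0.2.9", "CONNECT ovmm.example.internal:7002 HTTP/1.1"),
    ]
    for ip, req in cases:
        print(f"{ip:>12}  {req}  ->  {decide(policy, ip, req)}")
```

The second and third cases are the ones worth checking on a real bastion: a user inside the Allow range still cannot tunnel to a port that has no ConnectPort line, and a client outside the Allow range is refused before any port is considered. Keeping the ConnectPort list short is what stops the proxy from becoming a general-purpose path into the datacenter network.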
This simple (I should say "tiny") trick shows how you can keep an isolated, secure datacenter network and still provide a secure way to reach Oracle VM Manager and the resources it controls from a separate network.