Which Side of the Tunnel Should Be the Tunnel Client and Which the Tunnel Server in CA UIM?

Document ID : KB000034668
Last Modified Date : 24/08/2018
Introduction:

Deciding which side acts as the tunnel server and which as the tunnel client is an important step when implementing tunnels between UIM hubs, because the choice affects both manageability and performance.

Instructions:
Question: 
Which side of the tunnel should be the tunnel client/tunnel server?

Answer:
Scalability concerns 

This is somewhat counter-intuitive. The tunnel server uses a fair amount of computing power. So, in a scenario where you have a central hub and several remote hubs attaching to the central hub it is better for the remote hubs to be the tunnel servers. This means that each incremental remote hub only adds a tiny amount of overhead to the central hub.

Security concerns

This consideration is all about which side initiates the connection (regardless of the direction of information flow once connected). The more trusted side should be configured as the client. The best example of this would be a hub in the core of a business connecting with a hub in the DMZ. The firewall between the core and the DMZ would generally be configured to block ALL connection requests from the DMZ into the core. (After all, that's the whole point of a DMZ.) The firewall is told to allow a one-way conversation between the two hubs, initiated by the core into the DMZ. (The core is more trustworthy than the DMZ.) In this case, the core hub is configured as the tunnel client, which initiates the connection to the hub in the DMZ (which is configured as the tunnel server).