Initial configuration of over firewall system

After you have installed the necessary components, you are ready to configure your over firewall system.

Overview

To perform initial configuration of your over firewall system, you must perform the following:

  1. Configure the system according to TCP or TCP over proxy.

    See Set up your deployment (TCP or TCP over proxy).

  2. Modify the firewall settings to enable communication between the machines on either side of the firewall.

    See Configure firewall to allow agent access.

  3. Configure the MI Listener.

    See Configure the MI Listener.

Set up your deployment (TCP or TCP over proxy)

To run Vusers or monitor servers over the firewall, configure your system according to one of the following configurations. Note that these configurations contain a firewall on each LAN. There may also be configurations where there is a firewall for the Over Firewall LAN only.

  • TCP configuration

    The TCP configuration requires every LoadRunner Agent machine behind the customer's firewall to be allowed to open a port in the firewall for outgoing communication.

    [Figure: TCP configuration]

  • TCP over proxy configuration

    In the TCP over proxy configuration, only one machine (the proxy server) is allowed to open a port in the firewall. Therefore it is necessary to tunnel all outgoing communications through the proxy server. The proxy server must support HTTP tunneling using the CONNECT method.

    [Figure: TCP over proxy configuration]


Configure firewall to allow agent access

Modify your firewall settings to enable communication between the machines inside the firewall and the machines outside the firewall.

Configuration Details

TCP

The LoadRunner Agent attempts to establish a connection with the MI Listener using port 443, at intervals specified in the Connection Timeout field in the Agent Configuration dialog box.

To enable this connection, allow an outgoing connection on the firewall for port 443. The agent initiates the connection and the MI Listener communicates with the Load Generator through the connection.

TCP over proxy

The LoadRunner Agent attempts to establish a connection with the MI Listener, using the proxy port specified in the Proxy Port field, and at intervals specified in the Connection Timeout field in the Agent Configuration dialog box.

When the connection to the proxy server is established, the proxy server connects to the MI Listener.

To enable this connection, allow an outgoing connection on the firewall for port 443. The proxy server can then connect to the MI Listener, and the MI Listener can connect back to the agent through the proxy server. From this point on, the agent listens to commands from the MI Listener.
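The TCP over proxy path only works if the proxy accepts a CONNECT request for the MI Listener on port 443. The following check is an added example, not part of the product documentation; the host names and proxy port are placeholders, and `Test-ProxyConnect` is a hypothetical helper name.

```powershell
# Added example: sends one CONNECT request through the proxy and reports the proxy's answer.
function Test-ProxyConnect {
    param(
        [Parameter(Mandatory)] [string] $ProxyHost,
        [Parameter(Mandatory)] [int]    $ProxyPort,
        [Parameter(Mandatory)] [string] $ListenerHost,
        [int] $ListenerPort = 443,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bound the TCP connect so silently dropped packets do not hang the check.
        if (-not $client.ConnectAsync($ProxyHost, $ProxyPort).Wait($TimeoutMs)) {
            return [pscustomobject]@{ Tunnel = $false; Status = 'proxy unreachable (timeout)' }
        }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $target  = "${ListenerHost}:$ListenerPort"
        $request = "CONNECT $target HTTP/1.1`r`nHost: $target`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        # Only the status line matters: 2xx means the tunnel is open,
        # 407 means the proxy wants authentication, 403 means CONNECT to this target is denied.
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $statusLine = $reader.ReadLine()
        [pscustomobject]@{
            Tunnel = [bool]($statusLine -match '^HTTP/1\.[01] 2\d\d')
            Status = $statusLine
        }
    }
    catch {
        # Refused connection, reset, or read timeout.
        [pscustomobject]@{ Tunnel = $false; Status = $_.Exception.Message }
    }
    finally {
        $client.Close()
    }
}

# Placeholder names: replace with the real proxy and MI Listener hosts.
Test-ProxyConnect -ProxyHost 'proxy.example.internal' -ProxyPort 8080 `
                  -ListenerHost 'milistener.example.internal'
```

Run it from an agent machine behind the firewall; a result with `Tunnel = False` shows whether the block is at the firewall (timeout) or at the proxy (403 or 407 status).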

Local System account

If you intend to start the OpenText Performance Engineering Agent Service from the Local System account, you need to grant it permissions. If you do not provide permissions, the monitor graph does not display any data.

To grant it permissions, add a local user on the AUT machine with the same name and password as the local user on the Agent machine. Add the AUT local user to the Performance Monitor Users group and restart the Agent process.


Configure the MI Listener

To enable running Vusers or monitoring over a firewall, you need to install the MI Listener on one or more machines in the same LAN as the Controller outside the firewall. For installation instructions, see Install standalone and additional components.

To configure the MI Listener:

  1. Prerequisites and security recommendations.

    • You must configure the MI Listener to work with TLS/SSL. For details, see Configure components to work with TLS/SSL.

    • We recommend replacing the OpenText Performance Engineering Agent Service local system user with a different user account that has lower access levels. For example, you can use the built-in LRE_SERVICE user or create a new OpenText Performance Engineering user in the Administrators group.

    • Since the PEM file stored on the MI Listener is not encrypted, we recommend limiting the file permissions of the folder in which the file is located to the same user running the OpenText Performance Engineering Agent Service from above. To do this:

      1. Go to the <Installdir>\dat directory.

      2. Right-click the cert folder and select Properties. In the Security tab, add an OpenText Performance Engineering user with full control permissions.

      3. Remove the extra users such as SYSTEM, Administrator, and all groups such as Authenticated Users, Administrators, and Users (only the OpenText Performance Engineering user should be displayed).

  2. On the MI Listener server, open port 443 for the incoming traffic.

  3. Select Start > Administrative Tools > Services, and stop OpenText Performance Engineering Agent Service.

  4. Select Start > All Programs > OpenText > OpenText Performance Engineering > Advanced Settings > MI Listener Configuration, or run

    <LoadRunner root folder>\launch_service\bin\MILsnConfig.exe
  5. Set each option as described in the table.

    • Option: Check Client Certificates

      Description: Select True to request that the client send a TLS/SSL certificate when connecting, and to authenticate the certificate.

      Default value: False

    • Option: Private Key Password

      Description: The password that may be required during the TLS/SSL certificate authentication process.

      Default value: none

    Click OK to save your changes or Use Defaults to use the default values.

  6. Select Start > Administrative Tools > Services. To restart the OpenText Performance Engineering Agent Service, select Start > All Programs > OpenText > OpenText Performance Engineering > Advanced Settings > Agent Service.

  7. Make sure that no Web Servers are running on the MI Listener or Monitor over Firewall machine. These servers use port 443 and do not allow the access required by the listening and monitoring processes.
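The folder permission change in step 1, the port opening in step 2 and the port 443 check in step 7 can also be scripted and verified. This is an added example, not part of the product documentation; it assumes Windows Defender Firewall is the host firewall, and the install path, account name and rule name are placeholders.

```powershell
# Added example. Placeholders (assumptions, not values from the product documentation):
$installDir = 'C:\Path\To\Installdir'            # the <Installdir> of the MI Listener
$account    = "$env:COMPUTERNAME\lr_agent_svc"   # hypothetical account running the Agent Service
$certDir    = Join-Path $installDir 'dat\cert'

# Step 1: leave only the service account on the cert folder that holds the unencrypted PEM file.
$acl = Get-Acl -LiteralPath $certDir
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting and discard inherited entries
foreach ($ace in @($acl.Access)) {               # drop explicit entries (SYSTEM, Users, ...)
    [void]$acl.RemoveAccessRule($ace)
}
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $certDir -AclObject $acl

# Verify step 1: any identity other than the service account is a finding.
$extra = (Get-Acl -LiteralPath $certDir).Access |
    Where-Object { $_.IdentityReference.Value -ne $account }
if ($extra) {
    Write-Warning "Unexpected entries on ${certDir}: $($extra.IdentityReference -join ', ')"
} else {
    Write-Output "Only $account has access to $certDir"
}

# Step 2: allow inbound TCP 443 on the MI Listener host.
New-NetFirewallRule -DisplayName 'MI Listener inbound 443 (example)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Step 7: with the Agent Service stopped, nothing should already be listening on 443.
# Any row printed here is a process (for example a web server) that will conflict.
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess
        [pscustomobject]@{
            Address   = $_.LocalAddress
            ProcessId = $proc.Id
            Process   = $proc.ProcessName
        }
    }
```

Run it in an elevated session while the Agent Service is stopped (step 3). Files inside the cert folder that carry their own explicit entries are not changed by the folder-level edit and should be reviewed separately.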
