Connection Request initiation from: UI and NBI

I would like to confirm the behavior we are seeing on our GenieACS installation.

We are running the DB, UI, FS, CWMP, and NBI on separate servers, each on their own subnet, behind firewalls. All is working 100%.

When doing a Connection Request to the CPE from the UI or NBI, the outgoing connection request is generated by the respective server, and not by the CWMP server.

Is this correct? And is there any way to get the CWMP server to initiate this request?

The security team would prefer this due to the security zoning of the individual applications.

What is the purpose of running each service on their own server in their own subnet? Isolation?

For what your security team wants to happen, it would mean that the CWMP would need to allow inbound connections from every service in order for the cwmp process to initiate the connection request.

Put all the services on the same server, on the same IP, set up the appropriate port forwards and firewall everything out. It feels like your security team is taking isolation to the extreme, at the expense of usability/workability.

1. Our internal security policies require this separation, where possible.

2. We currently have 10000 devices (small) and need to scale this up to around 100K in the next 6 months and migrate around 500K within the next 3 years.

The idea is to horizontally scale out with multiple CWMP, FS and NBI servers, and a MongoDB cluster, all spanning 2 data centers.

The UI is not so important, as we have an existing Operation Orchestration System that we will be integrating to.

From my testing it seems like:

- CWMP, FS, NBI, and UI only require connectivity to the DB to start.
- Devices need connectivity to CWMP.
- UI and NBI need connectivity to devices for Connection Request to work.

It would be nice if there was some communication matrix documented for the different services.

@JohanM2 The bottleneck is mostly cwmp (and MongoDB).
However, clustering (w/o sharding) will not improve MongoDB performance…
I’m also currently looking at performance tweaking. All depends on the complexity of the provisions and the periodic informs… (and devices of course)

IMHO I would also prefer that only cwmp “talks” to the CPEs, but that is up to @zaidka :wink:

I remember our discussion :slight_smile: IIRC it boils down to the fact that there can be STUN or XMPP-based connection requests and those don’t originate from Genie anyway, so why single out HTTP based connection requests to have to originate from genieacs-cwmp…

@JohanM2 I recently implemented support for configuring connection requests to be sent out through an HTTP proxy. This was implemented in a private fork but it might be a good idea to include it upstream. Perhaps it can help you with your issue? Keep in mind that you’ll need to install an HTTP proxy on your cwmp servers so that’s some added complexity to your setup.