ZoneRanger
User's Guide
Tavve Software Company
www.tavve.com

Summary of Contents for Tavve ZoneRanger

  • Page 1 ZoneRanger User’s Guide Tavve Software Company www.tavve.com...
  • Page 2 CiscoWorks is a registered trademark of Cisco Systems, Inc. CiscoSecure ACS is a registered trademark of Cisco Systems, Inc. ZoneRanger is a trademark of Tavve Software Company. HP NNM is a registered trademark of Hewlett-Packard Company. Tivoli NetView is a registered trademark of Tivoli Systems, an IBM company.
  • Page 3 ZoneRanger 5.5 User's Guide...
  • Page 4: Preface

    Technical assistance is available when you purchase a support contract. Support covers the ZoneRanger device, the Ranger Gateway software, and the technical documentation. Please have the ZoneRanger serial number located on the back of the device ready before calling Tavve technical support.
  • Page 5 Part I, ZoneRanger and Ranger Gateway Overview, describes the architecture of the ZoneRanger and Ranger Gateway within a network environment. This section provides the reader with a framework for how the ZoneRanger and Ranger Gateway are deployed and operate within the enterprise.
  • Page 6: Table Of Contents

    Table of Contents
    Preface ... 4
    Part I. ZoneRanger and Ranger Gateway Overview ... 8
    Chapter 1: ZoneRanger and Ranger Gateway Architecture ... 8
    Part II. ZoneRanger Concepts ... 13
    Chapter 2: Address Patterns ... 15
    Chapter 3: Address Transforms ... 16
    Chapter 4: Audit ... 18
    Chapter 5: Backups/Profiles ... 20
    Chapter 6: Destination Groups ... 22
    Chapter 7: Device Groups ... 23 ...
  • Page 7
    E. SSL Communications between ZoneRanger and Ranger Gateway ... 370
    F. Accessing ZoneRanger Through the Ranger Gateway ... 372
    G. ZoneRanger Technician Access ... 374
    H. Installation ... 375
    I. Installing Ranger Gateway in Solaris 10 Zones ... 377
    J. RGVI Client Installation and Configuration ... 378
  • Page 8: Part I. ZoneRanger and Ranger Gateway Overview

    Ranger Gateway and ZoneRanger are being used. As a result, ZoneRanger and Ranger Gateway can be used with a wide variety of management applications.
  • Page 9 Windows XP, Server 2000, Server 2003, 2008 Server, 2008 Server R2. ZoneRanger Services: The primary function of the ZoneRanger is to act as an application-layer proxy firewall for the protocols most typically used by management applications. ZoneRanger provides proxy services covering a variety of protocol scenarios:
  • Page 10: User Interfaces

    ZoneRanger’s proxy services are transparent, in that management applications are not specifically aware that the Ranger Gateway and ZoneRanger are being used, and do not need to be configured in a special way in order to incorporate the use of the proxy. This approach simplifies management application configuration, and enables ZoneRanger and Ranger Gateway to be used with a wide variety of management applications.
  • Page 11 A text-based command-line interface that can be accessed directly via Telnet on TCP port 23, or SSH on TCP port 22, or via proxy through a joined Ranger Gateway. When accessing the ZoneRanger through either the web interface or text interface, you will need to authenticate with a login ID and password.
  • Page 12 Figure 1-3. Ranger Gateway Command example. Reference documentation for the Ranger Gateway command interface is provided in Chapter 36.
  • Page 13: Part II. ZoneRanger Concepts

    Gateway Virtual Interface (GVI) and Remote Gateway Virtual Interface (RGVI) – Mechanisms whereby the Ranger Gateway intercepts requests generated by management applications that are destined for managed devices, so that these requests can be relayed through a ZoneRanger to the target devices.
  • Page 14 • Whitelist – ZoneRanger mechanism to define a specific list of devices; the ZoneRanger will receive data from, or send data to, only those devices. Each of these concepts and mechanisms is described in further detail in the following chapters.
  • Page 15: Chapter 2: Address Patterns

    IP addresses or hostnames. Address patterns are commonly used in Ranger Gateway and ZoneRanger commands and configuration tables, in order to provide a concise mechanism for specifying a set of related addresses.
  • Page 16: Chapter 3: Address Transforms

    Address transforms, in this case, are used to convert the device address as specified by the management application into the real address that the ZoneRanger will use to communicate with the managed device. For example, the following address transform indicates that the first three parts of the resulting address should be 192.168.1 , and the wild card character in the last part of the transform indicates that that...
  • Page 17 Wildcard and non-wildcard characters cannot be combined within a part of an address transform. For example, the following address transform is invalid: dmz*.company.com. Examples showing how address transforms can be used when dealing with NAT scenarios, or when managing network zones with overlapping address spaces, are provided in Chapter 16.
  • Page 18: Chapter 4: Audit

    • The ZoneRanger web interface can be used to view the results of the most recent audit for that ZoneRanger (on the Information section of the ZoneRanger dashboard, and on the View >...
  • Page 19 In addition to the primary audit process, as described above, the ZoneRanger appliance also includes a secondary audit, which runs every thirty minutes. The goal of the secondary audit is to verify that the primary audit is doing its job. If the secondary audit determines that the primary audit is no longer functioning properly, the ZoneRanger appliance will be automatically rebooted.
  • Page 20: Chapter 5: Backups/Profiles

    Backups and profiles are similar in that in each case, a set of configuration information for a ZoneRanger is gathered and saved in a file that can be restored to the same ZoneRanger, or applied to a different ZoneRanger. The primary difference between backups and profiles is that backups contain the content of the ZoneRanger’s database of discovered devices, as well as any polling/management...
  • Page 21 It should be noted that there is a small amount of ZoneRanger configuration information that is currently not included in a backup and must always be configured manually: • IP interface configuration (i.e. which interfaces are enabled, and their associated IP addresses and network masks).
  • Page 22: Chapter 6: Destination Groups

    Ranger Gateways and final destinations together. This allows for the creation and management of fewer Forwarding Rules. For example, suppose a ZoneRanger were joined to three Ranger Gateways (RG1, RG2, RG3) that were used to forward syslog messages to three management applications (app1, app2, app3). If there were also five...
  • Page 23: Chapter 7: Device Groups

    Figure 7-1. Device Group configuration The managed network in the figure contains two routers (10.1.1.1, and 10.2.1.50), three servers (10.1.1.22, 10.1.1.40, and 10.2.1.18), and one ZoneRanger (10.1.1.100). In order to facilitate different configuration settings for different device types, we could define two device groups: •...
  • Page 24 As a convenience, the ZoneRanger device group also includes any IP addresses that map to a joined ZoneRanger based on the Proxy Map configuration.
  • Page 25: Chapter 8: GVI/RGVI

    Chapter 8: GVI/RGVI In order for the ZoneRanger to proxy management traffic to managed devices, the management traffic generated by a management application must first be routed to the Ranger Gateway. This can be accomplished in a variety of ways: 1.
  • Page 26 Proxy Map service in the Ranger Gateway in order to identify a ZoneRanger that is able to relay the traffic to the target device, and to translate the target address, if necessary, and then forwards the traffic to the selected ZoneRanger (4)(5), which in turn forwards the traffic to the target DMZ device (6).
  • Page 27 If the GVI service is enabled, and a request to join to a given ZoneRanger is received by the Ranger Gateway, the GVI route manager will automatically create a host route for that IP address, where necessary to ensure that traffic destined for the ZoneRanger will bypass the virtual interface.
  • Page 28 • The RGVI client can be installed on some operating systems for which the Ranger Gateway software is not currently supported. The internal architecture and operation of the RGVI mechanism is illustrated in the following figure.
  • Page 29 RGVI service forwards the traffic to the selected proxy service (5). The proxy service consults the Proxy Map service in the Ranger Gateway in order to identify a ZoneRanger that is able to relay the traffic to the target device, and to translate the target address, if necessary, and then forwards the traffic to the selected ZoneRanger (6), which in turn forwards the traffic to the target DMZ device (7).
  • Page 30 Ranger Gateway also authenticates each client using SSL certificates. The list of trusted RGVI subjects and corresponding certificate authorities can be configured using the trustSSL Ranger Gateway command. Note that Ranger Gateway to ZoneRanger messaging and RGVI share a common list of trusted certificate authorities, but have distinct trusted subject lists.
  • Page 31 Ranger Gateway. The RGVI service can be controlled and configured using the Ranger Gateway Viewer or the rgvi Ranger Gateway command. RGVI client installation and configuration instructions for various operating systems are provided in Appendix J.
  • Page 32: Chapter 9: Joining

    For security purposes, before a Ranger Gateway can relay management traffic to/from a given ZoneRanger, it must first be joined to that ZoneRanger. Joining is a simple process, initiated by the user, and can be performed using any of the following user interface mechanisms: •...
  • Page 33 If there is a firewall between a Ranger Gateway and a ZoneRanger that need to be joined, as is typically the case, a firewall rule must be configured, to allow the Ranger Gateway and ZoneRanger to communicate.
  • Page 34: Chapter 10: Licensing

    Chapter 10: Licensing ZoneRanger may be a physical appliance or a virtual appliance (VM). When in the form of a physical appliance, the ZoneRanger is manufactured with a particular license specifying the number of devices it is allowed to manage. This license is a permanent license with no expiration date. When in the form of a virtual appliance (VM), the ZoneRanger must obtain its license via a Ranger Gateway License Server or via a provided Activation Key.
  • Page 35: Chapter 11: Managed Nodes

    ZoneRanger. In order for a node to be managed, it must first be discovered. Discovery, in the context of ZoneRanger, is the process whereby a ZoneRanger analyzes its surrounding network and populates its database with the nodes, interfaces, subnets, and TCP ports that are encountered.
  • Page 36: Chapter 12: Node Groups

    Node Groups are maintained on the Configuration > Node Management page Node Groups tab of the ZoneRanger Web GUI. Node Groups may contain any number of valid address patterns as well as other Node Groups. When specifying a Node Group in a configuration rule or within another Node Group, the name of the Node Group must be prefixed with '@' to indicate that the value should be interpreted as a Node Group.
  • Page 37: Chapter 13: Pooling/Redundancy/VIP/Grouping

    ZoneRangers in the pool is equally capable of relaying management protocol traffic to a given set of devices (i.e. the devices in the network partition where the ZoneRanger pool is deployed). The Ranger Gateway can be configured to distribute management protocol proxy transactions across the pool in a load-balancing fashion, in order to achieve high capacity.
  • Page 38 ZoneRangers in sync. Whenever a redundant ZoneRanger that has been down or was otherwise unreachable is restored, and communication with its peers is reestablished, the ZoneRanger will resynchronize its configuration with its peers in order to pick up any configuration changes that may have occurred.
  • Page 39 Creating a VIP Cluster will eliminate this additional traffic, at the cost of the possibility of lost traffic during the brief period of time that it will take for a passive ZoneRanger to detect that the active ZoneRanger has failed, and to become active.
  • Page 40 SNMP Get/Set proxy, if the group name is used in place of the ZoneRanger in the community string, the Ranger Gateway will select one of the joined ZoneRangers in the group to relay the request to the managed device.
  • Page 41: Chapter 14: Proxy Access Control

    ZoneRanger should use when forwarding the request to the target device, or a translation rule that can be used to calculate the port that should be used based on the rg-port.
  • Page 42 Ranger Gateway installed within another server in a variety of ways, including SOCKS, joined ZoneRanger proxy ports (i.e. 200xx), or by enabling IP forwarding on the Ranger Gateway server, and configuring the other server to route management traffic to the Ranger Gateway server.
  • Page 43
    Source      Destination   Configuration
    *.*.*.*     @ZoneRanger   ZoneRangerDefault
    *.*.*.*     *.*.*.*       Default
    This configuration indicates that requests from any source directed towards a joined ZoneRanger will be governed by the ZoneRangerDefault configuration, and that all other requests will be governed by the Default configuration. The ZoneRangerDefault rule is configured first, so that requests directed towards ZoneRangers will match that rule, as opposed to the Default rule.
  • Page 44 ..., according to the following table: Protocol Port http https 5432 telnet. Note that in some cases the port on the ZoneRanger is an internal port that can only be accessed by proxy through the Ranger Gateway.
  • Page 45 ZR-1 http=20005 https=20006 sql=20007 ssh=20008 telnet=20009. If the ZoneRanger named “ZR-1” has an IP address of 10.10.4.5, and a request comes in on port 20008, the ZoneRanger address and port will be: address=10.10.4.5, port=22. The Ranger Gateway will look first for a matching rule in the portMap table, using 10.10.4.5 as the...
  • Page 46: Chapter 15: Proxy Caching

    Chapter 15: Proxy Caching One of the primary advantages of ZoneRanger is that it is able to act as a proxy for management traffic on behalf of a wide variety of management applications. As a result, it is possible to have multiple management applications simultaneously proxying ICMP and SNMP traffic through a common pool of ZoneRangers to a common set of managed devices.
  • Page 47 When the ZoneRanger searches for a rule to match a requested OID value, the OID value associated with each configured rule is treated as a prefix. As such, each rule is considered to match the specified OID value, and also to match the tree of OID values that begin with the specified value.
  • Page 48: Chapter 16: Proxy Map

    In simple ZoneRanger installations, the default Proxy Map configuration settings might be sufficient for the Proxy Map service to operate. For example, if a Ranger Gateway is joined to a single ZoneRanger, and no NAT is in effect, the Proxy Map service does not need additional configuration information to select a ZoneRanger and identify the target address for a proxy transaction.
  • Page 49 SNMP Get request, or an SSH session request, directly to IP address 62.1.25.15. The Ranger Gateway can intercept the request via GVI, and must select a ZoneRanger (ZR-1) to relay the transaction. In this case, because no NAT is required, the Ranger Gateway will indicate to the selected ZoneRanger that the target DMZ device address is 62.1.25.15.
  • Page 50 Ranger Gateway using the SOCKS protocol. The Ranger Gateway must select a ZoneRanger (ZR-2 or ZR-3) to relay the session, and in this case, given that NAT is in effect, must translate the target address to its corresponding address (192.168.1.3) before passing the request to the selected ZoneRanger.
  • Page 51 If the resolve_host_names setting is enabled, the address associated with the target device at the Ranger Gateway (that is, the rg-address) is resolved to an IP address before the active proxy map lookup is performed.
  • Page 52 IP address of a joined ZoneRanger. If a match is found, active rg-address proxy map lookup is bypassed, and the indicated ZoneRanger is selected as the best route to itself. The Ranger Gateway indicates 127.0.0.1 as the target address to the ZoneRanger, so that the ZoneRanger will know that the intended target of the transaction is the ZoneRanger itself.
  • Page 53 As such, routers, firewalls, and other applications would have no awareness or visibility of these addresses, resulting in simpler configuration and maintenance than alternatives such as static NAT.
  • Page 54: Chapter 17: Server Groups

    ZoneRanger also supports the ability to define multiple server groups, and to associate different server groups with different device addresses, so that TACACS+/RADIUS traffic for different devices can be handled by different groups of servers.
  • Page 55 TACACS+/RADIUS server, so additional pairs are configured, essentially listing all possible ways to reach all possible servers. For any given request, the ZoneRanger will perform the following steps: 1. Identify the server group associated with the requesting device, based on configured rule tables associated with the TACACS+ and RADIUS services.
  • Page 56
    10.254.2.[10-20]   MyOtherServerGroup
    *.*.*.*            MyServerGroup
    When handling a TACACS+ or RADIUS request from a given device, the ZoneRanger will search through the proxy rules table associated with the protocol being used for the first rule that matches the requesting device’s address. As such, it is important to ensure that specific address rules are placed ahead of overlapping range or wild-card rules.
  • Page 57: Chapter 18: Whitelist

    However, new Join and Redundancy requests initiated from the ZoneRanger will be subject to the whitelist. Thus, the IP address of the new Ranger Gateway or new redundant ZoneRanger must be specified in the whitelist for the request to be successful.
  • Page 58: Part III. ZoneRanger Services

    This chapter describes how discovery is configured and executed on a ZoneRanger. The ZoneRanger database is organized into tables based on the types of entities that can be discovered, such as nodes, interfaces, subnets, and TCP ports. The database also includes relationships between entities, for example, the interfaces and TCP ports associated with a node, the interfaces on a given subnet, and so on.
  • Page 59 The Include Networks list is populated with a single entry, generated by taking the IP address of the ZoneRanger specified during initial ZoneRanger configuration, and masking off the last three octets. For example, if the ZoneRanger's IP address is 10.254.1.190, the...
  • Page 60 7 days. If this option is declined, you can wait until the ZoneRanger starts up, modify the discovery settings as desired, and then either invoke discovery manually or configure periodic discovery.
  • Page 61: Chapter 20: Forwarding

    In the case of the SPX model, all information is forwarded regardless of originating address. Forwarding rules are used to specify the type, source, and destination of UDP information on the ZoneRanger that is to be forwarded to a Ranger Gateway and ultimately to a management application.
  • Page 62 Ranger Gateway to another application. When an SNMP trap is received by ZoneRanger, the trap is verified to be syntactically correct. Thus, if the SNMP trap does not meet the RFC definition of a correctly formatted SNMP trap, it will be discarded. If the SNMP trap is determined to be syntactically correct, it will be processed by the ZoneRanger forwarding service.
  • Page 63 SNMPv1 or SNMPv2c. If an SNMPv3 or SNMPv2c inform is received and it is to be forwarded as SNMPv1, it will be converted to a trap. In this case, the ZoneRanger will respond to the originating device with an appropriate response after forwarding the trap.
  • Page 64 Ranger Gateway to another application. When a NetFlow or sFlow packet is received by ZoneRanger, the packet is inspected to determine whether or not it is syntactically correct. For NetFlow, version 5 and version 9 packets will be verified. For sFlow, version 4 and version 5 packets will be verified.
  • Page 65: Chapter 21: FTP Proxy

    The ZoneRanger FTP proxy service provides an effective solution for these problems, acting as an application-layer proxy firewall for FTP traffic, enabling FTP clients to exchange files with servers located within firewall-partitioned networks.
  • Page 66 The active-to-passive conversion feature is enabled on a per-ZoneRanger basis. When this feature is enabled, the ZoneRanger will present all FTP proxy requests to managed devices in the form of passive requests, regardless of whether the FTP client’s request is active or passive.
  • Page 67: Chapter 22: HTTP/HTTPS Proxy

    The Ranger Gateway will then consult the Proxy Map service in order to identify a ZoneRanger that is able to relay the request to the target device. The request is then forwarded to the selected ZoneRanger, which in turn, establishes a TCP connection to the target device.
  • Page 68 The Ranger Gateway will then consult the Proxy Map service in order to identify a ZoneRanger that is able to proxy traffic to the target device, and to translate the target address, if necessary, then forwards the connection request to the selected ZoneRanger, which attempts to connect to the target device.
  • Page 69 2. Click the LAN Settings button. A dialog box will open as shown in the following figure. Figure 22-3. Internet Explorer ... LAN Settings. 3. Check the Use a proxy server for your LAN box, then click the Advanced… button. A dialog box will open as shown in the following figure.
  • Page 70 5. Click OK in the three dialog boxes to save your changes. Dedicated HTTP/HTTPS Ports When a ZoneRanger is joined to a Ranger Gateway, the Ranger Gateway allocates dedicated ports that can be used to access various services (for example, HTTP, HTTPS, SQL, Telnet, and SSH) on the newly joined ZoneRanger.
  • Page 71 Figure 22-5. Ranger Gateway ... Information tab A web browser can establish a proxy connection to a joined ZoneRanger simply by connecting to the Ranger Gateway’s address, specifying the dedicated HTTP or HTTPS port associated with that ZoneRanger as the destination port, as shown in the following figure.
  • Page 72 As a shortcut, the user can automatically launch their default browser and browse via a dedicated HTTP or HTTPS port to the web interface of the selected ZoneRanger by clicking the Browse (HTTP) or Browse (HTTPS) buttons on the Status tab of the Ranger Gateway Viewer’s main window as shown in the following figure.
  • Page 73: Chapter 23: ICMP Proxy

    4. The ICMP Proxy service in the Ranger Gateway consults with the Proxy Map service to select a ZoneRanger that is able to relay the ICMP echo request to the target device, then forwards the ICMP echo request to the selected ZoneRanger.
  • Page 74: Chapter 24: NTP Proxy

    1. The ZoneRanger can obtain its time from a centralized NTP server (either directly or via a joined Ranger Gateway), and can act as a secondary time server, responding autonomously to NTP requests from client devices, as illustrated in the following figure.
  • Page 75 The following steps are required to configure ZoneRanger to act as an NTP proxy and can be found on the web interface on the Configuration > Inbound Proxy page NTP tab: 1. The ZoneRanger must be configured not to act as an NTP server. This can be accomplished in a variety of ways: a.
  • Page 76 The Ranger Gateway through which the ZoneRanger will access the NTP server. Note that the option for the ZoneRanger to access an NTP server directly is not supported in this case. b. The IP address or hostname of the NTP Server.
  • Page 77: Chapter 25: Polling

    ICMP latency measurement for each polled IP interface. SNMP Polling For those interfaces which do not have an IP address, ZoneRanger can be configured to use SNMP polling to monitor the status. The SNMP status of an interface is determined by the SNMP querying information ( ) of SNMP enabled nodes.
  • Page 78 TCP Polling ZoneRanger uses TCP polling of TCP ports on nodes to determine the status of processes listening on those TCP ports. By default, ZoneRanger polls TCP ports on managed devices every 5 minutes (300 seconds). Use the Configuration > Polling page TCP Settings tab to configure different polling rates for an individual TCP Port as well as modifying the default TCP port polling rate.
  • Page 79: Chapter 26: Root Cause

    SNMP trap is generated indicating the root cause of the outage. Using the Configuration > Root Cause page IP tab, ZoneRanger can be configured to send an email indicating the root cause either through a joined Ranger Gateway or directly from the ZoneRanger.
  • Page 80: Chapter 27: SNMP Proxy

    Ranger Gateway. Consider the network example in the following figure. Two DMZ’s are shown. The first DMZ has one ZoneRanger (ZR-1) and the second one has two (ZR-2, ZR-3). The IP addresses in the two DMZ’s do not overlap.
  • Page 81 Figure 27-2. ZoneRanger SNMP Proxy with GVI The messaging flow for an SNMP proxy request using GVI is illustrated in the following figure. Note the following from this example: • The management application requests that a UDP datagram containing the SNMP GetRequest message be sent to the address of the target device (10.4.1.2) [1].
  • Page 82 The selected ZoneRanger forwards the request to the target device [4]. • The target device replies back to the ZoneRanger [5], which relays the response to the Ranger Gateway [6]. The SNMP Proxy service relays the response to the GVI driver [7].
  • Page 83 The following figure shows a SOCKS shim inserted between the management application and the operating system. Figure 27-3. ZoneRanger SNMP Proxy with SOCKS The messaging flow for an SNMP proxy request using a SOCKS shim is illustrated in the following figure.
  • Page 84 The selected ZoneRanger forwards the request to the target device [6]. • The target device replies back to the ZoneRanger [7], which relays the response to the Ranger Gateway [8]. The SNMP Proxy service relays the response to the SOCKS server, which forwards the response to the SOCKS shim along with a header indicating that the response was received from 10.4.1.2 [9].
  • Page 85 Ranger Gateway have been installed on the same server. Two DMZ’s are shown. The first DMZ has one ZoneRanger (ZR-1) and the second one has two (ZR-2, ZR-3). The IP addresses in the two DMZ’s do not overlap.
  • Page 86 SNMP agent on the Ranger Gateway server that may be listening on port 161. The port that the ZoneRanger will use to present the request to the managed device can be configured on a per-device basis. This allows different managed devices in the same firewall-partitioned network to listen for SNMP requests on different ports.
  • Page 87 . Two DMZ’s are shown. The first DMZ has one ZoneRanger (ZR-1) and the second one has two (ZR-2, ZR-3). The IP addresses in the two DMZ’s do not overlap. The IP address of the Ranger Gateway Server is 10.254.1.1.
  • Page 88 ZoneRangers, and the SNMP Proxy service in the Ranger Gateway will automatically select a ZoneRanger from this group to relay the request. The only difference between formats 1 and 2 is the order of the fields. The ability to configure the SNMP Proxy service to use different field orders has been provided in order to handle situations where management applications and managed devices are using their own community string prefix or suffix conventions.
  • Page 89 SNMP agent on the Ranger Gateway server that may be listening on port 161. The port that the ZoneRanger will use to present the request to the managed device can be configured on a per-device basis. This allows different managed devices in the same firewall-partitioned network to listen for SNMP requests on different ports.
  • Page 90 SNMP proxy mechanism will need to be selected. SNMPv3 Conversion The ZoneRanger SNMP Proxy service can be used to proxy SNMPv1 and SNMPv2c requests to managed devices. In addition, ZoneRanger can be configured to translate SNMPv1 or SNMPv2c requests to SNMPv3 requests, as illustrated in the following figure.
  • Page 91: Chapter 28: TCP Proxy

    Control configuration to verify that the request should be allowed, then will consult the Proxy Map service in order to identify a ZoneRanger that is able to relay the request to the target device. The request is forwarded to the selected ZoneRanger, which in turn, establishes a TCP connection to the target device.
  • Page 92 The SOCKS server on the Ranger Gateway checks the Proxy Access Control configuration to verify that the request should be allowed, then consults the Proxy Map service to identify a ZoneRanger that is able to proxy traffic to the target device, and to translate the target address, if necessary. The request is then forwarded to the selected ZoneRanger, which attempts to connect to the target device.
  • Page 93: Chapter 29: Telnet/SSH Proxy

    ZoneRanger text interface for joined ZoneRangers. While the ZoneRanger is able to proxy both Telnet and SSH protocols, SSH will typically be the preferred protocol for most applications, because the Telnet protocol, which exchanges user ID and password information over an unencrypted TCP connection, is less secure.
  • Page 94 Proxy Access Control configuration to verify that the request should be allowed, then will consult the Proxy Map service in order to identify a ZoneRanger that is able to relay the request to the target device. The request is then forwarded to the selected ZoneRanger, which in turn, establishes a TCP connection to the target device.
  • Page 95 Proxy Map service to identify a ZoneRanger that is able to proxy traffic to the target device, and to translate the target address, if necessary. The request is then forwarded to the selected ZoneRanger, which attempts to connect to the target device.
  • Page 96 You may need to modify this value if the target device uses a non-standard port for SSH or Telnet. 4. Click Proxy in the Category pane on the left hand side of the window. The following page is displayed.
  • Page 97 A disadvantage of SOCKS is that many management applications do not provide built-in support for SOCKS, and reliable SOCKS shims may not be available for the operating system being used. In these cases, an alternative Telnet/SSH proxy access mechanism will need to be selected.
  • Page 98 Proxy Map service to identify the target device, and to select a ZoneRanger that is able to proxy traffic to the target device. The connection request is then forwarded to the selected ZoneRanger, which attempts to connect to the target device.
  • Page 99 IP address aliases that can be defined. As a result, this technique may not be able to support the required number of managed devices for some applications.
  • Page 100 Dedicated Telnet/SSH Ports. When a ZoneRanger is joined to a Ranger Gateway, the Ranger Gateway allocates dedicated ports that can be used to access various services (HTTP, HTTPS, SQL, Telnet, and SSH) on the newly joined ZoneRanger. You can use the...
  • Page 101 Note that dedicated ports can be used only to access a ZoneRanger text interface. Dedicated ports cannot be used to access other managed devices. A significant disadvantage of SSH proxy using dedicated Ranger Gateway ports is that the same destination address (the Ranger Gateway's host name or IP address) is used to establish SSH sessions with different ZoneRangers, each presenting its own host key, which typically confuses SSH clients that are configured to verify host keys. Clients that record host keys per [host]:port (as OpenSSH does for non-default ports) or that allow a per-host HostKeyAlias can keep the keys apart.
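The host-key confusion above comes from the client seeing one destination name with several different keys. The following Python script is an added example (not part of the User's Guide or of Tavve's software) that models the client-side check with a constructed gateway name, dedicated ports and placeholder keys: it shows the mismatch a bare-host known_hosts entry produces, and the two ways to keep the keys apart, per-port entries in OpenSSH's [host]:port form and a HostKeyAlias per ZoneRanger.

```python
"""Host-key handling for SSH sessions that reach different ZoneRangers through one Ranger Gateway address.

Added example, not Tavve code. The gateway name, dedicated port numbers and
host keys are constructed; the port allocation itself is done by the Ranger
Gateway and is not modelled here.
"""

GATEWAY = "rg1.example.net"                                    # assumed Ranger Gateway host name
DEDICATED_SSH_PORTS = {"zr-dmz-a": 20022, "zr-dmz-b": 20023}  # constructed allocations

# Constructed: the host key each ZoneRanger presents (placeholders, not real keys)
PRESENTED_KEYS = {
    "zr-dmz-a": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORZONERANGERA",
    "zr-dmz-b": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORZONERANGERB",
}


def known_hosts_index(lines):
    """Parse plain (unhashed) known_hosts lines into {host_pattern: (keytype, key)}."""
    index = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key = line.split()[:3]
        for host in hosts.split(","):
            index[host] = (keytype, key)
    return index


def verify_host_key(index, host, port, presented, alias=None):
    """Mimic the client check: HostKeyAlias first, then [host]:port (OpenSSH's entry form
    for non-22 ports), then the bare host name."""
    keytype, key = presented.split()[:2]
    candidates = ([alias] if alias else []) + [f"[{host}]:{port}", host]
    for name in candidates:
        if name in index:
            return "ok" if index[name] == (keytype, key) else "mismatch"
    return "unknown"


def outcome_with_bare_host_entries():
    """known_hosts keyed on the gateway name alone: the second ZoneRanger looks like a changed key."""
    index = known_hosts_index([f"{GATEWAY} {PRESENTED_KEYS['zr-dmz-a']}"])
    return {name: verify_host_key(index, GATEWAY, port, PRESENTED_KEYS[name])
            for name, port in DEDICATED_SSH_PORTS.items()}


def outcome_with_port_qualified_entries():
    """One [gateway]:port entry per ZoneRanger keeps every key verifiable."""
    index = known_hosts_index([f"[{GATEWAY}]:{port} {PRESENTED_KEYS[name]}"
                               for name, port in DEDICATED_SSH_PORTS.items()])
    return {name: verify_host_key(index, GATEWAY, port, PRESENTED_KEYS[name])
            for name, port in DEDICATED_SSH_PORTS.items()}


def ssh_config_stanzas(gateway, ports):
    """ssh_config entries that pin each ZoneRanger to its own known_hosts identity via HostKeyAlias."""
    return "".join(
        f"Host {name}\n    HostName {gateway}\n    Port {port}\n    HostKeyAlias {name}\n"
        for name, port in sorted(ports.items()))
```

With the generated stanzas in place, `ssh zr-dmz-b` connects to the gateway's dedicated port and stores the key under the alias, so replacing one ZoneRanger only ever triggers a warning for that alias.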
  • Page 102: Chapter 30: Tacacs+/Radius Proxy

    Configuring TACACS+/RADIUS Proxy on a ZoneRanger In order for the ZoneRanger to be able to proxy TACACS+ and/or RADIUS traffic, it must be joined to one or more Ranger Gateways, and one or more server groups must be defined. A server...
  • Page 103 TACACS+ and RADIUS at the same time is not allowed. If the ZoneRanger is configured to use RADIUS, you will need to specify the server group to be used for ZoneRanger authentication and authorization requests. If the ZoneRanger is configured to...
  • Page 104 In order to configure the ZoneRanger to authenticate with Windows IAS, a specific Resource Policy must be added in IAS. The Resource Policy must have a Policy condition where Service-Type matches “Authenticate Only”. An Attribute needs to be added to the Profile that matches the...
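To make the Service-Type condition concrete, here is an added Python example (not Tavve or Microsoft code) that builds an RFC 2865 Access-Request carrying Service-Type = Authenticate-Only (value 8), hides the User-Password with the shared secret as the RFC requires, and verifies a server's Response Authenticator. The shared secret, NAS address, user name and attribute set are constructed for the demonstration; the attributes ZoneRanger itself sends are not described on this page.

```python
"""RADIUS (RFC 2865) Access-Request with Service-Type = Authenticate-Only, plus Response Authenticator check.

Added example, not Tavve or Microsoft code. Secret, NAS address and credentials are constructed.
"""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_AUTHENTICATE_ONLY = 8   # the value an IAS policy condition matches on


def _attr(attr_type, value):
    """Type-Length-Value; the length octet covers the two header octets."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: XOR 16-octet chunks with a chained MD5(secret || previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ q for p, q in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk                     # the chain continues from the hidden chunk
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; walks the hidden chunks, then strips the zero padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ q for c, q in zip(chunk, b))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, nas_ip, secret, request_authenticator=None):
    """Client side (the NAS or a proxy acting for it)."""
    ra = request_authenticator or os.urandom(16)   # must be unpredictable in real use
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHENTICATE_ONLY)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_packet(packet):
    """Split code, identifier, authenticator and attributes; attributes keyed by type, values in order."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    attrs, offset = {}, 20
    while offset < length:
        t, l = packet[offset], packet[offset + 1]
        if l < 2 or offset + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[offset + 2:offset + l])
        offset += l
    return dict(code=code, ident=ident, authenticator=packet[4:20], attrs=attrs, raw_attrs=packet[20:])


def build_response(code, ident, attrs, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = 20 + len(attrs)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length)
                            + request_authenticator + attrs + secret).digest()
    return struct.pack("!BBH", code, ident, length) + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Client side: recompute and compare; a wrong secret or tampered attributes fail here."""
    p = parse_packet(response)
    expected = hashlib.md5(struct.pack("!BBH", p["code"], p["ident"], len(response))
                           + request_authenticator + p["raw_attrs"] + secret).digest()
    return expected == p["authenticator"]
```

The Response Authenticator is the only thing binding an Access-Accept to the request and the shared secret, so a proxy that forwards RADIUS must verify it before acting on the answer, and the Request Authenticator must be fresh and random or the password hiding degrades to a reusable pad.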
  • Page 105 In order to illustrate the configuration required for TACACS+/RADIUS proxy, consider the following sample network: Figure 30-2. ZoneRanger TACACS+/RADIUS Proxy Configuration Note that there are four TACACS+/RADIUS servers shown in this diagram: acs1, acs2, acs3, and acs4. In the case of acs1 and acs2, the Ranger Gateway software is installed on the same server as the TACACS+/RADIUS server application.
  • Page 106 In addition, a number of advanced configuration settings are provided for each protocol. For TACACS+ the available settings are: • Client timeout – the amount of time, in seconds, that the ZoneRanger will maintain information about an inactive TACACS+ authentication or authorization session. •...
  • Page 107 ZoneRanger will decrypt and validate all TACACS+ messages. Note that in order to use this option for a given server group, all devices managed by a given ZoneRanger that are mapped to that server group will need to be configured to use the same encryption key.
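Why the key has to match: the TACACS+ body is not encrypted with the key in the usual sense but XORed with an MD5 pseudo-pad derived from the session ID, the key, the version and the sequence number (RFC 8907). The added Python example below (not Tavve code; the user, port, session ID and key are constructed) builds an authentication START packet the way a device would, unmasks it with the right key, and shows that a different key yields an unusable body, which is what the validation step on this page would reject.

```python
"""TACACS+ (RFC 8907) header parsing and body unmasking with the shared key.

Added example, not Tavve code. Shows why every device mapped to a server
group must use the same key: the pseudo-pad that unmasks the body is
derived from that key, and a packet masked under a different key unmasks to garbage.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0
TAC_PLUS_AUTHEN = 1                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear (no key configured)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5: every block after the first hashes the previous digest in."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def mask(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, key, session_id, seq_no=1):
    """Authentication START (action LOGIN, priv 1, ASCII, service LOGIN) as a device would send it.
    key=None models a device with no key, which sets the unencrypted flag."""
    data = b""
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    flags = TAC_PLUS_UNENCRYPTED_FLAG if key is None else 0
    if key is not None:
        body = mask(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body


def unmask_packet(packet, key):
    """Parse the 12-byte header and return (header dict, body as the proxy would see it)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("masked body but no shared key configured")
        body = mask(body, session_id, key, version, seq_no)
    header = dict(version=version, type=ptype, seq_no=seq_no, flags=flags, session_id=session_id)
    return header, body


def decode_authen_start(body):
    """Decode a START body; None when the field lengths are inconsistent (typically a wrong key)."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body) or action not in (1, 2, 3):
        return None
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    return dict(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service,
                user=user, port=port, rem_addr=rem_addr, data=body[off:off + dlen])
```

Because the pad is a keyed MD5 stream rather than an authenticated cipher, the length check in decode_authen_start is the only integrity signal available to a proxy; treat a packet that fails it as a key mismatch or tampering and log it rather than forwarding it.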
  • Page 108: Chapter 31: Tftp Proxy

    ZoneRanger can be configured to proxy TFTP requests to the Ranger Gateway or through the Ranger Gateway to another TFTP server in the secure environment. Thus, ZoneRanger provides a secure mechanism for the TFTP protocol to manage the configuration files of ZoneRanger managed devices.
  • Page 109 This capability can be enabled by checking the Enable Single-Use SNMP triggered rules checkbox. In this case, ZoneRanger generates a single use TCP proxy rule based on the SNMP set proxied via the Ranger Gateway. Note, this feature is triggered by sets using the CISCO-CONFIG-COPY-MIB (Cisco IOS software release 12.0) and the OLD-CISCO-SYSTEM-MIB/OLD-CISCO-FLASH-MIB (Cisco IOS...
  • Page 110: Chapter 32: Traffic Monitoring

    Traffic Type will be measured. The amount of traffic will also be logged if Traffic logging is set to Short. On the ZoneRanger, the amount of traffic for each Traffic Type for each IP address will also be measured. The amount of traffic will also be logged if Traffic logging is set to Full.
  • Page 111: Chapter 33: Whitelisting

    Inbound information (SNMP traps, syslog messages, etc.) provides a security measure for the ZoneRanger to only process information from a known set of IP addresses. When whitelisting is enabled, only Inbound information which has a source address specified in the whitelist will be processed by the ZoneRanger. Note that the whitelist is a source-address filter, not authentication: traps and syslog messages normally arrive over UDP, where the source address can be forged, so use it to discard unexpected senders and rely on SNMPv3 authentication (see SNMPv3 Users in Chapter 34) where the origin of a notification must be trusted.
  • Page 112: Part Iv. Zoneranger And Ranger Gateway Interfaces

    Part IV. ZoneRanger and Ranger Gateway Interfaces ZoneRanger has four user interfaces which may be used to interact with the system and are described in detail in the following chapters: • ZoneRanger Web Interface Chapter 34 • Ranger Gateway Viewer Chapter 35 •...
  • Page 113: Chapter 34: Zoneranger Web Interface

    The Activity Section consists of a set of activity indicators which give an indication when a particular ZoneRanger service is in use. When an activity indicator flashes, ZoneRanger is performing tasks associated with the indicated service. If an indicator is dark, the associated activity is idle. Activity indicators provide a general indication of service activity, but their update rate is controlled to increase visibility and minimize performance impact.
  • Page 114 The Inventory Section consists of the root cause status indicator and the inventory bars. The root cause indicator displays the current root cause information for the ZoneRanger managed nodes. The inventory bars display the status of the ZoneRanger managed nodes.
  • Page 115 For example, if ZoneRanger is managing 20 routers and a quarter of the Routers inventory bar is yellow, five of the routers are marginal (the following section describes colors that can appear in the inventory bars).
  • Page 116 • Ranger Gateways If the Audit status is green with a check mark, the ZoneRanger has not detected any irregularities from its self-check. If the Audit status is red with an exclamation point, it provides a link to the View > System Audit page which will describe the condition.
  • Page 117 When a backup is restored, the ZoneRanger software is automatically restarted. Discovery In order for nodes to be managed by ZoneRanger, the nodes must be discovered. The Administration > Discovery page can be used to manually start the Discovery process.
  • Page 118 View Last Discovery Log on the Administration > Discovery page to display log entries from the most recent discovery run. While viewing the log, you can filter messages by message text and limit the number of returned log entries. ZoneRanger 5.5 User's Guide...
  • Page 119 ZoneRanger database. When the Start Scan button is pressed, the ZoneRanger will scan each entered IP address or hostname using SNMP and TCP and store the resulting information in the ZoneRanger database. If an existing IP address or hostname is scanned, the ZoneRanger database information for that device will be updated.
  • Page 120 When a profile is loaded on a ZoneRanger, the ZoneRanger software is automatically restarted. License Activation The Administration > License Activation page may be used to activate a ZoneRanger VM so that it may process management traffic. A ZoneRanger VM may obtain a license by either retrieving a license from a Ranger Gateway License Server or by using an Activation Key.
  • Page 121 Figure 34-7. Administration > License Activation page Use License Server A ZoneRanger VM may obtain its license from a Ranger Gateway License Server. When the Use a Ranger Gateway License Server button is initially selected, the list of licenses from each joined Ranger Gateway is presented under the Choose A License section. The table...
  • Page 122 If there is a current license allocated to this ZoneRanger VM and a new license is selected, the current license will be released if the new license is acquired. If the selected license is no longer available, the current license will be maintained. If there is a current license allocated to this ZoneRanger and a license with fewer managed nodes is selected and acquired, all of the managed nodes under the old license will be unmanaged.
  • Page 123 The route is temporarily added to the ZoneRanger but will be removed if the route is not committed within 60 seconds. This step is needed for routes which are added that cause the ZoneRanger to no longer be reachable. In...
  • Page 124 Figure 34-11. Administration > Service Dump page When you perform a service dump, the ZoneRanger builds a service dump file and transfers the file to a joined Ranger Gateway. After a service dump file is transferred to a Ranger Gateway, you will be given detailed instructions for sending the service dump file to Tavve Support.
  • Page 125 ZoneRanger has determined to have the same SNMPv3 Engine ID. Each SNMP agent that supports v3 has a unique Engine ID associated with that agent. When a ZoneRanger issues an SNMPv3 proxy request or receives an SNMPv3 notification, the SNMP Engine ID is cached by IP address.
  • Page 126 If some devices are updated and some devices are not, the ZoneRanger will no longer be able to access devices that were not updated until their SNMPv3 passwords are manually reconfigured.
  • Page 127: Ssl Certificates

    2. Configuring a ZoneRanger or Ranger Gateway with the identities or “trusted subjects” with which it is authorized to communicate. By default, all ZoneRangers and Ranger Gateways are configured with certificates issued by Tavve’s internal certificate authority. Because these default certificates share the same issuer and subject across installations, they identify a peer only as a ZoneRanger or Ranger Gateway, not as one belonging to a particular deployment; install site-specific certificates (page 128) and narrow the trusted subjects where that distinction matters.
  • Page 128 Figure 34-15. Administration > SSL Certificate page A new SSL public key certificate and private key may be installed on the ZoneRanger in the following formats: 1. PKCS #12 2. X.509 Certificate and Private Key 3. JKS Keystore For PKCS #12, you will need the following: 1.
  • Page 129 The currently configured trap definitions may be viewed on the Configuration > Forwarding page in the Trap Filters tab. When a new trap definition file is uploaded to the ZoneRanger, it is validated, and if valid, is installed on the ZoneRanger.
  • Page 130 Configuration Access Control Any user interaction with ZoneRanger requires logging in with a user name and password. The method of authentication and the determination of the valid set of user names and passwords is configured on the Configuration > Access Control page. The Configuration > Access Control page is also used to configure ZoneRanger to proxy TACACS+ and RADIUS requests for managed devices.
  • Page 131 ZoneRanger itself. At least one Server Group (see Chapter 17) must be created before TACACS+ proxy configuration can be accomplished. TACACS+ authentication of the ZoneRanger itself may be proxied through a Ranger Gateway, which requires at least one Server Group, or may be configured to communicate directly to a TACACS+ server.
  • Page 132 TACACS+ server. The Source Address field must be an IP address, an address pattern, or a Node Group (see Chapter 2). TACACS+ requests received by a ZoneRanger, and TACACS+ responses sent by a ZoneRanger, can be written to a log file, called /l .
  • Page 133 TACACS+ server. The ZoneRanger uses an authorization request to retrieve the privilege level of the user from the TACACS+ server. This request contains a number of authorization arguments one of which must be the primary service.
  • Page 134 TACACS+ servers. ZoneRanger will choose from the listed TACACS+ servers with which it has most recently authenticated successfully. If the current authentication fails, the ZoneRanger will use additional servers if a timeout has not yet occurred. The privilege levels corresponding to the operator and administrator privileges must be set to those configured on the TACACS+ server.
  • Page 135 The Configuration > Access Control page RADIUS tab allows for the configuration of ZoneRanger RADIUS proxy for authentication of managed nodes as well as RADIUS authentication on the ZoneRanger itself. At least one Server Group (see Chapter 16) must be created before RADIUS proxy configuration can be accomplished. RADIUS authentication of the ZoneRanger itself may be proxied through a Ranger Gateway, which requires at least one Server Group, or may be configured to communicate directly to a RADIUS server.
  • Page 136 Configuring RADIUS for ZoneRanger via proxy The Use RADIUS for ZoneRanger access control checkbox enables ZoneRanger to authenticate and authorize web, Telnet, and SSH users using RADIUS. ZoneRanger may be configured to authenticate directly to a RADIUS server or through a Ranger Gateway using RADIUS proxy.
  • Page 137 Figure 34-23. Configuring ZoneRanger to authenticate via RADIUS directly When authenticating the ZoneRanger itself directly to a RADIUS server, at least one RADIUS server must be specified. Use the Add RADIUS Server button to add additional RADIUS servers. ZoneRanger will choose from the listed RADIUS servers the one with which it has most recently authenticated successfully.
  • Page 138 TACACS+ Shared Key defines the optional key used to decrypt TACACS+ messages. If a shared default key was specified and Insert IP Address is checked, ZoneRanger inserts the source IP address into the...
  • Page 139 Figure 34-26. Configuration > Discovery page Options tab Configuring Discovery Options The Periodic discovery interval checkbox enables ZoneRanger to run discovery on a periodic basis. The value in the Periodic discovery interval field specifies the periodic discovery interval in days, hours, and minutes. The default interval is 7 days. If you change the interval, discovery runs again after the interval you specified passes.
  • Page 140 The Configuration > Discovery page Networks tab, is used to limit additional nodes that ZoneRanger can potentially discover. This helps control the number and address ranges of devices that will be added to the ZoneRanger managed node list, and helps limit the time spent in discovery.
  • Page 141 The Configuration > Discovery page Ping Ranges tab is used to specify a list of IP addresses to ping as a part of discovery. During discovery, ZoneRanger pings (sends one or more ICMP echo requests) all addresses in any specified ping ranges that pass the include/exclude network filtering criteria.
  • Page 142 Configuring TCP Ports The Configuration > Discovery page TCP Ports tab defines the different TCP services that the ZoneRanger will discover and monitor. The TCP port list on this tab is initially populated with common TCP services. Figure 34-30. Configuration > Discovery page TCP Ports tab The TCP Port Scan Timeout field specifies how long to wait for a response from the TCP port before timing out.
  • Page 143 When a TCP service is deleted, all instances of this service are deleted from the ZoneRanger database, and any TCP polling of the deleted service is stopped.
  • Page 144 The pulldown list contains the list of trap filters defined on the ZoneRanger. ZoneRanger provides a base set of trap filters which cannot be deleted. You can use this list to select the trap filter to be applied for the rule you are defining.
  • Page 145 SNMPv2c traps. In cases where an SNMPv2c or SNMPv3 inform is converted to a trap, the ZoneRanger will automatically respond to the device that sent the inform with the appropriate response. In the case of SNMPv3 traps and informs, the user defined in the incoming notification must be configured under the SNMPv3 Users in order to completely process the notification.
  • Page 146 Configuring trap filters The Configuration > Forwarding page Trap Filters tab provides the ability to create trap filters, which are a named set of conditions for matching traps. ZoneRanger uses trap filters as the filtering criteria for forwarding traps in forwarding rules.
  • Page 147 Figure 34-34. Configuration > Forwarding page Trap Filters tab ZoneRanger provides a set of pre-defined trap filters. Using the Add Custom Trap Filter button, additional trap filters may be created. Trap filters are configured with a set of conditions, of which either all conditions must be true or at least one condition must be true. Trap filters may...
  • Page 148 Figure 34-36. Configuration > Inbound Proxy page TFTP tab The TFTP rules determine whether a file is transferred from the ZoneRanger managed device to the ZoneRanger itself, through the ZoneRanger to a joined Ranger Gateway, or through the ZoneRanger and joined Ranger Gateway to a specified TFTP server.
  • Page 149 IP address pattern, Node Group, the IP address of an interface, or the fully qualified hostname of a TFTP client which is a ZoneRanger managed device. The pattern, address, or hostname identifies the interface, set of interfaces, or node to which settings in the group are applied.
  • Page 150 ZoneRanger the destination for the transfer. When the target device uses the ZoneRanger for the TFTP transfer, the ZoneRanger finds the single use rule and proxies the transfer to the actual destination originally specified in the SNMP set.
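The single-use rule mechanism on pages 109 and 150 can be modelled in a few lines. The following Python example is added here and is not Tavve code: it intercepts a CISCO-CONFIG-COPY-MIB SET (column OIDs taken from the public MIB), points ccCopyServerAddress at the ZoneRanger, remembers the original destination, and hands it out exactly once to a TFTP request from the same device for the same file name. The matching key, the five-minute lifetime and the in-memory store are assumptions, not documented ZoneRanger behaviour.

```python
"""Model of single-use, SNMP-triggered TFTP proxy rules.

Added example, not Tavve code: a minimal stand-in for the behaviour the page
describes. Column OIDs are from the public CISCO-CONFIG-COPY-MIB; the rule
lifetime, the matching key (device address + file name) and the in-memory
store are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Callable

CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"
CC_COPY_PROTOCOL = CC_COPY_ENTRY + ".2"         # ccCopyProtocol, 1 = tftp
CC_COPY_SERVER_ADDRESS = CC_COPY_ENTRY + ".5"   # ccCopyServerAddress (IpAddress)
CC_COPY_FILE_NAME = CC_COPY_ENTRY + ".6"        # ccCopyFileName
CC_COPY_ROW_STATUS = CC_COPY_ENTRY + ".14"      # ccCopyEntryRowStatus
PROTOCOL_TFTP = 1


@dataclass
class SingleUseRule:
    device: str          # managed device that will open the TFTP transfer
    filename: str        # file name it will request
    destination: str     # where the transfer must really go (gateway or TFTP server)
    expires_at: float


def _column(varbinds, column_oid):
    """Return {row_index: value} for every instance of one table column in the SET."""
    prefix = column_oid + "."
    return {oid[len(prefix):]: v for oid, v in varbinds.items() if oid.startswith(prefix)}


@dataclass
class TftpProxy:
    zoneranger_ip: str
    ttl: float = 300.0                                  # assumed rule lifetime in seconds
    clock: Callable[[], float] = time.monotonic
    rules: list = field(default_factory=list)

    def rewrite_snmp_set(self, device_ip, varbinds):
        """Intercept a proxied SET: point the device at the ZoneRanger, remember the real destination.
        varbinds is {oid_with_row_index: value}; returns the varbinds to forward to the device."""
        rewritten = dict(varbinds)
        protocols = _column(varbinds, CC_COPY_PROTOCOL)
        names = _column(varbinds, CC_COPY_FILE_NAME)
        for row, server in _column(varbinds, CC_COPY_SERVER_ADDRESS).items():
            # ccCopyProtocol defaults to tftp when the SET does not include it
            if protocols.get(row, PROTOCOL_TFTP) != PROTOCOL_TFTP or row not in names:
                continue   # not a TFTP copy, or nothing to match the later transfer on
            self.rules.append(SingleUseRule(device_ip, names[row], server, self.clock() + self.ttl))
            rewritten[f"{CC_COPY_SERVER_ADDRESS}.{row}"] = self.zoneranger_ip
        return rewritten

    def resolve(self, client_ip, filename):
        """Called when a TFTP request arrives at the ZoneRanger: consume the matching rule or refuse."""
        now = self.clock()
        self.rules = [r for r in self.rules if r.expires_at > now]   # drop stale rules
        for i, rule in enumerate(self.rules):
            if rule.device == client_ip and rule.filename == filename:
                del self.rules[i]          # single use: the rule is gone after this transfer
                return rule.destination
        return None
```

Rules are keyed on the requesting device and the file name, and are removed on first use or on expiry, so a TFTP request that does not correspond to a recent, proxied SET is refused rather than relayed into the secure environment.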
  • Page 151 This is useful to eliminate spurious NTP requests from unsecured devices. The Keys section is used to create the list of specific NTP keys ZoneRanger can use to authenticate the incoming NTP request.
  • Page 152 The Configuration > Node Management page Managed Nodes tab enables the ability to set which nodes are managed within ZoneRanger. When a node is moved from the Managed list to the Unmanaged list and the Save button is clicked, ZoneRanger management services become unavailable for that node.
  • Page 153 “server,” its device type might change back to the actual type when discovery is performed again. Outbound Proxy ZoneRanger is capable of proxying many protocols. The Configuration > Outbound Proxy page is used to customize the configuration of various proxy services. Configuring TCP Proxy The Configuration >...
  • Page 154 The TCP Proxy logging level applies for all TCP proxied connections between the Ranger Gateway and the ZoneRanger which include HTTP, HTTPS, Telnet, SSH, and FTP. This TCP Proxy log can be downloaded by the downloadFile command on a Ranger Gateway. The log file is called /log/tcpProxy.log .
  • Page 155 Gateway. The log file is called /log/icmpProxy.log . The log file may also be viewed on the View > Service Logs page. ZoneRanger can be configured to cache (store) previous ICMP responses to be used for subsequent ICMP requests within a particular time period. The ICMP Proxy Cache Enabled checkbox enables this capability.
  • Page 156 Figure 34-42. Configuration > Peers page Group tab Configuring the ZoneRanger group On the Configuration > Peers page Group tab, the Group Name is used to filter duplicate information from multiple ZoneRangers reporting to the same Ranger Gateway. Redundant ZoneRangers always have the same group name.
  • Page 157 IP address of the redundant ZoneRangers. Figure 34-44. Configuration > Peers page Virtual IP tab The virtual IP address may be created on either eth0 or eth1 on the ZoneRanger but that must be consistent on all redundant ZoneRangers.
  • Page 158 IP address. It must be greater than 1 second. The Heartbeat Interval must be consistent on all redundant ZoneRangers. The Heartbeat Timeout is the amount of time the ZoneRanger will wait for a positive response indicating the availability of the virtual IP address. If this timeout is reached, another redundant ZoneRanger will assume control of the virtual IP address.
  • Page 159 The Configuration > Polling page Interface Settings tab displays a table of interface polling settings groups. Settings groups may be assigned to a specific interface, node, or group of interfaces whose IP addresses match a specified pattern. Settings groups specify the following information: ZoneRanger 5.5 User's Guide...
  • Page 160 The arrows may be used to change the order of the settings groups. The Polling Interval applies to both ICMP and SNMP polling. SNMP timeouts and retries may be configured on the Configuration > SNMP page Managers tab. Configuring TCP Polling Settings ZoneRanger 5.5 User's Guide...
  • Page 161 Figure 34-48. Configuration > Polling page TCP Settings tab The Configuration > Polling page TCP Settings tab configures general TCP port polling behavior on the ZoneRanger. You can configure the following aspects of TCP port polling: • The default polling interval for all TCP services and all nodes. If no polling interval is set for a specific service, the default polling interval is used.
  • Page 162 Ranger Gateway passcode for the request to succeed. If the join succeeds, the ZoneRanger passcode can be changed to a different value (for example, to join with another Ranger Gateway having a different passcode) without affecting the join status of Ranger Gateways that were joined previously.
  • Page 163 ZoneRanger will not be allowed to initiate a connection to the Ranger Gateway. The typical application of restricted addresses is the case where a ZoneRanger is located in a DMZ, the Ranger Gateway is located on the other side of a firewall, and security policy dictates that all connections through the firewall be initiated from outside the DMZ.
  • Page 164 CN=ZoneRanger,OU=Engineering,O=Tavve,L=Morrisville,ST=North Carolina,C=US Similarly, each Ranger Gateway is configured with a certificate with the following subject: CN = Ranger Gateway, OU = Engineering, O = Tavve, L = Morrisville, ST = North Carolina, C = US ZoneRangers are configured, by default, to permit communication with both subjects, in order to support communication with joined Ranger Gateways, and with redundant peers.
  • Page 165 ZoneRanger is automatically configured to determine the root cause of an IP outage and generate the associated SNMP Trap. ZoneRanger can also be configured to send an email after determining the root cause of an outage. You can configure the following settings with respect to root cause outages: ZoneRanger 5.5 User's Guide...
  • Page 166 Email button can be used to verify that the configuration parameters are correct. The Show Advanced Options button can be used to specify the actions that ZoneRanger takes to verify the status of a device or interface. After verification, ZoneRanger generates a trap and sends notification emails.
  • Page 167 Email button can be used to verify that the configuration parameters are correct. The Show Advanced Options button can be used to specify the actions that ZoneRanger takes to verify the status of a TCP port. After verification, ZoneRanger generates a trap and sends notification emails.
  • Page 168 SNMPv3 requests. If checked, when the ZoneRanger receives an SNMPv3 proxy request, a valid SNMPv3 user must be configured in order for the ZoneRanger to proxy the request. If no valid SNMPv3 user is found, the proxy request is discarded.
  • Page 169 The ZoneRanger is only able to process an incoming SNMPv3 Inform if there is a configured SNMPv3 user or the Inform is using noAuthNoPriv Security Level. When the ZoneRanger is able to process an incoming SNMPv3 Inform, the ZoneRanger will convert the Inform to an SNMPv3 Trap, forward the trap based on any configured forwarding rules, and respond to the client that the Inform was received.
  • Page 170 The Target Rules section lists the SNMP parameters used when making SNMP requests to ZoneRanger managed devices. The order of target rules is important. ZoneRanger selects the first matching rule in the list, starting at the top. Use the arrow buttons to change the order of the rules.
  • Page 171 Configuring SNMPv3 Users Figure 34-56. Configuration > SNMP page Users tab In order to validate communications with SNMPv3 agents, ZoneRanger must be configured with a set of SNMPv3 Users. The Configuration > SNMP page Users tab is used to manage SNMPv3 users.
  • Page 172 Some devices having multiple IP interfaces might be configured so that only one IP interface responds to SNMP requests. You can use the Configuration > SNMP page Preferred Address tab to configure the IP address that the ZoneRanger uses when sending SNMP requests on behalf of services such as SNMP polling and SNMP proxy.
  • Page 173 Configuring the SNMP disallowed list There may be managed devices to which ZoneRanger should not make any SNMP requests. The Configuration > SNMP page Disallowed tab can be used to list the devices which ZoneRanger should not query via SNMP. This list takes precedence over the rules on the Manager tab.
  • Page 174 The Community String defines the community string to respond to when using SNMPv1 or SNMPv2c. The Users list defines which users the ZoneRanger agent will respond to when using SNMPv3. The users are defined on the Configuration > SNMP page Users tab. To disable the SNMP agent on the ZoneRanger, uncheck all three versions next to Agent Responds To.
  • Page 175 Figure 34-61. Configuration > SNMP page Proxy Cache tab ZoneRanger can be configured to cache (store) previous SNMP responses to be used for subsequent SNMP requests within a particular time period. The SNMP Proxy Cache Enabled checkbox enables this capability.
  • Page 176 However, if necessary, the interface speed and duplex type may be specified on the IP tab. If the ZoneRanger is connected to an 802.1Q VLAN trunk, the Connect to VLAN trunk check box should be selected. Primary VLAN ID defines the VLAN ID the ZoneRanger should use for its communications.
  • Page 177 Figure 34-63. System > Configuration page DNS tab Modifying DNS settings ZoneRanger may be configured to use DNS servers for name resolution as well as to act as a Secondary DNS server for managed devices. The DNS Servers section lists the set of DNS servers ZoneRanger should use for name resolution.
  • Page 178 NTP server listed in the NTP Servers table. When multiple NTP servers are listed in the NTP Servers table, ZoneRanger will use the best time provided by that set of NTP servers. The NTP Servers table has the following settings:...
  • Page 179 Configuring ZoneRanger ports The Configuration > System page Ports tab is used to enable and disable various ZoneRanger ports. Changing values determines how ports for the corresponding service respond. Figure 34-65. System > Configuration page Ports tab Each ZoneRanger port has multiple service options depending on the type of port. Below are...
  • Page 180 Configuring ZoneRanger properties Properties are used to configure or display some aspect of ZoneRanger operation. The Configuration > System page Properties tab lists the current set of ZoneRanger properties. In general, properties are used for advanced tuning and analysis. ZoneRanger 5.5 User's Guide...
  • Page 181 ZoneRanger. Traffic ZoneRanger can receive and proxy many different types of network traffic. It is often difficult to determine how much traffic the ZoneRanger is receiving and proxying. The ZoneRanger automatically tracks how much data is received and proxied. The ZoneRanger can also be configured to monitor thresholds by Traffic Type and to send an SNMP trap if a threshold is exceeded.
  • Page 182 The log file is called /log/traffic.log . The log file may also be viewed on the View > Service Logs page. The Traffic measurement interval defines how frequently the ZoneRanger will check if any thresholds are exceeded. The traffic rate is evaluated within this interval. Traffic will be counted and logged (if logging is enabled) even if thresholds are not configured to be checked.
  • Page 183 If threshold monitoring is enabled and a threshold is exceeded, a ZoneRanger audit message will be displayed as well as a message will be logged in the ZoneRanger System log. If the Send a trap when a threshold is exceeded checkbox is checked, the ZoneRanger will also generate an SNMP trap containing information about the exceeded threshold.
  • Page 184 If threshold monitoring is enabled and a threshold is exceeded, a ZoneRanger audit message will be displayed as well as a message will be logged in the ZoneRanger System log. If the Send a trap when a threshold is exceeded checkbox is checked, the ZoneRanger will also generate an SNMP trap containing information about the exceeded threshold.
  • Page 185 This includes new Join requests from Ranger Gateways and new Redundancy requests from other ZoneRangers. The Enforce Whitelist For Outbound Requests checkbox configures the ZoneRanger to apply the whitelist to all outbound ZoneRanger requests.
  • Page 186 “reverse resolve” IP addresses to hostnames. The hostname does not have to be managed by the ZoneRanger. FindRoute ZoneRanger provides a diagnostic tool to display the route information from a source host to a destination host via the Diagnostics > FindRoute page. Figure 34-72. Diagnostics > FindRoute The FindRoute tool displays the route information from a source host to a destination host.
  • Page 187 Syslog message was forwarded to a Ranger Gateway. Ping/Scan ZoneRanger provides a diagnostic tool to ping IP addresses and scan TCP ports and SNMP interfaces via the Diagnostics > Ping/Scan page. Figure 34-74. Diagnostics > Ping/Scan page ICMP Ping tab The ICMP Ping diagnostic enables you to ping an address and view the results.
  • Page 188 The valid Port values are 0 – 65535. The Address does not need to be a ZoneRanger managed device. After unchecking the Scan Well Known Ports checkbox, a single TCP port or a TCP port range may be specified.
  • Page 189 Using the SNMP Engine IDs diagnostic The SNMP Engine IDs diagnostic discovers the SNMPv3 Engine ID for the specified node and determines whether or not this Engine ID has previously been discovered on another device. ZoneRanger 5.5 User's Guide...
  • Page 190 SNMP proxy requests for this device will be discarded. ZoneRanger maintains a cache of SNMPv3 Engine IDs that it has previously discovered. It uses this cache to verify SNMPv3 agents. When using this diagnostic, any other IP addresses using the SNMP Engine ID of the specified device will also be reported.
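Engine IDs (pages 125-126 and 189-190) carry structure worth decoding when a duplicate turns up: the enterprise number and the address or MAC the ID was built from usually tell you whether two devices share a cloned configuration. The added Python example below (not Tavve code) decodes the RFC 3411 SnmpEngineID layout and keeps a per-IP cache like the one described, reporting every other address already using a given engine ID; the engine IDs and addresses are constructed.

```python
"""SNMPv3 engine ID decoding and duplicate detection across IP addresses.

Added example, not Tavve code. The cache is a stand-in for the behaviour the
page describes; the engine IDs below follow the RFC 3411 SnmpEngineID layout
and are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict


def decode_engine_id(engine_id: bytes) -> dict:
    """Split an engine ID into enterprise number and format-specific part (RFC 3411 section 5)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets")
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    if not engine_id[0] & 0x80:
        # Pre-RFC-3411 form: fixed 12 octets, the last 8 defined by the enterprise
        return {"format": "rfc1910", "enterprise": enterprise, "value": engine_id[4:].hex()}
    fmt, rest = engine_id[4], engine_id[5:]
    if fmt == 1 and len(rest) == 4:
        return {"format": "ipv4", "enterprise": enterprise, "value": str(ipaddress.IPv4Address(rest))}
    if fmt == 2 and len(rest) == 16:
        return {"format": "ipv6", "enterprise": enterprise, "value": str(ipaddress.IPv6Address(rest))}
    if fmt == 3 and len(rest) == 6:
        return {"format": "mac", "enterprise": enterprise, "value": ":".join(f"{b:02x}" for b in rest)}
    if fmt == 4:
        return {"format": "text", "enterprise": enterprise, "value": rest.decode("ascii", "replace")}
    if fmt == 5:
        return {"format": "octets", "enterprise": enterprise, "value": rest.hex()}
    if fmt >= 128:
        return {"format": f"enterprise-specific({fmt})", "enterprise": enterprise, "value": rest.hex()}
    return {"format": f"reserved({fmt})", "enterprise": enterprise, "value": rest.hex()}


class EngineIdCache:
    """IP address -> engine ID, learned from proxied requests and received notifications."""

    def __init__(self):
        self.by_ip = {}
        self.by_engine = defaultdict(set)

    def record(self, ip, engine_id):
        """Remember the pairing; return the other addresses already using this engine ID."""
        previous = self.by_ip.get(ip)
        if previous is not None and previous != engine_id:
            self.by_engine[previous].discard(ip)   # device replaced or re-keyed: forget the old pairing
        self.by_ip[ip] = engine_id
        others = sorted(self.by_engine[engine_id] - {ip})
        self.by_engine[engine_id].add(ip)
        return others

    def duplicates(self):
        """Engine IDs seen behind more than one address, the usual sign of cloned configurations."""
        return {eid.hex(): sorted(ips) for eid, ips in self.by_engine.items() if len(ips) > 1}
```

A non-empty result from record is the condition the diagnostic reports, and since SNMPv3 localized keys are derived from the engine ID, a device whose engine ID is changed to resolve a duplicate must have its SNMPv3 user credentials reconfigured, which is the situation page 126 warns about.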
  • Page 191 If not selected, no authorization request is performed. If use the ZoneRanger's configured values is selected, the values for Service, Protocol, and Command already configured on the ZoneRanger will be used in the authorization request. If not selected, specified values for Service, Protocol, and Command will be used for the authorization request.
  • Page 192 The Traceroute diagnostic performs the function of the popular traceroute command. No results are displayed until the traceroute finishes. The hostname does not need to be a ZoneRanger managed device. If the Do not map IP addresses to host names checkbox is checked, the command will not attempt to resolve any of the returned IP addresses.
  • Page 193 During discovery, ZoneRanger uses a variety of techniques to discover IP addresses. ZoneRanger then attempts to resolve each IP address to a hostname. Hostnames could be resolved for the IP addresses listed in the Resolved IP Addresses list, but not for the IP addresses listed in the Unresolved IP Addresses list.
  • Page 194 The Test button can be used to update the Resolved IP Addresses report based on the current DNS configuration. The update process can take a few minutes as ZoneRanger attempts to resolve hostnames for IP addresses in the database. When the test finishes, the Resolved IP Addresses and Unresolved IP Addresses lists are refreshed.
  • Page 195 To update the report based on current device status and configuration, click Test. The update process can take a few minutes as ZoneRanger performs an SNMP Get request for each node. When the test finishes, the SNMP Accessible Nodes and SNMP sysObjectID Inaccessible Nodes lists are refreshed.
  • Page 196 Figure 34-84. View > Node Reports page The View > Node Reports page displays all ZoneRanger managed devices grouped by their current status. Within each tab, the devices of a particular type may be viewed by using the dropdown. Each report displays information based on the last time discovery has run. The wrench icon provides a link to the Diagnostics >...
  • Page 197 Figure 34-85. View > Preferences page The View > Preferences page allows the user to completely control their view of the ZoneRanger dashboard. By unchecking an item, that item will be removed from the dashboard. Each section may also be moved or removed.
  • Page 198 From check box, the start time is unbounded; in other words, the start of the period is the time of the oldest log entry. ZoneRanger will store up to 7 days of log entries. Log files can be downloaded by the downloadFile command on a Ranger Gateway. The log file names are service-specific.
  • Page 199 Selected button. Statistics may be reset (set to 0) by using the Reset Selected button. Syslog ZoneRanger logs all Syslog messages. The View > Syslog page displays logged messages that meet the filtering criteria. Figure 34-89. View > Syslog page...
  • Page 200 ZoneRanger will store up to 7 days of received syslog messages. Syslog log files can be downloaded by the downloadFile command on a Ranger Gateway. The log file is called /log/syslog.log...
  • Page 201: System Information

    Ranger Gateways, and the patch history. Figure 34-92. View > System Information page System Log The View > System Log page displays significant ZoneRanger events that have been logged in the ZoneRanger system log. ZoneRanger 5.5 User's Guide...
  • Page 202 The From and To check boxes enable you to specify the time period for which you want to view the system log. If you uncheck the From check box, the start time is unbounded; in other words, the start of the period is the time of the oldest log entry.
  • Page 203: Traffic Information

    Stop Updating button is clicked or the web browser is exited. Traffic Information ZoneRanger monitors the amount of received and proxied traffic it has processed in the last two traffic measurement intervals as well as the peak traffic by traffic type within the measurement interval.
  • Page 204 IP addresses that have data greater than 0. Up to 500 IP addresses will be displayed. Note that if there are no Forwarding Rules configured for NetFlow, sFlow, or Generic, then no data will be received by ZoneRanger, since ZoneRanger only listens for those protocols if there is a Forwarding Rule configured.
  • Page 205 Stop Updating button is clicked or the web browser is exited. Traps ZoneRanger logs all received traps. The View > Traps page displays logged traps that meet the filtering criteria.
  • Page 206 ZoneRanger will store up to 7 days of traps. Trap log files can be downloaded by the command on a Ranger Gateway. The log file is called /log/trapd.log.
  • Page 207 User's Guide The ZoneRanger User's Guide will be displayed in a separate window or tab.
  • Page 208: Chapter 35: Ranger Gateway Viewer

    Left-hand pane, consisting of a toolbar, and a list box showing all joined ZoneRangers. • Right-hand pane, which contains Status and Information tabs associated with whatever joined ZoneRanger is selected in the list box in the left-hand pane.
  • Page 209 All ZoneRangers that are currently joined to the Ranger Gateway are listed on the Ranger Gateway Viewer. When a ZoneRanger in this list is selected, the Status and Information tabs associated with that ZoneRanger are displayed. This information is updated based on the refresh interval specified on the Configure >...
  • Page 210 Viewer Settings… window. The message “Loading..” will appear when the Ranger Gateway is requesting information from the selected ZoneRanger. This message normally appears for only a few seconds. If it appears for a significant amount of time, then the Ranger Gateway is no longer able to communicate with the selected ZoneRanger.
  • Page 211 Gateway Status window indicating the nature of the issue. One such condition is the loss of communication between the ZoneRanger and the Ranger Gateway. In this case, the audit would indicate the last time the Ranger Gateway was able to communicate with the ZoneRanger.
  • Page 212 The settings pane content for each of the listed categories is described in the following sections. Gateway Settings…General The Gateway Settings…General window provides basic configuration information for the Ranger Gateway. Figure 35-4. Gateway Settings Window The configuration settings are the following:
  • Page 213 Passcode Default passcode used when joining to ZoneRangers if none is specified during the join request, or if the join was requested from the ZoneRanger web interface Mail Server Address Hostname or IP address of the mail server the Ranger Gateway should use (e.g.
  • Page 214 The Access Control window can be used to configure whether or not TACACS+ and RADIUS client requests from ZoneRanger managed devices will be presented to the TACACS+/RADIUS server with the source address of the Ranger Gateway or the source address of the ZoneRanger managed device.
  • Page 215 The Device Groups Cache Size is used to set the maximum number of entries in the cache. The default is 100 entries with a valid range of 0 – 10000. Gateway Settings…Forwarding The Gateway Settings…Forwarding window provides the configuration information for the Ranger Gateway handling of forwarding requests.
  • Page 216 The Forwarding window allows users to configure whether or not forwarded SNMP Traps, Syslog messages, and other UDP traffic will be sent from the Ranger Gateway to the receiving application with the source address of the Ranger Gateway or the source address of the ZoneRanger managed device.
  • Page 217 10.2.5.6). To add a new address, select the empty entry at the end of the list and enter the address information. To delete entries, select the appropriate entries and click the Delete button. Gateway Settings…ICMP Proxy The Gateway Settings…ICMP Proxy window provides the configuration information for the Ranger Gateway ICMP Proxy service.
  • Page 218 Management applications can use the ICMP proxy service to send ICMP requests through the Ranger Gateway to ZoneRanger managed devices. The Timeout value is the number of seconds to wait for a response from the ZoneRanger for each ICMP request.
  • Page 219 When the Inbound TCP Proxy Spoof Enabled checkbox is enabled, the source address in TCP proxy requests from ZoneRanger sent from the Ranger Gateway to an application will be the source address of the original sending device managed by the ZoneRanger. If the checkbox is disabled, the source address in these requests will be the address of the Ranger Gateway.
  • Page 220 Proxy Map: proxyMap.log; RADIUS Proxy: radiusProxy.log; RGVI: rgvi.log; sFlow Forwarding: sflow.log; SNMP Proxy: snmpProxy.log; Syslog Forwarding: syslog.log; TACACS+ Proxy: tacacsProxy.log; TCP Inbound Proxy: inboundTcpProxy.log; TCP Proxy: tcpProxy.log; TFTP Proxy: tftpProxy.log; Traffic: traffic.log; Trap Forwarding: trap.log
  • Page 221 The NTP Proxy window can be used to configure whether or not NTP client requests from ZoneRanger managed devices will be presented to the NTP server with the source address of the Ranger Gateway or the source address of the ZoneRanger managed device.
  • Page 222 ZoneRangers across those ZoneRangers over time. If disabled, proxy requests will be sent to the ZoneRanger that most recently responded to this Ranger Gateway (i.e. the ZoneRanger from which the Ranger Gateway has most recently observed evidence of healthy activity).
  • Page 223 The Weight field indicates the relative cost of each proxy map route. If more than one proxy map route matches an incoming request, the lowest cost proxy map entry will be chosen if that ZoneRanger is responsive. The default weight, if not specified, is zero, which is the least cost.
  • Page 224 The ZR Port field is the destination port that the ZoneRanger should use when forwarding the request to the target device, or a translation rule that can be used to calculate the port that should be used based on the rg-port. When the Transport field is ICMP, all of the other fields are ignored.
  • Page 225 @Local consists of all addresses that are local to the Ranger Gateway server. The Destination field may be a Device Group, IP address pattern, or special Device Group @ZoneRanger. The Device Group @ZoneRanger consists of the IP addresses of all joined ZoneRangers. The Port Config field is the name of the Port Config rule in the Port Config tab.
  • Page 226 Subnet/Host table, and enter the subnet or host address to be intercepted. To modify a host or subnet address, select the corresponding entry in the table and edit its value. To delete a host or subnet address, select the corresponding entry and click the Delete button.
  • Page 227 In order to configure this port, and any associated settings, the Community String SNMP Proxy Enabled checkbox must be checked. The following settings can be configured when this checkbox is enabled:
  • Page 228 The Ranger Gateway provides a built-in SOCKS server which can be used to access ZoneRanger proxy services for TCP and UDP-based management protocols such as Telnet, SSH, HTTP, HTTPS, and SNMP. A SOCKS-aware application can direct proxy requests to the SOCKS server in the Ranger Gateway, which will relay these requests to managed devices via the ZoneRanger.
  • Page 229 The SSH Proxy Port field specifies the port on which Ranger Gateway will listen for SSH Proxy requests. The default is 4822. The SSH Proxy Destination Port field specifies the destination port which the ZoneRanger should use when sending SSH proxy traffic to managed devices. The default is 22.
  • Page 230 Gateway Settings…TFTP Ports The Gateway Settings…TFTP Proxy window provides the mechanism to configure TFTP Proxy destinations on the Ranger Gateway. The TFTP proxy service is described in detail in Chapter 30.
  • Page 231 Figure 35-22. Gateway Settings .. TFTP Proxy Window The Ranger Gateway has the ability to use TFTP proxy to transfer files to and from ZoneRanger managed devices. The Read Directory field specifies the directory where TFTP files should be read when proxying files to ZoneRanger managed devices.
  • Page 232 The Ranger Gateway monitors traffic in two categories. The Overall category is all of the traffic of a particular type either received from or proxied to all joined ZoneRangers. The Per ZoneRanger category is all of the traffic of a particular type either received from or proxied to an individual ZoneRanger.
  • Page 233 Enable monitoring the Per ZoneRanger thresholds is checked, if a threshold is exceeded, an entry will be logged in the Ranger Gateway Log. If the Send notifications checkbox is checked for Overall or Per ZoneRanger thresholds, then an SNMP Trap will be generated if a threshold is exceeded.
  • Page 234 Ranger Gateway Log. If the Send notifications checkbox is checked for Overall or Per ZoneRanger thresholds, then an SNMP Trap will be generated if a threshold is exceeded.
  • Page 235 The Tools > TFTP Manager… window is used to upload files from the Ranger Gateway to the TFTP server on the selected ZoneRanger, download files from the TFTP server on the selected ZoneRanger to the Ranger Gateway, and to delete files on the TFTP server on the selected ZoneRanger.
  • Page 236 Where install_dir is the directory where the Ranger Gateway software is installed. To transfer a file from the Ranger Gateway to the selected ZoneRanger, select the file in the Upload Directory list. Then, click Upload File. The selected file is copied to the selected ZoneRanger.
  • Page 237 Uploaded Patches list contains all patch files which have been uploaded to the ZoneRanger but have yet to be applied on the selected ZoneRanger. The Applied Patches list contains all of the patches which have been installed on the selected ZoneRanger.
  • Page 238 Figure 35-30. Tools .. Shutdown ZoneRanger Window The Tools > Shutdown ZoneRanger window provides the ability to restart, reboot, or shutdown a ZoneRanger. Select the appropriate radio button and click OK, or click Cancel to close the Shutdown window. Help Help Contents Figure 35-31: Help ..
  • Page 239 Figure 35-32. Help .. About Ranger Gateway Window
  • Page 240: Chapter 36: ZoneRanger Text Interface

    Chapter 36: ZoneRanger Text Interface Using the ZoneRanger Text Interface The ZoneRanger text interface provides the ability to view and configure a ZoneRanger, providing a mechanism for configuration automation. This interface is accessible when using Telnet or SSH to access the ZoneRanger. Only users with admin security level are allowed to access this interface.
  • Page 241 Trap filters whitelist Whitelist settings access control To manage the users and passwords on ZoneRanger to access the web and text interfaces, as well as the ZoneRanger database and setup menu. access-control [ database-password db_password | setup-password setup_password | users ]...
  • Page 242 To add a group of access control servers to be used for TACACS+ and RADIUS authentication to ZoneRanger managed devices or the ZoneRanger itself. To remove a group, use the no form of this command access-control-server-group group_name no access-control-server-group group_name...
  • Page 243 [ insert-ip | key tacacs_key ] no tacacs [ insert-ip | key tacacs_key ] tacacs Adds TACACS+ specific information to this server group insert-ip Insert source address in rem_addr field of TACACS+ message Specifies the TACACS+ key.
  • Page 244 This example shows how to issue arp: zr# arp discovery To configure the discovery settings on a ZoneRanger. To remove a discovery setting, use the no form of this command discovery [ auto-manage | auto-poll | exclude-network | ignored-address | include-network | pe-...
  • Page 245 Address of subnet to exclude netmask Netmask of subnet to exclude Deletes an exclude address discovery ignored-address ip_address no discovery ignored-address ip_address ignored-address Addresses ignored in discovery ip_address Address to ignore Deletes an ignored address discovery include-network ip_address netmask...
  • Page 246 Search ARP caches broadcast-ping Send broadcast pings Deletes a search criteria discovery seed-node ip_address no discovery seed-node ip_address seed-node Seed nodes to be used by discovery ip_address Seed node IP address Deletes a seed node discovery start...
  • Page 247 24 zr# discovery search ip-route arp-cache broadcast-ping zr# discovery start findroute Perform a diagnostic findroute using SNMP information between two devices. findroute hostname1 hostname2 Syntax Description hostname1 Hostname or IP address of starting device...
  • Page 248 To add a forwarding rule to forward UDP data from the ZoneRanger to the indicated Ranger Gateway. To remove a forwarding rule, use the no form of this command Forward [ dest-group | log-level | netflow | generic | sflow | syslog | | syslog-options | trap ] op-...
  • Page 249 ] destination_host_port [ source_addresses | enable | disable ] local_port ZoneRanger port to receive NetFlow packets. ranger_gateway Hostname or IP address of a joined Ranger Gateway. destination_host Hostname or IP address to which ZoneRanger should forward NetFlow packets dest-group Forward to destination group...
  • Page 250 Destination group to which to forward NetFlow packets data-diode Forward to Data Diode destination_host_port Port on hostname or IP address to which ZoneRanger should forward NetFlow packets source_addresses Source addresses of NetFlow packets to forward. IP address pattern or comma separated list.
  • Page 251 Destination group to which to forward sFlow packets data-diode Forward to Data Diode destination_host_port Port on hostname or IP address to which ZoneRanger should forward sFlow packets source_addresses Source addresses of sFlow packets to forward. IP address pattern or comma separated list.
  • Page 252 Forward only syslogs with a given text message_text Message text to search for. May be regular expression regex Treat message_text as a regular expression Deletes the message filter program program_name no program program_name...
  • Page 253 ZoneRanger port to receive SNMP traps. ranger_gateway Hostname or IP address of a joined Ranger Gateway. destination_host Hostname or IP address to which ZoneRanger should for- ward SNMP Traps dest-group Forward to destination group group-name Destination group to which to forward SNMP Traps...
  • Page 254 9996 rg1 collector 999 10.1.2.* This example shows how to create a syslog forwarding rule for ZoneRanger port 512 through Ranger Gateway rg1 to hostname syslog at port 512 for all sources matching the IP address range 10.1.2.*.
  • Page 255 This example shows how to set the number of commands to recall: zr# history 50 icmp To manage the ICMP proxy settings for this ZoneRanger. To remove an ICMP proxy setting, use the no form of this command. icmp [ cache | log-level ]...
  • Page 256 Enable ICMP proxy caching for this ZoneRanger Disable ICMP proxy caching for this ZoneRanger icmp cache log-level [ none | short | full ] no icmp cache log-level [ none | short | full ]...
  • Page 257 This example shows how to set the passcode: zr# join passcode passcode1 message-system To configure the access restrictions and SSL configuration of the ZoneRanger messaging system. To remove access restrictions and SSL configuration, use the no form of this command message-system [ restricted-address | ssl ]...
  • Page 258 This example shows how to specify a new trusted subject for ZoneRanger to allow for communications. zr# message-system ssl trusted-subject “CN=Ranger Gateway,OU=Engineering,O=Tavve,L=Morrisville,ST=North Carolina,C=US” node To manage Node Groups for this ZoneRanger. To remove a group, use the no form of this command
  • Page 259 @anotherNodeGroup zr(node-group)# exit To configure the NTP proxy settings for this ZoneRanger and its managed devices. To remove an NTP proxy setting, use the no form of this command ntp [ client-timeout | key | log-level | proxy-server | server-timeout |...
  • Page 260 Amount of time a ZoneRanger waits for a message from an NTP client before closing the connection timeout NTP client timeout in seconds...
  • Page 261 Index position of NTP proxy rule starting at 1 Delete NTP proxy server rule ntp server-timeout timeout no ntp server-timeout timeout server-timeout Amount of time a ZoneRanger waits for a message from an NTP server timeout NTP server timeout in seconds Delete server timeout rule...
  • Page 262 Polling interval in seconds timeout Polling timeout in seconds retries Number of retries after unsuccessful poll position Position to place polling rule (optional) index Index position of polling rule starting at 1 Delete polling rule
  • Page 263 22 enabled propagate-status interval 300 radius To configure the RADIUS access control settings on the ZoneRanger. To remove a RADIUS access control setting, use the no form of this command radius [ access-control | client-timeout | log-level | proxy-rule | server-timeout ]...
  • Page 264 Configure ZoneRanger access control using RADIUS server-group Specify the server group ZoneRanger will use for RADIUS authentication. group_name Access control server group name Delete ZoneRanger access control using RADIUS...
  • Page 265 20 zr# radius proxy-rule 10.*.*.* rgroup1 zr# radius proxy-rule 10.1.3.* rgroup2 1 resolve Perform a diagnostic name resolution of a hostname or IP address from the ZoneRanger. resolve address Syntax Description address Hostname or IP address to resolve Usage Guidelines Command to perform a diagnostic name resolution of a hostname or IP address.
  • Page 266 Time in seconds email Email configuration to send root cause notification from Send email directly from the ZoneRanger email_addr Email addresses separated by commas ranger-gateway Send email through specified Ranger Gateway Joined Ranger Gateway through which to send email...
  • Page 267 Each of the route commands will take effect immediately when executed. The add clause will temporarily add the specified route to the ZoneRanger for a period of 60 seconds. Within that 60 seconds, a corresponding commit clause must be executed to permanently add the route to the ZoneRanger routing table.
  • Page 268 View the current ZoneRanger routing table Example This example shows how to add and remove a route from the ZoneRanger: zr# route add 10.1.2.3 255.255.255.255 10.1.2.1 zr# route commit 10.1.2.3 255.255.255.255 10.1.2.1 zr# route view zr# route delete 10.1.2.3 255.255.255.255 10.1.2.1 scan Perform a diagnostic TCP or scan from the ZoneRanger to a device.
  • Page 269 This example shows how to modify command shell options: zr# shell output-lines 15 zr# shell prompt “zr shell >” zr# shell debug 5 show Display current configuration values or ZoneRanger information. show command Syntax Description access-control Display user configuration access-control-server-group...
  • Page 270 To modify the SNMP configuration of the ZoneRanger. To remove a polling setting, use the no form of this command snmp [ agent | cache | disallowed | disallowed-oid | log-level | manager-rule | user | v3-require ]...
  • Page 271 Configure the ZoneRanger SNMP sysLocation loc_string ZoneRanger SNMP sysLocation user SNMP v3 users allowed access to ZoneRanger SNMP agent user_name Name of SNMP v3 user allowed access to SNMP agent Enable ZoneRanger SNMP v1 agent support Enable ZoneRanger SNMP v2 agent support...
  • Page 272 Configure the list of IP addresses disallowed SNMP access ip_address_pattern IP address pattern to disallow ZoneRanger SNMP access Delete ZoneRanger SNMP disallowed configuration snmp disallowed-oid ip_address_pattern object_id get_disallowed set_disallowed index no snmp disallowed-oid ip_address_pattern object_id get_disallowed set_disallowed index...
  • Page 273 [ v1 | v2c | v3 user] timeout timeout retries retries port port position index manager-rules Configure SNMP device management rules ip_address_pattern IP address pattern to disallow ZoneRanger SNMP access comm_string ZoneRanger SNMP community string Use SNMP v1 for this rule...
  • Page 274 Require that SNMPv3 users be configured in order to proxy any SNMPv3 requests Do not require SNMPv3 users. Examples This example shows how to set the ZoneRanger SNMP agent settings: zr# snmp agent community new_community
  • Page 275 “New York City” zr# snmp agent user john zr# snmp agent v3 This example shows how to add IP addresses to which the ZoneRanger will not make SNMP requests: zr# snmp disallowed 10.1.2.* This example shows how to add some SNMP management rules: zr# snmp manager-rule 10.1.10.10 1 Community1 timeout 1 retries 1 port 161...
  • Page 276 This example shows how to SNMP walk the system table: zr# snmpwalk router1 v1 public 1.3.6.1.2.1.1 system Change the system configuration on the ZoneRanger. system [ dns | host | port | property | reboot | restart | shutdown ] Syntax Description...
  • Page 277 Position to place domain name (optional) index Index position secondary-dns Enable ZoneRanger as a secondary DNS server server Specify a DNS server for ZoneRanger to use for name resolution dns_server DNS server name position Position to place DNS server (optional) index...
  • Page 278 Property name to change/set property_value Property value to name/set tacacs To configure the TACACS+ access control settings on the ZoneRanger. To remove a TACACS+ access control setting, use the no form of this command tacacs [access-control|client-timeout|log-level|max-size|proxy-rule|server-timeout] no tacacs [access-control|client-timeout|log-level|max-size|proxy-rule|server-timeout] Syntax Description...
  • Page 279 Level (1-15) associated with operator users protocol Protocol to which this ZoneRanger login is associated protocol Protocol to which this ZoneRanger login is associated server-group Specify the server group ZoneRanger will use for TACACS+ authentication.
  • Page 280 Access control server group name service Service to which this ZoneRanger login is associated service Service to which this ZoneRanger login is associated Delete ZoneRanger access control using TACACS+ tacacs client-timeout timeout no tacacs client-timeout timeout client-timeout Configure TACACS+ client timeout timeout TACACS+ client timeout in seconds.
  • Page 281 10.*.*.* rgroup1 zr# tacacs proxy-rule 10.1.3.* rgroup2 1 To modify the TCP proxy configuration of the ZoneRanger. To remove a TCP proxy setting, use the no form of this command. tcp log-level [none | short | full] | ftp-active-to-passive...
  • Page 282 Allow TFTP proxy write access create Allow TFTP proxy create access ip_address_pattern IP address pattern to disallow ZoneRanger SNMP access Specify Ranger Gateway to TFTP proxy directly to or through ranger_gateway Ranger Gateway to TFTP proxy to or through remote_host...
  • Page 283 10.1.1.1 read write to gateway1 tftpserver 69 time To configure the time setting on the ZoneRanger itself. To remove a time setting, use the no form of this command time [ gateway | ntp | time-protocol ]...
  • Page 284 Synchronize ZoneRanger time using NTP proxy-server Retrieve ZoneRanger time through Ranger Gateway. ranger_gateway Retrieve ZoneRanger time from a NTP server through this joined Ranger Gateway ntp_server NTP server name from which to retrieve time key_index Authentication key index which must already be defined...
  • Page 285 Syntax Description address Hostname or IP address to ping Usage Guidelines Command to perform a network traceroute from the ZoneRanger to the specified device. Example This example shows how to traceroute device node1: zr# traceroute node1 traffic To configure the traffic configuration settings on the ZoneRanger.
  • Page 286 [ all | per ] [ <cr> | notify [ <cr> [ [ icmp | ntp | radius | snmp | tacacs ] threshold ] ] ] no traffic proxied … forwarded Configure proxied threshold information for ZoneRanger All traffic Per IP address traffic <cr>...
  • Page 287 IP address pattern to match against trap agent Deletes this condition condition community string no condition community string condition Adds a filtering condition. community Specify community string condition string String to match against trap community string
  • Page 288 Adds a filtering condition. Specify OID condition OID to match against trap OID Deletes this condition condition specific type no condition specific type condition Adds a filtering condition.
  • Page 289 Specific SNMP v3 to match against trap Deletes this condition Example This example shows how to create a trap filter which will only allow traps with agent addresses matching 10.1.10.*. zr# trap-filter agentfilter zr(trap-filter)# condition agent 10.1.10.* zr(trap-filter)# exit
  • Page 290 To change the whitelist configuration on the ZoneRanger. To disable whitelisting, use the no form of this command whitelist no whitelist Usage Guidelines Whitelist changes are made within the whitelist configuration submode. Once you are in the whitelist configuration submode, the following configuration commands are available: •...
  • Page 291: Chapter 37: Ranger Gateway Command Interface

    The commands are installed in the following directories, depending on the platform: Operating System / Directory: Linux install_dir/bin; Solaris install_dir/bin; Windows install_dir\bin\ where <install_dir> is the directory where the Ranger Gateway software was installed (by default: C:\Program Files\Tavve\Ranger Gateway). Command Summary Command Description
  • Page 292 Used to download log files, such as trapd.log and syslog.log, from a ZoneRanger downloadTftpFile Copies a file from a ZoneRanger TFTP directory to the Ranger Gateway download directory echoTest Verifies communication with a ZoneRanger GatewayStart...
  • Page 293 Lists the Ranger Gateway ports that proxy to the HTTP, HTTPS, Telnet, SSH, and SQL services on each joined ZoneRanger listTftpFiles Lists the files in a ZoneRanger TFTP directory localMacs Lists the current set of MAC addresses on this Ranger Gateway...
  • Page 294 ZoneRanger routing table, then removes it after 60 seconds (addRoute). This enables route testing before making permanent routing table updates. To make a route permanent, use the commitRoute command before 60 seconds have elapsed.
  • Page 295 network_addr specifies the IP address of the route to be added; network_mask specifies the network mask of the route; gateway_addr specifies the gateway IP address for this route. commitRoute permanently adds an entry to the ZoneRanger routing table. The route must first be added using the addRoute command. configGateway...
  • Page 296 Whether or not the source address in the NTP client requests is the source address of the original sending device managed by the ZoneRanger or the address of the Ranger Gateway. radius_proxy_log Level of logging for RADIUS proxy - values: none, short,...
  • Page 297 Whether or not the source address in the TACACS+ client requests is the source address of the original sending device managed by the ZoneRanger or the address of the Ranger Gateway. tcp_proxy_log Level of logging for TCP proxy - values: none, short, full...
  • Page 298 configLicenses: ZoneRanger VM licenses on this Ranger Gateway. When loading a new set of licenses from the specified file, all of the current licenses will be removed prior to loading the new licenses.
  • Page 299 This option reverts the presently used SSL certificate back to the Tavve original SSL certificate. After a certificate is installed on the Ranger Gateway, you must use the ZoneRanger web interface to configure joined ZoneRangers to accept connections using the new certificate. If not already present, the Trusted Subject which is associated with the new SSL Certificate must be added on the Configuration >...
  • Page 300 TACACS+ client spoof requests is the source address of the original sending device managed by the ZoneRanger or the address of the Ranger Gateway. • spoofing is enabled •...
  • Page 301 short specifies logging of Overall traffic counts; full specifies logging of Overall and Per ZoneRanger traffic counts. createSecurityKey createSecurityKey security-admin|admin|operator [-p] [-d dir ] | [-t] -p prompts for a passphrase when creating the security key; -d dir specifies the destination directory to write the security key.
  • Page 302 Tavve Support personnel. If a zoneranger is not specified, the debugging filter will be applied to the Ranger Gateway.
  • Page 303 Ranger Gateway when required modifications have been completed. As a convenience, a device group called ZoneRanger is available which includes any IP addresses that map to a joined ZoneRanger based on the proxyMap configuration.
  • Page 304 If the output file is specified, the resulting configuration is written to the specified file and the active device group table is unchanged. deviceGroup merge [–in input_file ] [-out output_file ] merge_file
  • Page 305 OuterDeviceGroup 10.254.1.100 then, at a minimum, the following members will be listed: • 10.254.1.100 • 10.254.1.* • 10.254.1.[90-110] If the InnerDeviceGroup also matches 10.254.1.100, that entry will be listed as well.
  • Page 306 (i.e. Local, ZoneRanger). In addition, the list subcommand can list entries from offline files, but the test subcommand only lists entries from the Ranger Gateway’s active device group table.
  • Page 307 ZoneRanger (start). status displays the status of the discovery service on the specified ZoneRanger. discovery starts the discovery service on the specified ZoneRanger, or gives the status of a currently running discovery service. downloadFile...
  • Page 308 ZoneRanger TFTP directory to the Ranger Gateway download directory (downloadTftpFile). echoTest echoTest [ zoneranger ] zoneranger specifies the name of the ZoneRanger. echoTest verifies communication with a ZoneRanger. If executed without any parameters, echoTest verifies communication with the Ranger Gateway software. Use Ctrl-C to stop running...
  • Page 309 Ranger Gateway will stop handling management traffic received on the virtual interface, will delete the virtual interface routes and ZoneRanger host routes, and will remove the virtual interface. gvi status subcommand displays the current status of the GVI service. The gvi status...
  • Page 310 Note that if NAT is in effect between the Ranger Gateway and the ZoneRanger, querying the databases of joined ZoneRangers will not produce useful results, because the listed subnets or addresses will reflect the ZoneRangers’ perspective, as opposed to the Ranger Gateway’s perspective.
  • Page 311 IP addresses and subnets in the GVI route list (gvi list-routes). If the GVI service is enabled, the listed routes will also include any ZoneRanger host routes that have been created by the route manager. If the -...
  • Page 312 Telnet services on each joined ZoneRanger. When a Ranger Gateway and ZoneRanger are joined, a set of TCP ports on the Ranger Gateway is allocated to communicate with the HTTP, HTTPS, SQL, SSH, and Telnet services on the ZoneRanger. Thus, applications which understand those protocols may communicate with the assigned port on the Ranger Gateway, and that communication will be proxied directly to the same service on the ZoneRanger.
  • Page 313 Ranger Gateway is running before installation. -noserver. patchuninstall is used, under the direction of Tavve Support personnel, to remove a patch from the Ranger Gateway. This is for Linux and Solaris Ranger Gateways only.
  • Page 314 ZoneRanger within the specified timeout. If no response is received within the timeout period, the upload will fail. patchZR zoneranger apply [-timeout seconds ] patch_number specifies the number of seconds to wait for the patch to be applied.
  • Page 315 ZoneRanger. If the patch has not been completely removed within the specified timeout period, the command will exit but the patch will still be removed. patchZR zoneranger infoApplied [-timeout seconds ] patch_number...
  • Page 316 -out. port-config-name specifies the name of the port config ruleset. transport specifies the protocol of ICMP, UDP or TCP.
  • Page 317 zrport: the port the ZoneRanger should use when forwarding the request to the target device, or a translation rule that can be used to calculate the port that should...
  • Page 318 , rg-port. The portConfig list subcommand can read input from the active portConfig table, or from a specified text file. If no input file is specified, the active portConfig table is used. portConfig clear [-f]
  • Page 319 XML format. An example of this format, corresponding to the default Ranger Gateway configuration, is as follows:
    <port-config-list>
      <port-config name="Default">
        <rule transport="TCP" rg-port="22" protocol="SSH"/>
        <rule transport="TCP" rg-port="443" protocol="HTTPS"/>
        <rule transport="UDP" rg-port="161" protocol="SNMP"/>
        <rule transport="ICMP"/>
      </port-config>
      <port-config name="ZoneRangerDefault">
  • Page 320 snmpAgent (port 161) may not be disabled since it is needed for ZoneRanger discovery. However, to disable external access, use the Configuration > SNMP page Agent tab on the ZoneRanger web interface and uncheck all three SNMP versions next to Agent Responds To.
  • Page 321 -out. src-address indicates the source IP address of the incoming request. dest-address indicates the destination IP address of the managed device. port-config-name: name of the Port Config rule.
  • Page 322 • To add new portMap table rules. • To modify existing portMap table rules.
  • Page 323 <src-address> <dest-address> <transport> <rg-port>. src-address indicates the source IP address of the incoming request. dest-address indicates the destination IP address of the managed device. transport specifies the protocol of TCP, UDP or ICMP.
  • Page 324 propertyList [ zoneranger ]: zoneranger specifies the name of the ZoneRanger. propertyList retrieves the current set of properties from the ZoneRanger or Ranger Gateway. propertyUnset: propertyUnset [ zoneranger ] property_name
  • Page 325 [–out output_file ] • copy [–in input_file ] [-out output_file ] • add [–in input_file ] [-out output_file ] rg-address zoneranger [ zr-address ] [-weight weight ] • remove [–in input_file ] [-out output_file ] rg-address [ zoneranger ] •...
  • Page 326 zoneranger: the ZoneRanger to which to send the request. zr-address specifies the IP address to use on the ZoneRanger in the case of address translation for this request. The weight option specifies the weight of this ZoneRanger. This must be a positive integer.
  • Page 327 Otherwise, the resulting configuration is written to the specified file and the active proxy map is unchanged. The weight option must be a positive integer which indicates the weight of each ZoneRanger relative to other ZoneRangers when choosing proxy map entries.
  • Page 328 The default value is true. allow_unconfigured_routes specifies whether the proxy map service should simply select the best available ZoneRanger to relay requests in the absence of a matching entry in the active proxy map. The default value is true.
  • Page 329 ZoneRanger status and history. ProxyMap File formats The various subcommands that generate configurations (...
  • Page 331 RangerGateway: starts the Ranger Gateway Viewer GUI. removeTftpFile zoneranger filename: zoneranger specifies the name of the zoneranger from which to remove the file; filename specifies the file to remove. removeTftpFile removes a file from the ZoneRanger TFTP directory. rgBackup...
  • Page 332 <client-address> <subnet> [<subnet> …]. <client-address> indicates the set of OpenVPN client addresses to which to add routes. <subnet> indicates the subnet or individual IP address to add to the OpenVPN client address.
  • Page 333 OpenVPN client address (rgvi clear-routes). rgvi config [ item [ value ]]: rgvi config can be used to display or modify configuration items associated with the RGVI service. The configuration items associated with the RGVI service are:
  • Page 334 –rg creates a Ranger Gateway service dump. servicedump zoneranger [-i[nfo] | -s[top] –t[arget] location name from to ]: zoneranger specifies the name of the zoneranger on which to perform the service dump; -i[nfo] reports the status of the service dump; -s[top] stops the service dump.
  • Page 335 SQL database tables on the specified ZoneRanger. The sqlQuery command can be used to retrieve database information stored in the specified ZoneRanger, which includes node, interface, and general network connectivity of managed devices. You can query the following database tables: cloud...
  • Page 336 trapXmlValidator: checks that the ZoneRanger can load the trap definitions file. troubleshootNetwork zoneranger [-timeout seconds ] command [ arguments ]: zoneranger specifies the name of the ZoneRanger...
  • Page 337 Option 1: List trusted messaging subjects trustedSSL -listMessagingSubjects This option is used to display the current list of trusted messaging subjects on the Ranger Gateway. This is used for ZoneRanger communications. Option 2: Add trusted messaging subject trustedSSL -addMessagingSubject [-subject value ] specifies the trusted messaging subject to add to the Ranger Gateway list.
  • Page 338 Windows. This must be installed upon completion of Ranger Gateway installation before running the gvi command. (Windows only) unjoinAll: unjoinAll unjoins from all joined ZoneRangers. unjoinRequest zoneranger: <zoneranger> specifies the name of the ZoneRanger. unjoinRequest unjoins from a ZoneRanger.
  • Page 339 ICMP latency for the addresses polled by the specified ZoneRanger (viewIcmpLatency). ZoneRanger keeps the latency in memory from the last ICMP poll for all devices it is polling. viewIcmpLatency can be used to retrieve the ICMP latency for the specified addresses. If no addresses are specified, the ICMP latency for all polled devices will be returned.
  • Page 340: Part V. Zoneranger Applications

    ZoneRanger. Separately licensed features are distributed by Tavve as ZoneRanger patches. Each Tavve license patch is specific to the ZoneRanger upon which it can be installed and may not be installed on another ZoneRanger.
  • Page 341: Chapter 38: Hp Om

    Figure 38-1. HP OM Proxy Requests In order for the ZoneRanger and Ranger Gateway to proxy requests between the HP OM agents and HP OM server, the HP OM agents need to be configured to send requests to a ZoneRanger configured port.
  • Page 342 SSL Certificate, Private Key, and Trusted CA Certificates to be used by ZoneRanger when communicating with HP OM agents and HP OM servers. The Certificate and Private Key section defines the information necessary to authenticate communications between HP OM agents and HP OM servers and the ZoneRanger.
  • Page 343 HP OM server itself or on another system. The set of Ranger Gateways needed to reach each HP OM server must be defined on the ZoneRanger. The path to each HP OM server is used when defining Inbound Proxy rules on the Configuration > Inbound Proxy page HP OM tab.
  • Page 344 Once ZoneRanger determines a successful management application server destination, it will continue to use that destination until a proxy request fails. HP OM requests received by a ZoneRanger, and HP OM responses sent by a ZoneRanger can be written to a log file, called /l .
  • Page 345 “RG:” or a path to a Management Application Server as configured on the Configuration > Ranger Gateway page Mgmt App Servers tab. The Port is the TCP port to which HP OM requests will be sent.
  • Page 346 HP OM agents and HP OM servers. In the Statistics section on the ZoneRanger dashboard, there is a chart which is specific to HP OM proxy requests. As with other charts, this chart shows the last 4 hours of HP OM proxy traffic based on the statistics recorded by the ZoneRanger.
  • Page 347: Chapter 39: Web File

    Web File agents communicate with the Web server using either HTTP or HTTPS protocols. In the case of an HTTP Get File or HTTP Put File request, the ZoneRanger will validate the name of the file in the request based on a configuration setting. In the case of an HTTPS request, since HTTPS connections are encrypted, the ZoneRanger will proxy the request through to the Ranger Gateway directly.
  • Page 348 It is valid to allow both HTTP and HTTPS communications in the same Web File Options configuration. It is also valid to specify neither HTTP nor HTTPS communications (both unchecked) in the same Web File Options configuration. In the latter case, no connections will be proxied.
  • Page 349 Web server itself or on another system. The set of Ranger Gateways needed to reach each Web server must be defined on the ZoneRanger. The path to each Web server is used when defining Web File Proxy rules on the Configuration > Inbound Proxy page Web File tab.
  • Page 350 Once ZoneRanger determines a successful management application server destination, it will continue to use that destination until a proxy request fails. Web File requests received by a ZoneRanger, and Web File responses sent by a ZoneRanger can be written to a log file, called /l .
  • Page 351 “RG:” or a path to a Management Application Server as configured on the Configuration > Ranger Gateway page Mgmt App Servers tab. The Port is the TCP port to which Web server requests will be sent. Indicators and Statistics
  • Page 352 Web File agents and Web servers. In the Statistics section on the ZoneRanger dashboard, there is a chart which is specific to Web File proxy requests. As with other charts, this chart shows the last 4 hours of Web File proxy traffic based on the statistics recorded by the ZoneRanger.
  • Page 353: Appendices

    Appendices A. SNMP Agent ZoneRanger provides specific system and traffic information via its SNMP agent. The MIB can be found in the ZRCustom directory on the Ranger Gateway installation as the file ZONERANGER-AGENT.mib. -- This is the MIB for Tavve Software Co.'s ZoneRanger agent.
  • Page 354 SP level if set." ::= { tscZRInformation 1 } tscZRModel OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "A textual description of the ZoneRanger model. For example, ZR-200, ZR-SPX, etc." ::= { tscZRInformation 2 } tscZRManagedNodes OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of managed nodes."...
  • Page 355 ::= { tscZRInformation 6 } tscZRLastStartTime OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "The last time that the ZoneRanger software started." ::= { tscZRInformation 7 } tscZRAppServerFreeMemory OBJECT-TYPE SYNTAX KBytes UNITS "KB" MAX-ACCESS read-only STATUS...
  • Page 356 "The name of a particular Ranger Gateway." ::= { tscZRRangerGatewayEntry 2 } tscZRRangerGatewayConnectionStatus OBJECT-TYPE SYNTAX INTEGER { up(1), down(2), unknown(3) MAX-ACCESS read-only STATUS current DESCRIPTION "The connection status of a particular Ranger Gateway." ::= { tscZRRangerGatewayEntry 4 } tscZRMessagesExternalSent OBJECT-TYPE SYNTAX Counter32
  • Page 357 DisplayString, tscZRForwardStatsCount Counter32 tscZRForwardStatsProtocol OBJECT-TYPE SYNTAX INTEGER { generic(1), trap(2), syslog(3), sflow(4), netflow(5) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The protocol filter type." ::= { tscZRForwardStatsEntry 1 } tscZRForwardStatsName OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION
  • Page 358 ::= { tscZRIcmpProxyStats 2 } tscZRIcmpProxyDiscards OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The count of ICMP proxy requests discarded. One possible reason is requests to unmanaged devices." ::= { tscZRIcmpProxyStats 3 } -- Conformance
  • Page 359 OBJECT IDENTIFIER ::= { tscZRConformance 1 } tscZRGroups OBJECT IDENTIFIER ::= { tscZRConformance 2 } tscZRCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for the ZoneRanger Agent MIB." MODULE -- this module MANDATORY-GROUPS { tscZRInformationGroup, tscZRMessagingGroup, tscZRForwardingGroup, tscZRSnmpProxyGroup, tscZRIcmpProxyGroup ::= { tscZRCompliances 1 }...
  • Page 360: Zoneranger And Ranger Gateway Traps

    B. ZoneRanger and Ranger Gateway Traps ZoneRanger and Ranger Gateway generate SNMP traps to indicate changes to managed devices as well as the ZoneRanger and Ranger Gateway itself. Traps are defined in the file which is located in the ZRCustom directory on the Ranger tavve.mib...
  • Page 361 Polling status traps. Trap / Description: tcsZRTcpRefused: The TCP service refused a connection attempt. tscRedZRIfDown: Sent after ZoneRanger determines that a redundant interface is no longer reachable. tscRedZRIfUnknown: Sent after ZoneRanger determines that a redundant interface is no longer known. tscRedZRIfUp: Sent after ZoneRanger determines that a redundant interface is reachable.
  • Page 362 Configuration change traps. Trap / Description: tscZRHostnameChanged: Sent by ZoneRanger to report that it changed the reported hostname. tscZRInterfaceAdded: Sent by ZoneRanger to report that it added the reported interface. tscZRInterfaceDeleted: Sent by ZoneRanger to report that it deleted the reported interface...
  • Page 363 Ranger Gateway, or the Ranger Gateway version does not match the reporting ZoneRanger. tscJoinFailed: The ZoneRanger and Ranger Gateway failed to join. tscMessageQueueIsFull: A queue on the ZoneRanger or Ranger Gateway is full. tscMessagesDiscarded: The ZoneRanger or Ranger Gateway discarded messages.
  • Page 364 The ZoneRanger or Ranger Gateway detected a security violation tscNotJoined The ZoneRanger behaves as if it is not joined to the reporting Ranger Gateway, or the Ranger Gateway behaves as if it is not joined to the reporting ZoneRanger...
  • Page 365: Socks

    4. If the request is allowed, the SOCKS server on the Ranger Gateway consults the Proxy Map service to identify a ZoneRanger that is able to proxy traffic to the target device, and to translate the target address to the address that the ZoneRanger must use to access the target device if NAT is in effect, then forwards the connection request to the selected ZoneRanger.
  • Page 366 ZoneRanger that is able to proxy traffic to the target device, and to translate the target address to the address that the ZoneRanger must use to access the target device if NAT is in effect, removes the prepended header, then forwards the request to the selected ZoneRanger.
  • Page 367: Ip Address Aliasing

    SNMP requests are routed to the Ranger Gateway server. For example, consider the network shown in the following figure:
  • Page 368 IP address and the primary address associated with the Ranger Gateway are both in the 10.1.1.0/24 subnet, if sufficient unused addresses in this subnet could be found, these addresses could be used as the alias addresses.
  • Page 369 IP address aliases that can be defined. As a result, this technique may not be able to support the required number of managed devices for some applications. Lastly, the number of proxy protocols that are supported by this technique is fairly limited (i.e. SNMP and SSH).
  • Page 370: Ssl Communications Between Zoneranger And Ranger Gateway

    At the beginning of each SSL session both parties involved in the session authenticate each other by exchanging SSL certificates. In order for the session to be established, each party (i.e. a ZoneRanger or a Ranger Gateway) must validate the other party's SSL certificate based on the following criteria: •...
  • Page 371 Second, add the Certificate Authority which authorized the SSL certificate which was installed on the ZoneRanger if it is not already listed under the List trusted certificate authorities option. The Certificate Authority may be added from a file in X509 or JKS Keystore format using the Add trusted certificate authorities option.
  • Page 372: Accessing Zoneranger Through The Ranger Gateway

    Some ZoneRanger ports and services may be accessed securely by proxy through the Ranger Gateway. The Ranger Gateway assigns a set of TCP ports for each joined ZoneRanger for a particular set of services (HTTP, HTTPS, SQL, SSH, and Telnet). The...
  • Page 373 Using Ranger Gateway to remotely access the ZoneRanger Text Interface By default, the ZoneRanger can be accessed using SSH on port 22, or using Telnet on port 23. However, if those ports cannot be accessed because of security considerations, you can access the ZoneRanger through a Ranger Gateway.
  • Page 374: Zoneranger Technician Access

    . You should change this password as soon as initial configuration is finished. setup
    Note: The MAC address of the ZoneRanger is displayed at the top of the Main Menu screen. Users must communicate this MAC address to Tavve Support personnel so that a time-limited, secure passcode can be generated.
  • Page 375: Installation

    To use the console version of the installation software, follow these steps: 1. Insert the Ranger Gateway CD-ROM into the CD drive and mount the drive. 2. Change your working directory to the mounted CD.
  • Page 376 To completely remove the Ranger Gateway software, you can remove the install_dir directory after running Uninstall_Tavve_Ranger_Gateway. Uninstalling Ranger Gateway on Windows: To uninstall the Ranger Gateway software on Windows systems, use the Windows Add/Remove Programs control panel.
  • Page 377: Installing Ranger Gateway In Solaris 10 Zones

    If one or more zones are running management applications, it is possible to install the Ranger Gateway alongside those management applications so that those applications can manage ZoneRanger managed devices. However, because non-global zones cannot manage network routes, the Ranger Gateway GVI will not install in non-global zones.
  • Page 378: Rgvi Client Installation And Configuration

    10.254.12.2, the placeholder should be replaced with the following lines:
    10.254.12.1
    # Replace the following address with Ranger Gateway's address
    remote 10.254.12.1
    remote 10.254.12.2
    OpenVPN is a freely-available open source SSL VPN solution (see http://www.openvpn.net)
  • Page 379 Additional information for a number of supported operating systems is provided in the following sections. If no information has been provided for the operating system you are using, please contact Tavve technical support. Solaris A pre-built Solaris OpenVPN package can be downloaded from http://www.blastwave.org, an open source Solaris software site.
  • Page 380 2. Edit the newly-created /etc/init.d/rgviClient file to indicate that the sample RGVI configuration should be used. To do this, replace the line that reads:
    OPENVPN_CONF=/etc/csw/openvpn/openvpn.conf
    with:
    OPENVPN_CONF=/etc/csw/openvpn/rgviClient.conf
    3. Create symbolic link directory /etc/rc3.d file, by executing the following command: /etc/init.d/rgviClient
  • Page 381 OpenVPN client manually or intend to configure the OpenVPN client to start automatically when the operating system is restarted (i.e. via an init.d script), as described in the following sections.
  • Page 382 3. Comment out the “key rgviClientWithPassword.key” line. 4. Uncomment the “# key rgviClientNoPassword.key” line. Note that the “#” character denotes a comment line. The resulting two lines should be as follows:
    # key rgviClientWithPassword.key
    key rgviClientNoPassword.key
  • Page 383 C:\Program Files\OpenVPN\config directory. The specific files to be copied, and the associated configuration instructions, depend on whether you prefer to start the OpenVPN client manually or intend to run the OpenVPN client as a Windows service, as described in the following sections.
  • Page 384 1. Open the pre-configured certificate management console, by executing the following commands:
    cd C:\Program Files\OpenVPN\config
    mmc LocalComputerAccountPersonalCertificatesConsole.msc
    2. The Local Computer Account Personal Certificates console window will open, as shown in the following figure.
  • Page 385 4. The welcome page for the Certificate Import Wizard will be displayed. Read the information on the welcome page, then click the Next button. The File to Import page will be displayed as shown in the following figure.
  • Page 386 6. Click the Open button. The File to Import page will be re-displayed. Click the Next button. The Password page will be displayed, as shown in the following figure.
  • Page 387 Click the OK button. The Local Computer Account Personal Certificates console will be re-displayed. Click on the Certificates item in the left hand panel, to display the personal certificates that have been configured for the local computer account, as shown in the following figure.
  • Page 388 The properties page for the OpenVPN Service will be displayed as shown in the following figure. Select Automatic in the Startup type drop-down, click the Start button to start the service, then click the OK button to save your settings and close the window.
  • Page 389 You can inspect the status of the OpenVPN service by looking in the log file at the following location: C:\Program Files\OpenVPN\log\rgviClientWindowsService.log If OpenVPN started and connected to the Ranger Gateway successfully, the following message should be displayed in the log file: Initialization Sequence Completed