Tavve zoneranger User Manual page 26


When the GVI service is enabled, the Ranger Gateway creates a virtual point-to-point interface on the
management application server, and adds one or more static routes to the management application server
so that traffic destined for devices located in firewall-partitioned networks is routed to this virtual
interface (1). The GVI service in the Ranger Gateway, as the creator/owner of the virtual interface,
receives all traffic that is routed to the virtual interface (2). The GVI service consults with the Proxy
Access Control service in the Ranger Gateway to determine if the traffic should be allowed, and to
identify the protocol-specific proxy service (e.g. SNMP proxy, TCP proxy) that should handle the traffic.
If the request is allowed, the GVI service forwards the traffic to the selected proxy service (3). The
proxy service consults the Proxy Map service in the Ranger Gateway in order to identify a
ZoneRanger that is able to relay the traffic to the target device, and to translate the target address, if
necessary, and then forwards the traffic to the selected ZoneRanger (4)(5), which in turn forwards the
traffic to the target DMZ device (6). Where applicable, proxy services may also perform validation and
filtering of the management traffic, as appropriate for the service being used.
The GVI service also includes a route manager that simplifies creation and management of the static
routes that are needed so that management traffic is routed to the virtual interface. The route manager
can be configured with a set of subnets or individual IP addresses that should be routed to the virtual
interface, and will automatically create the associated static routes when the GVI service is enabled, and
will delete these routes when the GVI service is disabled. If the GVI service is enabled and the Ranger
Gateway software is stopped, the route manager will automatically remove any static routes associated
with the virtual interface, and will reconfigure these routes when the Ranger Gateway software is
restarted. As a result, there should be no need to redefine static routes if the management application
server is rebooted, because the virtual interface static routes will be reconfigured when the Ranger
Gateway software is started.
The virtual interface created by the GVI service emulates a point-to-point interface. As such, a local IP
address and a remote IP address must be associated with this interface. By default, the GVI service
configures the virtual interface with the following addresses:
Local: 192.168.48.1
Remote: 192.168.48.2
Alternative addresses can be configured if these addresses create a conflict. Please contact Tavve
Support for more information if you need to change these addresses.
In order to route a subnet corresponding to a set of managed devices to the virtual interface, the route
manager creates a static gateway route to the virtual interface's remote address. For example, in order to
route the 10.1.10.0/255.255.255.0 subnet to the virtual interface, the following route would be
defined:
10.1.10.0 255.255.255.0 192.168.48.2
Before creating a static route for a given subnet, the route manager checks to see if any of the IP
addresses being used to communicate with joined ZoneRangers lie within the subnet being added. In
order to ensure that communication with joined ZoneRangers can continue, the route manager
automatically creates host routes for any such addresses. These host routes override the subnet routes in
the system routing table for the given IP addresses, and effectively ensure that traffic destined for joined
ZoneRangers is routed to the gateway that would have been used in the absence of any virtual interface
routes.
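The route planning described above, sketched as an added example (not Tavve's code): for each managed subnet it emits the gateway route to the virtual interface's remote address, plus a host route for every joined ZoneRanger address inside that subnet. The function names, the sample routing table, and the use of a longest-prefix lookup to find "the gateway that would have been used" are assumptions made for illustration.

```python
import ipaddress

GVI_REMOTE = "192.168.48.2"  # default remote address of the virtual interface


def lookup_gateway(table, ip):
    """Longest-prefix match of ip against (network, gateway) pairs.

    Assumption: this stands in for however the route manager determines
    the gateway used before any virtual interface routes existed.
    """
    matches = [(net, gw) for net, gw in table if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def plan_routes(managed, zoneranger_ips, existing_table):
    """Return (destination, netmask, gateway) routes to install.

    managed        -- subnets or single IPs to send to the virtual interface
    zoneranger_ips -- addresses used to reach joined ZoneRangers
    existing_table -- (network, gateway) pairs present before GVI is enabled
    """
    table = [(ipaddress.ip_network(n), gw) for n, gw in existing_table]
    rangers = [ipaddress.ip_address(a) for a in zoneranger_ips]
    routes = []
    for entry in managed:
        net = ipaddress.ip_network(entry, strict=False)
        routes.append((str(net.network_address), str(net.netmask), GVI_REMOTE))
        for ip in rangers:
            if ip not in net:
                continue  # this ZoneRanger is unaffected by the new route
            gw = lookup_gateway(table, ip)
            if gw is None:
                raise ValueError(f"no pre-existing route to ZoneRanger {ip}")
            host = (str(ip), "255.255.255.255", gw)
            if host not in routes:
                routes.append(host)  # host route overrides the subnet route
    return routes


if __name__ == "__main__":
    # Constructed sample data: one ZoneRanger inside the managed subnet.
    pre_gvi = [("0.0.0.0/0", "172.16.0.1"), ("10.1.0.0/16", "172.16.0.254")]
    for route in plan_routes(["10.1.10.0/255.255.255.0"],
                             ["10.1.10.5", "10.2.0.9"], pre_gvi):
        print(*route)
```

Comparing the planned host routes against the live routing table is a quick check that enabling GVI has not redirected ZoneRanger control traffic into the virtual interface.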
ZoneRanger 5.5 User's Guide
26
