Tavve zoneranger User Manual page 30
Figure 8-5. Sharing a Ranger Gateway among multiple Management Application Servers
The RGVI service in the Ranger Gateway is configured with a list of permitted clients, and each client
can be configured with its own list of host and/or subnet addresses to be intercepted, or can inherit the
list of host and/or subnet addresses configured for the GVI service. When a client connects to the RGVI
service within the Ranger Gateway, the service checks its configuration to verify that the client is
permitted to use the RGVI service, and if so, pushes the corresponding set of host and/or subnet
addresses to the client, which then configures the corresponding routes on the management application
server. Permitted clients can also be specified using address patterns or device groups, allowing multiple
client addresses to share the same list of hosts and/or subnets to be intercepted. Note that if the list of
hosts and/or subnets to be intercepted for an RGVI client entry is modified while one or more of the
matching clients are running and connected to the Ranger Gateway, those clients must be restarted
for the modifications to take effect, because the route set is pushed to a client only when it connects.
In addition to checking the client's IP address to ensure that a client is permitted to access the RGVI
service, the Ranger Gateway also authenticates each client using SSL certificates. The list of trusted
RGVI subjects and corresponding certificate authorities can be configured using the trustSSL Ranger
Gateway command. Note that Ranger Gateway to ZoneRanger messaging and RGVI share a common
list of trusted certificate authorities, but have distinct trusted subject lists.
Although SSL-based authentication is always performed for RGVI client-to-server connections, the RGVI
service can optionally be configured to provide encryption and integrity checking for the data being
transferred between the client and the Ranger Gateway. Without this option only the connection setup is
authenticated; the management traffic carried over the RGVI connection between the management
application server and the Ranger Gateway is neither encrypted nor integrity-protected, so the option
should be enabled wherever that path is not otherwise protected. The option can be enabled or disabled
using the Ranger Gateway Viewer or the rgvi Ranger Gateway command. Note that the setting must agree
on both sides: if the Ranger Gateway is configured to provide encryption and integrity checking, every
RGVI client that connects to that Ranger Gateway must also be configured to provide encryption and
integrity checking, and if it is disabled on the Ranger Gateway, it must also be disabled on all RGVI
clients.
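The following is an added illustrative model of the gateway-side admission steps described in the preceding paragraphs (permitted-client matching with address patterns and device groups, inheritance of the GVI intercept list, the trusted-CA and RGVI trusted-subject checks, the encryption-setting agreement, and the fact that a connected client keeps the route set it received at connect time). It is not Tavve's or ZoneRanger's code; the configuration shapes, field names, the `group:<name>` pattern syntax, first-match semantics, and all addresses and certificate names are assumptions made for the example.

```python
"""Illustrative model of RGVI client admission on a Ranger Gateway.
Added example, not ZoneRanger code: config shapes, field names, the
"group:<name>" pattern syntax and first-match semantics are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class ClientEntry:
    match: str                          # exact IP, CIDR address pattern, or "group:<name>"
    intercept: list[str] | None = None  # None means: inherit the GVI service's list


@dataclass
class RgviConfig:
    gvi_intercept: list[str]            # hosts/subnets configured for the GVI service
    clients: list[ClientEntry]          # permitted RGVI clients, checked in order (assumed)
    trusted_cas: set[str]               # shared with Ranger Gateway <-> ZoneRanger messaging
    trusted_rgvi_subjects: set[str]     # distinct from the messaging trusted-subject list
    device_groups: dict[str, set[str]]
    encrypt: bool = False               # encryption + integrity checking for RGVI data


@dataclass
class ClientHello:
    addr: str
    cert_subject: str
    cert_issuer: str
    encrypt: bool


def _entry_matches(entry: ClientEntry, addr: str, groups: dict[str, set[str]]) -> bool:
    if entry.match.startswith("group:"):
        return addr in groups.get(entry.match[len("group:"):], set())
    # ip_network() accepts a bare host address as a /32 (or /128) network
    return ipaddress.ip_address(addr) in ipaddress.ip_network(entry.match, strict=False)


def admit(cfg: RgviConfig, hello: ClientHello) -> tuple[str, list[str] | str]:
    """Apply the checks in the order the manual describes and return
    ("ok", routes_to_push) or ("reject", reason)."""
    entry = next((e for e in cfg.clients if _entry_matches(e, hello.addr, cfg.device_groups)), None)
    if entry is None:
        return "reject", "client address not in permitted-client list"
    if hello.cert_issuer not in cfg.trusted_cas:
        return "reject", "client certificate not issued by a trusted CA"
    if hello.cert_subject not in cfg.trusted_rgvi_subjects:
        return "reject", "certificate subject not in the RGVI trusted-subject list"
    if hello.encrypt != cfg.encrypt:
        return "reject", "encryption/integrity setting does not match the gateway"
    intercept = cfg.gvi_intercept if entry.intercept is None else entry.intercept
    # normalise to CIDR strings; these become the routes installed on the client
    return "ok", sorted(str(ipaddress.ip_network(h, strict=False)) for h in intercept)


def connect(cfg: RgviConfig, hello: ClientHello) -> dict:
    """Admit a client and snapshot the routes it installs. A connected client
    keeps this snapshot until it is restarted, as the manual notes."""
    status, payload = admit(cfg, hello)
    if status != "ok":
        raise PermissionError(payload)
    return {"addr": hello.addr, "routes": list(payload)}


def sample_config() -> RgviConfig:
    """Constructed sample configuration (all addresses and names are made up)."""
    return RgviConfig(
        gvi_intercept=["10.20.0.0/16", "192.168.5.7"],
        clients=[
            ClientEntry("10.1.1.10"),                                 # inherits the GVI list
            ClientEntry("10.1.2.0/24", intercept=["172.16.0.0/12"]),  # address pattern, own list
            ClientEntry("group:nms-servers"),                         # device group, inherits
        ],
        trusted_cas={"CN=Example Management CA"},
        trusted_rgvi_subjects={"CN=nms-primary", "CN=nms-secondary"},
        device_groups={"nms-servers": {"10.9.9.1", "10.9.9.2"}},
        encrypt=True,
    )


CA = "CN=Example Management CA"


def demo() -> dict:
    """Run the admission cases a practitioner would want to see and return them."""
    cfg = sample_config()
    out = {
        "inherit": admit(cfg, ClientHello("10.1.1.10", "CN=nms-primary", CA, True)),
        "pattern": admit(cfg, ClientHello("10.1.2.55", "CN=nms-secondary", CA, True)),
        "group": admit(cfg, ClientHello("10.9.9.2", "CN=nms-primary", CA, True)),
        "unknown_addr": admit(cfg, ClientHello("10.5.5.5", "CN=nms-primary", CA, True)),
        "wrong_subject": admit(cfg, ClientHello("10.1.1.10", "CN=zoneranger-1", CA, True)),
        "no_encrypt": admit(cfg, ClientHello("10.1.1.10", "CN=nms-primary", CA, False)),
    }
    session = connect(cfg, ClientHello("10.1.1.10", "CN=nms-primary", CA, True))
    cfg.gvi_intercept.append("10.30.0.0/16")        # edit the list while the client is connected
    out["stale_routes"] = session["routes"]          # unchanged until the client restarts
    out["after_restart"] = admit(cfg, ClientHello("10.1.1.10", "CN=nms-primary", CA, True))[1]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `wrong_subject` case uses a subject that would be valid for Ranger Gateway to ZoneRanger messaging but is absent from the RGVI subject list, which is why the two lists being distinct matters; the `stale_routes` / `after_restart` pair shows why a connected client has to be restarted after its intercept list changes.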
By default, the RGVI client communicates with the Ranger Gateway using a custom UDP-based
protocol. The port on which the Ranger Gateway listens for incoming connections from RGVI clients is
configurable (default is 1194, which is also the registered OpenVPN port, so check for conflicts with any
existing firewall rules or services on that port). Any firewall between the management application server
and the Ranger Gateway must permit UDP traffic to this port. Note that if the RGVI port on the Ranger
Gateway is modified, it will also be necessary to modify the configuration of each RGVI client to use the
same port.
ZoneRanger 5.5 User's Guide
30