Chapter 9: Joining - Tavve zoneranger User Manual

Chapter 9: Joining

In the ZoneRanger architecture, the ability to proxy traffic between a management application and the devices in a firewall-partitioned network requires two components:
- One or more ZoneRanger appliances, located in the same network partition as the managed devices.
- An installed instance of the Ranger Gateway software component, which is typically installed on the same server as one or more management applications. [3]
The role of the Ranger Gateway is to act as an interface between the ZoneRangers and management
applications, relaying proxy traffic to/from ZoneRangers that are able to communicate directly with the
managed devices.
For security purposes, before a Ranger Gateway can relay management traffic to/from a given ZoneRanger, it must first be joined to that ZoneRanger. Joining is a simple process, initiated by the user, and can be performed using any of the following user interface mechanisms:
- Ranger Gateway Viewer
- Ranger Gateway command
- ZoneRanger web interface
Joining essentially establishes a persistent relationship between a Ranger Gateway and a ZoneRanger, so that the joined entities can cooperate in the provision of proxy services. Security for the joining process is implemented in two layers:
1. The Ranger Gateway and ZoneRanger must authenticate each other using SSL certificates.
2. The Ranger Gateway and ZoneRanger must be configured with matching passcodes. [4]
SSL authentication, when properly configured, can provide a high level of security. In order for a Ranger Gateway and a ZoneRanger to establish an SSL connection, the following conditions must be satisfied:
1. The Ranger Gateway must present an SSL certificate that has been signed by a certificate authority recognized by the ZoneRanger, and must have a distinguished name that matches one of the entries in the ZoneRanger's configured list of trusted subjects.
2. The ZoneRanger must present an SSL certificate that has been signed by a certificate authority recognized by the Ranger Gateway, and must have a distinguished name that matches one of the entries in the Ranger Gateway's configured list of trusted subjects.
By comparison, passcode authentication offers a less rigorous level of security, and is intended primarily to prevent unintentional joining between a Ranger Gateway and a ZoneRanger.
[3] The Ranger Gateway software can also be installed on a separate server, located in the same subnet as the management application server.
[4] When joining to a ZoneRanger from the Ranger Gateway, it is also possible to specify the passcode of the ZoneRanger as part of the request, even if that passcode does not match the Ranger Gateway's configured default value.
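As an added illustration (not code from the ZoneRanger product or this manual), the following Python sketch models the two-layer admission check described in this chapter as a ZoneRanger would apply it to a joining Ranger Gateway: the peer certificate, already chain-validated by an ssl context loaded with the recognized certificate authority, has its distinguished name compared against the configured list of trusted subjects, and the offered passcode is compared against the appliance's configured value. The sample certificate, the trusted-subject entries, the CA file name and the passcode are all constructed placeholders.

```python
import hmac
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns after a
# handshake with verify_mode=CERT_REQUIRED, i.e. the chain has already been
# validated against the CA bundle loaded into the context (the "signed by a
# recognized certificate authority" condition).
PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "rangergateway01.example.test"),)),
    "issuer": ((("commonName", "Example Management CA"),),),
}

# Hypothetical trusted-subject list and passcode (placeholders, not manual values).
TRUSTED_SUBJECTS = ["CN=rangergateway01.example.test,O=Example Corp,C=US"]
CONFIGURED_PASSCODE = "placeholder-passcode"

_SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
          "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L"}


def verifying_context(ca_file):
    """Server-side context that demands a peer certificate chained to ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def dn_from_peercert(cert):
    """Render getpeercert()'s subject as an RFC 4514 string (most specific RDN first)."""
    return ",".join("+".join(f"{_SHORT.get(k, k)}={v}" for k, v in rdn)
                    for rdn in reversed(cert["subject"]))


def subject_trusted(cert, trusted_subjects):
    """Layer 1, second half: the DN must exactly match a configured trusted subject."""
    dn = dn_from_peercert(cert)
    return any(dn == t for t in trusted_subjects)


def admit_join(cert, offered_passcode, trusted_subjects=TRUSTED_SUBJECTS,
               configured_passcode=CONFIGURED_PASSCODE):
    """Both layers must pass before a join is accepted; returns (accepted, reason)."""
    if not subject_trusted(cert, trusted_subjects):
        return False, "certificate subject not in trusted list"
    # Layer 2: constant-time comparison so the passcode check does not leak timing.
    if not hmac.compare_digest(offered_passcode.encode(), configured_passcode.encode()):
        return False, "passcode mismatch"
    return True, "joined"
```

The DN match is deliberately exact: a certificate whose subject differs in any attribute is refused even though it chains to the recognized CA, which is the property the trusted-subjects list adds on top of CA validation.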
ZoneRanger 5.5 User's Guide