C. SOCKS
SOCKS is an Internet standards-track protocol for generic TCP and UDP proxy services, defined in RFC
1928. SOCKS can be used to redirect management traffic from the management application to a SOCKS
server integrated within the Ranger Gateway. In order to use SOCKS, either the management application
must include built-in support for SOCKS [13], or generic SOCKS "shim" software must be installed on the
management application server. The shim software inserts itself between the management application
and the server's TCP/IP stack, and redirects traffic for specified IP addresses and ports to a SOCKS
server, based on configuration information.
The two most prevalent versions of the SOCKS protocol are Version 4 and Version 5. SOCKS v4 and
SOCKS v5 both support the ability for a SOCKS client to request a TCP connection to a target device.
The SOCKS v5 protocol also defines two additional features:
- The ability for a SOCKS client to send UDP datagrams and receive associated responses.
- The ability for a SOCKS client to bind a port and receive incoming TCP connections.
The SOCKS server in the Ranger Gateway supports only the ability for a SOCKS client to originate TCP
connections to managed devices or joined ZoneRangers and the ability to send or receive UDP
datagrams, but does not support the ability for a SOCKS client to receive incoming TCP connections.
A significant advantage of SOCKS is that it provides a mechanism for applications running on one
server to use the services of a Ranger Gateway installed on a different server. The SOCKS server on the
Ranger Gateway currently does not support client authentication, but Proxy Access Control can be used
to limit the set of servers that are allowed to use the proxy services provided by a Ranger Gateway and
its joined ZoneRangers. While SOCKS can be very useful for certain applications, such as SSH proxy,
its overall usefulness tends to be somewhat limited given the number of prevalent management
applications that do not provide built-in support. SOCKS shims can be used as an alternative in such
cases, especially when the management application is installed on a Windows operating system, but it
can be difficult to find a reliable, fully-featured SOCKS shim for certain other operating systems.
Establishing a TCP connection using SOCKS proxy
The process to establish a connection to a managed device using SOCKS proxy is as follows:
1. A SOCKS-aware client application (or SOCKS shim) establishes a TCP connection to the
SOCKS port on the Ranger Gateway (the default is 4855).
2. After the connection is established, the client application sends a SOCKS connect request
to the Ranger Gateway, indicating the target device and port.
3. The SOCKS server on the Ranger Gateway identifies the source address, destination
address, transport (i.e. TCP, in this case) and destination port associated with the
connection request, and uses the Proxy Access Control tables to determine whether the
request should be allowed, and if so, what protocol is expected (e.g. for validation, or
special processing), and what port translation rule, if any, should be applied before
presenting the request to the target device.
4. If the request is allowed, the SOCKS server on the Ranger Gateway consults the Proxy
Map service to identify a ZoneRanger that is able to proxy traffic to the target device, and
to translate the target address to the address that the ZoneRanger must use to access the
target device if NAT is in effect, then forwards the connection request to the selected
ZoneRanger.
5. The selected ZoneRanger attempts to establish a TCP connection to the target device. If
successful, the ZoneRanger informs the SOCKS server on the Ranger Gateway.
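
Steps 2 and 3 above, as an added example (not ZoneRanger code): parsing the RFC 1928 connect request and making a default-deny decision on source address, destination address, transport and destination port. The rule table layout, the addresses and the function names are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address, ip_address, ip_network

CMD_CONNECT, CMD_BIND = 0x01, 0x02
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# Constructed, hypothetical table: (src net, dst net, transport, dst port, expected protocol, translated port)
RULES = [
    ("10.1.1.0/24", "192.168.50.0/24", "tcp", 22, "ssh", None),
    ("10.1.1.5/32", "192.168.50.10/32", "tcp", 8080, "http", 80),
]

def build_request(host, port, cmd=CMD_CONNECT):
    """Build a SOCKS5 request for an IPv4 target (used for the sample input)."""
    return bytes([5, cmd, 0, ATYP_IPV4]) + IPv4Address(host).packed + struct.pack("!H", port)

def parse_request(data):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; return (cmd, host, port)."""
    if len(data) < 5 or data[0] != 5 or data[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_DOMAIN:
        start, alen = 5, data[4]  # one length byte precedes the name
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        start, alen = 4, (4 if atyp == ATYP_IPV4 else 16)
    else:
        raise ValueError("unknown address type")
    if len(data) != start + alen + 2:
        raise ValueError("length does not match address type")
    raw = data[start:start + alen]
    host = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ip_address(raw))
    return cmd, host, struct.unpack("!H", data[start + alen:])[0]

def decide(src_ip, request):
    """Return (reply code, expected protocol, port to present to the target)."""
    cmd, host, port = parse_request(request)
    if cmd == CMD_BIND:  # inbound TCP binds are not supported by the gateway described above
        return REP_CMD_UNSUPPORTED, None, None
    if cmd != CMD_CONNECT:
        raise NotImplementedError("only the TCP connect path is modelled here")
    try:
        src, dst = ip_address(src_ip), ip_address(host)
    except ValueError:  # this sketch matches literal addresses only
        return REP_NOT_ALLOWED, None, None
    for src_net, dst_net, transport, dport, proto, xlat in RULES:
        if ((transport, dport) == ("tcp", port) and src in ip_network(src_net)
                and dst in ip_network(dst_net)):
            return REP_SUCCEEDED, proto, xlat or port
    return REP_NOT_ALLOWED, None, None  # default deny: no matching rule, no proxying
```

Because the SOCKS server does not authenticate clients, the source address is the only client identity the decision can use, so the table should name individual management servers rather than broad networks wherever possible.
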
[13] Most Telnet/SSH client applications and web browsers do provide built-in support for SOCKS. Most
of the more specialized management applications do not.
ZoneRanger 5.5 User's Guide