Chapter 14: Proxy Access Control - Tavve zoneranger User Manual

Chapter 14: Proxy Access Control

Proxy Access Control on the Ranger Gateway governs the handling of management traffic originated by management applications and destined for managed devices (e.g. ICMP request, SNMP Get/Set request, HTTPS, SSH, FTP), enabling users to configure which clients are allowed to use which protocols for given managed devices. Traffic originated by managed devices is typically governed by configuration rules within the ZoneRanger (e.g. forwarding rules, TACACS+/RADIUS server groups), and is outside the scope of Proxy Access Control.
Whenever a proxy request is received from a management application, the Ranger Gateway uses Proxy Access Control configuration rules to determine:

- Whether the proxy request should be allowed or discarded.
- If the request is allowed, the protocol being used (e.g. for validation, or special processing).
- If the request is allowed, the port translation rule, if any, that should be applied before presenting the request to a managed device.
Proxy Access Control is organized into two stages, based on two configuration tables, the portMap table and the portConfig table:

- The portMap table consists of an ordered set of rules of the following form:

      (src-address, dest-address, port-config-name)

  where src-address is the IP address associated with the requesting client, dest-address is the IP address associated with the target managed device, and port-config-name is the name of the port configuration to be used in the second stage.

  In the first stage, the Ranger Gateway takes the src-address and dest-address for a given request, and searches the portMap table for the first matching rule. If no matching rule is found, the request is discarded.

- The portConfig table consists of a set of rules of the following form:

      (port-config-name, transport, rg-port, protocol, zr-port)

  where port-config-name is the name of a port configuration (as identified in the previous stage), transport indicates whether the request is using ICMP, UDP, or TCP, rg-port is the destination port associated with the request as received by the Ranger Gateway, protocol identifies the management protocol to be used for the request, and zr-port either specifies the destination port that the ZoneRanger should use when forwarding the request to the target device, or a translation rule that can be used to calculate the port that should be used based on the rg-port.

  In the second stage, the Ranger Gateway takes the port-config-name that was identified in the first stage, the transport associated with the request, and, where applicable, the destination port associated with the request (a.k.a. rg-port) and searches the portConfig table for the first matching rule. If no matching rule is found, the request is discarded. Note that if the transport is ICMP, the rg-port, protocol, and zr-port fields are not used.
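The two-stage lookup described above, modelled in Python as an added example (this is not code from the ZoneRanger product or from Tavve's documentation). The table contents, the single-IP/CIDR address syntax, and the representation of a zr-port translation rule as a Python callable are constructed assumptions of this model; the first-match semantics, the discard-on-no-match behaviour, and the ICMP special case follow the text.

```python
from ipaddress import ip_address, ip_network

# portMap: ordered (src-address, dest-address, port-config-name) rules.
# Constructed sample (IP/CIDR address syntax is an assumption of this model):
# one NMS host gets full management of 10.1.0.0/24, its subnet monitoring only.
PORT_MAP = [
    ("192.168.1.10", "10.1.0.0/24", "full-mgmt"),
    ("192.168.1.0/24", "10.1.0.0/24", "monitor-only"),
]

def same_port(rg_port):
    """Translation rule: forward to the same port the Ranger Gateway received."""
    return rg_port

# portConfig: (port-config-name, transport, rg-port, protocol, zr-port).
# zr-port is either a fixed port or a translation rule; a callable models
# the translation rule here (constructed representation, not product syntax).
PORT_CONFIG = [
    ("full-mgmt", "icmp", None, None, None),
    ("full-mgmt", "udp", 161, "snmp", same_port),
    ("full-mgmt", "tcp", 22, "ssh", same_port),
    ("full-mgmt", "tcp", 8443, "https", 443),      # translate 8443 -> 443
    ("monitor-only", "icmp", None, None, None),
    ("monitor-only", "udp", 161, "snmp", same_port),
]

def _addr_matches(addr, rule):
    return ip_address(addr) in ip_network(rule, strict=False)

def stage1(src, dest):
    """First stage: name of the first matching portMap rule, or None (discard)."""
    for rule_src, rule_dest, name in PORT_MAP:
        if _addr_matches(src, rule_src) and _addr_matches(dest, rule_dest):
            return name
    return None

def stage2(name, transport, rg_port=None):
    """Second stage: (protocol, zr-port) from the first matching portConfig rule."""
    for cfg_name, cfg_transport, cfg_rg_port, protocol, zr_port in PORT_CONFIG:
        if cfg_name != name or cfg_transport != transport:
            continue
        if transport == "icmp":        # rg-port, protocol and zr-port are unused
            return ("icmp", None)
        if cfg_rg_port == rg_port:
            return (protocol, zr_port(rg_port) if callable(zr_port) else zr_port)
    return None

def decide(src, dest, transport, rg_port=None):
    """Full Proxy Access Control decision; None means the request is discarded."""
    name = stage1(src, dest)
    return stage2(name, transport, rg_port) if name else None
```

Because the portMap table is ordered, the more specific rule for 192.168.1.10 must come before the subnet-wide rule, or the host would silently be downgraded to monitor-only.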
To illustrate this process, consider the network and configuration tables in the following figure:
ZoneRanger 5.5 User's Guide