Tavve zoneranger User Manual page 44
This configuration includes all of the rules from the Default configuration, plus the ability to use Telnet
on TCP port 23, HTTP on TCP port 80, and SQL on port 5432. Note that these rules only govern access
to the ZoneRanger via proxy through the Ranger Gateway. Direct access to ZoneRanger ports can be
enabled and/or disabled from the Configure > System page Ports tab on the ZoneRanger web interface
or using the Ranger Gateway portControl command.

The rg-port value in a port configuration rule can indicate a specific port, as described earlier, but can
also indicate a contiguous range of ports. For example, adding the following rule would enable SSH to
be used on TCP ports in the range 300-310:

    Default TCP 300-310 SSH

Port transformations can also be used with port ranges. For example, the following rule would enable
SSH to be used on TCP destination ports in the range 300-310, but would transform these ports to the
8300-8310 range before forwarding protocol messages to the target devices:

    Default TCP 300-310 SSH *+8000

Similarly, the following rule would enable SSH to be used on TCP destination ports in the range
300-310, but would transform these ports to the 250-260 range before forwarding protocol messages to
the target devices:

    Default TCP 300-310 SSH *-50

There may be times when it is useful to proxy a TCP-based management protocol that is not explicitly
supported by ZoneRanger (e.g. a proprietary or vendor-specific protocol). This form of proxy can be
enabled by adding a port configuration rule, specifying TCP as the protocol. For example:

    Default TCP 300-310 TCP

Note that where TCP is specified as the protocol, the ZoneRanger does not provide any application
protocol inspection/filtering. However, given that ZoneRanger provides a break in the TCP protocol (i.e.
there are two TCP connections for each proxy session: one between the management application and the
Ranger Gateway, and one between the ZoneRanger and the managed device), the management
application is essentially protected from TCP/IP layer attacks.
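As an added example (not Tavve's own code; the rule grammar is inferred from the rule lines on this page rather than from a published specification, and first-match ordering plus the function names are assumptions), the following Python parses port configuration rules of the form shown above and resolves a requested destination port to the protocol and the transformed port that would be forwarded:

```python
import re
from dataclasses import dataclass

@dataclass
class PortRule:
    config: str      # configuration name, e.g. "Default"
    transport: str   # "TCP" (the only transport shown on this page)
    low: int         # first destination port the rule matches
    high: int        # last destination port (equal to low for a single port)
    protocol: str    # application protocol proxied, or "TCP" for raw pass-through
    shift: int = 0   # port transformation: +8000 for "*+8000", -50 for "*-50"

def parse_rule(line: str) -> PortRule:
    """Parse one rule of the form: <config> <transport> <port|low-high> <protocol> [*+N | *-N]"""
    fields = line.split()
    if len(fields) not in (4, 5):
        raise ValueError(f"expected 4 or 5 fields, got {len(fields)}: {line!r}")
    config, transport, ports, protocol = fields[:4]
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", ports)
    if not m:
        raise ValueError(f"bad port spec: {ports!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (0 < low <= high <= 65535):
        raise ValueError(f"port range out of order or out of range: {ports!r}")
    shift = 0
    if len(fields) == 5:
        t = re.fullmatch(r"\*([+-]\d+)", fields[4])
        if not t:
            raise ValueError(f"bad transformation: {fields[4]!r}")
        shift = int(t.group(1))
    return PortRule(config, transport.upper(), low, high, protocol.upper(), shift)

def resolve(rules, dst_port):
    """Return (protocol, forwarded_port) for the first rule matching dst_port, or None when
    no rule permits the port. A transformation that leaves the valid port range is rejected."""
    for r in rules:
        if r.low <= dst_port <= r.high:
            target = dst_port + r.shift
            if not (0 < target <= 65535):
                raise ValueError(f"transformed port {target} is not a valid TCP port")
            return (r.protocol, target)
    return None

# Constructed sample rules (hypothetical ranges chosen so the three forms do not overlap).
SAMPLE_RULES = [parse_rule(l) for l in (
    "Default TCP 300-310 SSH *+8000",
    "Default TCP 400-410 SSH *-50",
    "Default TCP 500-510 TCP",
)]
```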
For each joined ZoneRanger, the Ranger Gateway allocates a set of special ports that can be used to
proxy management protocol traffic to the ZoneRanger itself. The ports assigned for each joined
ZoneRanger can be listed using the listTcpPorts command on the Ranger Gateway. These special
ports are typically allocated in the 20000's range. For example, for a single joined ZoneRanger, the
listTcpPorts command might display the following:

    ZR-Name http=20005 https=20006 sql=20007 ssh=20008 telnet=20009

Access to joined ZoneRangers via these special ports is also governed by port configuration rules. When
the Ranger Gateway receives a request on one of these special ports, the Ranger Gateway identifies the
ZoneRanger associated with the port, then maps the protocol associated with the port to the
corresponding port on the ZoneRanger[8], according to the following table:

    Protocol   Port
    http       80
    https      443
    sql        5432
    ssh        22
    telnet     23

[8] Note that in some cases the port on the ZoneRanger is an internal port that can only be accessed by
proxy through the Ranger Gateway.

ZoneRanger 5.5 User's Guide                                                                      44