In order to describe the Proxy Map service in detail, it is useful to consider the network example shown
in the following figure:
Figure 16-1. Proxy Map Example
Note the following from this figure:
• A single Ranger Gateway supports multiple management applications. In general, management applications can be co-resident with the Ranger Gateway software, or may execute on other servers.
• The Ranger Gateway is joined to three ZoneRangers (ZR-1, ZR-2, and ZR-3). ZR-1 manages devices in DMZ 1, while ZR-2 and ZR-3 manage devices in DMZ 3.
• Firewall 1 is not configured for NAT. Firewall 2 is configured to translate 64.2.37.* addresses to 192.168.1.* addresses.

When any of the management applications in this example initiates a proxy transaction, the initial request is relayed to the Ranger Gateway, along with some form of information that indicates the target DMZ device, as described in the following examples:

• Management Application 1 could initiate a proxy transaction, such as an ICMP echo request, an SNMP Get request, or an SSH session request, directly to IP address 62.1.25.15. The Ranger Gateway can intercept the request via GVI, and must select a ZoneRanger (ZR-1) to relay the transaction. In this case, because no NAT is required, the Ranger Gateway will indicate to the selected ZoneRanger that the target DMZ device address is 62.1.25.15.
• Management Application 1 could initiate a proxy transaction, such as an ICMP echo request, an SNMP Get request, or an SSH session request, directly to IP address 64.2.37.1. The Ranger Gateway can intercept the request via GVI, and must select a ZoneRanger (ZR-2 or ZR-3) to relay the transaction. In this case, because NAT is required, the Ranger Gateway will indicate to the selected ZoneRanger that the target DMZ device address is 192.168.1.1.

ZoneRanger 5.5 User's Guide
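The lookup that the two examples walk through, as an added sketch (not ZoneRanger's own code or configuration format). `ProxyMapEntry`, `PROXY_MAP` and `resolve` are hypothetical names, the /24 boundaries are assumptions taken from the `*` wildcards and the single DMZ 1 address on the page, and refusing unmapped targets is this example's design choice.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProxyMapEntry:
    gateway_net: ipaddress.IPv4Network   # addresses as management applications see them
    zonerangers: Tuple[str, ...]         # ZoneRangers that can reach this DMZ
    dmz_net: Optional[ipaddress.IPv4Network] = None  # set only when a firewall applies NAT

    def __post_init__(self):
        # A 1:1 translation only makes sense between ranges of equal size.
        if self.dmz_net and self.dmz_net.prefixlen != self.gateway_net.prefixlen:
            raise ValueError("NAT ranges must have the same prefix length")


# Constructed table mirroring the figure. The DMZ 1 prefix is an assumption:
# the page gives only the single address 62.1.25.15.
PROXY_MAP = (
    ProxyMapEntry(ipaddress.ip_network("62.1.25.0/24"), ("ZR-1",)),
    ProxyMapEntry(ipaddress.ip_network("64.2.37.0/24"), ("ZR-2", "ZR-3"),
                  ipaddress.ip_network("192.168.1.0/24")),
)


def resolve(target: str):
    """Return (candidate ZoneRangers, address to indicate to the selected ZoneRanger)."""
    addr = ipaddress.ip_address(target)
    for entry in PROXY_MAP:
        if addr in entry.gateway_net:
            if entry.dmz_net is None:
                return entry.zonerangers, str(addr)      # no NAT: pass through unchanged
            # NAT: keep the host part, swap the network prefix.
            offset = int(addr) - int(entry.gateway_net.network_address)
            return entry.zonerangers, str(entry.dmz_net.network_address + offset)
    # Fail closed: a target with no entry is never relayed into any DMZ.
    raise LookupError(f"no proxy map entry for {target}; request not relayed")


if __name__ == "__main__":
    for ip in ("62.1.25.15", "64.2.37.1"):
        print(ip, "->", resolve(ip))
```
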