Tavve zoneranger User Manual page 50

•
Management Application 2
indicating 62.1.25.30 as the target DMZ device using a community string convention. The
Ranger Gateway must select a ZoneRanger ( ZR-1 ) to relay the transaction, and in this case,
because no NAT is required, will indicate to the selected ZoneRanger that the target DMZ
device address is 62.1.25.30 .
•
Management Application 3
session to address 64.2.37.3 , using the Ranger Gateway SOCKS server. In this case, the
target device address is passed to the Ranger Gateway along the SOCKS protocol. The Ranger
Gateway must select a ZoneRanger ( ZR-2 or ZR-3 ) to relay the session, and in this case, given
that NAT is in effect, must translate the target address to its corresponding address
( 192.168.1.3 ) before passing the request to the selected ZoneRanger.
The Proxy Map service in the Ranger Gateway would be responsible for selecting the ZoneRanger for
each transaction and performing any necessary address translation before relaying the transaction to the
selected ZoneRanger. The Proxy Map service makes these decisions based on configuration settings,
ZoneRanger status information, and the content of an internal configuration table referred to as the
active proxy map. Each entry in the active proxy map consists of a the following fields:
•
rg-address
The host name or IP address of the target device for a proxy transaction, as indicated to the
Ranger Gateway by the management application.
•
zoneranger
The host name or IP address of a ZoneRanger that might be selected to relay a proxy
transaction.
•
zr-address
The actual host name or IP address that the ZoneRanger should use to access the target device.
Note that if NAT is not in effect, this field can be omitted.
The active proxy map configuration table corresponding to the example above is as follows:
rg-address
62.1.25.15
62.1.25.30
64.2.37.1
64.2.37.1
64.2.37.2
64.2.37.2
64.2.37.3
64.2.37.3
If the target address for a proxy transaction is 62.1.25.15 , the Proxy Map service would look up all
entries with 62.1.25.15 in the rg-address column, and given that there is only one matching
entry, would select the corresponding ZoneRanger ( ZR-1 ). Given that the zr-address column for
this entry is blank, the original target address would be passed on to the selected ZoneRanger.
If the target address for a proxy transaction is 64.2.37.3 , the Proxy Map service would look up all
entries with 64.2.37.3 in the rg-address column. In this case, two entries are found, one for ZR-2
and one for ZR-3 . The Proxy Map service selects one of the entries based on configured criteria and
status information, then passes the zr-address value from the selected entry ( 192.168.1.3 ) to the
selected ZoneRanger.
ZoneRanger 5.5 User's Guide
could send an SNMP Get request to the Ranger Gateway,
, a SOCKS-enabled SSH client, could initiate an SSH
zoneranger zr-address
ZR-1
ZR-1
ZR-2 192.168.1.1
ZR-3 192.168.1.1
ZR-2 192.168.1.2
ZR-3 192.168.1.2
ZR-2 192.168.1.3
ZR-3 192.168.1.3
50