Tavve zoneranger User Manual page 52

When multiple ZoneRangers are available to relay a transaction for a given device, the selection
is based on the balance_zoneranger_selection setting. If this setting is enabled, the
Proxy Map service attempts to spread transaction load evenly across the available
ZoneRangers, by tracking recent history of selection decisions, and preferring ZoneRangers that
have been selected less frequently.

If this setting is disabled, the Proxy Map service tends to prefer the ZoneRangers from which
the Ranger Gateway has received the most recent communication. Disabling this setting
provides the highest reliability, because the best ZoneRanger is selected for each transaction,
and ZoneRangers that may be out of service tend to be bypassed. The disadvantage of this
approach is that proxy traffic might be concentrated on a single ZoneRanger, while other
available ZoneRangers may be bypassed.

If no entries in the active proxy map match the given rg-address, and the
allow_unconfigured_routes setting is enabled, the Proxy Map service simply selects
the best available ZoneRanger, using the same criteria as described above, making the
assumption that any joined ZoneRanger should be able to reach the target device, and that no
NAT is in effect.

If this setting is disabled, and there are no matching entries in the active proxy map, the Proxy
Map service indicates that there is no route to the target device. The intent of the
allow_unconfigured_routes setting is to allow simple configurations (for example, one
Ranger Gateway joined to two ZoneRangers that both manage the same DMZ, with no NAT) to
operate without requiring the active proxy map to be configured. Where NAT is in effect, or
where a Ranger Gateway is joined to ZoneRangers that manage disjoint networks, this setting
must be disabled.

Proxy Map configuration settings can be modified using the Ranger Gateway Viewer or the proxyMap
command.

In some cases, the target of a proxy transaction might be the ZoneRanger itself (e.g. querying
ZoneRanger MIB values via SNMP proxy, or accessing the ZoneRanger text interface using SSH
proxy). To handle these cases, the Proxy Map service algorithm performs an initial check to see if the
rg-address matches the host name or IP address of a joined ZoneRanger. If a match is found, active
proxy map lookup is bypassed, and the indicated ZoneRanger is selected as the best route to itself. The
Ranger Gateway indicates 127.0.0.1 as the target address to the ZoneRanger, so that the ZoneRanger
will know that the intended target of the transaction is the ZoneRanger itself.

The Proxy Map service automatically collects entries with identical rg-address values into groups
and arranges these groups in an ordered list, according to the following rules:

• Groups of entries where the rg-address is specified as a specific value, as opposed to an
  address pattern, are placed at the head of the list, so that they can be given preference.
• Groups of entries where the rg-address value is specified as an address pattern are placed at
  the end of the list, in the order in which the groups were originally added to the active proxy
  map.

When looking up entries for a given rg-address value, the Proxy Map service searches through this
ordered list, locates the first matching group, and selects a ZoneRanger from the entries in the first
matching group, based on ZoneRanger status information, the balance_zoneranger_selection
setting, and, where applicable, recent selection history, as described above.

The Proxy Map service can be especially helpful in situations where an organization needs to manage a
network where IP address ranges are reused across multiple network zones. For example, this situation
can arise whenever companies that have been using private Internet addresses are merged. In the
absence of NAT, the recommended solution is to define unique virtual addresses that are mapped to real
device addresses by the Proxy Map service.

ZoneRanger 5.5 User's Guide
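
The lookup order and fallback behaviour described on this page, as an added Python model (not Tavve code and not part of the guide). The glob-style pattern syntax, the up/last_heard status fields, and all names and addresses are assumptions; address translation is left out, and a matching group with no live ZoneRanger is assumed to yield no route.

```python
from collections import Counter
from fnmatch import fnmatch
class ProxyMap:
    """Simplified model of the lookup order described above (not Tavve code)."""
    def __init__(self, balance=True, allow_unconfigured=False):
        self.balance, self.allow_unconfigured = balance, allow_unconfigured
        self.groups = {}        # rg-address -> ZoneRanger names, insertion-ordered
        self.rangers = {}       # joined ZoneRangers: name -> ip / up / last_heard
        self.picks = Counter()  # selection history used for balancing

    def join(self, name, ip, up=True, last_heard=0):
        self.rangers[name] = {"ip": ip, "up": up, "last_heard": last_heard}

    def add(self, rg_address, ranger):
        self.groups.setdefault(rg_address, []).append(ranger)

    def _ordered_groups(self):
        # Specific addresses first, then patterns in added order; glob syntax is assumed.
        return sorted(self.groups, key=lambda a: any(c in a for c in "*?["))

    def _select(self, candidates):
        live = [r for r in candidates if self.rangers.get(r, {}).get("up")]
        if not live:
            return None
        if self.balance:   # prefer the ZoneRanger selected least often
            choice = min(live, key=lambda r: self.picks[r])
        else:              # prefer the ZoneRanger heard from most recently
            choice = max(live, key=lambda r: self.rangers[r]["last_heard"])
        self.picks[choice] += 1
        return choice

    def route(self, rg_address):  # -> (zoneranger, indicated address) or None
        for name, info in self.rangers.items():   # target is a ZoneRanger itself
            if rg_address in (name, info["ip"]):
                return name, "127.0.0.1"
        candidates = next((self.groups[k] for k in self._ordered_groups()
                           if fnmatch(rg_address, k)), None)  # first match wins
        if candidates is None and self.allow_unconfigured:
            candidates = list(self.rangers)   # any joined ZoneRanger, no NAT assumed
        choice = self._select(candidates or [])
        return (choice, rg_address) if choice else None

if __name__ == "__main__":
    pm = ProxyMap(balance=False)   # constructed sample data
    pm.join("zr-dmz1", "192.0.2.10", last_heard=100)
    pm.join("zr-dmz2", "192.0.2.11", last_heard=200)
    pm.add("10.1.*", "zr-dmz1")
    pm.add("10.1.1.5", "zr-dmz2")
    print([pm.route(t) for t in ("10.1.1.5", "10.1.2.9", "192.0.2.10", "172.16.0.1")])
```

With allow_unconfigured=True the unmapped 172.16.0.1 lookup returns a joined ZoneRanger instead of None, which is the behaviour the guide says must be disabled where NAT is in effect or the ZoneRangers manage disjoint networks.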
