Tavve zoneranger User Manual page 84


The SOCKS shim intercepts the request, performs a SOCKS protocol handshake with the
SOCKS server in the Ranger Gateway to establish a "UDP association" [2, 3], then
forwards the SNMP request to the SOCKS server, along with a header indicating that the
datagram is intended for address 10.4.1.2 [4].

The SOCKS server in the Ranger Gateway checks the Proxy Access Control configuration
to verify that the request should be allowed and to identify the proxy service to which the
request should be forwarded (i.e. SNMP Proxy).

The SNMP Proxy service consults the Proxy Map service to determine the list of
ZoneRangers that manage the target device (ZR-2 and ZR-3). One of the ZoneRangers
(ZR-2) is selected, and the request is forwarded to the selected ZoneRanger [5].

The selected ZoneRanger forwards the request to the target device [6].

The target device replies to the ZoneRanger [7], which relays the response to the
Ranger Gateway [8]. The SNMP Proxy service relays the response to the SOCKS server,
which forwards the response to the SOCKS shim along with a header indicating that the
response was received from 10.4.1.2 [9].

The SOCKS shim forwards the response to the management application [10].
One advantage of SOCKS over GVI/RGVI is that it is typically possible to configure the SOCKS
client to route traffic for certain ports to the Ranger Gateway, while traffic destined for other ports is
routed normally. In addition, some SOCKS clients can be configured to only intercept traffic sent
from specified applications. A disadvantage of SOCKS is that many management applications do
not provide built-in support for SOCKS and reliable SOCKS shims may not be available for the
operating system being used. In these cases, an alternative SNMP proxy access mechanism will
need to be selected.

IP Address Aliasing

Most operating systems provide a means to associate multiple IP addresses with each network
interface (i.e. a primary address, and one or more "aliases"). If IP address aliases, corresponding to
managed devices located in firewall-partitioned networks, are defined on the management
application server, all traffic generated by the management application and destined for these
devices will be routed as local traffic to the interface where the IP address aliases have been defined.
If an SNMP proxy port has been configured, the SNMP Proxy service on the Ranger Gateway will
listen on that port for requests destined for any of these IP addresses. As a result, when a
management application sends an SNMP request intended for a managed device to one of the
configured alias addresses, with the destination port set to the configured SNMP proxy port, the
Ranger Gateway will receive the request.
If the management application and the Ranger Gateway software have been installed on the same
server, the IP address aliases can usually be added to the server's loopback interface. In such cases,
it may be possible to configure the IP address aliases for managed devices to be the same as the
actual IP addresses of those devices. If the management application and the Ranger Gateway
software have been installed on different servers, the IP address aliases must be added to an
appropriate network interface on the Ranger Gateway server, and static routes will need to be
defined on the management application server to ensure that SNMP requests are routed to the
Ranger Gateway server.
ZoneRanger 5.5 User's Guide
84
