Tavve zoneranger User Manual page 86

The management application requests that a UDP datagram containing the SNMP Get
request message be sent to the address of the target device (10.4.1.2), using the destination
SNMP proxy port [1]. Assuming that the specified destination IP address has been defined
as an IP address alias on the management application server, the request will be delivered
to the SNMP Proxy service within the Ranger Gateway.
The SNMP Proxy service in the Ranger Gateway will check the Proxy Access Control
configuration to verify that the request should be allowed, then will consult the Proxy Map
service to determine the list of ZoneRangers that manage the target device (ZR-2 and ZR-3).
One of the ZoneRangers (ZR-2) is selected, and the request is forwarded to the selected
ZoneRanger [2].
The selected ZoneRanger forwards the request to the target device [3].
The target device replies back to the ZoneRanger [4], which relays the response to the
Ranger Gateway [5].
The Ranger Gateway forwards the response to the management application [6].
In some cases it may be necessary to configure the SNMP proxy service to use a non-standard port
value in order to avoid conflict with an SNMP agent on the Ranger Gateway server that may be
listening on port 161. The port that the ZoneRanger will use to present the request to the managed
device can be configured on a per-device basis. This allows different managed devices in the same
firewall-partitioned network to listen for SNMP requests on different ports. By default, the
ZoneRanger will forward SNMP requests to destination port 161.
IP address aliasing can be used on all operating systems where the Ranger Gateway software is
supported. The main disadvantage of the IP address aliasing technique is the administrative effort
required to add and maintain IP address aliases for all managed devices on the Ranger Gateway
server. Another concern is that operating systems may limit the number of IP address aliases that
can be defined. As a result, this technique may not be able to support the required number of
managed devices for some applications.
Community String Conventions
In all of the previously described mechanisms, the Ranger Gateway determines the address of the
target device for each SNMP request based on the address to which the management application
sent the request. An alternative is to configure the management application to send the SNMP
request to an arbitrary IP address on the Ranger Gateway server, and for the SNMP Proxy service
within the Ranger Gateway to determine the target device address based on additional information
embedded into the SNMP request's community string, according to specified conventions. For
example, the following community string format can be used:
community@ZoneRanger@device
where community is the actual community string that the target device is expecting (e.g. public),
ZoneRanger is the name or IP address of a ZoneRanger that is managing the target device, and
device is the name or IP address of the target device. In this case, the Ranger Gateway would
extract the ZoneRanger and device values from the community string, and would forward the
request to the specified ZoneRanger. The ZoneRanger would then send the request to the target
device. Note that the ZoneRanger and device values are removed before the request is
forwarded to the target device, so the target device only sees the community value that it is
expecting.
ZoneRanger 5.5 User's Guide
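As an added example (not Tavve's code), the following Python shows how a proxy could parse the community@ZoneRanger@device convention, cross-check the named ZoneRanger against a Proxy Map before forwarding, and hand the device only its own community value. The Proxy Map check, the right-to-left split, and the sample map entry are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

SEPARATOR = "@"

# Constructed sample Proxy Map: target device -> ZoneRangers that manage it,
# mirroring the manual's example where ZR-2 and ZR-3 both manage 10.4.1.2.
PROXY_MAP: dict[str, list[str]] = {"10.4.1.2": ["ZR-2", "ZR-3"]}


@dataclass(frozen=True)
class ProxyRoute:
    community: str   # community string the target device actually expects
    zoneranger: str  # name or IP address of the ZoneRanger managing the target
    device: str      # name or IP address of the target device


def parse_community(raw: str) -> Optional[ProxyRoute]:
    """Split 'community@ZoneRanger@device' into its three fields.

    Returns None when the string does not follow the convention, so the
    caller can fall back to the address-based mechanisms. Splitting from the
    right is this example's choice (an assumption, not documented behaviour):
    only the last two fields carry routing data, so an '@' inside the real
    community string survives intact.
    """
    parts = raw.rsplit(SEPARATOR, 2)
    if len(parts) != 3 or not all(parts):
        return None
    community, zoneranger, device = parts
    return ProxyRoute(community, zoneranger, device)


def route_request(raw: str, proxy_map: dict[str, list[str]]) -> ProxyRoute:
    """Decide where the gateway forwards a request and what community it carries.

    The Proxy Map cross-check is a defensive addition: a caller should not be
    able to steer traffic to a ZoneRanger that does not manage the named device.
    The returned route's community is the stripped value the target device sees.
    """
    route = parse_community(raw)
    if route is None:
        raise ValueError("community string carries no ZoneRanger/device fields")
    if route.zoneranger not in proxy_map.get(route.device, []):
        raise PermissionError(f"{route.zoneranger} does not manage {route.device}")
    return route


if __name__ == "__main__":
    r = route_request("public@ZR-2@10.4.1.2", PROXY_MAP)
    print(f"forward to {r.zoneranger} -> {r.device} with community {r.community!r}")
```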