Tavve zoneranger User Manual page 88

Note the following from this example:

- The management application directs the SNMP request to the Ranger Gateway's IP address
  (10.254.1.1), using the SNMP proxy port [1]. The ZoneRanger to which the request should
  be forwarded (ZR-2) and the target device's actual IP address (10.4.1.2) are embedded in
  the community string, along with the community string value that the target device expects
  (i.e. public).
- The SNMP Proxy service in the Ranger Gateway receives the request, parses the
  community string, verifies that the request should be allowed, then forwards the request to
  the specified ZoneRanger [2].
- The ZoneRanger forwards the request to the target device [3], with the ZoneRanger and
  device portions of the community string removed.
- The target device replies to the ZoneRanger [4], which relays the response to the
  Ranger Gateway [5].
- The Ranger Gateway forwards the response to the management application [6].

The SNMP Proxy service can be configured to use different community string formats. The
following formats are supported:

1. community@ZoneRanger@device
2. device@ZoneRanger@community
3. community@device
4. device@community
5. community

Formats 1 and 2 require management applications to specify the ZoneRanger (or ZoneRanger
group) that will relay the SNMP request to the target device. When using grouping, the
ZoneRanger field in the community string can be replaced with a group name that identifies a
group of ZoneRangers, and the SNMP Proxy service in the Ranger Gateway will automatically
select a ZoneRanger from this group to relay the request. The only difference between formats 1 and
2 is the order of the fields. The ability to configure the SNMP Proxy service to use different field
orders is provided to handle situations where management applications and managed
devices are using their own community string prefix or suffix conventions.

Formats 3 and 4 do not require the management application to specify a ZoneRanger. Instead, the
SNMP Proxy service consults the Proxy Map service to identify a ZoneRanger that is able
to relay traffic to the target device, and then forwards the SNMP request to the selected ZoneRanger.
The only difference between formats 3 and 4 is the order of the fields. The ability to use different
field orders is provided in case management applications and managed devices are using
their own community string prefix or suffix conventions.

When the Proxy Map service is used, the responsibility for identifying the ZoneRanger to relay each
request is essentially moved from the management application to the Ranger Gateway. The
advantages of this approach are:

- Associations between ZoneRangers and DMZ devices, and any required address
  translations for DMZ devices (e.g. if NAT is in effect) are configured in one place, and can
  be shared by multiple proxy services across multiple management applications.
- The Proxy Map service can be configured to balance proxy requests across a set of
  ZoneRanger candidates, resulting in a more even distribution of proxy traffic in situations
  where DMZ devices are being managed by multiple ZoneRangers.
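
The field orders and the Proxy Map fallback described above can be sketched as follows. This is an added example, not Tavve's code: `parse_community`, `select_zoneranger` and the `proxy_map` dictionary are hypothetical names, and the strict field-count check and the IP-literal check on the device field are assumptions about how a proxy could refuse a string sent in the wrong format.

```python
import ipaddress
from typing import NamedTuple, Optional

# Field order for each format number in the manual's list.
FORMATS = {
    1: ("community", "zoneranger", "device"),
    2: ("device", "zoneranger", "community"),
    3: ("community", "device"),
    4: ("device", "community"),
    5: ("community",),
}

class ProxyTarget(NamedTuple):
    community: str             # value forwarded to the target device
    zoneranger: Optional[str]  # None when the format has no ZoneRanger field
    device: Optional[str]      # None for format 5

def parse_community(raw: str, fmt: int) -> ProxyTarget:
    """Split a proxied community string using the configured format.

    Assumptions (not from the manual): a string whose field count does not
    match the configured format is rejected instead of guessed at, and the
    device field must be a literal IP address.
    """
    names = FORMATS[fmt]
    parts = raw.split("@")
    if len(parts) != len(names) or not all(parts):
        raise ValueError(f"community string does not match format {fmt}")
    fields = dict(zip(names, parts))
    device = fields.get("device")
    if device is not None:
        device = str(ipaddress.ip_address(device))  # raises ValueError if not an IP
    return ProxyTarget(fields["community"], fields.get("zoneranger"), device)

def select_zoneranger(target: ProxyTarget, proxy_map: dict) -> str:
    """Return the ZoneRanger that should relay the request.

    proxy_map is a hypothetical stand-in for the Proxy Map service:
    device IP -> list of candidate ZoneRanger names.
    """
    if target.zoneranger is not None:      # formats 1 and 2: caller chose
        return target.zoneranger
    candidates = proxy_map.get(target.device, [])
    if not candidates:                     # also covers format 5 (no device)
        raise LookupError("no ZoneRanger mapped for this request")
    return candidates[0]                   # no load balancing in this sketch
```

With the manual's example values, `public@ZR-2@10.4.1.2` parses under format 1 but is refused under format 2, because the first field would then have to be the device address.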
ZoneRanger 5.5 User's Guide