Tavve ZoneRanger 5.5 User's Guide, page 89

The following figure shows a message flow example, based on the previous sample network, using the community@device convention.

Note the following from this example:

• The management application directs the SNMP request to the Ranger Gateway's IP address (10.254.1.1), using the SNMP proxy port [1]. The target device's actual IP address (10.4.1.2) is embedded in the community string, together with the community string value that the target device expects (e.g. public).

• The SNMP Proxy service verifies that the request should be allowed, then consults the Proxy Map service in the Ranger Gateway to determine the list of ZoneRangers that manage the target device (ZR-2 and ZR-3). One of the ZoneRangers (ZR-2) is selected, and the request is forwarded to the selected ZoneRanger [2].

• The selected ZoneRanger uses the actual IP address of the target device (10.4.1.2) to forward the request to the target device [3], with the device portion of the community string removed.

• The target device replies to the ZoneRanger [4], which relays the response to the Ranger Gateway [5].

• The Ranger Gateway forwards the response to the management application [6].
Format 5 embeds no special information in the community string; it is used in conjunction with the IP address aliasing mechanism.
In some cases it may be necessary to configure the SNMP proxy service to use a non-standard port in order to avoid a conflict with an SNMP agent on the Ranger Gateway server that may already be listening on port 161.

The port that the ZoneRanger uses to present the request to the managed device can be configured on a per-device basis. This allows different managed devices in the same firewall-partitioned network to listen for SNMP requests on different ports. By default, the ZoneRanger forwards SNMP requests to destination port 161. When community string conventions are being used, the management application can optionally override the configured port for a given device by appending ":port" to the device part of the community string, where port is the desired port number (for example, public@10.4.1.2:1161 directs the request to port 1161 on the device).
When community string conventions are used, a simplified form of Proxy Access Control determines whether or not requests should be allowed. Instead of using the portMap and portConfig tables described in Chapter 14, the SNMP Proxy service simply verifies that the source address of the request matches the configured SNMP proxy client address. The SNMP proxy client address can be configured using the Ranger Gateway Viewer or the configGateway command. Because SNMP runs over UDP and this check relies only on the source IP address of the incoming request, it limits which host may use the proxy but does not by itself authenticate the management application.
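The three decisions this page describes, the simplified source-address check, splitting a community@device[:port] string into the device part and the community the target expects, and choosing the destination port (":port" override, then the per-device configured port, then 161), as one worked example. This is added code, not Tavve's implementation or any ZoneRanger code. The proxy map, the per-device port table, the management application address 10.254.1.50 and the choice of the first listed ZoneRanger are constructed assumptions, as are the parsing rules the text does not state (the device part follows the last '@'; only IPv4 addresses are accepted).

```python
"""Added example (not Tavve's code): a model of an SNMP proxy interpreting
the community@device convention, with the simplified access check and the
port precedence described in the manual text."""
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

DEFAULT_SNMP_PORT = 161


@dataclass(frozen=True)
class ProxyTarget:
    community: str       # community string the target device expects
    device: str          # target device's actual IPv4 address
    port: Optional[int]  # explicit ":port" override, or None if absent


def parse_community(community: str) -> ProxyTarget:
    """Split 'community@device[:port]'; raise ValueError if malformed."""
    # Assumption: the device part follows the LAST '@', so a device-side
    # community string that itself contains '@' still round-trips intact.
    device_community, sep, device_part = community.rpartition("@")
    if not sep or not device_community or not device_part:
        raise ValueError("not a community@device string")
    host, _, port_text = device_part.partition(":")
    try:
        ipaddress.IPv4Address(host)  # assumption: IPv4 only (IPv6 would clash with ':')
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"device part {host!r} is not an IPv4 address") from exc
    port = None
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port override {port_text!r}")
        port = int(port_text)
    return ProxyTarget(device_community, host, port)


def request_allowed(source_address: str, proxy_client_address: str) -> bool:
    """Simplified Proxy Access Control: only the configured client may use the proxy."""
    return ipaddress.IPv4Address(source_address) == ipaddress.IPv4Address(proxy_client_address)


def route_request(source_address: str, community: str, proxy_client_address: str,
                  proxy_map: Mapping[str, Sequence[str]],
                  device_ports: Mapping[str, int]) -> dict:
    """Return what the ZoneRanger would send on the manager's behalf, or raise."""
    if not request_allowed(source_address, proxy_client_address):
        raise PermissionError(f"source {source_address} is not the SNMP proxy client")
    target = parse_community(community)
    zonerangers = proxy_map.get(target.device, ())
    if not zonerangers:
        raise LookupError(f"no ZoneRanger manages {target.device}")
    # Precedence: ":port" in the community string, then the per-device
    # configured port, then the default 161.
    port = target.port or device_ports.get(target.device, DEFAULT_SNMP_PORT)
    return {
        # Assumption: the page does not describe how one ZoneRanger is chosen
        # among several; this model simply takes the first one listed.
        "zoneranger": zonerangers[0],
        "device": target.device,
        "port": port,
        "community": target.community,  # device part removed before forwarding
    }


# Constructed sample configuration; 10.4.1.2 / ZR-2 / ZR-3 mirror the figure,
# the second device and the port table are invented for illustration.
PROXY_MAP = {"10.4.1.2": ("ZR-2", "ZR-3"), "10.4.1.3": ("ZR-3",)}
DEVICE_PORTS = {"10.4.1.3": 10161}   # per-device configured port for 10.4.1.3
PROXY_CLIENT = "10.254.1.50"         # constructed management application address


if __name__ == "__main__":
    for c in ("public@10.4.1.2", "public@10.4.1.2:1161", "public@10.4.1.3", "public@10.4.1.3:161"):
        print(c, "->", route_request(PROXY_CLIENT, c, PROXY_CLIENT, PROXY_MAP, DEVICE_PORTS))
```

Running the block prints one routing decision per community string: the first resolves to ZR-2 on port 161, the second to port 1161 via the override, the third to ZR-3 on the per-device port 10161, and the fourth back to 161 because the override wins over the per-device setting. A request from any other source address, a community string without '@', or a device no ZoneRanger manages raises instead of being forwarded.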