Chapter 28: TCP Proxy - Tavve ZoneRanger User Manual


Chapter 28: TCP Proxy

A Ranger Gateway and one or more joined ZoneRangers can provide a TCP proxy service, enabling management applications to establish TCP connections to devices located in firewall-partitioned networks, without requiring the firewall to be configured to allow TCP connections. The following figure provides a high-level overview of a TCP proxy transaction.

Figure 28-1. ZoneRanger TCP Proxy

The TCP proxy service is intended for use only in cases where the application protocol being carried over the TCP connection is not supported by one of the more specific TCP-based proxy services (e.g. Telnet, SSH, HTTP, HTTPS). Given that the application protocol being used is not identified, the TCP proxy service is unable to perform any application layer protocol screening or filtering. As such, TCP proxy is disabled by default, and should only be enabled for those devices/ports where it is absolutely needed.

Management applications can access the TCP Proxy service in a variety of ways, as described in the following sections.

GVI/RGVI

When using GVI or RGVI, the management application sends TCP connection requests intended for a managed device to the actual address of the target device, or an address that can be uniquely mapped to the target device. The management application server is configured with static routing rules, so that traffic destined for devices located in firewall-partitioned networks is routed to a virtual interface, which then forwards the traffic to the Ranger Gateway.

When the Ranger Gateway receives the TCP connection request, it checks the Proxy Access Control configuration to verify that the request should be allowed, then consults the Proxy Map service in order to identify a ZoneRanger that is able to relay the request to the target device. The request is forwarded to the selected ZoneRanger, which in turn establishes a TCP connection to the target device. Once this TCP connection is established, the ZoneRanger informs the Ranger Gateway, and the Ranger Gateway completes the establishment of the initial TCP connection (i.e. the connection between the management application and the Ranger Gateway). From this point on, the Ranger Gateway and the selected ZoneRanger relay data between the management application's TCP connection to the Ranger Gateway and the ZoneRanger's TCP connection to the target device, until one of the connections is disconnected.
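The transaction described above (default-deny access control per device/port, a proxy-map lookup to pick a relay, a second TCP leg to the device, then byte-for-byte relaying until either side disconnects) can be modelled in a few dozen lines. The following is an added illustration, not Tavve's code and not the product's configuration format: the PROXY_ACCESS_CONTROL and PROXY_MAP tables, the "zoneranger-A" name, the device addresses and the loopback echo server standing in for the managed device are all constructed. It also shows why the manual's warning matters: the relay copies opaque bytes, so the only enforcement point is the accept-time check on (device, port).

```python
"""Model of a two-leg TCP proxy with default-deny access control (constructed example)."""
import ipaddress
import socket
import threading

# Constructed policy tables (hypothetical; not the product's configuration format).
# Default deny: a (device, port) pair must be listed explicitly before it is proxied.
PROXY_ACCESS_CONTROL = {("10.20.0.5", 5000), ("10.30.0.9", 5000)}
# Proxy Map stand-in: which relay (ZoneRanger) can reach which network.
PROXY_MAP = {ipaddress.ip_network("10.20.0.0/16"): "zoneranger-A"}


def access_allowed(device: str, port: int) -> bool:
    """Proxy Access Control check: only explicitly listed device/port pairs pass."""
    return (device, port) in PROXY_ACCESS_CONTROL


def select_zoneranger(device: str):
    """Proxy Map lookup: name of a relay that can reach the device, or None."""
    addr = ipaddress.ip_address(device)
    return next((name for net, name in PROXY_MAP.items() if addr in net), None)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src closes, then half-close dst. No protocol parsing."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a: socket.socket, b: socket.socket) -> None:
    """Relay both directions until either side disconnects, then close both legs."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


def start_proxy(device: str, device_port: int, connect_to_device):
    """Gateway-side listener; connect_to_device(relay_name) plays the ZoneRanger leg."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            # Gateway checks Proxy Access Control first, then the Proxy Map.
            zr = select_zoneranger(device) if access_allowed(device, device_port) else None
            if zr is None:
                client.close()  # refused: the application sees EOF or a reset
                continue
            try:
                upstream = connect_to_device(zr)  # device leg is established before relaying
            except OSError:
                client.close()
                continue
            threading.Thread(target=relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1], lsock


def start_echo_server():
    """Stand-in for the managed device (constructed): echoes whatever it receives."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(5)

    def serve():
        while True:
            try:
                c, _ = s.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(c, c), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return s.getsockname()[1], s


def proxied_exchange(device: str, device_port: int, payload: bytes) -> bytes:
    """Send payload through the proxy; returns the echoed bytes, or b'' if refused."""
    echo_port, echo_sock = start_echo_server()
    proxy_port, lsock = start_proxy(
        device, device_port, lambda zr: socket.create_connection(("127.0.0.1", echo_port)))
    try:
        with socket.create_connection(("127.0.0.1", proxy_port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            got = b""
            while chunk := c.recv(4096):
                got += chunk
            return got
    except OSError:  # reset or broken pipe from a refused connection
        return b""
    finally:
        lsock.close()
        echo_sock.close()


if __name__ == "__main__":
    print(proxied_exchange("10.20.0.5", 5000, b"show version\n"))  # allowed: echoed back
    print(proxied_exchange("10.20.0.5", 23, b"x"))                  # port not listed: refused
```

Two refusal paths are distinguishable here: a device/port pair absent from PROXY_ACCESS_CONTROL never reaches the map, and a listed pair whose address no relay can reach (10.30.0.9 in the constructed map) is refused at the Proxy Map step. Everything after the accept-time decision is an opaque byte copy, which is the reason the manual recommends the protocol-specific proxies wherever one exists.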
ZoneRanger 5.5 User's Guide
91
