Chapter 29: Telnet/Ssh Proxy - Tavve zoneranger User Manual

Chapter 29: Telnet/SSH Proxy

A Ranger Gateway and one or more joined ZoneRangers can provide an Telnet and SSH proxy service,
enabling Telnet and/or SSH client applications to have command line access to devices located in
firewall-partitioned networks, without requiring the firewall to be configured to pass Telnet or SSH
traffic.
The following figure provides a high-level overview of a Telnet/SSH proxy transaction. Note that the
Management Application Server in this figure is acting as a Telnet/SSH client, and one or more managed
devices may act as Telnet/SSH servers.
Figure 29-1. ZoneRanger Telnet/SSH Proxy
Telnet/SSH clients can range from simple command-line tools, to configuration management or security
management applications that use Telnet or SSH to communicate with managed devices. In addition to
using Telnet/SSH proxy to communicate with managed devices, the Telnet and SSH proxy services can
also be used to access the ZoneRanger text interface for joined ZoneRangers.
While the ZoneRanger is able to proxy both Telnet and SSH protocols, SSH will typically be the
preferred protocol for most applications, because the Telnet protocol, which exchanges user ID and
password information over an unencrypted TCP connection, is less secure. As a result, SSH proxy is
enabled by default and Telnet is disabled by default for managed devices.
Management applications can access Telnet and SSH Proxy services in a variety of ways, as described in
the following sections.
GVI/RGVI
When using GVI or RGVI, the management application sends Telnet or SSH requests intended for a
managed device to the actual address of the target device, or an address that can be uniquely
mapped to the target device. The management application server is configured with static routing
rules, so that traffic destined for devices located in firewall-partitioned networks is routed to a
virtual interface, which then forwards the traffic to the Ranger Gateway.
ZoneRanger 5.5 User's Guide 93