Tavve ZoneRanger User Manual, page 98

IP Address Aliasing
Most operating systems provide a means to associate multiple IP addresses with each network
interface (i.e. a primary address, and one or more "aliases"). If IP address aliases, corresponding to
managed devices located in firewall-partitioned networks, are defined on the management
application server, all traffic generated by the management application and destined for these
devices will be routed as local traffic to the interface where the IP address aliases have been defined.
If an SSH proxy port has been configured, the SSH Proxy service on the Ranger Gateway will listen
on that port for requests destined for any of these IP addresses. As a result, when a management
application sends an SSH request intended for a managed device to one of the configured alias
addresses, with the destination port set to the configured SSH proxy port, the Ranger Gateway will
receive the request.
If the management application and the Ranger Gateway software have been installed on the same
server, the IP address aliases can usually be added to the server's loopback interface. In such cases,
it may be possible to configure the IP address aliases for managed devices to be the same as the
actual IP addresses of those devices. If the management application and the Ranger Gateway
software have been installed on different servers, the IP address aliases must be added to an
appropriate network interface on the Ranger Gateway server, and static routes will need to be
defined on the management application server to ensure that traffic related to SSH session requests
is routed to the Ranger Gateway server.
The SSH proxy port can be configured using the configGateway command or the Ranger
Gateway Viewer > Gateway Settings window. Note that by default, this feature is disabled and
the SSH proxy port is undefined. In addition, an SSH proxy destination port must be defined to
indicate the port on managed devices that the ZoneRanger should use to establish SSH proxy
sessions. The SSH proxy destination port can be defined using the configGateway command or the
Ranger Gateway Viewer > Gateway Settings window. The default value is 22. Note that the IP
address aliasing mechanism does not support Telnet proxy.
To access a managed device using SSH proxy, an SSH client application would establish a TCP
connection to the IP address on the Ranger Gateway that is associated with the target device,
specifying the configured SSH proxy port as the destination port. After this connection is
established, the Ranger Gateway will check the Proxy Access Control configuration to verify that
the request should be allowed, then will consult the Proxy Map service to identify the target device,
and to select a ZoneRanger that is able to proxy traffic to the target device. The connection request
is then forwarded to the selected ZoneRanger, which attempts to connect to the target device.
If this connection is successfully established, the ZoneRanger notifies the Ranger Gateway. From
this point, the Ranger Gateway and selected ZoneRanger simply relay data between the client
application's TCP connection to the Ranger Gateway and the ZoneRanger's TCP connection to the
target device, enabling the SSH client and target device to establish an SSH session. The Ranger
Gateway and ZoneRanger continue to relay data until one of the connections is disconnected.
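
The two server layouts described above, as an added example that is not part of the Tavve manual: a shell script that prints (never runs) the Linux iproute2 commands for the IP address aliases and static routes, followed by the client ssh command for each device. The device addresses, the gateway address 198.51.100.10, the interface eth0 and the proxy port 4022 are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prints the commands, never executes them.
# All values are constructed: documentation-range addresses, port 4022, eth0.
DEVICES="192.0.2.11 192.0.2.12"  # managed devices behind the firewall
PROXY_PORT=4022                   # SSH proxy port as set with configGateway

# True when $1 is a dotted-quad IPv4 address (subshell keeps the IFS change local).
valid_ipv4() (
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
    IFS=.; n=0
    for octet in $1; do
        [ "$octet" -le 255 ] || exit 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
)

# plan same                -> gateway and management application on one server
# plan split GW_ADDR IFACE -> Ranger Gateway on its own server
plan() {
    layout=$1 gw=$2 iface=$3
    for dev in $DEVICES; do
        valid_ipv4 "$dev" || { echo "bad device address: $dev" >&2; return 1; }
    done
    case $layout in
    same)
        for dev in $DEVICES; do
            # On loopback the alias may be able to match the device's real address.
            echo "ip addr add $dev/32 dev lo"
        done ;;
    split)
        valid_ipv4 "$gw" || { echo "bad gateway address: $gw" >&2; return 1; }
        for dev in $DEVICES; do
            echo "gateway: ip addr add $dev/32 dev $iface"
            echo "mgmt:    ip route add $dev/32 via $gw"
        done ;;
    *) echo "usage: plan same | plan split GW_ADDR IFACE" >&2; return 1 ;;
    esac
    # Client side: connect to the alias on the SSH proxy port, not port 22.
    for dev in $DEVICES; do
        echo "ssh -p $PROXY_PORT $dev"
    done
}

plan split 198.51.100.10 eth0
```

Lines prefixed "gateway:" belong on the Ranger Gateway server and lines prefixed "mgmt:" on the management application server; both need root privileges when actually run.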
ZoneRanger 5.5 User's Guide
98
