Gateway setup example

The following example illustrates a gateway and tunnel connection setup. Three networks are present: a secure network, a DMZ network and an unsecure network. Firewalls control traffic between the secure network and the DMZ, and between the DMZ and the unsecure network. The security policy in force does not allow network connections to be initiated from the unsecure network to the DMZ or from the DMZ to the secure network. Connections from the secure network to the DMZ and from the DMZ to the unsecure network are allowed only on particular ports.

The BigFix® Remote Control Server component is installed on a server that is attached to the secure network, and controller computers are also present on the secure network. Applications run on unattended servers that are attached to the unsecure network. The Remote Control target is installed on these systems to provide remote access for maintenance and support.

Because no connections can be initiated from the unsecure network to the DMZ or from the DMZ to the secure network, a chain of proxy servers cannot be used: a proxy server on the unsecure network would be unable to connect to a proxy server in the DMZ to forward incoming HTTP requests. The solution for this scenario is to install a gateway in each of the three networks. The gateways in the more trusted networks open the control connections outward (secure network to DMZ, DMZ to unsecure network), which is the direction the firewall policy allows, and the targets' HTTP traffic then travels back over those established connections through a tunnel.

Remote Control components present

Table 1. Remote Control components present on network

  Network name       Server   Controller   Target
  Secure network     Yes      Yes          No
  DMZ                No       No           No
  Unsecure network   No       No           Yes

Networks

Table 2. Networks

  Network name       Subnet address   Netmask
  Secure network     10.1.0.0         255.255.255.0
  DMZ                10.2.0.0         255.255.255.0
  Unsecure network   10.3.0.0         255.255.255.0

Machines

Table 3. Machines

  Hostname   IP address   Roles
  SERVER     10.1.0.2     Remote Control server on port 80
  GATEWAYA   10.1.0.254   Remote Control gateway on port 8881
  GATEWAYB   10.2.0.254   Remote Control gateway on port 8881
  GATEWAYC   10.3.0.254   Remote Control gateway on port 8881
  TARGET     10.3.0.3     Remote Control target on port 888 (in the unsecure network, 10.3.0.0/24)

Firewall

Table 4. Firewall

  Source                       Destination                  Port   Description
  10.1.0.254/255.255.255.255   10.2.0.254/255.255.255.255   8881   Allow GATEWAYA to connect to GATEWAYB
  10.2.0.254/255.255.255.255   10.3.0.254/255.255.255.255   8881   Allow GATEWAYB to connect to GATEWAYC

No other connections are permitted between the networks; in particular, nothing may be initiated from the unsecure network towards the DMZ or from the DMZ towards the secure network.

Gateway setup

  • Gateway support is installed on computer GATEWAYA in the secure network. A Remote Control gateway that is named GATEWAYA is also registered on the server because there are controllers present on the secure network, and the controllers need to connect to the targets on the unsecure network.

    To install the gateway support, see the BigFix® Remote Control Installation Guide.

    To create the gateway, complete the following steps on the BigFix® Remote Control Server:

    1. Click Admin > New Remote Control Gateway.
    2. On the Add Remote Control Gateway screen, enter the required details
      • Host name - GATEWAYA
      • Description - (optional)
      • IP address - 10.1.0.254
      • Port - 8881
    3. Click Submit.
  • Gateway support is installed on computer GATEWAYB in the DMZ network.

    To install the gateway support see BigFix® Remote Control Installation Guide.

  • Gateway support is installed on computer GATEWAYC in the unsecure network.

    To install the gateway support, see the BigFix® Remote Control Installation Guide.

  • GATEWAYA is configured with a gateway control connection to GATEWAYB (10.2.0.254, port 8881).
  • GATEWAYB is configured with a gateway control connection to GATEWAYC (10.3.0.254, port 8881).
  • GATEWAYA is configured with an outbound tunnel connection to the Remote Control server (10.1.0.2, port 80).
  • GATEWAYC is configured with an inbound tunnel connection on port 8880.
  • The targets in the unsecure network are configured to reach the Remote Control server through the inbound tunnel connection on GATEWAYC, that is, they connect to 10.3.0.254 on port 8880 rather than to the server directly.

Gateway configuration

GATEWAYA configuration file

# Listener for incoming gateway control connections
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881

# Gateway control connection: GATEWAYA connects to GATEWAYB
Gateway.A.ConnectionType = Gateway
Gateway.A.DestinationAddress = 10.2.0.254
Gateway.A.DestinationPort = 8881
Gateway.A.RetryDelay = 15
Gateway.A.KeepAlive = 900

# Tunnel exit: the connection to the Remote Control server
OutboundTunnel.1.ConnectionType = OutboundTunnel
OutboundTunnel.1.DestinationAddress = 10.1.0.2
OutboundTunnel.1.DestinationPort = 80

GATEWAYB configuration file

# Listener for incoming gateway control connections (GATEWAYA connects here)
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881

# Gateway control connection: GATEWAYB connects to GATEWAYC
Gateway.B.ConnectionType = Gateway
Gateway.B.DestinationAddress = 10.3.0.254
# Must match the Inbound listener on GATEWAYC and the firewall rule in Table 4 (8881, not 80)
Gateway.B.DestinationPort = 8881
Gateway.B.RetryDelay = 15
Gateway.B.KeepAlive = 900

GATEWAYC configuration file

# Listener for incoming gateway control connections (GATEWAYB connects here)
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881

# Tunnel entry: the port that the targets must use to connect to the tunnel
InboundTunnel.1.ConnectionType = InboundTunnel
InboundTunnel.1.PortToListen = 8880

# The network address and mask of the unsecure network that the targets are connected to
Endpoint.1.ConnectionType = Endpoint
Endpoint.1.SubnetAddress = 10.3.0.0
Endpoint.1.SubnetMask = 255.255.255.0

When a target requires an HTTP or HTTPS connection with the BigFix® Remote Control Server, it first connects to port 8880 on GATEWAYC. GATEWAYC accepts this connection and immediately requests a tunnel to GATEWAYA through GATEWAYB, over the gateway control connections that GATEWAYA and GATEWAYB opened earlier. GATEWAYA then connects to the BigFix® Remote Control Server on port 80 and acknowledges the connection to GATEWAYC through GATEWAYB. When the tunnel is established, gateways C and A read data from their respective local connections (target side and server side), forward it to each other through the tunnel, and write whatever arrives from the tunnel to their local connection. The result is that the target and the server communicate as if directly connected and are unaware that the traffic is being tunneled. When either party shuts down its end of the connection, the tunnel is torn down and the other connection is also shut down.
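The example above only works if the three configuration files, the firewall rules and the target address agree with each other: every gateway control connection must land on an Inbound listener that the firewall permits, the outbound tunnel must end at the server, the target must sit in the tunnel gateway's Endpoint subnet and be able to reach the tunnel port, and the two tunnel ends must be joined by a chain of working control connections. Those rules can be checked mechanically before the gateways are deployed. The following Python script is an added example for this page and is not part of BigFix Remote Control or its documentation. It embeds the three configuration files and the host, network and firewall data from the tables above as constructed inline data, assumes the 'Key = Value' layout shown above with '#' introducing a comment, and returns one finding per rule the chain violates. The hypothetical function names (connections, reachable, connected, validate) are this example's own.

```python
"""Consistency check for the chain of Remote Control gateway files shown above.
Added example, not part of BigFix Remote Control; assumes 'Key = Value' lines with
'#' starting a comment, and embeds the host, network and firewall tables inline."""
import ipaddress
from collections import defaultdict

NETWORKS = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]
HOSTS = {"GATEWAYA": "10.1.0.254", "GATEWAYB": "10.2.0.254", "GATEWAYC": "10.3.0.254"}
SERVER = ("10.1.0.2", 80)
TARGET_IP = "10.3.0.3"       # a target in the unsecure network
# (source, destination, port) rules from Table 4; all other cross-network traffic is denied
FIREWALL = {("10.1.0.254", "10.2.0.254", 8881), ("10.2.0.254", "10.3.0.254", 8881)}

CONFIGS = {  # the three configuration files from this page, constructed inline
    "GATEWAYA": """
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Gateway.A.ConnectionType = Gateway
Gateway.A.DestinationAddress = 10.2.0.254      # GATEWAYA connects to GATEWAYB
Gateway.A.DestinationPort = 8881
OutboundTunnel.1.ConnectionType = OutboundTunnel
OutboundTunnel.1.DestinationAddress = 10.1.0.2  # the Remote Control server
OutboundTunnel.1.DestinationPort = 80
""",
    "GATEWAYB": """
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Gateway.B.ConnectionType = Gateway
Gateway.B.DestinationAddress = 10.3.0.254      # GATEWAYB connects to GATEWAYC
Gateway.B.DestinationPort = 8881
""",
    "GATEWAYC": """
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
InboundTunnel.1.ConnectionType = InboundTunnel
InboundTunnel.1.PortToListen = 8880              # where the targets connect
Endpoint.1.ConnectionType = Endpoint
Endpoint.1.SubnetAddress = 10.3.0.0
Endpoint.1.SubnetMask = 255.255.255.0
""",
}

def connections(text):
    """Group 'Name.Field = Value' lines into {Name: {Field: Value}}."""
    groups = defaultdict(dict)
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep:
            name, _, field = key.strip().rpartition(".")
            groups[name][field] = value.strip()
    return dict(groups)

def reachable(src, dst, port):
    """TCP is possible if both hosts share a network or a Table 4 rule allows it."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(a in n and b in n for n in NETWORKS) or (src, dst, port) in FIREWALL

def connected(links, start, goal):
    """Is goal reachable from start over the established control connections?"""
    seen, frontier = set(), {start}
    while frontier - seen:
        seen |= frontier
        frontier = set().union(*(links[n] for n in frontier))
    return goal in seen

def validate(configs, target_ip=TARGET_IP, server=SERVER):
    """Return the rules the chain violates; an empty list means it is consistent."""
    findings, gw_of = [], {ip: gw for gw, ip in HOSTS.items()}
    parsed = {gw: connections(text) for gw, text in configs.items()}
    listeners = {(HOSTS[gw], int(c["PortToListen"])) for gw, conns in parsed.items()
                 for c in conns.values() if c.get("ConnectionType") == "Inbound"}
    links = defaultdict(set)    # a control connection carries traffic both ways once up
    tunnel_in, tunnel_out, endpoints = [], [], defaultdict(list)
    for gw, conns in parsed.items():
        src = HOSTS[gw]
        for name, c in conns.items():
            kind = c.get("ConnectionType")
            if kind == "Gateway":
                dst, port = c["DestinationAddress"], int(c["DestinationPort"])
                if (dst, port) not in listeners:
                    findings.append(f"{gw} {name}: no Inbound listener on {dst}:{port}")
                elif not reachable(src, dst, port):
                    findings.append(f"{gw} {name}: {src} -> {dst}:{port} is blocked by the firewall")
                elif dst in gw_of:                      # hop is usable: record it
                    links[gw].add(gw_of[dst])
                    links[gw_of[dst]].add(gw)
            elif kind == "OutboundTunnel":
                dst, port = c["DestinationAddress"], int(c["DestinationPort"])
                if (dst, port) != server or not reachable(src, dst, port):
                    findings.append(f"{gw} {name}: tunnel must exit to the reachable server, not {dst}:{port}")
                tunnel_out.append(gw)
            elif kind == "InboundTunnel":
                port = int(c["PortToListen"])
                if not reachable(target_ip, src, port):
                    findings.append(f"{gw} {name}: target {target_ip} cannot reach tunnel port {port}")
                tunnel_in.append(gw)
            elif kind == "Endpoint":
                endpoints[gw].append(ipaddress.ip_network(f"{c['SubnetAddress']}/{c['SubnetMask']}"))
    for gw in tunnel_in:
        if not any(ipaddress.ip_address(target_ip) in n for n in endpoints[gw]):
            findings.append(f"{gw}: target {target_ip} is outside every Endpoint subnet")
        if not any(connected(links, gw, out) for out in tunnel_out):
            findings.append(f"{gw}: no working chain of control connections to an OutboundTunnel gateway")
    return findings
```

Calling validate(CONFIGS) on the files as written returns an empty list. Two mistakes that are easy to make in this scenario are pointing Gateway.B.DestinationPort at 80 instead of 8881, and placing the target on an address outside the unsecure network; re-running validate with either change reports the missing Inbound listener on GATEWAYC, the target's inability to reach port 8880 and its position outside the Endpoint subnet, and the broken chain between GATEWAYC and GATEWAYA, which is exactly the set of facts you would otherwise have to reconstruct from gateway logs after the tunnel fails to come up.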