Mobile network interface
A mobile network interface supports the number of SafeLinx Clients and devices able to connect to the SafeLinx Server at the same time.
Mobile network interfaces (MNIs) are resources that are assigned to mobile access services and define an IP subnet, which is a contiguous range of IP addresses or groups of IP addresses, to support the number of SafeLinx Clients and mobile devices that can concurrently connect to the SafeLinx Server. Every SafeLinx Client or mobile device is assigned an IP address within the subnet of an MNI. These devices connect to your organization's wired LAN through the MNI.
- AIX® and Solaris
- You assign an IP address and subnet mask to use a subnetwork through which traffic is routed publicly.
- Linux™ and Windows™
- How that IP address is assigned and how traffic isrouted through and publicly outside the MNI
are determined by configuration options:
- Use a subnetwork through which traffic is routed publicly
All SafeLinx Clients are assigned an address from the range of addresses that are defined by a configurable IP address and subnet mask. This option requires that machines on your organization's wired LAN must be able to route traffic to this subnetwork using the SafeLinx Server's IP address on the wired LAN. See IP subnetwork addressing for more information.Note: This option is the one available on AIX and Solaris operating systems.
- Use a DHCP server that is externally located
- All SafeLinx Client addresses for the MNI are assigned by a dynamic host configuration protocol (DHCP) server. The DHCP server also routes all public traffic for packets that are destined outside the MNI subnetwork. This option requires that a specific network interface adapter is bound to the MNI. It is targeted for use in smaller installations because it requires ARP table and route table entries for each assigned address, which can affect performance.
- Use an external DHCP server with NAT
All SafeLinx Clients are assigned an address from the range of addresses that are defined by a configurable IP address and subnet mask. Typically, this range of addresses is private and not globally unique (that is, not unique IP addresses on the Internet). The SafeLinx Server obtains a range of unique IP source addresses used for network address translation (NAT) based on the configurable number of NAT addresses requested, then randomly assigns an originating packet to a port number. The NAT maintains the mapping of the packet to one of these addresses and the port number in a translation table during a TCP session or until a timeout occurs for an idle TCP session or idle UDP connection. The NAT addresses are obtained from a DHCP server.
This option requires that a specific network interface adapter is bound to the MNI. It is targeted for use in installations where large numbers of routable addresses are not available to be assigned to the MNI and reduces the number of requests that are made to the DHCP server to one.
To configure an MNI, right-click the mobile access services to which you want to add the MNI, then click.
- How IP traffic is routed. On Linux, you configure this option. On AIX or Solaris, you assign an IP address and subnet mask to use a subnetwork through which traffic is routed publicly.
- Whether the MNI is activated when the SafeLinx Server is started or whether it is defined.
- Filters and packet mapping definitions that control data flow and redirect data traffic through the MNI .
- Whether the SafeLinx Server sends domain name system (DNS) or Windows Internet Name Service (WINS) configuration information to the SafeLinx Clients.
- Whether SafeLinx Clients receiving addresses assigned by the MNI are sent routing table entries to be set locally during session startup.
Account logging is stored on the SafeLinx Server that owns the MNI.
IP subnetwork addressing
When you configure an MNI, you define the IP subnetwork that addresses SafeLinx Clients. Each MNI has an IP address and a subnet mask to define its subnetwork. A subnetwork is an extension to the basic IP addressing scheme, and consists of a contiguous range of IP addresses where a portion of the host address is interpreted as the local network address. The mask is a 32-bit mask that is used to identify the subnetwork address bits in the host portion of an IP address. Every bit that is not 0 is an exact match.
To define a subnetwork, supply the host IP address for the network and the subnet mask that extends the network. For example, if the host IP address is 126.96.36.199 and it is extended by 256 IP addresses, then the mask for that IP address is 255.255.255.0
If the host IP address is 188.8.131.52 and it is extended by 64 IP addresses, the mark for that IP address is 255.255.255.192
MNIs support dynamic IP addressing, in which case the MNIs restrict dynamic addresses to a particular range or to one or two groups of addresses.
Depending on the number of addresses that are needed and the number of addresses that are defined in the MNI, you can define one MNI for all networks, or define more than one MNI. If you must logically separate users within one SafeLinx Server, define more than one MNI.
If the subnetwork mask that is applied to the MNI is too restrictive and you want the SafeLinx Clients that attach through that MNI to have a wider subnet range, you can apply an alternate subnet mask to the client attached to that MNI. To enable the alternate subnet, click Use alternate subnet mask on client on the MNI's Interface tab. Enter the new mask to assign the alternate subnet mask to override the MNI's subnet mask.
For more information about IP addressing, see the Admin Users Guide.
Filters and packet mapping
You can protect user data through filters or packet mappings, both of which are resources that are assigned to an MNI.
You can set up filters to prevent or allow communication between IP addresses within an MNI. Users of different networks within an MNI remain secure because a filter blocks or passes data to or from one or more IP addresses.
You can also redirect data to or from addresses in an MNI by using packet mapping, which modifies an IP header packet to redirect data.