Scenario 3 - Web hosting

Figure 1. Web hosting scenario


In this scenario there are two well defined networks: a secure network, where the server is installed and the controller machines are located, and an unsecure network (for example a web facing network), where servers need to be accessed for maintenance and problem resolution.

The two networks are linked by a DMZ network in which two gateways, each with a specific purpose, are installed.

Additionally, no HTTP proxies are available that would let the targets in the unsecure network register with the server in the secure network, so the gateways need to establish a tunnel connection to carry this communication.

There are two possible scenarios:
Scenario A:
A gateway in the DMZ network is allowed to connect directly to the targets in the secured network (this scenario requires Gateway T1, Gateway T2, Gateways T3x and Gateway RC2).

In this scenario, we would add gateway RC1 to the TRC server.

Scenario B:
No traffic is allowed to the DMZ network and the gateway is NOT allowed to connect directly to the targets in the secured network (this scenario requires Gateway T1, Gateway T2, Gateways T3x, Gateway RC1, Gateway RC2 and Gateways RC3x).

In this scenario, we would add gateway RC1 to the TRC server.

The configuration for each scenario would be as follows:

Configuration common to both scenarios

Gateway T1:

  • Create a control connection to Gateway T2 to be used for the tunnel.
  • Create connections to the server for tunnel connections.

Gateway.3.ConnectionType = Gateway
Gateway.3.DestinationAddress = gatewayT2_ipaddress
Gateway.3.DestinationPort = 8881
# Optional:
# Gateway.3.BindTo = 0.0.0.0
# Gateway.3.SourcePort = 0
# Gateway.3.RetryDelay = 45
# Gateway.3.KeepAlive = 900
# Gateway.3.Timeout = 90
# Gateway.3.Passphrase =

Since the targets in the unsecure network cannot connect directly to the server, a tunnel connection must be created that will forward the heartbeats from the targets to the server:

Outbound.1.ConnectionType = OutboundTunnel
Outbound.1.DestinationAddress = trc_server_ip_address
Outbound.1.DestinationPort = 80
# Optional
# Outbound.1.TunnelID = TRCSERVER
# Outbound.1.BindTo = 0.0.0.0
# Outbound.1.Timeout = 90

Where the DestinationAddress and DestinationPort are the IP address and port of the TRC server.

Gateway T2:

The configuration file for Gateway T2 will contain the following entries, regardless of the type of scenario:

  • Create connections to Gateways T3x.
  • Accept control connections from Gateway T1.

A gateway connection must be defined for each T3 gateway, that is GatewayT3a, GatewayT3b and GatewayT3c.

Gateway.T3x.ConnectionType = Gateway
Gateway.T3x.DestinationAddress = gatewayT3x_ipaddress
Gateway.T3x.DestinationPort = 8881
# Optional:
# Gateway.T3x.BindTo = 0.0.0.0
# Gateway.T3x.SourcePort = 0
# Gateway.T3x.RetryDelay = 45
# Gateway.T3x.KeepAlive = 900
# Gateway.T3x.Timeout = 90
# Gateway.T3x.Passphrase =

Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false

Gateways T3x:

The configuration file for Gateways T3x will contain the following entries, regardless of the type of scenario:

  • Accept control connections from gateway T2.
  • Accept requests from endpoints for tunnel connections to the server.

Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false

InboundTunnel.1.ConnectionType = InboundTunnel
InboundTunnel.1.PortToListen = 8880
# Optional
# InboundTunnel.1.TunnelID = TRCSERVER
# InboundTunnel.1.BindTo = 0.0.0.0
# InboundTunnel.1.RetryDelay = 45

Since the targets in the unsecure network cannot connect directly to the server, the InboundTunnel connection accepts the targets' heartbeats and forwards them through the tunnel to the server.

PortToListen specifies the port that the target should connect to when connecting to the server via the tunnel. For the targets to use the tunnel, the target configuration must set the ProxyURL to:

trcGateway://<gateway address>:8880

Scenario A

Gateway RC2:

Gateway RC2 will have the following configuration:

  • Accept requests from controllers in the secure network.
  • Locate endpoints in the unsecure networks.

Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = false
Inbound.1.AllowEndpoints = true

Endpoint.1.ConnectionType = Endpoint
# Optional
# Endpoint.1.SubnetAddress = 0.0.0.0
# Endpoint.1.SubnetMask = 0.0.0.0
# Endpoint.1.BindTo = 0.0.0.0
# Endpoint.1.SourcePort = 0
# Endpoint.1.Timeout = 90

Scenario B

In this scenario, no traffic other than gateway-to-gateway traffic is allowed to leave the secure network. A new gateway, RC1, is therefore needed to accept the requests from the controllers and pass them to RC2. Similarly, a new gateway RC3x is needed in each of the unsecure networks to locate the right target.

Gateway RC1:

Gateway RC1 will have the following configuration:

  • Accept requests from controllers in the secure network.
  • Connect to Gateway RC2 to forward the connections requests.

Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = false
Inbound.1.AllowEndpoints = true

Gateway.RC2.ConnectionType = Gateway
Gateway.RC2.DestinationAddress = gatewayRC2_ipaddress
Gateway.RC2.DestinationPort = 8881
# Optional:
# Gateway.RC2.BindTo = 0.0.0.0
# Gateway.RC2.SourcePort = 0
# Gateway.RC2.RetryDelay = 45
# Gateway.RC2.KeepAlive = 900
# Gateway.RC2.Timeout = 90
# Gateway.RC2.Passphrase =

Gateway RC2:

In this scenario Gateway RC2 will have the following configuration:

  • Accept control connections from gateway RC1.
  • Connect to Gateways RC3x to forward the connections requests.

Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false

A gateway connection must be defined for each RC3 gateway (RC3a, RC3b and RC3c), where x = a, b or c:

Gateway.RC3x.ConnectionType = Gateway
Gateway.RC3x.DestinationAddress = gatewayRC3x_ipaddress
Gateway.RC3x.DestinationPort = 8881
# Optional:
# Gateway.RC3x.BindTo = 0.0.0.0
# Gateway.RC3x.SourcePort = 0
# Gateway.RC3x.RetryDelay = 45
# Gateway.RC3x.KeepAlive = 900
# Gateway.RC3x.Timeout = 90
# Gateway.RC3x.Passphrase =

Gateway RC3x:

These gateways are now required to locate the endpoints that before were directly accessible to Gateway RC2. The configuration file for the gateways will contain the following entries:

Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false

Endpoint.1.ConnectionType = Endpoint
# Optional
# Endpoint.1.SubnetAddress = 0.0.0.0
# Endpoint.1.SubnetMask = 0.0.0.0
# Endpoint.1.BindTo = 0.0.0.0
# Endpoint.1.SourcePort = 0
# Endpoint.1.Timeout = 90
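Because each gateway's Gateway entries must line up with an Inbound listener on the peer that has AllowGateways = true on the same port, a small consistency check across all the configuration files is worth running before deployment. The following is an added example, not IBM's code or part of this documentation: it parses the Name.N.Key = Value format used above and walks the Scenario B control path RC1 -> RC2 -> RC3x. The file contents and placeholder addresses (gatewayRC1_ipaddress and so on) are constructed for the example, and the RC2 file deliberately points at a T3 address so the check has something to report.

```python
# Added example, not IBM's code: parse the Name.N.Key = Value gateway format used
# above and check every Gateway connection reaches a peer Inbound that accepts gateways.
from collections import defaultdict

# Constructed sample files keyed by the page's placeholder addresses; Scenario B
# control path RC1 -> RC2 -> RC3a, with RC2 deliberately naming a T3 address.
CONFIGS = {
    "gatewayRC1_ipaddress": """
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Inbound.1.AllowGateways = false
Gateway.RC2.ConnectionType = Gateway
Gateway.RC2.DestinationAddress = gatewayRC2_ipaddress
Gateway.RC2.DestinationPort = 8881""",
    "gatewayRC2_ipaddress": """
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Inbound.1.AllowGateways = true
Gateway.RC3a.ConnectionType = Gateway
Gateway.RC3a.DestinationAddress = gatewayT3a_ipaddress
Gateway.RC3a.DestinationPort = 8881""",
    "gatewayRC3a_ipaddress": """
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Inbound.1.AllowGateways = true""",
}

def parse(text):
    """Group 'Prefix.Name.Key = Value' lines into {(Prefix, Name): {Key: Value}}."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # '#' lines are commented-out optional keys
            continue
        key, _, value = line.partition("=")
        prefix, name, prop = key.strip().split(".", 2)
        conns[(prefix, name)][prop] = value.strip()
    return conns

def check(configs):
    """Return a list of problems across all configs; an empty list means consistent."""
    parsed = {host: parse(text) for host, text in configs.items()}
    problems = []
    for host, conns in parsed.items():
        for (prefix, name), props in conns.items():
            if props.get("ConnectionType") != "Gateway":
                continue
            dest, port = props.get("DestinationAddress"), props.get("DestinationPort")
            if not any(p.get("ConnectionType") == "Inbound" and p.get("PortToListen") == port
                       and p.get("AllowGateways", "").lower() == "true"
                       for p in parsed.get(dest, {}).values()):
                problems.append(f"{host}: {prefix}.{name} -> {dest}:{port} has no Inbound accepting gateways")
    return problems
```

Running check(CONFIGS) reports the RC2 entry; once its DestinationAddress names gatewayRC3a_ipaddress the check returns an empty list.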