Gateway setup example

The following example illustrates a gateway and tunnel connection setup. There are three networks present, a secure network, a DMZ network and an unsecure network. Firewalls are installed to control traffic between the secure network and the DMZ and between the DMZ and the unsecure network. The security policy in force does not allow network connections to be initiated from the unsecure network to the DMZ or from the DMZ to the secure network. Network connections from the secure to the DMZ and from the DMZ to the unsecure network are allowed for particular ports. The BigFix® Remote Control Server component is installed on a server that is attached to the secure network and controller computers are also present on the secure network. Applications are run on servers that are attached to the unsecure network and these servers are unattended. The BigFix® Remote Control target is installed on these systems to provide remote access for maintenance and support. No connections can be initiated from the unsecure network to the DMZ or from the DMZ to the secure network, therefore a chain of proxy servers cannot be used. The proxy server on the unsecure network is unable to connect to the proxy server on the DMZ to forward incoming HTTP requests. The solution for this scenario is to install a gateway in each of the networks.

BigFix® Remote Control components present

Table 1. BigFix® Remote Control components present on network
Network name Server Controller Target
Secure network Yes Yes No
DMZ No No No
Unsecure network No No Yes

Networks

Table 2. Networks
Network name Subnet address Netmask
Secure network 10.1.0.0 255.255.255.0
DMZ 10.2.0.0 255.255.255.0
Unsecure network 10.3.0.0 255.255.255.0

Machines

Table 3. Machines
Hostname IP address Roles
SERVER 10.1.0.2 Remote control server on port 80
GATEWAYA 10.1.0.254 Remote control gateway on port 8881
GATEWAYB 10.2.0.254 Remote control gateway on port 8881
GATEWAYC 10.3.0.254 Remote control gateway on port 8881
TARGET 10.1.0.3 Remote control target on port 888

Firewall

Table 4. Firewall
Source DestinationPort Port Description
10.1.0.254/255.255.255.255 10.2.0.254/255.255.255.255 8881 Allow GATEWAYA to connect to GATEWAYB
10.2.0.254/255.255.255.255 10.3.0.254/255.255.255.255 8881 Allow GATEWAYB to connect to GATEWAYC

Gateway setup

  • Gateway support is installed on computer GATEWAYA in the secure network. An BigFix® Remote Control gateway that is named GATEWAYA is also installed because there are controllers present on the secure network. The controllers need to connect to the targets on the unsecure network.

    To install the gateway support, see the BigFix® Remote Control Installation Guide.

    To create the gateway, complete the following steps on the BigFix® Remote Control Server:

    1. Click Admin > New Remote Control Gateway.
    2. On the Add Remote Control Gateway screen, enter the required details
      • Host name - GATEWAYA
      • Description - (optional)
      • IP address - 10.1.0.254
      • Port - 8881
    3. Click Submit.
  • Gateway support is installed on computer GATEWAYB in the DMZ network.

    To install the gateway support see BigFix® Remote Control Installation Guide.

  • Gateway support is installed on computer GATEWAYC in the unsecure network.

    To install the gateway support, see the BigFix® Remote Control Installation Guide.

  • GATEWAYA is configured with a gateway control connection to GATEWAYB.
  • GATEWAYB is configured with a gateway control connection to GATEWAYC.
  • Gateway A is configured with an outbound tunnel connection to the BigFix® Remote Control server.
  • Gateway C is configured with an inbound tunnel connection on port 8880.
  • The targets in the unsecure network are configured to connect through the inbound tunnel connection on GATEWAYC.

Gateway configuration

GATEWAYA configuration file

Inbound.1.ConnectionType= Inbound

Inbound.1.PortToListen = 8881

Gateway.A.ConnectionType=Gateway

Gateway.A.DestinationAddress = 10.2.0.254 - GATEWAYA connects to GATEWAYB

Gateway.A.DestinationPort = 8881

Gateway.A.RetryDelay = 15

Gateway.A.KeepAlive = 900

OutboundTunnel.1.ConnectionType=OutboundTunnel

OutboundTunnel.1.DestinationAddress = 10.1.0.2 - connection to the BigFix® Remote Control server

OutboundTunnel.1.DestinationPort = 80

GATEWAYB configuration file

Inbound.1.ConnectionType= Inbound

Inbound.1.PortToListen = 8881

Gateway.B.ConnectionType=Gateway

Gateway.B.DestinationAddress = 10.3.0.254 - GATEWAYB connects to GATEWAYC

Gateway.B.DestinationPort = 80

Gateway.B.RetryDelay = 15

Gateway.B.KeepAlive = 900

GATEWAYC configuration file

Inbound.1.ConnectionType= Inbound

Inbound.1.PortToListen = 8881

InboundTunnel.1.ConnectionType=InboundTunnel

InboundTunnel.1.PortToListen = 8880. The port that the target must use to connect to the tunnel connection

Endpoint.1.ConnectionType=Endpoint

Endpoint.1.SubnetAddress= 10.3.0.0 - the network address of the unsecure network that the target is connected to.

Endpoint.1.SubnetMask= 255.255.255.0

When a target requires an HTTP or HTTPS connection with the BigFix® Remote Control Server, it first connects to port 8880 on GATEWAYC. GATEWAYC accepts this connection and immediately creates a tunnel to GATEWAYA, through GATEWAYB. GATEWAYA then connects to the BigFix® Remote Control Server and acknowledges the connection to GATEWAYC through GATEWAYB. When the tunnel is established, gateways C and A start to read any data from their respective connections. They forward it to each other through the tunnel and write any traffic that is received from the tunnel to this connection. The result is that the target and the server can communicate and are unaware that the traffic is being tunneled. When either party shuts down their end of the connection, the tunnel is torn down and the other connection is also shut down.