ApplicGate
(v12.0.9111.30500 started 2024-12-11 16:09:49 on VM2)

Possible combinations of functions with autologon and incoming

+==========+=============+===============+============================================+
|          |             |   Supported   |                                            |
| GatewayIP| GatewayIP2  |   Keywords    | Use Case                                   |
|          |             | SSL |SSLTARGET|                                            |
+==========+=============+=====+=========+============================================+
| autologon| forward     | n/a |   yes   | autologon link via reverse autologon link  |
+----------+-------------+-----+---------+--------------------------------------------+
| autologon| * or IP     | n/a |   yes   | normal autologon link                      |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | reverselogon| yes |   n/a   | autologon link received via reverselogon   |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | forward     | no  |   n/a   | cascaded autologon links                   |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | ---"---     | no  |   yes   | for rules that are addressed via local:rule|
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | status      | yes |   n/a   | local status link                          |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | manage      | yes |   n/a   | local manage link                          |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | web         | yes |   n/a   | local web                                  |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | echo        | no  |   n/a   | local echo                                 |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | * or IP     | no  |   yes   | normal outgoing connection                 |
+==========+=============+=====+=========+============================================+ 
All other configurations with GatewayIP autologon or incoming are not supported. These are:
- autologon with GatewayIP2 other than forward, * or IP
- incoming with GatewayIP2 logon

Example of cascaded autologon configuration:

SRV2 can be managed from SRV0 (10.10.1.2:87) via two autologon links and from SRV1 (10.20.1.2:87) via one autologon link.

Example for Routing Table at SRV0
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID              ;Comment      ;eMail
* ;10.10.1.1 ;443 ;reverselogon;R1|R2 ;* ;* ;SSL:srv0.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;S100.1 ;reverselogon ;alice@test.com
RSPtest ;10.10.1.2 ;87 ;forward ;srv1@test.com:R1;* ;* ;UIDN:"Test cascading!RSPtest" ;T100.1~http://*/ ;Mgmt Srv2 ;alice@test.com
RSPtest ;10.10.1.2 ;443 ;forward ;srv1@test.com:R2;* ;* ; ;T100.S~https://*/;Mgmt Srv2 SSL;alice@test.com
Example for Routing Table at SRV1
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID              ;Comment      ;eMail
autologon;R1|R2 ; ; ;10.10.1.1 ;443 ; ;TTL:6,SSLTARGET:srv0.test.com,SSLCC:srv1@test.com.cer,RETRY:2;AUT0 ;Cascading ;bob@test.com
incoming ;R1 ; ;forward ;srv2@test.com:S1;* ;* ;UIDN:"Test cascading!RSPtest" ;T100.1i ;Mgmt Srv2 ;bob@test.com
incoming ;R2 ; ;forward ;srv2@test.com:S2;* ;* ; ;T100.Si ;Mgmt Srv2 SSL;bob@test.com
* ;10.20.1.2 ;87 ;forward ;srv2@test.com:S1;* ;* ; ;T100.1~http://*/ ;Mgmt Srv2 ;bob@test.com
* ;10.20.1.2 ;443 ;forward ;srv2@test.com:S2;* ;* ; ;T100.S~https://*/;Mgmt Srv2 SSL;bob@test.com
* ;10.20.1.1 ;443 ;reverselogon;S1|S2 ;* ;* ;SSL:srv1.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;S200.1 ;reverselogon ;bob@test.com
Example for Routing Table at SRV2
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID             ;Comment      ;eMail
autologon;S1|S2 ; ; ;10.20.1.1 ;443 ;* ;TTL:6,SSLTARGET:srv1.test.com,SSLCC:srv2@test.com.cer,RETRY:2;AUT1 ;autologon ;
incoming ;S1 ; ;manage ; ;* ;* ; ;T100.1 ;Mgmt Srv2 ;bob@test.com
incoming ;S2 ; ;manage ; ;* ;* ;SSL:srv2.test.com.cer ;T100.S ;Mgmt Srv2 SSL;bob@test.com
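
A way to check routing table rows against the combination matrix above before deploying them (added example, not ApplicGate code). It assumes that the function keyword (autologon/incoming) is read from the first field, where the page's example rows carry it, that an empty GatewayIP2 counts as "*", and that only cells marked "no" are flagged; `lint_row` and `gw2_class` are hypothetical names.

```python
import ipaddress

# (function, GatewayIP2 class) -> keywords the matrix above marks "no".
# "n/a" cells are not flagged; pairs missing from this map are unsupported.
MATRIX = {
    ("autologon", "forward"): set(),
    ("autologon", "*|IP"): set(),
    ("incoming", "reverselogon"): set(),
    ("incoming", "forward"): {"SSL"},
    ("incoming", "status"): set(),
    ("incoming", "manage"): set(),
    ("incoming", "web"): set(),
    ("incoming", "echo"): {"SSL"},
    ("incoming", "*|IP"): {"SSL"},
}

def gw2_class(value):
    """Map a GatewayIP2 field to the value used in the matrix."""
    v = value.strip().lower()
    if v in ("", "*"):  # assumption: an empty field counts as "*"
        return "*|IP"
    try:
        ipaddress.ip_address(v)
        return "*|IP"
    except ValueError:
        return v

def lint_row(row):
    """Return findings for one semicolon-separated routing table row."""
    f = [c.strip() for c in row.split(";")] + [""] * 8
    func = f[0].lower()  # assumption: function keyword is the first field
    if func not in ("autologon", "incoming"):
        return []  # the matrix only covers these two functions
    combo = (func, gw2_class(f[3]))
    if combo not in MATRIX:
        return [f"unsupported combination {func} + GatewayIP2 '{f[3]}'"]
    keys = {p.split(":", 1)[0].strip().upper() for p in f[7].split(",")}
    return [f"{k} not supported for {func} + {f[3] or '*'}"
            for k in sorted(keys & MATRIX[combo])]

ROWS = [  # first two copied from the cascaded example, last two constructed
    'incoming ;R1 ; ;forward ;srv2@test.com:S1;* ;* ;UIDN:"Test cascading!RSPtest" ;T100.1i ;Mgmt Srv2 ;bob@test.com',
    'incoming ;S2 ; ;manage ; ;* ;* ;SSL:srv2.test.com.cer ;T100.S ;Mgmt Srv2 SSL;bob@test.com',
    'incoming ;R2 ; ;forward ;srv2@test.com:S2;* ;* ;SSL:srv1.test.com.cer ;T100.Si ;constructed ;',
    'incoming ;S1 ; ;logon ; ;* ;* ; ;X1 ;constructed ;',
]

if __name__ == "__main__":
    for r in ROWS:
        print(r.split(";")[8].strip(), lint_row(r))
```

The Type field is split on commas without honouring quotes, so a quoted UIDN value containing a comma would need a proper tokenizer.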

Example of autologon and autologon via reverselogon:

(This is a complex configuration and it is shown just for completeness!)
SRV0 can manage SRV1 (10.10.1.2:87) via reverselogon.
SRV1 can see the status of SRV0 (10.20.1.2:777) via reverselogon that is transported via autologon at SRV1.

Example for Routing Table at SRV0
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID             ;Comment      ;eMail
* ;10.10.1.1 ;443 ;reverselogon;R1|X1 ;* ;* ;SSL:srv0.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;S100.1 ;reverselogon ;alice@test.com
* ;10.10.1.2 ;87 ;forward ;srv1@test.com:R1;* ;* ; ;T100.1~http://*/;Mgmt Srv1 ;alice@test.com
autologon;Y1 ;* ;forward ;srv1@test.com:X1;* ;* ;TTL:6,SSLTARGET:srv1.test.com,SSLCC:srv0@test.com.cer,RETRY:2;Z100.1a ;autologon via forward;
incoming ;Y1 ;* ;status ; ;* ;* ;LGD ;Z101 ;Status ;
Example for Routing Table at SRV1
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID              ;Comment      ;eMail
autologon;R1|X1 ; ; ;10.10.1.1 ;443 ; ;TTL:6,SSLTARGET:srv0.test.com,SSLCC:srv1@test.com.cer,RETRY:2;AUT0 ;autologon ;bob@test.com
incoming ;R1 ; ;manage ; ;* ;* ;UIDN:"Test!RSPtest" ;T100.1 ;Mgmt ;bob@test.com
incoming ;X1 ; ;reverselogon;Y1 ;* ;* ;SSL:srv1.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;RV1 ; ;
* ;10.20.1.2 ;777 ;forward ;srv0@test.com:Y1;* ;* ;UIDN:SRV0!* ;Z101~http://*/ ;Status SRV0 ;charly@test.com
Here are sample log files with
- autologon
- autologon via reverselogon
An alternative solution for the status link from SRV1 to SRV0 could be, e.g., a proxy rule at SRV0.
The selection of the two rules at SRV0 could be done via different ports or different client certificates.
reinhold.leitner@applicgate.com (C) December 2024
www.applicgate.com