ApplicGate
(v12.0.8835.37320 started 2024-03-13 03:27:29 on VM2)

Possible combinations of functions with autologon and incoming

+==========+=============+===============+============================================+
|          |             |   Supported   |                                            |
| GatewayIP| GatewayIP2  |   Keywords    | Use Case                                   |
|          |             | SSL |SSLTARGET|                                            |
+==========+=============+=====+=========+============================================+
| autologon| forward     | n/a |   yes   | autologon link via reverse autologon link  |
+----------+-------------+-----+---------+--------------------------------------------+
| autologon| * or IP     | n/a |   yes   | normal autologon link                      |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | reverselogon| yes |   n/a   | autologon link received via reverslogon    |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | forward     | no  |   n/a   | cascaded autologon links                   |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | ---"---     | no  |   yes   | for rules that are addressed via local:rule|
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | status      | yes |   n/a   | local status link                          |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | manage      | yes |   n/a   | local manage link                          |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | web         | yes |   n/a   | local web                                  |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | echo        | no  |   n/a   | local echo                                 |
+----------+-------------+-----+---------+--------------------------------------------+
| incoming | * or IP     | no  |   yes   | normal outgoing connection                 |
+==========+=============+=====+=========+============================================+ 
All other configurations with GatewayIP autologon or incoming are not supported, these are:
- autologon with GatewayIP2 other than forward, * or IP
- incoming with GatewayIP2 logon

Example of cascaded autologon configuration:

SRV2 can be managed from SRV0 (10.10.1.2:87) via two autologon links and from SRV1 (10.20.1.2:87) via one autologon link.

Example for Routing Table at SRV0
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID              ;Comment      ;eMail
* ;10.10.1.1 ;443 ;reverselogon;R1|R2 ;* ;* ;SSL:srv0.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;S100.1 ;reverselogon ;alice@test.com
RSPtest ;10.10.1.2 ;87 ;forward ;srv1@test.com:R1;* ;* ;UIDN:"Test cascading!RSPtest" ;T100.1~http://*/ ;Mgmt Srv2 ;alice@test.com
RSPtest ;10.10.1.2 ;443 ;forward ;srv1@test.com:R2;* ;* ; ;T100.S~https://*/;Mgmt Srv2 SSL;alice@test.com
Example for Routing Table at SRV1
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID              ;Comment      ;eMail
autologon;R1|R2 ; ; ;10.10.1.1 ;443 ; ;TTL:6,SSLTARGET:srv0.test.com,SSLCC:srv1@test.com.cer,RETRY:2;AUT0 ;Cascading ;bob@test.com
incoming ;R1 ; ;forward ;srv2@test.com:S1;* ;* ;UIDN:"Test cascading!RSPtest" ;T100.1i ;Mgmt Srv2 ;bob@test.com
incoming ;R2 ; ;forward ;srv2@test.com:S2;* ;* ; ;T100.Si ;Mgmt Srv2 SSL;bob@test.com
* ;10.20.1.2 ;87 ;forward ;srv2@test.com:S1;* ;* ; ;T100.1~http://*/ ;Mgmt Srv2 ;bob@test.com
* ;10.20.1.2 ;443 ;forward ;srv2@test.com:S2;* ;* ; ;T100.S~https://*/;Mgmt Srv2 SSL;bob@test.com
* ;10.20.1.1 ;443 ;reverselogon;S1|S2 ;* ;* ;SSL:srv1.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;S200.1 ;reverselogon ;bob@test.com
Example for Routing Table at SRV2
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID             ;Comment      ;eMail
autologon;S1|S2 ; ; ;10.20.1.1 ;443 ;* ;TTL:6,SSLTARGET:srv1.test.com,SSLCC:srv2@test.com.cer,RETRY:2;AUT1 ;autologon ;
incoming ;S1 ; ;manage ; ;* ;* ; ;T100.1 ;Mgmt Srv2 ;bob@test.com
incoming ;S2 ; ;manage ; ;* ;* ;SSL:srv2.test.com.cer ;T100.S ;Mgmt Srv2 SSL;bob@test.com

Example of autologon and autologon via reverselogon:

(This is a complex configuration and it is shown just for completeness!)
SRV0 can manage SRV1 (10.10.1.2:87) via reverselogon.
SRV1 can see the status of SRV0 (10.20.1.2:777) via reverselogon that is transported via autologon at SRV1.

Example for Routing Table at SRV0
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID             ;Comment      ;eMail
* ;10.10.1.1 ;443 ;reverselogon;R1|X1 ;* ;* ;SSL:srv0.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;S100.1 ;reverselogon ;alice@test.com
* ;10.10.1.2 ;87 ;forward ;srv1@test.com:R1;* ;* ; ;T100.1~http://*/;Mgmt Srv1 ;alice@test.com
autologon;Y1 ;* ;forward ;srv1@test.com:X1;* ;* ;TTL:6,SSLTARGET:srv1.test.com,SSLCC:srv0@test.com.cer,RETRY:2;Z100.1a ;autologon via forward;
incoming ;Y1 ;* ;status ; ;* ;* ;LGD ;Z101 ;Status ;
Example for Routing Table at SRV1
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2  ;DestinationIP   ;DestinationPort;Expiration;Type                                                         ;UID              ;Comment      ;eMail
autologon;R1|X1 ; ; ;10.10.1.1 ;443 ; ;TTL:6,SSLTARGET:srv0.test.com,SSLCC:srv1@test.com.cer,RETRY:2;AUT0 ;autologon ;bob@test.com
incoming ;R1 ; ;manage ; ;* ;* ;UIDN:"Test!RSPtest" ;T100.1 ;Mgmt ;bob@test.com
incoming ;X1 ; ;reverselogon;Y1 ;* ;* ;SSL:srv1.test.com.cer,CCR:*@test.com,CHKCC,ISS:TestCA ;RV1 ; ;
* ;10.20.1.2 ;777 ;forward ;srv0@test.com:Y1;* ;* ;UIDN:SRV0!* ;Z101~http://*/ ;Status SRV0 ;charly@test.com
Here are sample log files with
- autologon
- autologon via reverselogon
An alternate solution to for the status link from SRV1 to SRV0 could be e.g. a proxy rule at SRV0.
The selection of to rules at SRV0 could be done via different ports or different client certificates.
ApplicGate Logo  reinhold.leitner@applicgate.com (C) March 2024
www.applicgate.com