Processing of forward rules:
"forward" rules can be accessed directly or via an autologon client:
- If a request comes from an autologon client the routing entry with the requested ID will be selected:
-- The requested port (GatewayPort) and the UID must match.
- Authorization is done based on the content of the field SourceIP of the forward rule:
-- The email of the client and the issuer of the client certificate will be checked.
- Any * in a CONNECT keyword of the selected routing entry will be replaced by the requested port.
Forwarding the request to the remote ApplicGate:
- An active remote ApplicGate will be selected: email, RuleID and computer name must match according to the DestinationIP of the forward routing entry.
- The requested RuleID (part of DestinationIP of the "forward" routing entry) and the requested port will be sent to the remote ApplicGate.
-- Remark: The requested port will be sent only if both ApplicGate installations have version 10.0 or higher.
-- Note: The field Destination Port of a forward entry will not be used.
The remote ApplicGate processes incoming rules as follows:
- If no requested port has been received, no port processing will occur (for compatibility reasons).
- A routing entry will be selected where the RuleID matches the GatewayIP, the requested port matches the GatewayPort and access is authorized (see below).
-- If GatewayPort is "*" in the incoming routing entry then any port is allowed.
- If DestinationPort is "*" the requested port will be used to connect to the destination.
-- Hint: Multiple "incoming" routing entries with the same GatewayIP (same ruleID) but different GatewayPort lists can be configured.
-- If in any CONNECT keyword the destination port is "*", the requested port will be used as destination port.
- The optional keywords CCRI and ISSI can be used to check authorization.
Example 1:
Using one routing entry multiple ports can be configured between two ApplicGate installations where a cloud server acts as relay:
Cloud Server APPGWC:
SourceIP ;GatewayIP ;GatewayPort ;GatewayIP2 ;DestinationIP ;DestinationPort ;Expiration ;Type ;UID ;Comment ;eMail
* ;* ;7443 ;reverselogon ;R2|client ; ;* ;SSL:APPGWC.cer, CCR:appgwr@local|NoteB, ISS:myCA, CHKCC, TTL:30s ;R.0 ;reverselogon ;
NoteB ;127.0.1.2 ;1102,1122-1133 ;forward ;appgwr@local:R2%APPGWR ; ;* ;UIDN:"APPGWR!NoteB!" ;D01.2~http://*/main ;D01 Mgmt etc. ;x@xyz.com
Client NOTEB:
SourceIP ;GatewayIP ;GatewayPort ;GatewayIP2 ;DestinationIP ;DestinationPort ;Expiration ;Type ;UID ;Comment ;eMail
autologon ;client ;* ;* ;server.xyz.de ;7443 ; ;DISABLED,UPDATE, TTL:15s, SSLTARGET:server.xyz.de, SSLCC:NoteB.cer RETRY:10s ;A.0 ;Logon to cloud ;
Remote Server APPGWR:
SourceIP ;GatewayIP ;GatewayPort ;GatewayIP2 ;DestinationIP ;DestinationPort ;Expiration ;Type ;UID ;Comment ;eMail
autologon ;R2 ;* ;* ;server.xyz.de ;7443 ;* ;UPDATE, TTL:15s, SSLTARGET:server.xyz.de, SSLCC:APPGWR.p12/myPass, RETRY:10s ;A.0 ;Logon to cloud ;
incoming ;R2 ;1102 ;manage ; ; ;* ;REFRH:5,GRPUPD,RTUPD ;1.R21 ;Manage ;
incoming ;R2 ;1122 ;* ;127.0.0.1 ;22 ;* ; ;1.R22 ;ssh ;
incoming ;R2 ;* ;* ;127.0.0.1 ;* ;* ; ;1.R23 ;port 1123-1133 ;
Note:
- The group NoteB must contain the email address of the client; this email address must be defined in the certificate NoteB.cer (a reference to the Microsoft certificate store).
- The certificate APPGWC.cer (a reference to the Microsoft certificate store) must contain the server name server.xyz.de.
- The certificate APPGWR.p12 must contain the email address appgwr@local.
- After the client has enabled the autologon entry, the remote server can be accessed via the local IP address 127.0.1.2 using the ports 1102 (manage ApplicGate on APPGWR) and 1122 to 1133 (port 1122 is ssh).
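The remote-side selection steps described above (RuleID against GatewayIP, the requested port against the GatewayPort list, "*" substitution in DestinationPort, and the no-port compatibility case), as an added Python model that is not ApplicGate's own code. The rows are a constructed copy of the APPGWR "incoming" entries of Example 1; first-match-wins ordering, the exact behaviour when no port is received, and the assumption that certificate/CCRI/ISSI authorization has already passed are assumptions of this model.

```python
# Added example, not ApplicGate's own code: models the remote-side "incoming"
# rule selection over a constructed copy of the APPGWR rows of Example 1.
COLUMNS = ["SourceIP", "GatewayIP", "GatewayPort", "GatewayIP2", "DestinationIP",
           "DestinationPort", "Expiration", "Type", "UID", "Comment", "eMail"]

# Constructed copy of the three APPGWR incoming entries of Example 1.
APPGWR_RULES = """\
incoming ;R2 ;1102 ;manage ; ; ;* ;REFRH:5,GRPUPD,RTUPD ;1.R21 ;Manage ;
incoming ;R2 ;1122 ;* ;127.0.0.1 ;22 ;* ; ;1.R22 ;ssh ;
incoming ;R2 ;* ;* ;127.0.0.1 ;* ;* ; ;1.R23 ;port 1123-1133 ;
"""

def parse_rules(text):
    """Split semicolon-separated routing lines into dicts keyed by column."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            fields = [f.strip() for f in line.split(";")]
            rules.append(dict(zip(COLUMNS, fields)))
    return rules

def port_allowed(spec, port):
    """Match port against a GatewayPort list like '1102,1122-1133'; '*' = any."""
    if spec == "*":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif port == int(lo):
            return True
    return False

def select_incoming(rules, rule_id, requested_port):
    """Return (rule, destination_port) for the first incoming entry whose GatewayIP
    equals the RuleID and whose GatewayPort admits the port (first match wins, assumed)."""
    for rule in rules:
        if rule["SourceIP"] != "incoming" or rule["GatewayIP"] != rule_id:
            continue
        if requested_port is None:
            # Peer below 10.0 sent no port: no port processing (assumed: entry used as configured)
            return rule, rule["DestinationPort"]
        if not port_allowed(rule["GatewayPort"], requested_port):
            continue
        dest = rule["DestinationPort"]
        if dest == "*":
            dest = str(requested_port)  # '*' takes the requested port
        return rule, dest
    return None
```

Because the third entry's GatewayPort is "*", it only ever sees ports 1123 to 1133 in Example 1 since the forward entry on APPGWC restricts the requestable ports to 1102 and 1122-1133 before the request reaches APPGWR.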
Example 2:
This is an extension of example 1 with additional authentication and encryption for a configuration where high security is needed (end-to-end functions are the same):
- Additional authentication for the autologon links using the se.SAM crypto processor
- End-to-end encryption and authentication and additional authentication using the se.SAM crypto processor between the client and the remote server
- Therefore the cloud server cannot see the data stream in clear text
Cloud Server APPGWC:
SourceIP ;GatewayIP ;GatewayPort ;GatewayIP2 ;DestinationIP ;DestinationPort ;Expiration ;Type ;UID ;Comment ;eMail
* ;* ;7443 ;reverselogon ;R2|client ; ;* ;SSL:server.cer, CCR:K_APPGWR|K_NoteB, ISS:myCA, CCR2:sesam:K_APPGWR|K_NoteB, CHKCC, TTL:30s ;R.0 ;reverselogon ;
K_NoteB ;127.0.1.2 ;1102,1122-1133 ;forward ;appgwr@local:R2%APPGWR ; ;* ;UIDN:"APPGWR!K_NoteB!", C$SSLTARGET:appgwr.x.de, C$SSLCC:NoteB.cer, C$SSLCC2:sesam:com8!P01!0 ;D01.2~http://*/main ;D01 Mgmt etc. ;x@xyz.com
Client NOTEB:
SourceIP ;GatewayIP ;GatewayPort ;GatewayIP2 ;DestinationIP ;DestinationPort ;Expiration ;Type ;UID ;Comment ;eMail
autologon ;client ;* ;* ;server.xyz.de ;7443 ; ;DISABLED,UPDATE, TTL:15s, SSLTARGET:server.xyz.de, SSLCC:NoteB.cer, SSLCC2:sesam:com8!P01!0, RETRY:10s ;A.0 ;Logon to cloud ;
Remote Server APPGWR:
SourceIP ;GatewayIP ;GatewayPort ;GatewayIP2 ;DestinationIP ;DestinationPort ;Expiration ;Type ;UID ;Comment ;eMail
autologon ;R2 ;* ;* ;server.xyz.de ;7443 ;* ;UPDATE, TTL:15s, SSLTARGET:server.xyz.de, SSLCC:APPGWR.p12/myPass, SSLCC2:sesam:/dev/ttyACM0!!0, RETRY:10s ;A.0 ;Logon to cloud ;
incoming ;R2 ;1102 ;manage ; ; ;* ;SSL:APPGWR_server.p12/pws, CCR:K_NoteB, ISS:"myCA", CCR2:sesam:K_NoteB, REFRH:5,GRPUPD,RTUPD ;1.R21 ;Manage ;
incoming ;R2 ;1122 ;* ;127.0.0.1 ;22 ;* ;SSL:APPGWR_server.p12/pws, CCR:K_NoteB, ISS:"myCA", CCR2:sesam:K_NoteB ;1.R22 ;ssh ;
incoming ;R2 ;* ;* ;127.0.0.1 ;* ;* ;SSL:APPGWR_server.p12/pws, CCR:K_NoteB, ISS:"myCA", CCR2:sesam:K_NoteB ;1.R23 ;port 1123-1133 ;
Note:
- The certificate APPGWR_server.p12 must contain the server name appgwr.x.de.
- The groups use a special format (names start with "K_") to store the public keys of se.SAM, e.g. K_APPGWR contains the email address appgwr@local associated with the public key of se.SAM.
- The keywords C$SSLTARGET, C$SSLCC and C$SSLCC2 are downloaded to the client and will be activated after the link from the client to APPGWR has been established.
- The corresponding keywords on APPGWR are SSL, CCR and CCR2.
- For C$SSLCC and C$SSLCC2 the parameters can be specified using "S_" groups to adapt to local needs.