Secure Access Hub
This functionality is used to Secure Access to Servers with following advantages:
- Only outgoing connections from the Secure Zone are established.
-> No connection initiation from insecure to secure network.
- No ports are open when ApplicGate Agent or Server is stopped
- Optional authentication at ApplicGate Hub:
--- Certificates, OTP and TOTP
- Following routing algorithms are available at ApplicGate Hub:
-- Source address of client
-- Accessed IP address and port of hub
-- Authentication of client (Certificate, OTP or TOTP)
-- http host Header (https/TLS connections terminate at the hub)
- Simplification of firewall configuration
See schema here
The decription of the keywords mentioned below and some additional keywords can be found here.
Secure Access Hub Examples:
-> First Example
-> Rule selection at the hub dependent on the http host attribute
-> Hub forwards client certificates to the servers
================================================================================================================================
First Example:
Example for Routing Table at SRVA and SRVB ... The servers log on to the ApplicGate Hub:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2 ;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
autologon;443|25 ; ; ;10.0.0.1 ;777 ;* ;GENINC ;1.0;to Hub ;
Example for Routing Table at ApplicGate Hub ... central proxy:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2 ;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
* ;10.0.0.1 ;777 ;reverselogon;443|25 ; ;* ;NOCHKCC ;1.0;Logon ;
* ;1.2.3.1 ;443 ;forward ;443%SRVA ; ;* ; ;1.A; ;
* ;1.2.3.2 ;443 ;forward ;443%SRVB ; ;* ; ;1.B; ;
* ;1.2.3.1 ;25 ;forward ;25 ; ;* ; ;2.X; ;
Notes:
- There is no difference between the routing table on SRVA and SRVB, identification at the hub is done by the computer name.
- The keword GENINC generates corresponding incoming routing entries for SRVA and SRVB automatically, these are:
- Add keyword SSL (reverselogon) and SSLTARGET (autologon) to encrypt the connections.
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2 ;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment;eMail
incoming ;443 ; ; ;127.0.0.1 ;443 ;* ; ;GEN-443; ;
incoming ;25 ; ; ;127.0.0.1 ;25 ;* ; ;GEN-25 ; ;
From outside and for port 443 the two servers are addressed via different IP addresses (1.2.3.1 and 1.2.3.2)
For port 25 only one IP address is used (redundant configuration). The link will be forwarded to the server where the logon session is newer.
================================================================================================================================
Rule selection at the hub dependent on the http host attribute:
Example for Routing Table at SRVA and SRVB ... The servers log on to the ApplicGate Hub:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2 ;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
autologon;80 ; ; ;10.0.0.1 ;777 ;* ;GENINC ;1.0;to Hub ;
Example for Routing Table at ApplicGate Hub ... central proxy:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2 ;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
* ;10.0.0.1 ;777 ;reverselogon;80 ; ;* ;NOCHKCC ;1.0;Logon ;
* ;1.2.3.1 ;443 ;1.2.3.1 ;X_Route ; ;* ;PRX, SSL:hub.mycomp.com.cer ;1.X; ;
incoming ;SRVA ; ;forward ;80%SRVA ; ;* ; ;1.A; ;
incoming ;SRVB ; ;forward ;80%SRVB ; ;* ; ;1.B; ;
Notes:
- The local links between the servers and the hub are not encrypted.
- To encrypt these links use the keyword SSL (e.g. SSL:hub.mycomp.com.cer) for the reverselogon entry
--- and the keyword SSLTARGET (e.g. SSLTARGET:hub.mycomp.com) for the autologon entry.
- From outside and for port 443 the two servers are addressed via the same IP address (1.2.3.1) that acts as reverse proxy (keyword PRX).
- Routing is done via the http host attribute.
- To be able to read the host attribute the TLS session must terminate at the hub, keyword SSL is used to specifiy the web server certificate.
- The certificate must be a wildcard certificate (e.g. *.mycomp.com) or must contain the names of both servers.
- The group X_Route must be defined as follows:GroupName;IPranges ;Comment ;eMail ;Expiration
X_Route ;srva.mycomp.com*>local:SRVA,srvb.mycomp.com*>local:SRVB ;Reverse proxy ; ;
Using this group the incoming sessions are routed to the appropriate incoming routing entries (dependent on the http host header).
================================================================================================================================
Hub forwards client certificates to the servers:
Example for Routing Table at SRVA and SRVB ... The servers log on to the ApplicGate Hub:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2 ;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
autologon;80 ; ; ;10.0.0.1 ;777 ;* ;GENINC ;1.0;to Hub ;
Example for Routing Table at ApplicGate Hub ... central proxy:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2 ;DestinationIP;DestinationPort;Expiration;Type ;UID;Comment ;eMail
* ;10.0.0.1 ;777 ;reverselogon;80 ; ;* ;NOCHKCC ;1.0;Logon ;
* ;1.2.3.1 ;443 ;1.2.3.1 ;X_Route ; ;* ;PRX, SSL:hub.mycomp.com.cer, CCR ;1.X; ;
incoming ;SRVA ; ;forward ;80%SRVA ; ;* ;FWCC,SSLTARGET:srva.mycomp.com,SSLCC:hub.cer ;1.A; ;
incoming ;SRVB ; ;forward ;80%SRVB ; ;* ;FWCC,SSLTARGET:srvb.mycomp.com,SSLCC:hub.cer ;1.B; ;
Notes:
- The difference to the preceeding example is the usage of following keywords:
--- CCR: The hub requests a certificate from the clients.
--- FWCC: The client certificates will be forwarded to SRVA and SRVB within the http header SSL_CLIENT_CERT
--- SSLTARGET: To encrypt the link to the servers.
--- SSLCC: The hub authenticates itself at the servers using a client certificate
- Now SRVA and SRVB can read the http header SSL_CLIENT_CERT and check the client certificates.
================================================================================================================================