ApplicGate
(v12.0.8884.28918 started 2024-04-28 17:07:31 on VM2)

RSP Wizard for RSP project creation

Goal:
- Easy definition and update of RSP projects
- Delegation of RSP project creation
- Granular management rights depending on management location
- Automated UID generation
- Automated IP address reservation

Routing Table:

Remote ApplicGate instances:
- the following "incoming" routing entries must exist:
-- GatewayIP=R1, GatewayIP2=manage
-- GatewayIP=R3, Type=PRX
Example:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                    ;UID;Comment       ;eMail
* ;127.0.0.1 ;88 ;manage ;* ;* ;* ;RTUPD,GRPUPD, LGS, BPRI:AboveNormal, FLG:true,TINT:10 ;MGL;Manage local ;
autologon;R1|R3|mgmt;* ;* ;rsp.xyz.com ;446 ;* ;UPDATE, SSLTARGET:rsp.xyz.com!!abc@xyz.com.cer,RETRY:20s,TTL:325s;AL ;Autologon ;
incoming ;R1 ;* ;manage ;* ;* ;* ; ;MGR;Manage remote ;
incoming ;R3 ;* ;* ;* ;* ;* ;PRX ;PRX;Incoming Proxy;

Central ApplicGate:
System setting (only if GatewayIP2=manage):
- Keyword IPSTART:IPv4address ... start address for new routes generated by the RSP wizard.
-- The second octet should be an even number. The default value of IPSTART is 127.2.1.0.
-- A new address is the address following the higher of IPSTART and the highest existing 127.x.x.x address.
Routing entries with GatewayIP2=manage or status:
- Keyword PRJSET:UIDprefixes!remoteEmail!MCHKvalue ... settings for the RSP wizard.
-- UIDprefixes ... list of strings separated by | to choose a prefix for UID generation, e.g. S|T
-- remoteEmail ... string used to generate the e-mail name for the certificate of the remote computer, e.g. .rsp@applicgate.com
--- The e-mail name is constructed as UIDprefix+serialNo+remoteEmail, e.g. S120.rsp@applicgate.com
--- serialNo starts at 100 and is incremented automatically
-- MCHKvalue ... value for keyword MCHK to control group updates
- Keyword PRJUPD:grouplist ... to define access to the RSP wizard.
-- grouplist ... a list of special groups (group name must start with "A_") separated by |
-- Example: PRJUPD:A_PW1|A_PW2
-- each group may contain one or more ACLs (separated by ,) with the following format:
--- list of email addresses (separated by |) : accessType : list of management locations (separated by |)
--- email addresses may contain one or more * as wildcards, e.g. *@aon.at, ab*x@mycompany.com, *.mgmt.*@x.com.
--- Currently only W is supported for accessType
--- Example: x@mycompany.com|mike@mycompany.com:W:Linz|Graz
-- For "manage" routing entries the grouplist may be omitted, because all management locations can be selected there.
-- If a new management location has been defined, the routing table must be reloaded.
- Keyword GRPUPD must be defined.
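The following is an added example, not ApplicGate code, that works through two points above: the "incoming" routing entries a remote ApplicGate instance must carry (checked against the example routing table), and the IPSTART rule for the next address the RSP wizard reserves. The column names and semicolon layout are taken from the example table; the assumption that every 127.x.x.x value found in SourceIP, GatewayIP or DestinationIP counts as an already reserved address is this example's own.

```python
"""Parse an ApplicGate-style routing table, check the "incoming" entries a
remote instance needs, and derive the next address the RSP wizard would
reserve from IPSTART.

Added example for this page; it is not ApplicGate code.  Column names and
the semicolon layout follow the page's example table.  Assumption: every
127.x.x.x value found in SourceIP, GatewayIP or DestinationIP counts as an
already reserved address."""
import ipaddress

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
IP_COLUMNS = ("SourceIP", "GatewayIP", "DestinationIP")

# Constructed sample: the page's example table, padding spaces included.
SAMPLE_TABLE = """\
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type;UID;Comment;eMail
* ;127.0.0.1 ;88 ;manage ;* ;* ;* ;RTUPD,GRPUPD, LGS, BPRI:AboveNormal, FLG:true,TINT:10 ;MGL;Manage local ;
autologon;R1|R3|mgmt;* ;* ;rsp.xyz.com ;446 ;* ;UPDATE, SSLTARGET:rsp.xyz.com!!abc@xyz.com.cer,RETRY:20s,TTL:325s;AL ;Autologon ;
incoming ;R1 ;* ;manage ;* ;* ;* ; ;MGR;Manage remote ;
incoming ;R3 ;* ;* ;* ;* ;* ;PRX ;PRX;Incoming Proxy;
"""


def parse_routing_table(text):
    """Return one dict per entry; Type is also split into a 'Keywords' list."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(";")]
    rows = []
    for ln in lines[1:]:
        fields = [f.strip() for f in ln.split(";")]
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} fields: {ln!r}")
        row = dict(zip(header, fields))
        # Keywords such as SSLTARGET:host!!name.cer contain no comma, so a
        # plain comma split yields the keyword list.
        row["Keywords"] = [k.strip() for k in row["Type"].split(",") if k.strip()]
        rows.append(row)
    return rows


def missing_incoming_entries(rows):
    """Names of the required remote-instance 'incoming' entries that are absent."""
    incoming = [r for r in rows if r["SourceIP"] == "incoming"]
    missing = []
    if not any(r["GatewayIP"] == "R1" and r["GatewayIP2"] == "manage" for r in incoming):
        missing.append("incoming;R1 with GatewayIP2=manage")
    if not any(r["GatewayIP"] == "R3" and "PRX" in r["Keywords"] for r in incoming):
        missing.append("incoming;R3 with Type=PRX")
    return missing


def reserved_loopback_addresses(rows):
    """All 127.x.x.x addresses already present in the IP columns (assumption)."""
    found = set()
    for r in rows:
        for col in IP_COLUMNS:
            try:
                addr = ipaddress.IPv4Address(r[col])
            except ValueError:        # '*', host names, 'R1|R3|mgmt', empty
                continue
            if addr in LOOPBACK:
                found.add(addr)
    return found


def ipstart_second_octet_is_even(ipstart):
    """The page recommends an even second octet for IPSTART."""
    return int(ipstart.split(".")[1]) % 2 == 0


def next_rsp_address(rows, ipstart="127.2.1.0"):
    """Next address: one above the higher of IPSTART and the highest
    reserved 127.x.x.x address, as the page describes."""
    start = ipaddress.IPv4Address(ipstart)
    if start not in LOOPBACK:
        raise ValueError("IPSTART must be a 127.x.x.x address")
    candidate = max(reserved_loopback_addresses(rows) | {start}) + 1
    if candidate not in LOOPBACK:
        raise ValueError("127.0.0.0/8 exhausted")
    return str(candidate)


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_TABLE)
    print("missing:", missing_incoming_entries(table) or "none")
    print("next RSP address:", next_rsp_address(table))
```

With the example table, the only reserved loopback address is 127.0.0.1, which lies below the default IPSTART, so the next address is 127.2.1.1; once a generated route holding 127.2.1.7 exists, the next one becomes 127.2.1.8.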

User Interface:
Project creation: Configuration, New Project ... data entry via web form
- or New Project (upload) ... to upload a project definition .csv file. The format of the file is described here.
List my projects: UID_Lists, UID List (my Projects)
- Column UID: hyperlink to the routing table of this project, to update and delete entries
- Column UIDname: hyperlink to all groups of this project (all groups whose names start with UID_), to update and delete groups
- The [Routes] and [Group] buttons define new routes and groups for the project.

Administrative rights:
- Sessions via "manage" routing entries have full rights.
- Sessions via "status" routing entries have the following rights:
-- Location Managers (mentioned in keyword PRJUPD):
--- Definition of new projects for the authorized location
--- All routing entries and groups in the authorized location: creation, update and delete
-- Users defined in the email field of a group:
--- Update of that group

Note:
Routing entries with keyword UIDN may be deleted only via "manage" sessions.

reinhold.leitner@applicgate.com (C) April 2024
www.applicgate.com