Go to main content

Oracle^® Advanced Support Gateway Security Guide

Exit Print View

» ...Documentation Home » Oracle^® Advanced Support ... » Oracle Advanced Support Gateway Security Guide » External Connection » TLS VPN and the Gateway

Updated: April 2024

Oracle^® Advanced Support Gateway Security Guide

Document Information

Oracle Advanced Support Gateway Security Guide

About the Gateway

General Requirements

Changes to the Security Guide Since the Last Release

Firewall Port Requirements

External Connection

TLS VPN and the Gateway

Alternative External Connection Option

Controlling Remote VPN Access

Customer Access to the Gateway

Internal Connection

Firewall Rules: Ports and Protocols

Firewall Rules for External Traffic

Firewall Rules for External Traffic Through the Encrypted VPN Tunnel

Firewall Rules for Internal Traffic

Firewall Rules Between the Gateway and the Customer Network

Firewall Rules for Gateway Hardware Self-Monitoring

Firewall Rules Between the Gateway and Exadata

Firewall Rules Between the Gateway and ZDLRA

Firewall Rules Between the Gateway and ZFS

Firewall Rules Between the Gateway and Exalogic

Firewall Rules Between the Gateway and SuperCluster

Firewall Rules Between the Gateway and Exalytics

Firewall Rules Between the Gateway and Oracle Database Appliance

Firewall Rules Between the Gateway and Oracle Big Data Appliance

Firewall Rules Between the Gateway and Oracle Private Cloud Appliance

Firewall Rules Between the Gateway and Oracle Standalone Hosts

Firewall Rules Between the Gateway and Oracle Third-Party Hosts

Implementation Changes to a Customer System

The Monitoring Matrix

Implementation Impact on the Environment

All Systems With An Agent Deployed

Engineered Systems Storage Cells

Engineered System Cisco Switches

Engineered System InfiniBand Switches

Engineered System PDU's

Engineered Systems Compute Nodes (Physical Implementation) and Virtual Machines

OVS Compute Nodes

KVM Compute Nodes

Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines

ZFS Storage Array Storage Heads

Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems

Server Prerequisites for Monitoring Deployment

Server Prerequisites for Monitoring Deployment

Monitoring Access: an Overview

User Privileges

Solaris 11 Initial Setup User RBAC Profile

Solaris 10 Initial Setup User RBAC Profile

Solaris sudo Profile

Linux sudo Profile

ILOM User Privileges

Storage Prerequisites for Monitoring Deployment

Monitoring Deployment: an Overview

Oracle ZFS Storage Appliances

Sample Logging Messages

Managing ASR Audit Logs

About ASR Audit Logs

Viewing ASR Audit Logs

Downloading ASR Audit Logs

Installing the Gateway

Gateway Infrastructure Maintenance and Change Management Process

Understanding Responsibilities

Customer Responsibilities

Oracle Responsibilities

Generating a Change Management Request

Understanding the Change Management Workflow

Understanding Maintenance Activities

Language:

TLS VPN and the Gateway

The Gateway is configured with a software TLS-based VPN client. When the Gateway boots up, it opens an outbound connection to one of three Oracle Services Support centers, establishing a TLS VPN tunnel. At that point, this connection is used for inbound connectivity between the Oracle Services Support center and the Gateway. No inbound firewall port openings are required, as the initial connection is outbound. The Gateway is assigned a unique ID and password and connects to one of three Oracle VPN concentrators. The TLS-based VPN has the following features:

Connection based on TLS, AES256 symmetric encryption to ensure traffic integrity and confidentiality
Continuous VPN connection availability through the use of active/passive VPN cluster servers at the Oracle Services Support centers. Any hardware or software issues on the active VPN server failover all connections to the backup VPN.
Disaster recovery processes that use multiple clusters around the world. Any connection issue with one of the Oracle Services Support centers failover client connections to the other Oracle Services Support centers.

Figure 2 A TLS-Based VPN Client Connection from the Gateway to Oracle

image:Picture of a TLS-based VPN client connection from the Gateway to
Oracle

Note - The TLS VPN is the standard method for establishing the connection with Oracle. Alternative connection methods are available on an exception, customer-by-customer basis that is summarized in Alternative External Connection Option. If you wish to explore these options further, please contact your Oracle Implementation Manager.

Copyright © 2024, Oracle and/or its affiliates.