B.38 The --security-gateway Attribute

Description

You use the --security-gateway attribute to enable SGD Gateway usage for the SGD array. The attribute defines the following:

  • The SGD Clients that can access an SGD Gateway, based on their IP address or DNS name.

  • The address that client devices use to contact the SGD Gateway.

Note

The --security-gateway attribute is used for AIP connections only. Routing of HTTP connections is handled by the HTTP load balancing service on the Apache reverse proxy component of the Gateway.

Changes to the --security-gateway attribute apply to all SGD servers in the array.

Syntax

The syntax for the --security-gateway attribute is as follows:

--security-gateway filter-spec...

Replace filter-spec with a filter specification of the type:

client-ip-address|*:gateway-protocol:gateway-address:gateway-port

  • The client-ip-address is the IP address of the SGD Client. For connections through the SGD Gateway, this is the interface that the SGD Gateway uses to connect to the SGD servers in the array.

    A single asterisk, *, represents all IP addresses.

    The client IP address string can contain the * and ? wildcards, where * matches multiple characters and ? matches a single character. For example:

    192.169.10.* matches all addresses on the 192.169.10 network.

    192.169.10.12? matches the address range from 192.169.10.120 to 192.169.10.129.

    Note

    If you are using an external load balancer with the SGD Gateway, enter the address of the load balancer for the client-ip-address.

  • The gateway-protocol is sgdg for connections through the SGD Gateway, or direct for SGD Clients that connect directly to an SGD array, without going through the SGD Gateway.

  • The gateway-address is the external address of the SGD Gateway, or an external load balancer, if used. This is the address that client devices use to contact the SGD Gateway.

    For direct connections to an SGD array, specify the address of the primary server in the array.

  • The gateway-port is the TCP port that client devices use to connect to the SGD Gateway, or an external load balancer, if used.

    For direct connections to an SGD array, specify the port for the primary server in the array.

Separate multiple filter-spec entries with a comma and enclose the entire string in double quotation marks (" "). See Using Multiple Filters.

Examples

The following example enables all SGD Clients to connect using TCP port 443 of the SGD Gateway gateway1.example.com.

$ tarantella config edit --security-gateway "*:sgdg:gateway1.example.com:443"

The following example enables all SGD Clients to connect using an external load balancer, lb.example.com.

$ tarantella config edit --security-gateway "*:sgdg:lb.example.com:443"

The following example enables all SGD Clients to connect directly to an SGD array, without going through the SGD Gateway. The primary server in the array is sgd1.example.com.

$ tarantella config edit --security-gateway "*:direct:sgd1.example.com:443"

Using Multiple Filters

You can use multiple filter specifications, as shown in the following example.

Consider a basic deployment, as shown in Figure B.1, “Using Multiple Filter Specifications”. The deployment uses a single SGD Gateway, gateway1.example.com, with an SGD array that contains two SGD servers, sgd1.example.com and sgd2.example.com. The primary server in the array is sgd1.example.com.

The address of the SGD Gateway on the internal network is 192.168.0.250.

Figure B.1 Using Multiple Filter Specifications

[Figure: network diagram showing a deployment scenario that uses multiple filters]

The following filter specification might be used for this example:

"192.168.0.250:sgdg:gateway1.example.com:443,*:direct:sgd1.example.com:80"

With this configuration, the following applies:

  • Connections to the SGD servers in the array are allowed from the SGD Gateway IP address, 192.168.0.250. SGD Clients outside the organization connect using TCP port 443 of the SGD Gateway, gateway1.example.com.

  • All other SGD Clients, such as those on the local area network (LAN), connect directly to TCP port 80 on the primary SGD server sgd1.example.com. These connections do not use the SGD Gateway.

  • The order of the filters is important. Filters are matched in the order written, and the * pattern also matches the SGD Gateway address 192.168.0.250. If the order of the filters is reversed, all SGD Clients, including those arriving through the SGD Gateway, connect directly to the SGD server sgd1.example.com.
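To make the filter-spec syntax and the ordering rule concrete, here is an added Python model of the matching (example code written for this page, not part of SGD or the tarantella command). It assumes that filters are evaluated in the order written with the first match winning, which is what the reversed-order behaviour above implies, and that * and ? are shell-style wildcards over the address string.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    client_pattern: str   # client-ip-address, may contain * and ? wildcards
    protocol: str         # "sgdg" (via SGD Gateway) or "direct"
    address: str          # gateway-address, or primary SGD server for direct
    port: int             # gateway-port


def parse_security_gateway(spec: str) -> List[Filter]:
    """Parse a --security-gateway value such as
    "192.168.0.250:sgdg:gateway1.example.com:443,*:direct:sgd1.example.com:80".
    Surrounding double quotes from the command line are tolerated."""
    filters = []
    for entry in spec.strip().strip('"').split(','):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(':')
        if len(parts) != 4:
            raise ValueError(f"malformed filter-spec: {entry!r}")
        client, proto, addr, port = parts
        if proto not in ('sgdg', 'direct'):
            raise ValueError(f"unknown gateway protocol {proto!r} in {entry!r}")
        filters.append(Filter(client, proto, addr, int(port)))
    return filters


def match_client(filters: List[Filter], client_addr: str) -> Optional[Filter]:
    """Return the first filter whose client pattern matches client_addr.
    Assumption: first match wins, so a leading '*' filter shadows every
    filter after it. fnmatch gives the documented * / ? semantics."""
    for f in filters:
        if fnmatch.fnmatchcase(client_addr.lower(), f.client_pattern.lower()):
            return f
    return None


if __name__ == "__main__":
    # Constructed from the Figure B.1 scenario: Gateway internal address
    # 192.168.0.250, primary server sgd1.example.com.
    fs = parse_security_gateway(
        '"192.168.0.250:sgdg:gateway1.example.com:443,*:direct:sgd1.example.com:80"')
    for addr in ("192.168.0.250", "192.168.0.17"):
        print(addr, "->", match_client(fs, addr))
    print("reversed, gateway ->", match_client(fs[::-1], "192.168.0.250").protocol)
```

Running it shows the Gateway address routed via sgdg and a LAN client routed direct, and that reversing the list sends the Gateway's own connections to the direct filter.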