2.2 Network Requirements

To integrate the Corente Services Gateway into your network, you must reserve specific IP addresses and configure IP addressing to support the Corente Services Gateway. Likewise, you must ensure that any firewall rules and network router settings allow Corente Services traffic.

2.2.1 IP Addresses

You must ensure that Corente Services Gateways are not assigned the following IP addresses:

  • 10.10.0.1

  • 10.0.0.1

  • 10.255.255.254

  • 10.255.255.253

  • 127.0.0.1 (loopback address)

  • 223.255.255.255

  • 1.1.1.0

  • 1.1.1.1

  • 1.1.1.2

  • 1.1.1.3

The following information also applies to IP address configuration on your network:

  • You must assign a private IP address to your LAN interface.

  • Oracle recommends that you use network address translation (NAT) to:

    • Prevent IP address conflicts between locations on your network.

    • Ensure unique IP address spaces at each location on your network. Connected networks cannot have overlapping IP address ranges.

    You can configure the following NAT options in App Net Manager:

    • Outbound NAT

    • Inbound NAT

    • Auto Resolve NAT

    For more information about using NAT, see the Corente Services Administration Guide.

  • If you plan to allocate the Corente Services Gateway with an IP address in the 10.0.0.0 range, the minimum network mask is 255.128.0.0.

  • If you plan to use an inline configuration for the Corente Services Gateway with two Ethernet interfaces, the LAN interface and WAN interface cannot reside on the same subnet.
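The addressing constraints above can be checked mechanically before a gateway is deployed. The following validator is an added example, not part of this guide or of Oracle's tooling; the function name and the sample address plans are assumptions made here:

```python
"""Check a planned Corente Services Gateway address plan against the
rules in section 2.2.1 (added example, not Oracle's own tooling)."""
import ipaddress

# Addresses the guide says must never be assigned to a gateway.
RESERVED = {ipaddress.ip_address(a) for a in (
    "10.10.0.1", "10.0.0.1", "10.255.255.254", "10.255.255.253",
    "127.0.0.1", "223.255.255.255",
    "1.1.1.0", "1.1.1.1", "1.1.1.2", "1.1.1.3",
)}
TEN_NET = ipaddress.ip_network("10.0.0.0/8")
# Minimum mask for 10.x addresses is 255.128.0.0, i.e. a /9 prefix.
MIN_TEN_PREFIX = ipaddress.ip_network("0.0.0.0/255.128.0.0").prefixlen


def check_gateway_plan(lan, wan=None):
    """Return a list of violations for a LAN interface (and an optional
    WAN interface in an inline deployment), each given as an
    'address/mask' string such as '10.20.0.1/255.255.0.0'.
    An empty list means the plan satisfies section 2.2.1."""
    problems = []
    lan_if = ipaddress.ip_interface(lan)
    if lan_if.ip in RESERVED:
        problems.append(f"LAN address {lan_if.ip} is reserved")
    if not lan_if.ip.is_private:
        # The LAN interface must carry a private (RFC 1918-style) address.
        problems.append(f"LAN address {lan_if.ip} is not private")
    if lan_if.ip in TEN_NET and lan_if.network.prefixlen < MIN_TEN_PREFIX:
        problems.append(
            f"mask {lan_if.netmask} is below the 255.128.0.0 minimum "
            f"for a 10.x address")
    if wan is not None:
        wan_if = ipaddress.ip_interface(wan)
        if wan_if.ip in RESERVED:
            problems.append(f"WAN address {wan_if.ip} is reserved")
        # Inline (two-interface) gateways: LAN and WAN subnets must differ.
        if wan_if.network.overlaps(lan_if.network):
            problems.append(
                f"LAN subnet {lan_if.network} and WAN subnet "
                f"{wan_if.network} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample plans: a valid inline deployment and a bad one.
    print(check_gateway_plan("10.20.0.1/255.255.0.0", "203.0.113.10/24"))
    print(check_gateway_plan("10.0.0.1/255.0.0.0", "10.0.0.2/8"))
```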

2.2.2 Firewall Rules

If your network uses a firewall, you must configure the following rules:

Outbound Firewall Rules

  • TCP Port 443 must allow traffic from the Corente Services Gateway IP address to any IP address.

    The Corente Services Gateway requires TCP Port 443 to download configuration settings from the Corente Services Control Point (SCP) over HTTPS.

  • UDP Port 53 must allow traffic from the Corente Services Gateway IP address to UDP Port 53 of any IP address (for name resolution of the SCP via DNS).

    The Corente Services Gateway uses UDP Port 53 to resolve the DNS name of the failover instance of the Corente SCP. This allows the Corente Services Gateway to automatically connect to the failover Corente SCP in the event that the primary Corente SCP becomes unavailable.

  • TCP Ports 1025 through 65535 must allow traffic from the Corente Services Gateway IP address to TCP Destination Port 551 for any IP address.

    Port 551 is the Corente service port. The Corente service port allows trusted devices in the network to authenticate with 168-bit 3DES encrypted keys and establish secure tunnels. All traffic that passes through the Corente service port is encrypted and never leaves your Corente Services network.

  • UDP Port 551 must allow traffic from the Corente Services Gateway IP address to UDP Port 551 for any IP address.

Inbound Firewall Rules

  • TCP Ports 1025 through 65535 must allow traffic from any IP address to TCP Port 551 for the Corente Services Gateway IP address.

  • UDP Port 551 must allow traffic from any IP address to UDP Port 551 for the Corente Services Gateway IP address.

Corente Services Gateways also use certain ports and protocols to establish tunnels with Mobile Users and Third-party devices. Your firewall rules must allow traffic from Corente Services Gateways using the following ports and protocols:

  • UDP 500 for ISAKMP

  • UDP 4500 for NAT-T (NAT traversal)

  • IP Protocol 50 (ESP) for IPsec

2.2.3 Network Routing

In general, you should configure your network so that the Corente Services Gateway is the default router. If your network has multiple subnets, you should enable dynamic routing, such as the RIPv2, OSPF, or BGP protocols, so the Corente Services Gateway can advertise routes for Corente Services traffic.

If the Corente Services Gateway is not the default router on your network, you might need to create static routes on your network so that traffic passes through the Corente Services Gateway. You can either configure static routes on your entire network or on each device that participates in the Corente Services network.