Restrict Gateway hosts

Overview Copied

In order to provide an extra level of security, you can configure a Netprobe to only accept connections from a nominated trusted list of Gateway hosts.

This is done by setting the TRUSTED_GATEWAY_HOSTS variable, either in the Windows registry, or as an environment variable on Linux and other platforms. This variable should be set to the names of the trusted hosts, separated by commas. For more information, see Setting Variables for Netprobe on Windows Platforms in variables.

The TRUSTED_GATEWAY_HOSTS and TRUSTED_GATEWAY_NAMES variables are comma-separated lists containing one or more trusted hostnames or IP addresses or names of Gateways. If set, the Netprobe will accept connection from any of these Gateways.

By default, these variables are set to +, which means that all connections are accepted. You are not required to set both variables, but if you do, then any connections must match TRUSTED_GATEWAY_HOSTS and TRUSTED_GATEWAY_NAMES.

If a connection fails to match, then a warning message is logged on the Netprobe, all connected Gateways, and Active Console Event Tickers.

For security, you can only set these variables in the start-up environment on the machine running the Netprobe. You cannot configure them as part of the Netprobe on the Gateway.

If you have set TRUSTED_GATEWAY_HOSTS, the Netprobe checks the source IP of any connections against the list of hostnames and IP addresses. If an explicit IP address fails to match, then the Netprobe will try a reverse DNS lookup of the source IP by checking if any hosts in the list match. If the previous check still fails, then the Netprobe will check each hostname in the list and check the first returned IP address. Hostnames with multiple A records may not be validated correctly.

If a connection is permitted after the TRUSTED_GATEWAY_HOSTS check, then the Netprobe will check the name that the Gateway supplies against TRUSTED_GATEWAY_NAMES. If there is no match, then the connection is dropped, and an error message is logged.

Note

On IBM AIX, there is a known limitation that only IP addresses are checked, and no hostnames are resolved. Only one Gateway should attempt to connect to each Netprobe. If multiple Gateways connect to a single Netprobe, then only the first connection attempt can achieve a successful connection. Any subsequent connection attempts will be rejected.
["Geneos"] ["Geneos > Netprobe"] ["Technical Reference"]

Was this topic helpful?