ZoneRanger Allows NMS to Reach into DMZ over Single TCP Port

The Challenge

Extending an NMS (UniCenter®, Spectrum®, Tivoli/TEC®, Open/NMS®, etc.) into a firewall-partitioned network is possible but not trivial. Opening ports in the firewall to pass the needed network management protocols (ICMP/ping, SNMP, SNMPTRAP, telnet, syslog) is not acceptable for many companies. Deploying an application-specific remote poller is a common approach, but it can incur additional software cost, a server to run it on, and configuration expertise. Performance data collected via SNMP may not roll up transparently, or in real time, to the main NMS server. Duplicate IP addresses can be managed with NAT on gateway devices, but this requires additional expertise, access to the gateway device, and often waiting for maintenance windows to configure and maintain it.


The ZoneRanger Solution

Tavve’s ZoneRanger appliance allows an NMS to transparently reach into the DMZ over a single encrypted TCP port. ICMP and SNMP into the DMZ are sent over one port. This allows one central NMS server to monitor both internal and external (DMZ) devices. There are no additional servers in the DMZ to administer (no operating system maintenance). A single SNMP data collector can now poll all nodes into a central reporting database. SNMP traps and syslog messages are forwarded out of the DMZ to the NMS server over a single secure TCP port. Bi-directional NAT is possible with the ZoneRanger. This allows status polling of overlapping IP addresses with ICMP and SNMP. It can also be used to rewrite the source address of SNMP traps and syslog messages from nodes with duplicate IP addresses so that they appear unique to the NMS. TCP pollers can be proxied through to the DMZ devices for full “query / response” application polling. It is now possible to access a managed device securely with SSH to perform “screen scrapes” for configuration data archiving.

In environments where the NMS GUI is not used, but rather “management by exception” is the rule, the ZoneRanger can be configured as a stand-alone status poller. This offloads the central NMS server and frees node licenses for deployment elsewhere in the enterprise. The ZoneRanger can perform auto-discovery using Tavve’s patented technology, or it can be restricted to polling only nodes that are added to its database manually. Its status poller can use ICMP and/or SNMP to poll interfaces. There is also a TCP port poller for testing application availability. The syslog and trap receiver on the ZoneRanger can filter messages before forwarding them on to the NMS. Syslog messages can be converted to SNMP traps for processing in the NMS’s SNMP trap handler.
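The two receiver-side behaviours described above, filtering syslog by severity before forwarding and rewriting the source address of messages from nodes with duplicate IP addresses, can be illustrated with a small Python model. This is an added example, not Tavve’s code and not a description of how the ZoneRanger is implemented internally: it assumes a constructed per-zone NAT table (`ZONE_NAT`), a constructed severity threshold (`max_severity`), a placeholder enterprise OID for the generated trap varbinds, and RFC 3164-style `<PRI>` framing on the incoming syslog lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone NAT table: (zone name, real address) -> unique address the NMS sees.
# Two DMZ segments both use 10.0.0.5; the mapping makes them distinct to the NMS.
ZONE_NAT = {
    ("dmz-a", "10.0.0.5"): "172.16.1.5",
    ("dmz-b", "10.0.0.5"): "172.16.2.5",
}

# Placeholder enterprise OID prefix for the synthesized trap (not a real assignment).
TRAP_OID_PREFIX = ".1.3.6.1.4.1.0.example"

# RFC 3164 severities, index == numeric severity (0 = emerg ... 7 = debug).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Syslog line starts with "<PRI>" where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


@dataclass
class Trap:
    """Minimal representation of an SNMP trap built from a syslog message."""
    agent_addr: str   # address reported to the NMS (after NAT rewrite, if any)
    facility: int
    severity: int
    message: str


def parse_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Split a syslog line into (facility, severity, body); None if framing is invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 facilities * 8 severities - 1 is the maximum legal PRI
        return None
    return pri // 8, pri % 8, m.group(2)


def syslog_to_trap(zone: str, src_ip: str, line: str, max_severity: int = 4) -> Optional[Trap]:
    """Filter a syslog message by severity and convert it to a Trap.

    Messages less severe than max_severity (higher numeric value) are dropped,
    so the NMS only receives emerg..warning with the default threshold.
    The source address is rewritten via ZONE_NAT when the (zone, ip) pair is
    known; otherwise it passes through unchanged.
    """
    parsed = parse_pri(line)
    if parsed is None:
        return None
    facility, severity, body = parsed
    if severity > max_severity:
        return None
    agent_addr = ZONE_NAT.get((zone, src_ip), src_ip)
    return Trap(agent_addr, facility, severity, body.strip())


def trap_varbinds(trap: Trap) -> List[Tuple[str, str]]:
    """Render the Trap as (OID, value) varbinds under the placeholder prefix."""
    return [
        (TRAP_OID_PREFIX + ".1", trap.agent_addr),
        (TRAP_OID_PREFIX + ".2", SEVERITY_NAMES[trap.severity]),
        (TRAP_OID_PREFIX + ".3", str(trap.facility)),
        (TRAP_OID_PREFIX + ".4", trap.message),
    ]


def process_batch(records: List[Tuple[str, str, str]], max_severity: int = 4) -> List[Trap]:
    """Apply filtering and NAT rewriting to a list of (zone, src_ip, line) records."""
    out = []
    for zone, src_ip, line in records:
        trap = syslog_to_trap(zone, src_ip, line, max_severity)
        if trap is not None:
            out.append(trap)
    return out


if __name__ == "__main__":
    # Constructed sample input: two zones share 10.0.0.5; one info-level line is filtered out.
    sample = [
        ("dmz-a", "10.0.0.5", "<34>Oct 11 22:14:15 fw1 kernel: link down eth1"),
        ("dmz-b", "10.0.0.5", "<34>Oct 11 22:14:16 fw2 kernel: link down eth1"),
        ("dmz-a", "10.0.0.9", "<190>Oct 11 22:14:17 web1 httpd: GET /index.html"),
    ]
    for t in process_batch(sample):
        print(trap_varbinds(t))
```

With the default threshold the two `crit` lines are forwarded with distinct agent addresses (172.16.1.5 and 172.16.2.5) even though both originated from 10.0.0.5, and the `info` line is dropped before it ever crosses the firewall.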