Configuring Tubes

With the Tubes feature, you can organize the secure connection between this Location and its partner into logical tubes that regulate the access of each machine on your LAN to each machine on the remote LAN, and vice versa. Note that a tube does not create a distinct IPsec tunnel for the traffic; all tubes share the one secure connection. A tube is a firewalling mechanism.

At its basic level, a tube is a combination of a local User Group or application, a remote User Group or application, and an optional Firewall Policy assigned between them. The Firewall Policy defines both the inbound and outbound traffic that the local side will allow over the connection. Each set of partners can have multiple tubes defined for their secure tunnel connection, but each combination of local User Group/application and remote User Group/application can be used in only a single local definition. Tubes can be configured on connections with Intranet Partners, Extranet Partners, and Client Groups. They can also be used to define an Internet firewall for the LAN, enable port forwarding of Internet traffic to servers on the LAN, restrict access from the LAN to the Corente Services Gateway, and secure a DMZ.

Tubes are defined separately on both sides of a Location partnership. One side inspects the traffic that it sends, while the other side inspects the same traffic upon receipt. In order for traffic to route properly over the application network, the traffic must match a tube definition on both partners. In other words, for traffic to reach its destination over the connection, the tubes defined on the partner should not conflict with the tubes defined at the local Location gateway. Note that the firewall on tubes is stateful and return traffic is allowed through both firewalls, even if the firewalls usually block that type of traffic.

The Tubes table on the Partners tab lists all of the tubes that you have already configured for this Location in the partnership. If you have multiple tubes, you can rearrange the order in which they are applied to traffic by using the Up and Down buttons. Traffic is tested against the tubes in the order in which they appear in this table, and the first tube whose definition matches the traffic is used.

You can Edit or Delete any existing tube. To add a new tube, select the Add button. The Add Tube window will be displayed. You can also create new tubes for an existing partner-to-partner connection using the Tube wizard.

Complete the fields in this window as follows:

  1. (Optional) Enter a name for your tube in the Tube Display Name field that will help you keep track of this tube's purpose. If you do not enter a name, the tube will be named Tube num, where num is a number, starting at zero.

  2. The Local Side of the Tube section defines the local side of the tube.

    • User Group: Select User Group if you would like a local User Group to participate in this tube. Choose the User Group from the adjacent pull-down menu.

      Note

      If you are creating this tube to allow a remote User Group to perform such functions as accessing the local Corente Services Gateway with Gateway Viewer or monitoring it with SNMP, select the Location LAN Address option from the User Group pull-down menu. When selecting a Firewall Policy for this tube, make sure that the following applies:

      • If you are providing remote access to Gateway Viewer, the gateway_viewer Firewall Service must be allowed in this Firewall Policy.

      • If you are monitoring remotely with SNMP, the SNMP Firewall Service must be allowed in this Firewall Policy.

      When the User Group option is selected, you can define what traffic you will allow to enter and leave your LAN between the local and remote side. The following Firewall Policy option will be enabled:

      • Firewall Policy on Tube: Select a Firewall Policy that you would like to apply to traffic traveling between this User Group and the remote side of the tube.

        Below this option are the following additional fields:

        • Firewall Policy on User Group: If there is a Firewall Policy that was enabled when defining the selected User Group and always applies to this User Group, the Firewall Policy will be displayed in this field.

        • Default Firewall Policy: The default firewall policy for this type of connection will be displayed in this field. For example, LAN to Remote LAN, LAN to Client, or LAN to Extranet LAN.

        All three Firewall Policies are listed here to remind you that Firewall Policies will be enforced on the connection in this order: Tube Firewall Policy, User Group Firewall Policy, and then Default Firewall Policy.

    • Application: Select Application if you would like a local application to participate in this tube. Choose the application from the adjacent pull-down menu.

      For a third-party device, local applications are not supported.

  3. The Remote Side of Tube section defines the remote side of the tube. All of the partner's User Groups and applications are listed in the pull-down menus in this section, but depending on the permissions that are granted to you by this partner in its own tube definitions, you may not have access to all of them.

    • User Group: Select User Group if you would like a remote User Group to participate in this tube. Choose the remote User Group from the adjacent pull-down menu.

      For a third-party device, choose the Default User Group.

      Note

      If you want to create a tube that designates a local User Group allowed to perform such functions as accessing the local Location with Gateway Viewer or monitoring it with SNMP, select the Location LAN Address option from the remote User Group pull-down menu. Then select the local User Group that will participate in this tube. When selecting a Firewall Policy for this tube, make sure that the following applies:

      • If you are providing access to Gateway Viewer, the gateway_viewer Firewall Service must be allowed in this Firewall Policy.

      • If you are monitoring with SNMP, the SNMP Firewall Service must be allowed in this Firewall Policy.

    • Application: Select Application if you would like a remote application to participate in this tube. Choose the remote application from the adjacent pull-down menu.

      For a third-party device, remote applications are not supported.

  4. The Outbound QoS section enables you to apply Quality of Service (QoS) settings to the outbound traffic on this tube. QoS settings are viewable and configurable with the Quality of Service feature.

    • Setting on Tube: Choose a QoS entry from the pull-down menu to specify the priority of traffic outbound from the Location on this tube.

      Note

      As when performing any sort of QoS configuration, administrators must be careful when assigning QoS levels because if there is too much high priority traffic, any other traffic with a lower level of priority may become too slow or even be dropped. In addition, you cannot use QoS to prioritize traffic to or from a Corente Client.

    • Setting on User Group: If there is an Outbound QoS Setting that was enabled when defining the selected User Group/application and always applies to this User Group/application, the Outbound QoS Setting will be displayed in this field. This field is displayed to remind you that QoS settings will be enforced on the connection in this order: Tube QoS setting and then User Group QoS setting.

  5. The Inbound QoS section enables you to apply QoS settings to the inbound traffic on this tube.

    • Setting on Tube: Choose a QoS entry from the pull-down menu to specify the priority of traffic inbound to the Location on this tube.

    • Setting on User Group: If there is an Inbound QoS Setting that was enabled when defining the selected User Group/application and always applies to this User Group/application, the Inbound QoS Setting will be displayed in this field. This field is displayed to remind you that QoS settings will be enforced on the connection in this order: Tube QoS setting and then User Group QoS setting.

    When you have finished defining the tube, select OK to store your changes or Cancel to close the screen and discard your changes. The new tube will appear in the Tubes table.

Important Notes About Tubes

If traffic from a local User Group or Application tries to reach a remote User Group or Application, it will test each of the tubes defined on the local Corente Services Gateway. If its source, destination, and protocol type are allowed in the definition of any locally defined tube, the traffic will use that tube to reach the remote User Group or Application. The traffic then tests the remotely defined tubes to see if its source, destination, and protocol type are permitted in any of those definitions. This continues until a match is found on both sides. If no match is found, traffic will be treated according to the Firewall Policy of the last tube and whether or not Backhaul has been enabled on the Network tab of the Location form.

It is important that the Firewall Policy of the last tube is set to Allow if no match on selected Services or Deny if no match on selected Services (rather than Continue). When Continue is selected for the Firewall Policy of a tube, the Corente Services Gateway continues trying to match the traffic against the next tube definition. On the last tube there is no next definition to fall through to, so the tube itself never reaches a verdict. This is a security hazard, and could allow unwanted traffic to enter or leave your LAN.

When traffic reaches the last tube without finding a compatible definition, the following applies:

  • If Backhaul is enabled, the Corente Services Gateway attempts to match the source address (for outbound traffic) or destination address (for inbound traffic) to an address included in one of the Location’s User Groups or applications. If it matches and the address does not have permission to participate in the application network or to send and receive this type of traffic, the traffic is dropped to prevent a security breach. If the address does not match any address in a User Group or used for an application, it is assumed that the user was trying to access the Internet and the traffic is sent to the Backhaul Server, if Backhaul Client is enabled, or to the Internet, if Backhaul Server is enabled.

    It is important to define a Special User Group for Internal Network Description on the User Groups tab for this Location when Backhaul is used, to prevent traffic from being mistakenly sent to non-application-network machines on the LAN rather than the Internet.

  • If Backhaul is not enabled, the traffic is unconditionally dropped.
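The following model, added here as an illustration rather than taken from the product, walks through the behaviour described in the Important Notes above and the policy precedence (Tube, then User Group, then Default) from the Firewall Policy on Tube field. Everything in it is an assumption drawn from the text: the tube and policy data model, the ordered first-match evaluation on each side, the stateful pass for return traffic, the permissive default policy, and the Backhaul handling for traffic that runs past the last tube. The two-site configuration and the flows are constructed for the example. It shows why a Continue on the last tube lets unwanted traffic leave site A while a Deny stops it there, and how the same unmatched traffic is dropped or sent to Backhaul depending on whether the source belongs to a known User Group.

```python
# Illustrative model of tube evaluation as the page describes it. This is an
# added example, not Corente code: the data model, the policy chain and the
# Backhaul handling are assumptions drawn from the text, not product internals.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str       # sending User Group / application
    dst: str       # receiving User Group / application
    service: str   # destination port, which is what a Firewall Service matches
    sport: str     # source port, needed to recognise the return traffic

    def reply(self) -> "Flow":
        return Flow(self.dst, self.src, self.sport, self.service)

@dataclass(frozen=True)
class Policy:
    rules: dict      # service -> "allow" | "deny"
    no_match: str    # "allow" | "deny" | "continue"

    def verdict(self, service: str) -> str:
        return self.rules.get(service, self.no_match)

@dataclass(frozen=True)
class Tube:
    name: str
    local: str
    remote: str
    policy: Optional[Policy] = None   # None: no policy set on the tube itself

def chain_verdict(tube: Tube, group_policies: dict, default: Policy, service: str) -> str:
    """Precedence from the page: Tube policy, then User Group policy, then the
    Default policy. 'continue' at one level falls to the next; 'continue' from
    every level means this tube gives no verdict and the next tube is tried."""
    for policy in (tube.policy, group_policies.get(tube.local), default):
        if policy is not None and (v := policy.verdict(service)) != "continue":
            return v
    return "continue"

class Gateway:
    def __init__(self, name, tubes, default, group_policies=None,
                 backhaul=False, known_groups=()):
        self.name, self.tubes, self.default = name, list(tubes), default
        self.group_policies = group_policies or {}
        self.backhaul, self.known_groups = backhaul, set(known_groups)
        self.state = set()   # flows already allowed; their replies pass statefully

    def filter(self, flow: Flow, sending: bool):
        """Test the tube table in order; return (action, tube name or None)."""
        if flow.reply() in self.state:           # stateful: return traffic passes
            return "allow", "state"
        local, remote = (flow.src, flow.dst) if sending else (flow.dst, flow.src)
        for tube in self.tubes:
            if (tube.local, tube.remote) != (local, remote):
                continue
            v = chain_verdict(tube, self.group_policies, self.default, flow.service)
            if v == "allow":
                self.state.add(flow)
            if v != "continue":
                return v, tube.name
        # Ran past the last tube with no verdict: the Backhaul rules apply.
        if self.backhaul and local not in self.known_groups:
            return "backhaul", None   # unknown address: assumed Internet-bound
        return "drop", None

def send(local_gw: Gateway, remote_gw: Gateway, flow: Flow) -> str:
    """The sender filters on transmit and the partner filters on receipt;
    traffic is delivered only when both sides allow it."""
    action, tube = local_gw.filter(flow, sending=True)
    out = f"{local_gw.name}:{action}:{tube}"
    if action != "allow":
        return out
    action, tube = remote_gw.filter(flow, sending=False)
    return f"{out} -> {remote_gw.name}:{action}:{tube}"

def demo() -> dict:
    """Constructed two-site setup: Engineering and Sales at site A, Servers at
    site B. The Sales tube is the last entry in A's table."""
    web_ssh = Policy({"tcp/80": "allow", "tcp/22": "allow"}, "deny")
    web_continue = Policy({"tcp/80": "allow"}, "continue")   # the hazard
    web_deny = Policy({"tcp/80": "allow"}, "deny")           # the fix
    permissive = Policy({}, "allow")   # assumed permissive LAN to Remote LAN default

    def site_a(last_policy, backhaul=False):
        return Gateway("A", [Tube("eng-servers", "Engineering", "Servers", web_ssh),
                             Tube("sales-servers", "Sales", "Servers", last_policy)],
                       permissive, backhaul=backhaul, known_groups={"Engineering", "Sales"})

    def site_b():
        return Gateway("B", [Tube("servers-eng", "Servers", "Engineering", web_ssh),
                             Tube("servers-sales", "Servers", "Sales", web_deny)],
                       permissive, known_groups={"Servers"})

    a, b = site_a(web_continue), site_b()
    ssh = Flow("Engineering", "Servers", "tcp/22", "tcp/51234")
    sales_ssh = Flow("Sales", "Servers", "tcp/22", "tcp/40001")
    r = {}
    r["eng ssh"] = send(a, b, ssh)
    r["ssh reply, stateful"] = send(b, a, ssh.reply())
    r["ssh reply, no state"] = send(site_b(), site_a(web_continue), ssh.reply())
    r["sales ssh, Continue on last tube"] = send(a, b, sales_ssh)
    r["sales ssh, Deny on last tube"] = send(site_a(web_deny), b, sales_ssh)
    r["no tube, Backhaul off"] = send(a, b, Flow("Sales", "Printers", "tcp/9100", "tcp/40002"))
    bh = site_a(web_continue, backhaul=True)
    r["no tube, known group, Backhaul on"] = send(bh, b, Flow("Sales", "Printers", "tcp/9100", "tcp/40003"))
    r["no tube, unknown host, Backhaul on"] = send(bh, b, Flow("Guest", "Servers", "tcp/80", "tcp/40004"))
    return r

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:38s} {outcome}")
```

Two results are worth reading closely. With Continue on A's last tube, the Sales SSH attempt is recorded as allowed by A (the permissive default policy decided it) and is only stopped because site B's own tube denies it; with Deny on that tube, A refuses it before it leaves the LAN, which is what the page recommends. The reply cases show why the stateful note matters: the SSH return traffic carries an ephemeral destination port that no Firewall Service lists, so a gateway without connection state would deny it.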