You use the --security-gateway attribute to enable SGD Gateway usage for the SGD array. The attribute defines the following:
The SGD Clients that can access an SGD Gateway, based on their IP address or DNS name.
The address that client devices use to contact the SGD Gateway.
The --security-gateway attribute is used for AIP connections only. Routing of HTTP connections is handled by the HTTP load balancing service on the Apache reverse proxy component of the Gateway.
Changes to the --security-gateway attribute apply to all SGD servers in the array.
The syntax for the --security-gateway attribute is as follows:
--security-gateway filter-spec ...
Replace filter-spec with a filter specification of the type:
client-ip-address|*:gateway protocol:gateway-address:gateway-port
The client-ip-address is the IP address of the SGD Client. For connections through the SGD Gateway, this is the interface that the SGD Gateway uses to connect to the SGD servers in the array.
A single asterisk, *, represents all IP addresses.
The client IP address string can contain the * and ? wildcards, where * matches multiple characters and ? matches a single character. For example:
192.169.10.* matches all addresses on the 192.169.10 network.
192.169.10.12? matches the address range from 192.169.10.120 to 192.169.10.129.
If you are using an external load balancer with the SGD Gateway, type the address of the load balancer for the client-ip-address.
The gateway protocol is sgdg for connections through the SGD Gateway, or direct for SGD Clients that connect directly to an SGD array, without going through the SGD Gateway.
The gateway-address is the external address of the SGD Gateway, or an external load balancer, if used. This is the address that client devices use to contact the SGD Gateway.
For direct connections to an SGD array, specify the address of the primary server in the array.
The gateway-port is the TCP port that client devices use to connect to the SGD Gateway, or an external load balancer, if used.
For direct connections to an SGD array, specify the port for the primary server in the array.
Separate multiple filter-spec entries with a comma and enclose the entire string in double quotation marks (" "). See Section B.31, “Using Multiple Filters”.
The following example enables all SGD Clients to connect using TCP port 443 of the SGD Gateway gateway1.example.com.
$ tarantella config edit --security-gateway "*:sgdg:gateway1.example.com:443"
The following example enables all SGD Clients to connect using an external load balancer, lb.example.com.
$ tarantella config edit --security-gateway "*:sgdg:lb.example.com:443"
The following example enables all SGD Clients to connect directly to an SGD array, without going through the SGD Gateway. The primary server in the array is sgd1.example.com.
$ tarantella config edit --security-gateway "*:direct:sgd1.example.com:443"
You can use multiple filter specifications, as shown in the following example.
Consider a basic deployment, as shown in Figure B.1, “Using Multiple Filter Specifications”. The deployment uses a single SGD Gateway, gateway1.example.com, with an SGD array that contains two SGD servers, sgd1.example.com and sgd2.example.com. The primary server in the array is sgd1.example.com.
The address of the SGD Gateway on the internal network is 192.168.0.250.
The following filter specification might be used for this example:
"192.168.0.250:sgdg:gateway1.example.com:443,*:direct:sgd1.example.com:80"
With this configuration, the following applies:
Connections to the SGD servers in the array are allowed from the SGD Gateway IP address, 192.168.0.250. SGD Clients outside the organization connect using TCP port 443 of the SGD Gateway, gateway1.example.com.
All other SGD Clients, such as those on the local area network (LAN), connect directly to TCP port 80 on the primary SGD server sgd1.example.com. These connections do not use the SGD Gateway.
The order of the filters is important. If the order of the filters is reversed, all SGD Clients connect directly to the SGD server sgd1.example.com.
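The ordering rule above, as an added example that is not part of the original documentation or of SGD itself: a Python sketch that parses a --security-gateway value, applies the * and ? wildcards, and reports filters that an earlier * makes unreachable. First-match evaluation is an assumption drawn from the ordering note, the function names are hypothetical, the filter strings are the page's own, and the client address 10.1.2.3 is constructed.

```python
import re

def parse_filters(spec):
    """Split a --security-gateway value into (pattern, protocol, address, port) tuples."""
    filters = []
    for entry in spec.strip('"').split(","):
        parts = entry.strip().split(":")
        if len(parts) != 4:
            raise ValueError(f"expected 4 colon-separated fields: {entry!r}")
        pattern, protocol, address, port = parts
        if protocol not in ("sgdg", "direct"):
            raise ValueError(f"unknown gateway protocol: {protocol!r}")
        filters.append((pattern, protocol, address, int(port)))
    return filters

def to_regex(pattern):
    # Only the two documented wildcards: * (any run of characters) and ? (one character).
    return re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                              for c in pattern))

def route(filters, client_ip):
    """Return the first filter whose pattern matches client_ip, or None (assumed first match wins)."""
    for f in filters:
        if to_regex(f[0]).fullmatch(client_ip):
            return f
    return None

def shadowed(filters):
    """Filters that can never be selected because an earlier "*" entry matches everything."""
    for i, f in enumerate(filters):
        if f[0] == "*":
            return filters[i + 1:]
    return []

# Filter strings from the page, in the documented order and in reversed order.
DOCUMENTED = '"192.168.0.250:sgdg:gateway1.example.com:443,*:direct:sgd1.example.com:80"'
REVERSED = '"*:direct:sgd1.example.com:80,192.168.0.250:sgdg:gateway1.example.com:443"'

if __name__ == "__main__":
    for name, spec in (("documented", DOCUMENTED), ("reversed", REVERSED)):
        fl = parse_filters(spec)
        for ip in ("192.168.0.250", "10.1.2.3"):  # 10.1.2.3 is a constructed LAN client
            print(name, ip, "->", route(fl, ip))
        print(name, "shadowed:", shadowed(fl))
```

Running shadowed() over a proposed value before passing it to tarantella config edit catches a catch-all entry placed ahead of the Gateway-specific one.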