Seon Proxy


Seon Proxy is the solution to connect your internal OFTP station to the external internet.

Because the internet is often not reachable from internal stations, and internal stations are normally not reachable from the internet, Seon Proxy offers a secure way to communicate with the internet without exposing the OFTP station directly to it.

Involved programs

The Seon Proxy consists of two parts:

  • Seon Proxy: the program communicating to the external internet
  • Seon Proxyclient: the program communicating to the internal network

The external side is freely configurable: you choose the device and port on which it listens. The internal proxy client forwards incoming calls to a given internal service reachable via TCP/IP; this service may run on the local host or on another station.

Common situations

The following situations are common from a security point of view and can be covered by a wide range of network layouts.

Expose a single port to the internet

To listen on one specific port of a single IP address in the DMZ (de-militarized zone), the Seon Proxy is installed on that DMZ host and forwards the incoming OFTP data to a proxy client connected from the internal network.

Forward internal OFTP data to the external internet

When the outside world must be reached over a single point of connectivity, the Seon Proxy / Proxyclient pair solves this situation as well: outgoing connections from the internal network are passed to the Proxy, which establishes them externally.

Licensing

Seon Proxy is licensed via a license file on the Seon Proxy (not client) side; only one license is needed to keep the system up and running. The license is bound to a Seon Proxy ID of the proxy server, which can be obtained with a command line parameter:

dmz:~ # /opt/seon/seon_proxy -L
Seon Proxy ID: c6bc8d9b37c5e36333a41acdda653aaef7fd4a00459eeb32a8a41059e23017c8px

This Seon Proxy ID is needed for license generation, which can be done for test purposes on the product website at http://www.seon.de/key.

The valid license will be searched by default at

/etc/seon_proxy.lic

but an alternative location can be given with the commandline option "-l":

dmz:~ # /opt/seon/seon_proxy -l /usr/licenses/seon_proxy.lic

Seon Proxy

All external communication is done via the Seon Proxy. This daemon normally runs in the background without any interaction. It is optimized for size and speed. No application logic is implemented in it, so no OFTP operations take place in this securely separated location.

Behaviour

At startup the Seon Proxy searches for a valid license, either at the location given with the parameter "-l" or at the default location "/etc/seon_proxy.lic". If something is wrong with the license, the current Seon Proxy ID is printed together with a message that the license file (with its location) is invalid. Example:

dmz:~ # /opt/seon/seon_proxy -l /tmp/invalid.lic
ERROR: invalid license found in '/tmp/invalid.lic'! Please obtain a valid Seon Proxy license for your Seon Proxy ID:
  c6bc8d9b37c5e36333a41acdda653aaef7fd4a00459eeb32a8a41059e23017c8px

After successful startup, the Seon Proxy listens on the port for internal communication only. At this point there is no external availability at all. Only after a Seon Proxyclient has connected does the Seon Proxy open the configured external port on the configured IP and listen for incoming connections.

Every incoming external connection is signalled to the connected Seon Proxyclient, which then opens a new connection to the Seon Proxy over the same TCP/IP port to handle that incoming connection. In addition, the Seon Proxyclient establishes a connection to the configured internal network target. If this internal connection fails, the external connection is closed immediately.

Every new incoming internal connection on the Seon Proxy side is handled with the internal protocol for outgoing connections. This is used to establish outgoing connections initiated from the internal network and passed through the Seon Proxyclient. If either end closes its connection, the other side is actively informed and closes the corresponding connection as well.
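The sequencing rules above (external port opened only once a Proxyclient is attached, one relay session per external connection, a failed internal target closing the external side, a close on either end propagating to the other) can be checked without the daemons with the following state model. This is an added example written for this page, not Seon code; the class and method names are assumptions, and session ids are constructed placeholders.

```python
"""State model of the Seon Proxy / Proxyclient connection handling.

Added example, not part of Seon or its documentation. It encodes the
behaviour described in this section so that each rule can be asserted
on, independently of the real daemons.
"""
from dataclasses import dataclass, field


@dataclass
class ProxyModel:
    proxyclient_connected: bool = False        # a Proxyclient is attached via the -i port
    external_listening: bool = False           # the -e port is open for external callers
    sessions: dict = field(default_factory=dict)   # session id -> relay state

    def proxyclient_connects(self):
        # Only now is the external port opened; before this there is no
        # external availability at all.
        self.proxyclient_connected = True
        self.external_listening = True

    def external_connection(self, sid):
        """An external caller hits the -e port. Returns False if refused."""
        if not self.external_listening:
            return False   # port not open: nothing accepts the connection
        # Proxy signals the Proxyclient, which opens a new connection back to
        # the Proxy for this session and then dials the internal target.
        self.sessions[sid] = "awaiting_internal_target"
        return True

    def internal_target_result(self, sid, ok):
        """Proxyclient reports whether the internal target was reachable."""
        if ok:
            self.sessions[sid] = "relaying"
        else:
            # Internal target unreachable: external connection closed at once.
            del self.sessions[sid]
        return ok

    def internal_outgoing(self, sid):
        """Internal station opens an outgoing connection via the Proxyclient."""
        if not self.proxyclient_connected:
            return False
        self.sessions[sid] = "relaying"
        return True

    def close(self, sid):
        # Either end closing informs the other, which closes too.
        self.sessions.pop(sid, None)
        return sid not in self.sessions
```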

Commandline options

Seon Proxy daemon build 20110412

usage:
-h: this help text
-v: display version
-i [<IP of device>]:<port>: accept from (optional) device on given port for internal connections.
                            defaults: IP of device: 0.0.0.0 (any)
                            --------- port: 65432
-e [<IP of device>]:<port>: accept from (optional) device on given port for external connections.
                            defaults: IP of device: 0.0.0.0 (any)
                            --------- port: 6619
[-T <seconds>: TCP/IP timeout (default: 180 seconds)]
-d: enable debug mode (don't daemonize)
-t: enable trace mode (don't daemonize, extreme logging)

License options:
-L: print out Seon Proxy ID (basis for license)
-l <license file>: point to readable license file (default: /etc/seon_proxy.lic)

Seon Proxyclient

The Seon Proxyclient communicates with the Seon Proxy via a single given TCP/IP port. All internal OFTP communication traffic is routed over this internal daemon.

Commandline options

Seon Proxy client build 20110411

usage:
-h: this help text
-v: display version
[-Q <portnumber>: internal port number to listen for internal connections for outgoing connections (default: 65433)]
-i [<IP of Seon receive daemon>]:<port>: forward packages to internal Seon receive daemon.
                            defaults: localhost
                            --------- port: 6619
-e [<IP of proxy>]:<port>: connect to given Seon proxy server.
                            defaults: IP of device: none - to be set
                            --------- port: 65432
[-T <seconds>: TCP/IP timeout (default: 180 seconds)]
-d: enable debug mode (don't daemonize)
-t: enable trace mode (don't daemonize, extreme logging)