What is a Gateway? Why do you need a Gateway?
A Gateway is the core proxy server component within a system, responsible for relaying user connection requests and establishing controlled, secure connections. It ensures secure and compliant data transmission while improving connection efficiency and stability.
Gateway Management Logic:
- How the system selects a Gateway:
  When a user connects to a resource, the system applies the following logic based on whether the resource is tagged with a Gateway segment (e.g., gateway-office1):
  - No Tag: The system randomly selects an available Gateway to fulfill the request. This is suitable for general needs without specific proxy server requirements.
  - Tagged: The system randomly selects an available Gateway within the specified segment, ensuring efficient and targeted connections.
- Ensuring Gateway Availability:
  The system periodically syncs the status of each Gateway (every 15 seconds) and automatically retries upon detecting anomalies. If a Gateway is unavailable, the system logs an error and displays a connection failure message.
- Executing Connections:
  After successfully selecting a Gateway, the system establishes the connection and starts session recording, logging the full operation history. If the connection fails, only an audit log is generated.
- Handling Connection Failures:
  - If no Gateway is available or the proxy cannot connect to the target device, the system logs an error and displays a connection failure message.
  - Session recording is only enabled upon successful connection; otherwise, only an audit log is generated.
- Supported Protocols:
  Currently supports RDP, VNC, SSH, and SFTP, catering to diverse access needs both inside and outside the enterprise.
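The selection, status-sync and failure-handling rules above can be modelled in a few functions. The following is an added example, not MAVIS code: the `Gateway`, `sync_status`, `select_gateway` and `connect` names, the retry count, and the sample fleet are all assumptions made for illustration. It shows that an untagged resource may land on any available Gateway (tagged or not), a tagged resource only on its segment, that a Gateway is marked unavailable only after the automatic retry also fails, and that session recording starts only on success while every failure leaves just an audit entry.

```python
import random
from dataclasses import dataclass, field
from typing import Callable, List, Optional

SYNC_INTERVAL_SECONDS = 15  # status-sync period stated in the text (informational only)


@dataclass
class Gateway:
    name: str
    segment: Optional[str] = None  # e.g. "gateway-aws"; None when the Gateway is untagged
    available: bool = True         # refreshed by sync_status()


@dataclass
class ConnectionResult:
    gateway: Optional[str]          # name of the Gateway used, or None if none was selected
    session_recording: bool         # True only after a successful connection
    audit_log: List[str] = field(default_factory=list)


def sync_status(gateways: List[Gateway], probe: Callable[[Gateway], bool],
                retries: int = 1) -> List[str]:
    """Periodic status sync. A Gateway is marked unavailable only when the probe
    fails and every automatic retry also fails (retries=1 is an assumed value).
    Returns the names of the Gateways that are now unavailable."""
    for gw in gateways:
        # any() stops at the first successful probe, so retries happen only on failure
        gw.available = any(probe(gw) for _ in range(1 + retries))
    return [gw.name for gw in gateways if not gw.available]


def select_gateway(gateways: List[Gateway], segment: Optional[str] = None,
                   rng=random) -> Optional[Gateway]:
    """No tag: any available Gateway. Tagged: only available Gateways in that
    segment. Returns None when no candidate is available."""
    candidates = [gw for gw in gateways
                  if gw.available and (segment is None or gw.segment == segment)]
    return rng.choice(candidates) if candidates else None


def connect(gateways: List[Gateway], resource_segment: Optional[str],
            target_reachable: bool, rng=random) -> ConnectionResult:
    """Executing Connections / Handling Connection Failures: session recording
    starts only on success; each failure produces an audit log entry only."""
    result = ConnectionResult(gateway=None, session_recording=False)
    gw = select_gateway(gateways, resource_segment, rng)
    if gw is None:
        result.audit_log.append(
            f"ERROR no available Gateway for segment={resource_segment!r}; connection failed")
        return result
    result.gateway = gw.name
    if not target_reachable:
        result.audit_log.append(
            f"ERROR gateway={gw.name} could not reach the target device; connection failed")
        return result
    result.session_recording = True
    result.audit_log.append(
        f"OK connection established via gateway={gw.name}; session recording started")
    return result


if __name__ == "__main__":
    # Constructed sample fleet: two AWS Gateways, one GCP Gateway, one untagged Gateway
    fleet = [Gateway("gw-aws-1", "gateway-aws"), Gateway("gw-aws-2", "gateway-aws"),
             Gateway("gw-gcp-1", "gateway-gcp"), Gateway("gw-office-1")]
    # Constructed probe: gw-aws-2 is down on every attempt
    print("unavailable after sync:", sync_status(fleet, lambda gw: gw.name != "gw-aws-2"))
    print(connect(fleet, "gateway-aws", target_reachable=True, rng=random.Random(1)))
    print(connect(fleet, "gateway-gcp", target_reachable=False))
    print(connect(fleet, "gateway-azure", target_reachable=True))
    print(connect(fleet, None, target_reachable=True))
```

In production the probe would be the Gateway health check and `sync_status` would run on a 15-second timer; here it is called directly so the behaviour is visible in one run.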
What is the Tunnel Feature?
The Tunnel feature ensures all connections pass through the system's default Gateway, enabling secure access to closed networks. It provides encrypted and isolated data traffic, reducing the risk of internal network exposure.
Use Cases for Gateway Management and Tunnel Features:
- Scenario 1: Resources Without Tags
  A company has an internal file server without any Gateway segment tag, and the resource has no specific proxy server requirements.
  - When a user attempts to connect, the system randomly selects a Gateway from all available options to handle the request, ensuring a controlled and successful connection.
  - This applies to general resources without additional proxy planning.
- Scenario 2: Resources Differentiated by Cloud Environments
  A company has multiple resources distributed across cloud providers like AWS and GCP. To optimize connection efficiency, administrators tag these resources with different Gateway segments:
  - AWS Resources: Tagged as gateway-aws.
  - GCP Resources: Tagged as gateway-gcp.
  - When users connect to AWS or GCP resources, the system randomly selects a Gateway within the corresponding segment. For example, when connecting to an AWS resource, the system only chooses from the gateway-aws segment, avoiding cross-cloud proxies to reduce latency and improve efficiency.
- Scenario 3: Internal Network Connections for Compliance
  To meet security and compliance requirements, a company enables the Tunnel feature, ensuring all resource access passes through the default internal Gateway, preventing direct internal network exposure to the public internet.
  - With the Tunnel feature enabled:
    - All connection requests must pass through the system's default internal Gateway, even for resources without specific segment tags.
    - The system automatically provides encrypted channels for all connection traffic, ensuring end-to-end data protection and mitigating risks of data leakage or interception.
    - External users (e.g., third-party vendors) are also subjected to strict connection paths filtered and controlled by the internal Gateway, ensuring secure resource access.
Q7: How does the Gateway operate? What is the connection flow between MAVIS, the Gateway, and the target machine?
A7:
The Gateway is the core proxy component in the system, responsible for relaying and forwarding user connection requests.
The connection process can be simply described as:
- The user (MAVIS client) first connects to the Gateway.
- The Gateway then proxies the connection to the target machine (server or desktop).
This architecture centralizes access control, ensures data security, and supports session recording and operation logging for auditing purposes.
Q8: What communication protocols and ports are used between MAVIS, the Gateway, and the target machine? Which network ports need to be opened?
A8:
The system mainly uses the following network ports to ensure proper and secure connections:
- TCP 443 (HTTPS): Used for management and authentication communication between MAVIS and the Gateway.
- TCP 7993, 7994, 7995 (system-specific ports): Used for proxy traffic forwarding between the Gateway and the target machine.
Connection Direction       Protocol   Example Ports   Purpose
MAVIS → Gateway            TCP        443             Management and authentication
Gateway → Target Machine   TCP        7993-7995       Proxy connection (RDP, VNC, SSH, etc.)
Recommended practice:
- By default, to ensure full functionality and connection stability, please open TCP ports 443 and 7993–7995 in your firewall or network policies via CLI.
- In special cases, if your organization has strict security policies and the admin understands port usage, selective opening is possible.
- If unsure, open all required ports first to ensure system functionality, then adjust later if needed.
Q9: Why must these ports be opened? What happens if they are not?
A9:
These ports are essential for proper communication between the Gateway, MAVIS, and the target machines. If they are not opened, this may cause:
- Users being unable to connect to the target machine through the Gateway, resulting in service interruptions.
- Incomplete session recordings and audit logs, affecting compliance auditing.
- Unstable or frequently disconnected connections, impacting user experience.
Please ensure firewalls, routers, and cloud security groups allow these ports.
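Because the two flows in the Q8 table are directional (MAVIS to Gateway, Gateway to target), a rule set can look complete and still leave a port unreachable in the required direction. The following is an added example, not MAVIS code or tooling: it checks a firewall or security-group rule list against the required flows and reports every port that no rule permits. The `Rule` format, the role labels `mavis`, `gateway` and `target`, and the sample rule set are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule, as an administrator would write it in a firewall or
    cloud security group: source role, destination role, protocol, port range."""
    src: str
    dst: str
    proto: str
    port_from: int
    port_to: int

    def covers(self, src: str, dst: str, proto: str, port: int) -> bool:
        # Direction matters: a rule from target to gateway does not allow gateway to target.
        return (self.src == src and self.dst == dst and self.proto == proto
                and self.port_from <= port <= self.port_to)


# Required flows taken from the Q8 table: (src, dst, proto, ports, purpose)
REQUIRED_FLOWS = [
    ("mavis", "gateway", "tcp", range(443, 444), "management and authentication"),
    ("gateway", "target", "tcp", range(7993, 7996), "proxy connection (RDP, VNC, SSH, etc.)"),
]


def missing_flows(rules: List[Rule]) -> List[Tuple[str, str, str, int, str]]:
    """Return (src, dst, proto, port, purpose) for every required port that no
    rule in `rules` allows. An empty list means the policy is complete."""
    gaps = []
    for src, dst, proto, ports, purpose in REQUIRED_FLOWS:
        for port in ports:
            if not any(rule.covers(src, dst, proto, port) for rule in rules):
                gaps.append((src, dst, proto, port, purpose))
    return gaps


# Constructed sample policy: 443 is open, but only 7993-7994 were opened (7995 forgotten)
SAMPLE_RULES = [
    Rule("mavis", "gateway", "tcp", 443, 443),
    Rule("gateway", "target", "tcp", 7993, 7994),
]

if __name__ == "__main__":
    gaps = missing_flows(SAMPLE_RULES)
    if not gaps:
        print("all required flows are permitted")
    for src, dst, proto, port, purpose in gaps:
        print(f"MISSING: {src} -> {dst} {proto}/{port} ({purpose})")
```

Run against an exported rule list, the output is the exact set of ports to open before users see the connection failures, incomplete recordings or drops described in A9, which is cheaper than opening every port and trimming later.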
Q10: What do ports 7993, 7994, and 7995 represent? Are there standard usages?
A10:
Ports 7993, 7994, and 7995 are internal proxy ports used for traffic forwarding between the Gateway and the target machines.
- These ports have no industry-standard assignment and are allocated according to system design needs.
- They typically support multiple concurrent connections to ensure stable proxy traffic and load distribution.
- The specific protocol handled by each port (e.g., RDP, VNC, SSH) depends on system configuration.
Please refer to system deployment documentation or confirm with your system administrator for actual port mappings.