User Guide

98 Avocent® Universal Management Gateway Appliance Installer/User Guide
2. In the User Defined Services table, check the box next to the service you want to modify or delete.
3. Make your changes and click Apply.
-or-
Click Delete to delete the service definition.
Policy
An administrator can control the flow of IP traffic in, out and through the appliance with a NAT and/or firewall policy.
An administrator can create policies that allow an external host or server to communicate directly with IP devices (hosts) that are securely connected to the private ports of the appliance. A NAT or forward policy allows traffic to bypass the normal authentication and permission controls built into the appliance. It is recommended that such a security bypass be implemented only for a select few situations.
For example, an SP management tool (HP SIM) residing on the production network could be allowed to communicate directly with SPs (iLO) connected to the private ports of the appliance for the purpose of monitoring, configuration and firmware updates, while user sessions would not be permitted to bypass the appliance's security controls, and their SP interaction would remain governed by appliance-based permissions. This could be achieved with a simple NAT or IP forward policy rule allowing the management tool access to the SP; in addition, a firewall filter rule would prevent users from exploiting the NAT/forward rule used by the management tool.
The following criteria should be used to choose between a NAT rule and an IP forward rule for providing bypass access to private hosts. An IP forward rule requires that the private IP network/subnet is unique with regard to other production networks and even other appliance private networks. If two appliances have the exact same IP network associated with their private ports/hosts, an external host would be unable to make a routing decision between the appliances when trying to send traffic to a private host behind one of them. The benefit of a NAT rule is that the same IP network/subnet can be repeated for private ports/hosts on multiple appliances without this routing conflict. The appliance supports two forms of NAT: 1-to-1 NAT (IP masquerading) and port address translation (PAT/NAT overload).
For successful end-to-end communication using an IP forward policy rule, the private host must treat the nearest appliance IP as its gateway, and all external hosts must have routes (static or dynamic) that reference the private network/subnet and the nearest appliance IP.