System TLS Connection (using SPA)


TLS Port

The inbound TLS connection port to the Appliance. For a Gateway appliance this is also used for TLS tunnel between Client and Gateway.

Allowed Sources

To allow a connection to this port the requesting IP address must match at least one of these Allowed Sources. By default the list contains two entries: address 0.0.0.0 with netmask length 0, and address :: with netmask length 0 (that is, any IPv4 or any IPv6 address).

  • If the list is empty, no connections are allowed.

  • If an entry contains address, netmask and interface, then both subnet and interface must match.

  • If an entry only contains address and netmask, then only subnet needs to match.

  • If an entry only contains interface, then only the interface must match.

Example entry (each field is optional):

  • Address: IPv4 or IPv6 address of the host or subnet to allow.

  • Netmask Length: netmask length; set to 32 (IPv4) or 128 (IPv6) for a single host.

  • Interface: ethX; only allow connections arriving through this interface.

SPA Mode

Override the SPA Mode on this appliance.

The SPA override feature allows the SPA mode to be changed for a specific appliance. This is useful when the global SPA mode is not appropriate for every situation. For example:

  • When a Site with two Gateways needs added security, UDP-TCP SPA mode can be enabled for just those two appliances.

  • When users have trouble connecting from some locations, a fallback Gateway can be set to TCP SPA mode.

Refer to the section on Single Packet Authorization before enabling this feature.

Enable Proxy Protocol

When enabled the appliance will ONLY accept packets which have the Proxy Protocol header included.

NOTE

With Proxy Protocol enabled, all traffic arrives from a known source (the proxy), so that source should be added to Allowed Sources.

Failure to do this introduces a security risk: it becomes easy for a malicious user to send a packet carrying a forged Proxy Protocol header and so misrepresent their source IP address. This in turn sets a fake ClientSrcIP claim, which might be used to assign Policies or in Conditions.

Refer to Network Connectivity for more information.
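The following is an added example, not Appgate's own code, that models both the Allowed Sources matching rules described above (empty list denies; address+netmask+interface requires both; address+netmask only needs the subnet; interface only needs the interface) and the Proxy Protocol caveat: when Proxy Protocol is enabled, the ClientSrcIP claim is whatever the header says, so the only thing that stops an arbitrary peer from forging it is a tightly scoped Allowed Sources list. Entry field names, the `effective_client_ip` helper and the sample addresses (RFC 5737/3849 documentation ranges) are assumptions made for illustration; only the Proxy Protocol v1 text format is from the public protocol specification.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AllowedSource:
    """One Allowed Sources entry; every field is optional (names are assumed)."""
    address: Optional[str] = None
    netmask_length: Optional[int] = None
    interface: Optional[str] = None

    def matches(self, peer_ip: str, iface: str) -> bool:
        if self.address is None and self.interface is None:
            return False  # assumption: an entry with no fields matches nothing
        if self.address is not None:
            # A missing netmask length is treated as a single host (/32 or /128).
            prefix = "" if self.netmask_length is None else f"/{self.netmask_length}"
            net = ipaddress.ip_network(f"{self.address}{prefix}", strict=False)
            ip = ipaddress.ip_address(peer_ip)
            if ip.version != net.version or ip not in net:
                return False  # subnet must match whenever an address is given
        if self.interface is not None and iface != self.interface:
            return False  # interface must match whenever an interface is given
        return True


# The documented default: any IPv4 address and any IPv6 address.
DEFAULT_SOURCES = [AllowedSource("0.0.0.0", 0), AllowedSource("::", 0)]


def is_source_allowed(sources: List[AllowedSource], peer_ip: str, iface: str) -> bool:
    """Empty list denies everything; otherwise any single entry may admit the peer."""
    if not sources:
        return False
    return any(s.matches(peer_ip, iface) for s in sources)


def parse_proxy_v1(first_line: bytes) -> Optional[dict]:
    """Parse a Proxy Protocol v1 header line, e.g. b'PROXY TCP4 src dst sport dport\\r\\n'.

    Returns None if the line is not a valid header. For 'PROXY UNKNOWN' the
    src key is None, meaning the receiver must fall back to the TCP peer address.
    """
    if not first_line.endswith(b"\r\n"):
        return None
    parts = first_line[:-2].decode("ascii", errors="replace").split(" ")
    if not parts or parts[0] != "PROXY":
        return None
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return {"src": None}
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    want_version = 4 if parts[1] == "TCP4" else 6
    if src.version != want_version or not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return {"src": str(src), "sport": sport, "dport": dport}


def effective_client_ip(sources: List[AllowedSource], peer_ip: str, iface: str,
                        first_line: bytes, proxy_protocol_enabled: bool) -> Optional[str]:
    """Decide which address becomes the ClientSrcIP claim, or None if the connection is rejected.

    Allowed Sources is checked against the real TCP peer, never against the header,
    which is exactly why the proxy's own address must be the only thing listed
    once Proxy Protocol is turned on.
    """
    if not is_source_allowed(sources, peer_ip, iface):
        return None
    if not proxy_protocol_enabled:
        return peer_ip
    header = parse_proxy_v1(first_line)
    if header is None:
        return None  # ONLY packets carrying the header are accepted
    return header["src"] if header["src"] is not None else peer_ip


if __name__ == "__main__":
    # Constructed sample: an Internet peer claims an arbitrary client address.
    forged = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n"
    print(effective_client_ip(DEFAULT_SOURCES, "198.51.100.9", "eth0", forged, True))   # 203.0.113.7
    locked = [AllowedSource("10.10.0.0", 24)]  # only the proxy subnet
    print(effective_client_ip(locked, "198.51.100.9", "eth0", forged, True))            # None
    print(effective_client_ip(locked, "10.10.0.5", "eth0", forged, True))               # 203.0.113.7
```

The last three calls show the practical check a defender wants: with the default Allowed Sources still in place and Proxy Protocol on, the header is trusted from any peer; once the list is narrowed to the proxy's subnet, a peer outside it is rejected before the header is even read, and the header is honoured only from the proxy itself.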