Tunnel Rules
2 min
tunnel rules are used to apply policies to tunneling requests—whether remote or local—initiated through a server where an agent is installed since a tunnel might be established from a remote location to an agent installed server, or initiated locally from the server itself, the agent can govern these requests based on defined policies to create a tunnel rule, navigate to the tunnel tab under advanced policy and click the add button in the top right corner 1 first step assign a name to the policy and specify the users or user groups to whom this policy will apply 2 second step define which agents (and consequently, which endpoints ) this policy will be active on you can select an agent group , a specific agent , or a device group a agent group lists groups created in the agent dashboard b agent lists individual endpoints where the agent is installed c device group lists groups from the device tree; however, only endpoints with an installed agent within these groups will receive the policy 3 third step if a local tunnel rule exists, select a policy to either allow or deny the request you can completely block or permit incoming requests to the agent installed endpoint additionally, you can create policies that allow all tunnel requests with specific exceptions, or deny all requests while permitting only authorized ones 4 fourth step similar to the third step, rules for remote tunnel requests can be defined here remote tunneling can be fully permitted or restricted, and specific exceptions can be configured as needed tunnel request examples an example of a local tunnel request is as follows to explain this command ssh l port\ targetip\ targetport user\@agentip · l indicates that the tunneling request is being made locally in this context, it means the command is executed from an environment other than the agent installed server let's call this environment environment x · port refers to a random, unused port on environment x · targetip the destination ip address where the request arriving at environment x’s local port should be forwarded · targetport the specific port at the targetip where the request is headed · user the agent installed server will forward the incoming request to the target environment using the permissions of this specific user · agentip the ip address of the server where the agent is installed, which acts as the intermediary to route the request to the target to summarize, this command allows a request arriving at a specific port on one environment to be forwarded to a target destination through the agent installed server our agent provides the mechanism to apply policies and supervise these requests 2 an example of a remote tunnel request is as follows to explain this command ssh r sourceport\ targetip\ targetport user\@agentip · r indicates that the tunneling request is being made remotely in this scenario, the command is executed directly on the agent installed server , and the request originates from an external source targeting the agent installed server · sourceport this is the source port on the agent installed server external requests will arrive at this specific port · targetip the destination ip address where the agent installed server will forward the incoming request · targetport the specific port at the targetip where the request is headed · user the agent installed server forwards the request to the target environment using the specific permissions of this user · agentip the ip address of the server where the agent is installed, which acts as the gateway to route the traffic to summarize, this command allows a request arriving at the sourceport of the agent installed server to be forwarded to a target destination through the agent's environment our agent provides the necessary mechanism to apply policies and supervise these incoming remote tunneling requests