Forwarding

Concepts

A Network Resource is an arbitrary network IP address and port. This might be a Remote Desktop, a Database, an ERP system. Typical access control is done via network access control lists. To expand this via cryptographic-based zero-trust networking, the Agilicus system can expose the Network Resource via a Connector and then provide authentication and authorisation based security on it onwards to other users or systems.

A common use case for Forwarding is a need to have a Network Resource available from one site to another. As an example, consider a small company. It has two offices. Each office has a typical small business router and a few staff. One of the sites runs a database which is used by a desktop application.

In this case, consider the following approach:

1. Install Connector on site with database (on the database server or another)
2. Install Connector on site needing access (on the desktop running the application, or another)
3. Create a Network Resource for the database. Attach it to the proper Connector
4. Create a Forwarding Resource on the site needing access. Join the two.

To keep the terminology straight, a ‘network’ is the destination. It is where traffic *leaves* the Agilicus mesh, and onwards to the ultimate resource. A ‘forwarder’ is the ‘source’ or ‘ingress’, its where traffic enters the Agilicus mesh.

Thus if you had a Linux device you wanted to be able to ssh to unattended from a synology NAS, you would install a connector on the Synology, a connector on the Linux server, a network would be created attached to the Linux connector with ‘localhost:22’, and, a forwarder would be created attached to the synology connector listening to e.g. localhost:2222

You will be asked a few questions:

1. destination IP/hostname. This is the hostname or IP as resolvable by the connector installed on the site with the database. It will typically be the same as you would enter in your desktop application.
2. destination Port. Same as 1
3. Source IP/hostname. This is typically left blank(all), meaning the host with the connector will allow any local network host to use it. If you wish to lock it down to the local desktop consider entering ‘localhost’ here. By default this is ‘localhost’ (meaning the application wishing to connect must run on the same host as the Connector). You may change this to ‘0.0.0.0’ (meaning any host in the same network may connect.
4. Source Port. This is typically left blank (meaning same as destination). In some environments you may wish to use a different port here (for example, if the destination port is privileged, <1024, since the Connector runs unprivileged, you may e.g. use 80 for the destination port and 8080 for the source port)