The ENC Gateway allows communication through firewalls in a secure manner using the following security mechanisms:
All ENC Gateway nodes (clients, managers, servers, and routers) must mutually authenticate with each other using Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). This authentication method requires certificates to be installed, using the Microsoft PKI or similar.
All ENC Gateways are configured with a set of rules that define who is allowed to do what at what time to whom. This takes the form of:
When first installed, an ENC Gateway is locked down: it has no authorization rules and so refuses all connections. This is appropriate because these servers are usually facing the Internet. It can also introduce problems, because Client Automation is used to maintain the authorization rules, and a firewall may cut a domain manager off from the computer that runs the ENC Gateway. The steps to work around this are described in the Deployment Scenarios section.
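The locked-down default described above can be modelled as a first-match rule list that denies when nothing matches. This is an added sketch, not CA code or the product's rule format: the `Rule` fields, operation names, and `example.test` host names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    who: str     # pattern for the TLS-authenticated certificate subject (hypothetical field)
    what: str    # operation name, e.g. "connect" or "manage" (hypothetical values)
    whom: str    # pattern for the target node
    start: time  # start of the permitted time window
    end: time    # end of the window; may be earlier than start (wraps midnight)
    allow: bool = True

def in_window(start: time, end: time, now: time) -> bool:
    """True if now falls inside the window, including windows that cross midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def authorize(rules, who: str, what: str, whom: str, now: time) -> bool:
    """First matching rule decides; an empty or non-matching rule set denies."""
    for r in rules:
        if (fnmatchcase(who, r.who) and what == r.what
                and fnmatchcase(whom, r.whom) and in_window(r.start, r.end, now)):
            return r.allow
    return False  # default deny: a freshly installed gateway refuses everything

# Constructed sample rules (names and hours are invented for this example).
SAMPLE_RULES = [
    # Without a rule like this one, the domain manager itself is refused.
    Rule("cn=dm01.example.test", "manage", "gw*.example.test", time(0, 0), time(23, 59, 59)),
    Rule("cn=*.clients.example.test", "connect", "gw*.example.test", time(8, 0), time(18, 0)),
    Rule("cn=backup.example.test", "connect", "gw01.example.test", time(22, 0), time(4, 0)),
]

if __name__ == "__main__":
    noon = time(12, 0)
    print("empty rule set:", authorize([], "cn=dm01.example.test", "manage", "gw01.example.test", noon))
    print("with rules:    ", authorize(SAMPLE_RULES, "cn=dm01.example.test", "manage", "gw01.example.test", noon))
```

The empty-list case shows why the rule set has to reach the gateway by some other path when a firewall separates it from the domain manager.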
Copyright © 2014 CA Technologies.
All rights reserved.