Create and manage services

Introduction

This guide goes over the specifics of creating and managing services in the NetFoundry Console, and covers the following topics:

See Introduction to Services for an overview of services and how they work.

To manage your Services in the console, navigate to Network Settings → Manage AppWANs → Manage Services.

Click on a service row to edit it. Click the blue plus-sign in the upper right corner to create a new service. Use the ellipsis menu at the end of each row to take actions on an individual service. Use the select bubbles in the first column of the table to select multiple services for bulk delete.


Create a new IP Host service

An IP Host service allows access to a single IP address, protocol, and one or more ports. It has the following attributes:

Service Name

A free-form text label to uniquely identify this service on your network

Gateway

Select the egress gateway closest to the service host. The host IP address must be reachable from this egress gateway.

IP Address

The real IP address of the service host, in dotted-quad format.

Port/Range

Specify the service port(s) on this host. You can name a single port, or a hyphen-separated range of ports (e.g. "1-1023").

Intercept IP Address

Specify an alternate IP address in dotted-quad format that clients will use to reach this service host, rather than using the real IP address. This is analogous to Destination NAT. For example, if you specify an IP address "10.0.0.1", and an intercept address "11.0.0.1", then clients must use 11.0.0.1 to reach the service. The egress gateway will translate the intercept address into the real address when forwarding the packet toward the service host.

Intercept Port/Range

Specify an alternate set of ports that clients will use to reach the host, similar to Intercept IP address. You must specify the same number of ports here that you entered in the Port/Range field. For example, if you specify port "80", and an intercept port "8080", then clients must use port 8080 to reach the service. The egress gateway will translate the intercept port into the real port when forwarding the packet toward the service host.

Protocol

Choose the protocol your service is using: TCP, UDP, or TCP/UDP.

Advanced Options

Transparency, Enable Permanent Connection, Data Interleaving. See Advanced Options for more information.


Create a new IP Network service

An IP Network Service permits access to an entire range of IP addresses on any protocol/port. It has the following attributes:

Service Name

A free-form text label to uniquely identify this service on your network

Gateway

Select the egress gateway closest to the network. The network must be reachable from this egress gateway.

Network Address

The real IP address(es) of the network range, in CIDR format.

Intercept Address

Specify an alternate IP address in dotted-quad format that clients will use to reach the first address in the range, rather than using the real IP addresses. This is analogous to Destination NAT. For example, if you specify a network address "10.0.0.0/24", and an intercept address "11.0.0.0", then clients must use the 11.0.0.0/24 address block to reach the 10.0.0.0/24 hosts. The egress gateway will translate the intercept address into the real address when forwarding the packet toward the service host.

Port Intercept Mode

Choose to intercept all destination ports, or select specific ports to intercept. Choosing all ports will forward all traffic to the destination network across NetFoundry. However, if this is too broad, you can narrow it down to specific ports through a set of whitelist and blacklist port numbers.

Advanced Options

Enable ICMP Tunneling, Transparency, Enable DNS Tunneling, Enable Permanent Connection, Data Interleaving. See Advanced Options for more information.
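
The intercept-to-real translation described for IP Host and IP Network services can be checked before a service is saved. The following Python sketch is an added example, not NetFoundry code: the function names are hypothetical, and it assumes that addresses and ports pair up by their position in the range.

```python
import ipaddress


def parse_ports(spec):
    """Parse "80" or "1-1023" into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port/range: {spec!r}")
    return low, high


def translate_port(intercept_spec, real_spec, port):
    """Map a client-facing intercept port to the real service port."""
    i_low, i_high = parse_ports(intercept_spec)
    r_low, r_high = parse_ports(real_spec)
    # Both fields must cover the same number of ports.
    if i_high - i_low != r_high - r_low:
        raise ValueError("intercept and real port ranges differ in size")
    if not i_low <= port <= i_high:
        raise ValueError(f"port {port} is not intercepted")
    # Assumption: ports pair up by position within the range.
    return r_low + (port - i_low)


def translate_address(intercept_first, real_cidr, client_dst):
    """Map an intercept address onto the real network, offset by offset."""
    real_net = ipaddress.ip_network(real_cidr, strict=True)
    first = ipaddress.ip_address(intercept_first)
    # The intercept block takes the real network's prefix length; strict
    # parsing rejects an intercept address that is not block-aligned.
    intercept_net = ipaddress.ip_network(f"{first}/{real_net.prefixlen}", strict=True)
    dst = ipaddress.ip_address(client_dst)
    if dst not in intercept_net:
        raise ValueError(f"{dst} is outside intercept block {intercept_net}")
    offset = int(dst) - int(intercept_net.network_address)
    return real_net.network_address + offset


if __name__ == "__main__":
    # Values taken from the examples in this guide.
    print(translate_address("11.0.0.0", "10.0.0.0/24", "11.0.0.57"))  # 10.0.0.57
    print(translate_port("8080", "80", 8080))  # 80
```

A destination outside the intercept block, or a port range whose size differs from the real range, raises ValueError rather than being forwarded to an unintended host or port.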


Create a new Ping Host service

A Ping Host Service permits ICMP echo request and ICMP echo reply packets to the destination, without allowing any other protocols or ports. It has the following attributes:

Service Name

A free-form text label to uniquely identify this service on your network

Gateway

Select the egress gateway closest to the service host. The host IP address must be reachable from this egress gateway.

IP Address

The real IP address of the service host, in dotted-quad format.

Intercept IP Address

Specify an alternate IP address that clients will use to reach this service host, rather than using the real IP address. This is analogous to Destination NAT. For example, if you specify an IP address "10.0.0.1", and an intercept address "11.0.0.1", then clients must use 11.0.0.1 to reach the service. The egress gateway will translate the intercept address into the real address when forwarding the packet toward the service host.

Advanced Options

Enable Permanent Connection. See Advanced Options for more information.


Advanced service options

Each service type has one or more advanced options, but not all services support all advanced options. The default setting will work for most circumstances. Most of the time you can leave these values as-is unless a NetFoundry support engineer instructs you to change them.

Transparency

By default, the gateway hides the client's source IP and presents the gateway IP address as the source when the client accesses the target host for a service. Selecting the transparency option presents the client's source IP to the target host instead of the gateway IP address.

Enable Permanent Connection

The permanent connection option can reduce the time required to set up the initial service connection for a client. By default, the transport connection will time out after a period of time if there is no active data transfer. Selecting the permanent connection option can speed up the initial access to a service by creating an active transport connection.

Data Interleaving 

Selecting the data interleaving option can provide additional security, because data interleaving splits a session's data traffic across several transport paths. It may affect total data throughput in certain cases, depending on packet sizes.

Enable ICMP (Ping) Tunneling

The selection of the Enable ICMP (Ping) tunneling option allows a ping to be tunneled through the host gateway to the target host. Only ICMP echo request/reply packets are supported.

Enable DNS Tunneling

Selecting the Enable DNS tunneling option allows clients to use the DNS resolver address(es) configured on the gateway to resolve DNS requests. The local client DNS lookup can be used if a DNS request to the gateway DNS resolver address(es) times out.

 
