Native application - iOS application that should talk to server
Here comes the long shot!
FW info:
HA Cluster:
2x1590 appliances
Version: R81.10.10 (2993)
I'm trying to make an object, I GUESS a native application, that should enable an iOS application on iPad/iPhone to talk to one of the client's servers.
The developer of the CROSSPAD application provided me with information in the form of:
- application name
- IFS STI path
- URL:
*query manager information
*webservice information
*RPA service information
and
*Service Monitor Console
all URLs are HTTP URLs
I'm still not sure what to go for here. Does anyone have a valid solution to present me with?
I appreciate any help I can get.
Accepted Solutions
I do not see much of a problem - you want to connect from one internal net to another, so all depends on the inspection and routing settings. First step is to try communication and note the log entries, you will see what has to be configured on the way!
Are these SMB gateways locally managed or centrally managed through Smart-1 (Cloud)?
What's the topology here?
Specifically, where is the iOS device, the server, and the SMB gateways relative to each other?
Is this over a VPN or just out to the Internet?
If these URLs are HTTPS URLs, if you need to be more granular than the host portion of the URL, you will need HTTPS Inspection.
The more information you can give us, the more likely we will be able to assist you.
SMB Gateways are centrally managed.
The iOS device is in the production network and should talk to a server on the server network, all managed by the cluster (LAN1.A network and LAN2.B network, we can call it like that).
There is no need for VPN.
The question still stands: what type of application or form of communication/rule should I implement here?
No need for VPN.
Both the client and server are on protected segments of the gateway, correct?
Without knowing the exact details provided and the specific security requirements, it's difficult to provide specific advice.
However, you have two basic options: by port or by URL.
To allow access to a "URL," in general, involves a Custom Application/Site object, which are inspected on the standard HTTP/HTTPS ports plus the proxy port (8080) by default (ports can be added to this).
If the URLs are not HTTP specifically (i.e. they are HTTPS), then for those URLs to be properly inspected, you also need to use HTTPS Inspection.
This requires deploying a trusted CA certificate on the relevant endpoints, which is a bit of a cumbersome process on iOS devices without some sort of Mobile Device Management solution.
If the application uses Certificate Pinning and/or requires mutual TLS authentication, HTTPS Inspection will not work.
If you cannot or don't wish to use HTTPS Inspection, then you open the relevant TCP/UDP ports for the application.
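An added example (not part of the thread and not Check Point code): a small Python helper that turns a developer-supplied URL list into the host/port pairs a port-based rule needs, and flags where the URL-based option from the post above would need extra ports or HTTPS Inspection. The hostname, ports and URLs are constructed placeholders, and `plan_rules` is a hypothetical name.

```python
from urllib.parse import urlsplit

# Ports the post above says a Custom Application/Site object is inspected on by default.
DEFAULT_INSPECTED_PORTS = {80, 443, 8080}
SCHEME_PORTS = {"http": 80, "https": 443}

# Constructed sample input standing in for the developer's URL list.
SAMPLE_URLS = [
    "http://appserver.example.internal:58080/querymanager/",
    "http://appserver.example.internal:58080/webservice/",
    "http://appserver.example.internal/rpa/",
    "https://appserver.example.internal:8443/monitor/console",
    "ftp://appserver.example.internal/not-web",
]

def plan_rules(urls):
    """Group URLs by (host, port) and note what each endpoint needs on the gateway."""
    endpoints, skipped = {}, []
    for raw in urls:
        try:
            parts = urlsplit(raw.strip())
            scheme = parts.scheme.lower()
            if scheme not in SCHEME_PORTS or not parts.hostname:
                raise ValueError("not an HTTP(S) URL with a host")
            port = parts.port or SCHEME_PORTS[scheme]  # .port raises on bad values
        except ValueError:
            skipped.append(raw)  # keep for manual review instead of guessing
            continue
        entry = endpoints.setdefault((parts.hostname, port),
                                     {"schemes": set(), "paths": set()})
        entry["schemes"].add(scheme)
        entry["paths"].add(parts.path)
    plan = []
    for (host, port), entry in sorted(endpoints.items()):
        path_specific = any(p not in ("", "/") for p in entry["paths"])
        plan.append({
            "host": host,
            "tcp_port": port,  # what a plain port-based rule must allow
            # URL-based option: port must be added to the inspected ports
            "url_object_needs_extra_port": port not in DEFAULT_INSPECTED_PORTS,
            # Matching beyond the host part of an HTTPS URL needs HTTPS Inspection
            "needs_https_inspection": "https" in entry["schemes"] and path_specific,
        })
    return plan, skipped

if __name__ == "__main__":
    rules, ignored = plan_rules(SAMPLE_URLS)
    for rule in rules:
        print(rule)
    print("skipped:", ignored)
```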
Yes,
I see that I overcomplicated the case here. I have already set policy rules that clearly state that traffic is allowed from network to network via a specific TCP port.