Deployment scenarios

Note

It is advised to deploy Wheel Fudo PAM within the IT infrastructure in such a way that it only mediates administrative connections. This lowers the load on the appliance, keeps regular user traffic off it, and means that hosted services stay reachable for regular users should Wheel Fudo PAM suffer a hardware malfunction.

Bridge

In bridge mode Wheel Fudo PAM mediates all communication between users and servers, whether the traffic is monitored (i.e. uses one of the supported protocols) or not.

../../_images/deployment_bridge.png

Mediating packet transfer, Wheel Fudo PAM preserves the source IP address when forwarding requests to destination servers. The servers therefore still see the administrator's own address, and their connection logs (e.g. sshd's "Accepted ... from <address>" entries) keep recording it rather than the address of Wheel Fudo PAM.

This allows the existing firewall rules that control access to internal resources by source address to be kept unchanged.

For more information on configuring bridge refer to the Network configuration topic.

Forced routing

Forced routing mode requires a properly configured router. Traffic is steered at layer 3 of the ISO/OSI model (the network layer), so that only administrative connections are routed through Wheel Fudo PAM while the rest of the traffic is forwarded directly to the destination server.

../../_images/deployment_router.png

This mode does not require changes to the existing network topology and optimizes network traffic by separating the requests of system administrators from those of regular users. Note that Wheel Fudo PAM only sees what the router sends to it, so the routing policy (including the return path from the servers) decides what is actually mediated.
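
The forced routing setup described above, carried out as policy-based routing on a Linux router. This is an added illustration and not configuration from the Wheel Fudo PAM documentation; the addresses, the interface name and the port list are assumptions. Only TCP to the administrative ports of the server segment (and the replies to it) is marked and sent to Wheel Fudo PAM; everything else follows the main routing table.

```shell
#!/bin/sh
# Added example: policy-based routing on a Linux router for Wheel Fudo PAM's
# forced routing mode. Not part of the product documentation; all addresses,
# the interface name and the port list are assumptions for this illustration.

FUDO_IP="10.0.0.8"             # next hop: Wheel Fudo PAM (assumed)
FUDO_IF="eth2"                 # router interface facing Wheel Fudo PAM (assumed)
SERVER_NET="10.0.1.0/24"       # protected server segment (assumed)
ADMIN_PORTS="22,23,3389,5900"  # SSH, Telnet, RDP, VNC
MARK="0x10"                    # fwmark for administrative traffic
TABLE="100"                    # routing table whose only route leads to Wheel Fudo PAM

# RUN defaults to echo (dry run: print the commands). Apply with RUN= (empty).
: "${RUN=echo}"

pbr_rules() {
    # Administrator -> server: mark TCP to the administrative ports of the
    # server segment. "! -i FUDO_IF" leaves alone what comes back from
    # Wheel Fudo PAM; otherwise the same packet would be marked and sent
    # to it again in a loop.
    $RUN iptables -t mangle -A PREROUTING ! -i "$FUDO_IF" -d "$SERVER_NET" \
        -p tcp -m multiport --dports "$ADMIN_PORTS" -j MARK --set-mark "$MARK"

    # Server -> administrator: mark the replies too, so the return path also
    # runs through Wheel Fudo PAM (needed when it preserves source addresses).
    $RUN iptables -t mangle -A PREROUTING ! -i "$FUDO_IF" -s "$SERVER_NET" \
        -p tcp -m multiport --sports "$ADMIN_PORTS" -j MARK --set-mark "$MARK"

    # Marked packets are routed by table TABLE, which sends everything to
    # Wheel Fudo PAM; unmarked packets keep using the main table.
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE"
    $RUN ip route add default via "$FUDO_IP" table "$TABLE"
}

pbr_rules
```

Run as-is the script only prints the rules; run it with RUN= (empty) on the router to apply them (the ip rule and ip route commands are not idempotent, so flush table 100 first when re-running). Two details matter in practice: packets re-entering the router from Wheel Fudo PAM must not be matched again (hence the `! -i` exclusion), and the replies from the servers are marked as well so that the return path traverses Wheel Fudo PAM. If the router has strict reverse-path filtering enabled, traffic arriving from the Wheel Fudo PAM interface with the administrator's source address may be dropped; rp_filter on that interface then needs loose mode (value 2).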

Connection modes

Transparent

In transparent mode, users connect to the destination server using that server's IP address. Unlike gateway mode, Wheel Fudo PAM does not substitute its own address, so the network (bridge or forced routing) must be arranged so that the return traffic from the server also passes through Wheel Fudo PAM.

../../_images/deployment_transparent.png

Gateway

In gateway mode, users likewise connect to the destination server using its actual IP address, but Wheel Fudo PAM establishes the connection to the server from its own IP address. The server therefore sees Wheel Fudo PAM as the client and returns its traffic to it, which ensures that the traffic from the server to the user passes through Wheel Fudo PAM regardless of the routing in between. Firewall rules and server-side logs keyed on the administrator's source address consequently see the Wheel Fudo PAM address instead.

../../_images/deployment_gateway.png

Proxy

In proxy mode, the administrator connects to the destination server using a combination of the Wheel Fudo PAM IP address and a unique port number assigned to the given server. Because the combination is unique, it identifies the particular resource the connection is to be established with.

../../_images/deployment_proxy.png

This approach conceals the actual addressing of the servers and allows them to be configured to accept requests only from Wheel Fudo PAM, so that the mediated path cannot be bypassed.

Bastion

In bastion mode, the account on the target host is specified within the string identifying the user, e.g. ssh john_smith#admin@10.0.0.8, where john_smith is the Wheel Fudo PAM user, admin is the account on the target host and 10.0.0.8 is the Wheel Fudo PAM address. This gives access to a group of monitored servers through a single IP address and port number combination.

../../_images/deployment_bastion.png

Note

  • Bastion mode is supported when connecting over the SSH, RDP, VNC, Telnet or Telnet 3270 protocols.
  • If the specified account is not found, Wheel Fudo PAM tries to match the name with a server object instead.
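
How the proxy and bastion addressing schemes above identify a target, written out as an added shell example; this is not code from Wheel Fudo PAM, which performs this resolution internally. The inventory of servers, account objects and proxy listeners is constructed for the illustration, and the two-step bastion lookup follows the rule in the note: the name after # is matched against an account first and against a server object second.

```shell
#!/bin/sh
# Added example, not code from Wheel Fudo PAM: how a target is identified in
# proxy mode (listener address:port -> server) and in bastion mode (the name
# after '#' in the user string -> account object, else server object).
# The inventory below is constructed for the illustration.

# Servers behind Wheel Fudo PAM (assumed names).
SERVERS="web01 db01 win01"

# Account objects as name@server: an account on a particular target host (assumed).
ACCOUNTS="admin@web01 root@web01 postgres@db01 Administrator@win01"

# Proxy mode listeners as fudo_ip:port=server; each pair is unique (assumed values).
LISTENERS="10.0.0.8:2222=web01 10.0.0.8:2223=db01 10.0.0.8:3390=win01"

# Proxy mode: the administrator connects to FUDO_IP:PORT and that pair alone
# selects the server. Prints the server name; fails if no listener matches.
resolve_proxy_listener() {
    for entry in $LISTENERS; do
        if [ "${entry%%=*}" = "$1:$2" ]; then
            printf '%s\n' "${entry#*=}"
            return 0
        fi
    done
    printf 'error: nothing listens on %s:%s\n' "$1" "$2" >&2
    return 1
}

# Bastion mode: takes the user name as Wheel Fudo PAM receives it, e.g.
# "john_smith#admin" from "ssh john_smith#admin@10.0.0.8". The part before
# '#' is the Wheel Fudo PAM user; the part after it is looked up first as
# an account object and, failing that, as a server object.
resolve_bastion_login() {
    login="$1"
    case "$login" in
        *'#'*) ;;
        *) printf 'error: expected user#name, got %s\n' "$login" >&2; return 2 ;;
    esac
    user="${login%%'#'*}"
    name="${login#*'#'}"
    for entry in $ACCOUNTS; do
        if [ "${entry%%@*}" = "$name" ]; then
            printf 'user=%s account=%s server=%s\n' "$user" "$name" "${entry#*@}"
            return 0
        fi
    done
    for srv in $SERVERS; do
        if [ "$srv" = "$name" ]; then
            printf 'user=%s server=%s\n' "$user" "$srv"
            return 0
        fi
    done
    printf 'error: %s is neither an account nor a server\n' "$name" >&2
    return 1
}

# Demonstration runs (the last two logins are deliberately rejected).
resolve_proxy_listener 10.0.0.8 2222
for login in 'john_smith#admin' 'john_smith#db01' 'john_smith#nosuch' 'john_smith'; do
    resolve_bastion_login "$login" || echo "rejected: $login"
done
```

The contrast worth noticing is where the routing decision lives: in proxy mode it is fixed by the port the administrator connected to, so one listener per server has to exist; in bastion mode a single listener serves the whole group and the decision is made from the user string, which is why a name that matches nothing must be rejected rather than guessed.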

Related topics: