CacheGuard-OS
User's Guide - Version UF-2.2.2
Using a Manager
If you deploy several CacheGuard Gateways in your organisation, you can configure them separately one by one. But most of the time Gateways deployed in the same organisation have similar configurations, and you would have to repeat the same configuration process as many times as you have deployed Gateways. A CacheGuard Manager system lets you centrally configure and manage several remote Gateways from a single point. With a Manager you can create a configuration template and build Gateway configurations based on that template. Configurations built on a Manager system can then be pushed in parallel to several Gateways with just a couple of clicks or commands.
Also, if you need to automatically update data such as URL lists, the Manager allows you to download them only once and push them in parallel to all managed Gateways. The Manager thus lets you manage your Gateways in a uniform and optimised way.
Gateway Access
Before Gateways can be managed from a Manager, they must grant the Manager management access. The Manager uses the SSH protocol and SSH keys to connect to Gateways. That is why Gateways should allow the Manager's IP address to have SSH access to them and authorise the Manager's SSH public key (so that no password has to be entered for each SSH access). A Gateway can be managed by one master Manager and optionally a backup Manager. The backup Manager always holds a hot copy of all Gateway configurations present on the master Manager and can be activated in case of a failure on the master Manager.
Note that a Manager system has only one logical network interface called internal. To get the Manager's IP address and its SSH public key, you can use the following commands on the Manager:
- ip internal
- manager ssh show
To allow a master Manager that has the IP address 192.168.1.22 and the SSH public key 'ssh-rsa AAAAB3Nza...' to have management access to a Gateway system via its external NIC, use the following commands on the Gateway:
- manager add master external 192.168.1.22 'ssh-rsa AAAAB3Nza...'
- apply
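Because the Gateway will trust whatever public key is pasted into the manager add command, it is worth validating that key line before applying it. The following Python helper is an added example, not part of CacheGuard-OS: it assumes that manager ssh show prints a standard one-line OpenSSH public key, checks that the base64 blob is intact and that the key type embedded in the blob matches the textual type (a cheap way to catch a truncated or altered paste), and computes the SHA256 fingerprint so it can be compared out of band with the Manager. The sample key below is constructed for the example and is not a real key.

```python
import base64
import hashlib
import ipaddress
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the OpenSSH wire format."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str):
    """Validate a one-line OpenSSH public key and return (key_type, fingerprint).

    Raises ValueError if the line is not a well-formed '<type> <base64> [comment]'
    entry or if the blob's embedded type disagrees with the textual type.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (ValueError, base64.binascii.Error) as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from None
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type inside blob does not match textual type")
    # OpenSSH's SHA256 fingerprint: base64 of the digest with padding stripped.
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pubkey_is_well_formed(line: str) -> bool:
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def gateway_access_command(manager_ip: str, pubkey_line: str,
                           nic: str = "external", role: str = "master") -> str:
    """Build the Gateway-side 'manager add' command from validated inputs."""
    ipaddress.ip_address(manager_ip)  # raises ValueError on a malformed address
    key_type, _ = parse_openssh_pubkey(pubkey_line)
    return f"manager add {role} {nic} {manager_ip} '{key_type} {pubkey_line.split()[1]}'"


# Constructed sample (NOT a real key): ssh-rsa blob with e=65537 and a dummy modulus.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + b"\xab" * 256))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " manager@example"
```

Compare the printed fingerprint with the one obtained directly on the Manager before running apply on the Gateway.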
Gateway Enrolment
Once a Manager is allowed to access a Gateway, the first step is to enrol the Gateway on the Manager and optionally pull the Gateway's current configuration and save it on the Manager. Gateway configurations on the Manager are identified by a unique identifier that you have to set during the enrolment. In addition, Gateways on the Manager are organised in groups called domains, and a Gateway must belong to one and only one domain. In this way, you can push or pull configurations in parallel on all Gateways belonging to a domain.
To enrol and pull the configuration of a Gateway having the IP address 10.0.10.254, use the following commands on the Manager:
- manager gateway add my-company gateway-1 10.0.10.254
- manager gateway pull my-company gateway-1
Note that in this example, my-company and gateway-1 are respectively the identifier and domain name selected for the enrolled Gateway. The pull operation is performed in the background. To get a report on the latest pull operation, use the following command:
- manager gateway report pull
Gateway Configuration
Gateway configurations can be modified on the Manager and then be pushed to remote Gateways by the Manager. To begin editing a Gateway configuration on the Manager, use the following command:
- manager gateway begin conf gateway-1
This command takes you inside the Gateway configuration context, where you can use the commands that you normally use on a Gateway system. Once you have finished configuring the Gateway, use the apply command to verify and validate its integrity and then the end command to go back to the Manager configuration level. At this stage you can push the new Gateway configuration to the remote Gateway by using the following command:
- manager gateway push my-company gateway-1
The push operation is performed in the background. To get a report on the latest push operation, use the following command:
- manager gateway report push
Working with Templates
The Manager's strength is its ability to work with templates. A template is a particular Gateway configuration that you can apply to Gateways. In this way, you can quickly configure multiple Gateway systems that have almost the same configuration. You will only need to customise what differs from one Gateway to another (its IP addresses, for instance). To create a template called my-template on a Manager system and then begin to configure it, use the following commands:
- manager template add my-template
- manager template begin conf my-template
Once you have finished configuring the template, use the apply command to verify and validate its integrity and then the end command to go back to the Manager configuration level.
Now that you have a template, you can apply it to a Gateway configuration. To do so, you must be inside a Gateway configuration context. To configure a managed Gateway using a template called my-template, use the following command:
- conf manager template my-template
Master & Slave Managers
In order to offer recovery and availability, a slave Manager can be configured to hold a hot copy of all data on the master Manager. In this way, in case of a failure on the master Manager, the slave Manager can be activated in order to offer service continuity in handling managed Gateways. To allow the master and slave Managers to communicate with each other, each Manager must know the IP address of the other. In addition, the slave Manager must know the SSH public key of the master Manager to allow the master to connect to it using SSH.
Assuming that the master Manager has the 192.168.1.22 IP address and the slave Manager the 192.168.1.33 IP address, use the following commands on the master Manager:
- manager sync role master
- manager sync peer 192.168.1.33
- apply
And the following commands on the slave Manager:
- manager sync role slave
- manager sync peer 192.168.1.22 'ssh-rsa AAAAB3Nza...'
- apply
Where 'ssh-rsa AAAAB3Nza...' is the SSH public key of the master Manager.