Satellite responsible for more than one zone

Hello,
a small description of the infrastructure:

  • master with 4 satellites
  • 8 Zones like security zones e.g. DMZ1, SHZ1, IDMZ1, EDMZ1, DMZ2, SHZ2, IDMZ2, EDMZ2

Every satellite is in one Sec-Zone:
sat1dmz
sat2shz
sat3idmz
sat4edmz

// Same endpoint listed in two zones: this is what triggers the error below.
object Zone "DMZ1" {
  endpoints = [ "sat1dmz" ]
  parent = "master"
}

object Zone "DMZ2" {
  endpoints = [ "sat1dmz" ]
  parent = "master"
}

object Endpoint "sat1dmz" {
  host = "xxx.xxx.xxx.xxx"
}

If I configure every satellite for 2 zones, I got “Endpoint ‘sat1dmz’ is in more than one zone”.

Is there a way to configure this structure?
Thx

Alf

Hi,

no, this is not supported. A satellite endpoint can only be a member of one zone. Upon this, the zone trust relationship is built.

Where are the satellites nodes located physically, are these security zones overlapping, or wouldn’t it be more reasonable to have a satellite in each security zone?

Cheers,
Michael

Hi,
the routing between the satellite and DMZ1 and between the satellite and DMZ2 is like a star. That means the satellite is responsible for 2 separate zones, no overlapping. But in every zone there are many clients. In zones.d/ there are actually 4 zones: DMZ1, SHZ1, IDMZ1 and EDMZ1. Everything is OK. Now the satellite should manage the 4 other zones DMZ2, SHZ2, IDMZ2 and EDMZ2. There should be 8 directories in zones.d/. The configuration is OK. But what about the zones.conf? I think there is no solution?! The simplest way is to have a single sat for every zone. But here I described 2 zones with 1 satellite. At large scale it is: 24 zones with 8 satellites. That means that I need 16 more satellites. My boss will kill me :wink:

What exactly is needed to gain access to such a security zone? I would imagine that such a satellite has different interfaces for each DMZ routing applied, and can access different host objects then.

Why not ignore the security zones for Icinga zones, and just name the satellite zone after its primary intent, e.g. “satellite-dmz-<location>”. The different host objects belonging to different IP subnets could then be put into hostgroups, for example.

Cheers,
Michael
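The layout Michael describes, written out as an added example (not configuration from the original thread): one Icinga zone per satellite endpoint, named after its intent, with hosts from both security zones placed in that zone's zones.d/ directory and told apart by a custom variable and hostgroups. The zone name `satellite-dmz-loc1`, the addresses and the hostgroup names are assumptions.

```icinga2
/* zones.conf on the master. An endpoint may be listed in exactly one
   zone, so DMZ1 and DMZ2 are not modelled as separate Icinga zones. */
object Endpoint "master" {
}

object Zone "master" {
  endpoints = [ "master" ]
}

object Endpoint "sat1dmz" {
  host = "192.0.2.10"   // assumed satellite address
}

/* Named after the satellite's primary intent, not after a security zone. */
object Zone "satellite-dmz-loc1" {
  endpoints = [ "sat1dmz" ]
  parent = "master"
}

/* zones.d/satellite-dmz-loc1/hosts.conf on the master.
   Hosts from DMZ1 and DMZ2 are checked by the same satellite; the
   security zone is recorded in a custom variable instead. */
object Host "web-dmz1-01" {
  address = "10.1.0.11"           // assumed DMZ1 subnet
  check_command = "hostalive"
  vars.sec_zone = "DMZ1"
}

object Host "web-dmz2-01" {
  address = "10.2.0.11"           // assumed DMZ2 subnet
  check_command = "hostalive"
  vars.sec_zone = "DMZ2"
}

/* zones.d/satellite-dmz-loc1/groups.conf. Membership is derived from
   vars.sec_zone, so the security zone stays visible in the UI without
   a second Icinga zone for the same endpoint. */
object HostGroup "sec-zone-dmz1" {
  display_name = "Security zone DMZ1"
  assign where host.vars.sec_zone == "DMZ1"
}

object HostGroup "sec-zone-dmz2" {
  display_name = "Security zone DMZ2"
  assign where host.vars.sec_zone == "DMZ2"
}
```

Run `icinga2 daemon -C` on the master after the change; the "is in more than one zone" error no longer applies because `sat1dmz` is now a member of a single zone.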

Hi,

yes, that is the solution I follow now. In my case there are 4 contexts like:
1-Customer
dmz-Zone
test-Environment
mail-application

1-dmz-test-mail is the zone, e.g. the satellite

Now I want a satellite for all “test” machines in DMZ, one for “prod” in SHZ and so on. Like:

1-dmz-test-mail
1-dmz-prod-mail
1-shz-test-mail

2-dmz-test-mail
2-dmz-prod-mail
2-shz-test-mail

I will compress all to:
1-dmz-testprod-mts
1-SHZ-testprod-mts

That is OK for me, but I'm German and Germans are 100% correct :wink:

Thank you.

Maybe see you in November

If it doesn’t fit, we’ll make it fit :wink:

On a more serious note, the satellite should be put somewhere where it can access the required hosts and transports. The visual layer can be abstracted with groups and even business process logic on top :slight_smile:

I’ll be at OSMC for sure, see you then.

Cheers,
Michael
