About Surrogate Socket
Surrogate Socket is an application-level gateway designed primarily to provide Internet connectivity to non-Windows hosts and devices located behind Microsoft Proxy Server.
Surrogate Socket is a product of CornerPost Software.
Surrogate Socket works by listening for incoming connections on your proxy server for each IP address and port mapping you define. When a client connects, Surrogate Socket establishes a second connection to the mapping's pre-defined host IP address and port, and the two connections are bridged together so that the client and host can communicate. Whenever either the client or the host disconnects, the bridged connection to the other side is disconnected as well.
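The bridging behaviour described above, as an added example that is not CornerPost's code: one accepted client socket and one outbound host socket are relayed into each other until either side closes, after which the other leg is torn down. The `demo()` function stands in for real TCP legs with local socketpairs so it runs offline; the buffer size and the `connect_host` helper (which models the Connect Timeout setting described later on this page) are assumptions made for the example.

```python
import selectors
import socket
import threading

# Added example, not CornerPost's code: a minimal version of the bridging
# behaviour the text describes. One accepted client socket and one outbound
# host socket are copied into each other until either side closes; then the
# other side is closed too.


def connect_host(connect_addr: str, connect_port: int, timeout: float) -> socket.socket:
    """Open the outbound (host) leg of a mapping, giving up after `timeout`
    seconds. Raises OSError on failure, which the caller answers by dropping
    the inbound client socket."""
    return socket.create_connection((connect_addr, connect_port), timeout=timeout)


def bridge(client: socket.socket, host: socket.socket, bufsize: int = 4096) -> dict:
    """Relay bytes both ways; return the byte count per direction.

    The loop ends on the first EOF or error from either side, and the
    `finally` block then tears down both legs, which is the disconnect
    propagation the page describes."""
    counts = {"client_to_host": 0, "host_to_client": 0}
    peer = {client: host, host: client}
    label = {client: "client_to_host", host: "host_to_client"}
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ)
    sel.register(host, selectors.EVENT_READ)
    try:
        while True:
            for key, _ in sel.select():
                src = key.fileobj
                try:
                    data = src.recv(bufsize)
                except OSError:      # reset or similar: treat like EOF
                    return counts
                if not data:         # orderly close on this side
                    return counts
                peer[src].sendall(data)
                counts[label[src]] += len(data)
    finally:
        sel.close()
        for s in (client, host):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def demo() -> dict:
    """Offline demonstration using socketpairs in place of real TCP legs:
    c_ext/c_proxy stand for the client and its accepted socket on the proxy,
    h_proxy/h_ext for the proxy's outbound socket and the internal host."""
    c_ext, c_proxy = socket.socketpair()
    h_proxy, h_ext = socket.socketpair()
    result = {}
    worker = threading.Thread(target=lambda: result.update(bridge(c_proxy, h_proxy)))
    worker.start()

    c_ext.sendall(b"hello host")          # client -> proxy -> host
    host_saw = h_ext.recv(64)
    h_ext.sendall(b"hello client")        # host -> proxy -> client
    client_saw = c_ext.recv(64)

    c_ext.close()                         # client hangs up ...
    worker.join(timeout=5)
    host_saw_eof = h_ext.recv(64) == b""  # ... and the host leg is closed too
    h_ext.close()
    return {
        "host_saw": host_saw,
        "client_saw": client_saw,
        "host_saw_eof": host_saw_eof,
        "counts": result,
    }


if __name__ == "__main__":
    print(demo())
```

The relay carries the host's EOF to the client and vice versa; a gateway that only closed the side that went quiet would leave half-open sessions holding server resources.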
Still need help?
Visit our website for information on technical support.
If you are defining a mapping to a system using one of the predefined protocols (AWS, FTP, POP3, SMTP, TELNET, Windows Terminal Server, or Windows Terminal Server with Metaframe), click on the Wizard button and you will be guided through a simple three-step process to create your mapping.
To manually define a new socket mapping, select the Socket Mapping tab from Surrogate Socket Service Control. Click in the Protocol field on the row with an asterisk(*). Then enter the desired values in each of the other fields.
A Surrogate Socket Mapping consists of four required elements:
- Protocol: This setting must be set to TCP; the field exists only to allow for future enhancements.
- Listen Address: This is the IP address on the proxy server on which Surrogate Socket will listen for incoming (client) connections. If your proxy server has multiple addresses, you can tell Surrogate Socket to listen on all of them by using an asterisk (*) for the Listen Address. Note that an asterisk includes the proxy server's external interface, so the mapping is then reachable from the Internet side as well.
- Listen Port: This is the port number on the proxy server on which Surrogate Socket will listen for incoming connections. The port number is usually determined by the type of server application which the socket will be remoted to. For example, Windows Terminal Server uses port 3389 and Unix Telnet uses port 23. See your server application documentation for further information.
- Connect Address: This is the IP address of the host which will receive the remoted client connection defined by the Listen Address and Port.
- Connect Port: This is the port number on the host which will receive the remoted client connection defined by the Listen Address and Port.
Example:
In the example network, we have an internal Windows Terminal Server and an internal Unix host. The mappings for these two hosts are shown below.

Windows Terminal Server:
Listen Address: a.b.c.e
Listen Port: 3389
Connect Address: 10.a.b.d
Connect Port: 3389

Unix Host (Telnet):
Listen Address: a.b.c.e
Listen Port: 23
Connect Address: 10.a.b.e
Connect Port: 23
Other Settings
There are three optional settings which are included as security measures:
- Connect From IP: This is a mask (or optionally a list of up to 5 masks separated by a semicolon (;)) which restricts which client IP addresses may connect to a socket mapping. You may mask out multiple positions in the IP address by using an asterisk (*) or mask out individual positions by using a question mark (?). For example, a mask of 10.0.1.* would allow all clients in the range 10.0.1.1 to 10.0.1.254 to connect to the selected mapping, and a mask of 10.1.1.1? would allow all clients in the range 10.1.1.10 to 10.1.1.19 to connect to the selected mapping. You could combine these two masks by entering 10.0.1.*;10.1.1.1? to allow both ranges.
- Ping?: This option acts as a deterrent to IP spoofing by pinging the client prior to allowing a connection to a socket mapping. Since IP spoofing depends on the impersonated client being unreachable at the time of the attack, this measure should reduce the possibility of a successful IP spoof attack. Note that the check only confirms that something at that address answers ICMP at that moment; it does not authenticate the client. This option will degrade the performance of Surrogate Socket when set to "Yes."
- Socket Schedule: By clicking on the Schedule button, you can specify a range of days and hours during which the selected mapping will accept client connections.
Mapping Wizard
The mapping wizard guides you through a simple three step process to define your system mapping. Just follow the on-screen instructions.
Surrogate Socket runs as a service on Windows NT Server. When you first install Surrogate Socket, it is set for manual start. If you want Surrogate Socket to start automatically whenever you restart Windows NT, go to the Other Settings tab and click on Automatic for Startup Mode.
The Surrogate Socket Service Control program can also be used to start, stop and cycle (stop, then start) the Surrogate Socket service. When the service is stopped, clicking on the Start button will start it, and when it is running, clicking on the Stop button will stop it.
Socket Schedule
The Schedule screen allows you to set up an access schedule for each of your defined mappings.
The Schedule screen is organized in a grid with hours of the day across the top of the grid and days of the week down the left edge. The intersection of each row and column identifies a discrete hour of a particular day of the week. Each cell which contains a green square represents an hour/day combination during which Surrogate Socket will accept client connections for the selected mapping.
To set up a schedule for a specific mapping, first select the mapping in the combo box at the top of the screen.
Next, select the days of the week and hours of the day you wish to allow or deny and click on the allow or deny button.
You can select a range in one of three ways: Click on a day button to select all hours of a specific day of the week; Click on an hour button to select a specific hour for all days; Or, click and drag on a cell to select a combination of hours and days.
The check box at the bottom of the screen tells Surrogate Socket whether or not to forcibly disconnect a user when the schedule for the selected mapping expires. If this box is not selected, Surrogate Socket will allow users to remain connected (as long as they connected within allowable hours) even after the schedule starts denying access.
If a client attempts to connect to a mapping outside the allowable hours for the mapping, they will receive the appropriate message from the Messages tab.
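A model of the schedule grid and of the force-disconnect checkbox, as an added example that is not CornerPost's code. It assumes the grid is a 7 x 24 table of allow/deny cells indexed the way Python's `datetime.weekday()` numbers days (0 = Monday), and that enforcement runs as a periodic sweep over open sessions; the `business_hours()` schedule is constructed for the example.

```python
from datetime import datetime

# Added example, not CornerPost's code: a model of the Schedule grid (7 days x
# 24 hours of allow/deny cells) and of the force-disconnect checkbox. Day and
# hour indexes follow datetime.weekday(): 0 = Monday ... 6 = Sunday.

ALL_DAYS = range(7)
ALL_HOURS = range(24)


class MappingSchedule:
    def __init__(self, allow_everything: bool = True):
        # grid[day][hour] is True for a "green square" (connections accepted)
        self.grid = [[allow_everything] * 24 for _ in ALL_DAYS]

    def _set(self, days, hours, value: bool) -> None:
        for d in days:
            for h in hours:
                self.grid[d][h] = value

    # These mirror the screen's selection modes: a whole day, one hour across
    # all days, or a dragged rectangle of days x hours, then Allow or Deny.
    def allow(self, days=ALL_DAYS, hours=ALL_HOURS) -> None:
        self._set(days, hours, True)

    def deny(self, days=ALL_DAYS, hours=ALL_HOURS) -> None:
        self._set(days, hours, False)

    def accepts(self, when: datetime) -> bool:
        return self.grid[when.weekday()][when.hour]


def moment(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Small constructor so callers need not import datetime themselves."""
    return datetime(year, month, day, hour, minute)


def business_hours() -> MappingSchedule:
    """Constructed sample: deny everything, then open Monday-Friday 08:00-17:59
    (hour cells 8 through 17)."""
    s = MappingSchedule(allow_everything=False)
    s.allow(days=range(0, 5), hours=range(8, 18))
    return s


def admit(schedule: MappingSchedule, when: datetime) -> bool:
    """New connection attempt: accepted only inside an allowed cell."""
    return schedule.accepts(when)


def sessions_to_drop(schedule: MappingSchedule, when: datetime,
                     open_sessions: list, force_disconnect: bool) -> list:
    """Periodic sweep of established sessions. With the checkbox clear,
    sessions that connected inside allowed hours are left alone when the
    schedule expires; with it set, every open session on the mapping is cut."""
    if force_disconnect and not schedule.accepts(when):
        return list(open_sessions)
    return []
```

The two enforcement points are deliberately separate: `admit()` runs once per connection attempt, while `sessions_to_drop()` only does anything when the checkbox is set, which is the distinction the page draws.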
There are two ways you can limit who can connect to a Socket Mapping:
If your proxy server has two NICs and you only want internal clients to connect to a mapping, simply enter the internal IP address of the proxy server as the Listen Address.
More likely, you will want to limit access to a particular subnet on the Internet, such as your local ISP. To accomplish this, you can specify a mask value for the Connect From IP field. This value may be a single mask or a list of up to 5 masks separated by a semicolon (;).
If a user attempts to connect from an IP address which is disallowed by the Connect From mask, they will receive the message specified on the Messages tab.
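An implementation of the Connect From IP check described here and under Other Settings above, as an added example that is not CornerPost's code. It assumes the two wildcard characters behave as in file-name globbing ('*' matches any run of characters, '?' exactly one) and, since the page does not say, lets '*' span dots. The CIDR variant is included only for comparison; the page does not offer it.

```python
import ipaddress
import re

MAX_MASKS = 5  # the page's limit for the semicolon-separated list

# Added example, not CornerPost's code. It assumes the page's two wildcard
# characters work as in file-name globbing: '*' matches any run of characters
# and '?' matches exactly one. Nothing on the page says whether '*' may span
# dots, so it is allowed to here.


def mask_to_regex(mask: str):
    parts = []
    for ch in mask.strip():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch.isdigit() or ch == ".":
            parts.append(re.escape(ch))
        else:
            raise ValueError(f"illegal character {ch!r} in mask {mask!r}")
    return re.compile(r"\A" + "".join(parts) + r"\Z")


def parse_connect_from(field: str) -> list:
    """Split a Connect From IP field into compiled masks; empty means 'any'."""
    masks = [m for m in field.split(";") if m.strip()]
    if len(masks) > MAX_MASKS:
        raise ValueError(f"at most {MAX_MASKS} masks allowed, got {len(masks)}")
    return [mask_to_regex(m) for m in masks]


def field_is_valid(field: str) -> bool:
    try:
        parse_connect_from(field)
        return True
    except ValueError:
        return False


def client_allowed(field: str, client_ip: str) -> bool:
    """True if the client's source address matches any mask in the field."""
    ipaddress.IPv4Address(client_ip)  # reject anything that is not a dotted quad
    masks = parse_connect_from(field)
    return not masks or any(m.match(client_ip) for m in masks)


def client_allowed_cidr(networks: str, client_ip: str) -> bool:
    """Same check with CIDR prefixes (e.g. '10.0.1.0/24;10.1.1.16/28')
    instead of text wildcards. Prefix matching cannot be widened by a
    digit-count surprise the way a '*' placed after a partial octet can."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in ipaddress.IPv4Network(n.strip(), strict=False)
               for n in networks.split(";") if n.strip())
```

The pitfall worth checking before saving a mask: the wildcards operate on the decimal text, not on address bits, so `10.1.1.1*` admits 10.1.1.1, 10.1.1.10 through 10.1.1.19 and 10.1.1.100 through 10.1.1.199, which is rarely what was meant. Use `?` for a fixed digit count, and remember that a source-address mask is a filter, not authentication.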
Surrogate Socket has several additional settings which affect performance and aid in debugging connectivity problems:
Logging Level: Surrogate Socket logs information to the file surrogatesocket.log located in the Surrogate Socket program directory. If you are experiencing difficulties setting up Surrogate Socket, this information may prove valuable in determining the cause of problems. There are four different levels which determine how much information Surrogate Socket logs:
- 0 - Errors only. Surrogate Socket only writes an entry to the log whenever an error occurs.
- 1 - Connections. Logs connects and disconnects.
- 2 - Sockets. Logs additional information about the sockets being used.
- 3 - Data. Logs the amount of data being transmitted through each socket. Use this setting only during testing as it will severely degrade performance.
Performance Tuning: These settings determine the sizes of the memory buffers used internally by Surrogate Socket. Certain application specific protocols may respond to changes in these settings. Contact Product Support for more information.
Connect Timeout: This setting determines the amount of time in seconds that Surrogate Socket will wait for an outbound (host) socket to connect before disconnecting the corresponding inbound (client) socket.
Startup Mode: This setting determines whether or not Surrogate Socket will start automatically at system boot. A setting of Automatic will cause Surrogate Socket to automatically start whenever the system is rebooted; Manual start requires you to start Surrogate Socket manually whenever the system is rebooted; and Disabled means Surrogate Socket cannot be started.
Automatically Synchronize System Time with the Internet Time Host: This setting tells Surrogate Socket to periodically check the selected Internet Time Host and synchronize the PC's time to it. Since socket schedules are evaluated against the local clock, keeping it accurate matters if you rely on them.
Whenever a client is refused a connection by Surrogate Socket either for connecting outside allowable hours, or connecting from a disallowed IP address, they will receive the appropriate message entered on this tab.
Note: Some applications such as a mail client and Windows Terminal Server client will not display these messages to the client. There will, however, be a message in the Surrogate Socket log indicating the connection refusal.
Certain protocols such as FTP and SQL*Net require special attention. For these protocols, Surrogate Socket must monitor the data stream transferred to and from the client for embedded IP addresses. When Surrogate Socket detects one of these embedded IP addresses, it will automatically fix the IP address reference to reflect the address translation that Surrogate Socket has performed.
To reduce the overhead required to perform this processing, Surrogate Socket must know the port numbers these special protocols use. Use this tab to enter those port numbers. You must still enter the actual mappings on the mappings tab.
For FTP, the default port of 21 is already monitored. If your FTP server uses other ports, such as port 2000, you will need to add them to the list.
For SQL*Net, Surrogate Socket needs to know the port numbers of the SQL listeners you are expecting connection requests on. In addition, Surrogate Socket needs a port number to use on the proxy server for shared client access. When using SQL*Net, you will need to enter mappings for the Listener Ports, BUT NOT for the Shared Port. Surrogate Socket dynamically opens the shared port as needed.
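The FTP part of the embedded-address fixing described above, as an added example that is not CornerPost's code: the 227 (PASV) reply from the server and the PORT command from the client each carry an address and port in the `h1,h2,h3,h4,p1,p2` form, which the gateway rewrites to one of its own addresses while opening a dynamic mapping back to the announced endpoint. The addresses, the starting port for dynamic mappings, and the rule that refuses to open a mapping to any address other than the peer that sent the line are assumptions made for the example; the page does not describe how the product allocates or restricts these mappings. SQL*Net is not covered here.

```python
import re

# Added example, not CornerPost's code: the FTP part of the address-fixing the
# text describes, reduced to pure string rewriting plus a table of dynamically
# opened mappings. Addresses, ports and the "pin to the sending peer" rule are
# assumptions made here for the example, not product behaviour.

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)


def decode_hostport(groups) -> tuple:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(not 0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class DynamicMappings:
    """Mappings opened on demand for FTP data connections. Each entry listens
    on `listen_ip` and forwards to the (ip, port) the peer announced."""

    def __init__(self, listen_ip: str, first_port: int = 40000):
        self.listen_ip = listen_ip
        self.next_port = first_port
        self.table = {}  # (listen_ip, listen_port) -> (connect_ip, connect_port)

    def add(self, connect_ip: str, connect_port: int) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(self.listen_ip, port)] = (connect_ip, connect_port)
        return port


def _rewrite(line: str, regex, mappings: DynamicMappings, expected_ip: str):
    m = regex.match(line)
    if not m:
        return line                      # not an address-bearing line: pass through
    try:
        ip, port = decode_hostport(m.groups())
    except ValueError:
        return None                      # malformed: drop the line
    if ip != expected_ip:
        return None                      # refuse to open a mapping to a third party
    new_port = mappings.add(ip, port)
    return line[:m.start(1)] + encode_hostport(mappings.listen_ip, new_port) + line[m.end(6):]


def rewrite_pasv_reply(line: str, mappings: DynamicMappings, server_ip: str):
    """Server -> client direction: a 227 reply names the server's data port.
    `mappings` listens on the proxy's external address."""
    return _rewrite(line, PASV_RE, mappings, server_ip)


def rewrite_port_command(line: str, mappings: DynamicMappings, client_ip: str):
    """Client -> server direction: a PORT command names the client's data port.
    `mappings` listens on the proxy's internal address, the one the server can reach."""
    return _rewrite(line, PORT_RE, mappings, client_ip)
```

The pinning check is the security-relevant part: an address-fixing gateway that trusts whatever endpoint appears in the stream can be steered by a hostile peer into opening a forwarding path to an arbitrary third host. A server that legitimately announces a different address than the one its control connection uses would need that address allowed explicitly rather than the check removed.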
Surrogate Socket logs information about connection attempts, system events, and errors according to the Logging Level setting on the Other Settings tab.
The Log tab displays the contents of the log. This information can be useful in diagnosing connection problems. The information displayed in the list box is also stored in the file surrogatesocket.log in the Surrogate Socket directory.
In addition to displaying past events, you can see current connections by clicking on the Connections radio button. The display will change to show the currently connected sockets.
When in Log view, the display does not automatically update to show the most recent events. To update the display, click on the Refresh button.
To clear the log, click on the Clear button.
NOTE: You can also double-click on the Log list box to open it using Notepad.
Ping? Option
Since IP spoof attacks depend upon a lack of connectivity between the attacked host and the impersonated client, Surrogate Socket has an optional setting which will verify connectivity between Surrogate Socket and the client prior to permitting a client connection.
When set to Yes, the Ping? option causes Surrogate Socket to ping the client attempting to connect to a socket prior to allowing the connection. If the client is unreachable via ping, Surrogate Socket will not allow the client to connect.
Please note that a number of ISPs do not allow ICMP ping traffic to reach their clients. In a situation such as this, you must set Ping? to No.
Client Redirections
Client Redirections allow you to set up a mapping and then have that mapping dynamically redirected based on the IP address of the client who connects to it. This capability is provided by the Authentication Add-in, so mappings you wish to use in this way must have Auth? turned on in the Mapping setup.
The list box at the top of this tab shows the redirections currently defined. When you select a redirection by clicking on it, the detail will fill in the fields below the list box. This tab functions in "Save and Add" mode. This means when you click on a redirection, change one or more of the fields, and then save it, it adds another redirection rather than replacing the selected redirection. This simplifies the process of adding a large number of redirections.
The fields which define a Client Redirection are shown below.
Client IP: The IP address of the client you wish to redirect.
Listen Mapping: A list of available Mappings. This combo-box only lists the Mappings with Auth? turned on.
Connect To: The IP Address or hostname of the system to redirect the client to whenever they connect to the Listen Mapping. The text box to the right is the port number.
NOTE: If you change the Listen Address or Listen Port of a Mapping which has one or more Client Redirections based upon it, the Client Redirections will no longer function.