Addressable Terminators

Hey,

I’ve been looking into Addressable Terminators and trying to understand whether they can be used together with ZDEW, specifically for a remote desktop–style use case.

From examples, I understand that Addressable Terminators allow a client to dial a specific service host when multiple hosts provide the same service. For example, the chat-p2p sample highlights that addressable terminators let clients dial a particular host even when several identities are bound to the same service.

What I want to achieve is something like this:

  • Several machines run an RDP-style service through OpenZiti.
  • Each machine has its own identity.
  • From my client machine, I want to choose which host to connect to.

My questions:

  1. Does ZDEW support Addressable Terminators?
  2. Can I choose a specific identity when dialing?

My goal / use case

The idea is to have a single service that multiple desktop machines “bind” to, and then allow the user to select which machine to remote into by specifying the identity name.

Hi @montwepa:

You can do something like the below, which would allow you to dial the endpoint by identity name by matching the names to ziti DNS URLs.
So the identities both bind and dial on the same service, using the ziti DNS hostname to identity name conversion. If you can, split the bind and dials if some will only be dialers and some will be serving, e.g. #WINNET_DIALERS, #WINNET_LISTENERS. The below assumes symmetrical dial and bind; modify as needed.

Identity 1 Name : client1.ziti.net : "roleAttributes": ["WINNET"]
Identity 2 Name : client2.ziti.net : "roleAttributes": ["WINNET"]

{
  "name": "addressable-service.intercept.v1",
  "configTypeId": "g7cIWbcGg",
  "data": {
    "portRanges": [
      {
        "high": 8000,
        "low": 8000
      }
    ],
    "addresses": [
      "*.ziti.net"
    ],
    "dialOptions": {
      "identity": "$dst_hostname"
    },
    "protocols": [
      "tcp"
    ]
  },
  "tags": {}
}

{
  "name": "addressable-service.host.v1",
  "configTypeId": "NH5p4FpGR",
  "data": {
    "protocol": "tcp",
    "address": "127.0.0.1",
    "forwardPort": true,
    "allowedPortRanges": [
      {
        "high": 8000,
        "low": 8000
      }
    ],
    "httpChecks": [],
    "listenOptions": {
      "identity": "$tunneler_id.name"
    },
    "portChecks": []
  },
  "tags": {}
}

{
  "name": "addressable-service",
  "roleAttributes": [],
  "configs": [
    "3LWQRbt4o6qzYy7BwwG7RA",
    "3jCq6ijiqnQVbs2i8VeMPD"
  ],
  "encryptionRequired": true,
  "terminatorStrategy": "smartrouting",
  "tags": {}
}

{
  "name": "addressable-service.bind",
  "appData": "",
  "serviceRoles": [
    "@6rbpqOTppibWKgT5LAuBj1"
  ],
  "identityRoles": [
    "#WINNET"
  ],
  "postureCheckRoles": [],
  "semantic": "AnyOf",
  "type": "Bind",
  "tags": {}
}

{
  "name": "addressable-service.dial",
  "appData": "",
  "serviceRoles": [
    "@6rbpqOTppibWKgT5LAuBj1"
  ],
  "identityRoles": [
    "#WINNET"
  ],
  "postureCheckRoles": [],
  "semantic": "AnyOf",
  "type": "Dial",
  "tags": {}
}
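As an added example (not code from this thread or from OpenZiti), a small Python model of how the two configs above cooperate: the intercept config turns the dialed hostname into a requested terminator identity through $dst_hostname, the host config registers each binding tunneler's terminator under its own identity name through $tunneler_id.name, and only a terminator carrying exactly that identity is a dial candidate. The matching rules, the sample data and the helper names are assumptions of the model, not the tunneler's or SDK's API.

```python
import fnmatch

# Constructed sample: the data sections of the intercept.v1 and host.v1 configs
# from the thread, reduced to the fields the model needs.
INTERCEPT = {
    "addresses": ["*.ziti.net"],
    "portRanges": [{"low": 8000, "high": 8000}],
    "protocols": ["tcp"],
    "dialOptions": {"identity": "$dst_hostname"},
}
HOST = {"listenOptions": {"identity": "$tunneler_id.name"}}


def terminator_identity(tunneler_name):
    """Identity a binding tunneler registers its terminator under (host.v1 listenOptions)."""
    return HOST["listenOptions"]["identity"].replace("$tunneler_id.name", tunneler_name)


def intercepts(cfg, hostname, port, proto):
    """Assumed intercept match: wildcard address, port inside a range, listed protocol."""
    in_addr = any(fnmatch.fnmatch(hostname, pattern) for pattern in cfg["addresses"])
    in_port = any(r["low"] <= port <= r["high"] for r in cfg["portRanges"])
    return in_addr and in_port and proto in cfg["protocols"]


def dial_identity(cfg, hostname, port, proto="tcp"):
    """Terminator identity the dialing tunneler requests for this connection, or None
    when the traffic is not intercepted at all."""
    if not intercepts(cfg, hostname, port, proto):
        return None
    return cfg["dialOptions"]["identity"].replace("$dst_hostname", hostname)


def select_terminators(terminators, wanted):
    """Addressable selection: only terminators with the requested identity are candidates.
    An empty result means the dial cannot be routed; it does not fall back to other hosts."""
    return [t for t in terminators if t["identity"] == wanted]


def symmetric_roles(bind_policy, dial_policy):
    """True when the same identity roles may both bind and dial (the thread's symmetric setup)."""
    return bool(set(bind_policy["identityRoles"]) & set(dial_policy["identityRoles"]))


if __name__ == "__main__":
    # Two desktops bound with the thread's identity names (constructed sample).
    bound = [{"identity": terminator_identity(n)} for n in ("client1.ziti.net", "client2.ziti.net")]
    wanted = dial_identity(INTERCEPT, "client2.ziti.net", 8000)
    print(wanted, select_terminators(bound, wanted))
```

Dialing a hostname that no identity is bound under yields no candidates, which is the behaviour to expect when a name is mistyped or the target tunneler is offline.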

Hey @rcsoleng thanks for the answer!

I was able to get this working with the examples you provided, but when I tried it on a clustered setup I wasn't able to get it to work.

Any ideas if this should work in a clustered setup? I double- and triple-checked, and everything should match my non-clustered setup where I was able to get it to work.