@dmuensterer wrt to your question about a specific deployment scenario, where you want to intercept all traffic at your remote client, or at least sessions to private applications hosted in the private datacenter, there are a couple of deployment architectures depicted there that fit your use case, and it depends what you mean by all.
- Client to router
- Client to host
- All means internet and private destinations - client to router; internet destinations would be forwarded to the internet destination through some type of Secure Internet Gateway located in the data center, private destinations would be forwarded to servers located inside the data center. Advanced service that includes all Public and 1918 IP space. Service configuration for intercept.v1 would look something like this:
{
"protocols":["tcp"],
"addresses":["64.0.0.0/3","168.0.0.0/6","176.0.0.0/4","208.0.0.0/4","0.0.0.0/5","24.0.0.0/5","32.0.0.0/5","56.0.0.0/5","96.0.0.0/5","112.0.0.0/5","136.0.0.0/5","152.0.0.0/5","160.0.0.0/5","16.0.0.0/6","44.0.0.0/6","48.0.0.0/6","108.0.0.0/6","120.0.0.0/6","144.0.0.0/6","200.0.0.0/6","8.0.0.0/7","14.0.0.0/7","20.0.0.0/7","42.0.0.0/7","54.0.0.0/7","106.0.0.0/7","124.0.0.0/7","128.0.0.0/7","134.0.0.0/7","148.0.0.0/7","174.0.0.0/7","194.0.0.0/7","196.0.0.0/7","206.0.0.0/7","11.0.0.0/8","12.0.0.0/8","22.0.0.0/8","41.0.0.0/8","53.0.0.0/8","105.0.0.0/8","126.0.0.0/8","130.0.0.0/8","133.0.0.0/8","151.0.0.0/8","173.0.0.0/8","193.0.0.0/8","199.0.0.0/8","205.0.0.0/8","13.128.0.0/9","23.128.0.0/9","40.128.0.0/9","52.128.0.0/9","104.0.0.0/9","131.0.0.0/9","132.0.0.0/9","150.0.0.0/9","172.128.0.0/9","192.0.0.0/9","198.128.0.0/9","204.128.0.0/9","13.0.0.0/10","23.0.0.0/10","40.0.0.0/10","52.0.0.0/10","104.192.0.0/10","131.128.0.0/10","132.128.0.0/10","150.192.0.0/10","172.64.0.0/10","192.192.0.0/10","198.64.0.0/10","204.0.0.0/10","13.64.0.0/11","23.64.0.0/11","40.64.0.0/11","52.64.0.0/11","104.160.0.0/11","131.192.0.0/11","132.192.0.0/11","150.128.0.0/11","172.32.0.0/11","192.128.0.0/11","198.32.0.0/11","204.96.0.0/11","13.112.0.0/12","23.112.0.0/12","40.112.0.0/12","104.128.0.0/12","131.224.0.0/12","132.224.0.0/12","150.176.0.0/12","172.0.0.0/12","192.176.0.0/12","198.0.0.0/12","204.80.0.0/12","13.96.0.0/13","23.104.0.0/13","104.152.0.0/13","131.240.0.0/13","132.248.0.0/13","150.160.0.0/13","192.160.0.0/13","198.24.0.0/13","204.64.0.0/13","13.108.0.0/14","23.96.0.0/14","52.100.0.0/14","52.108.0.0/14","52.116.0.0/14","52.124.0.0/14","104.148.0.0/14","131.248.0.0/14","132.240.0.0/14","150.172.0.0/14","192.172.0.0/14","198.20.0.0/14","204.72.0.0/14","13.104.0.0/15","23.100.0.0/15","40.106.0.0/15","40.110.0.0/15","104.144.0.0/15","131.254.0.0/15","132.246.0.0/15","150.168.0.0/15","192.170.0.0/15","198.16.0.0/15","204.76.0.0/15","13.106.0.0/16","23.102.0.0/16","40.109.0.0/16","104.147.0.0/16","131.252.0.0/16","132.244.0.0/16","150.170.0.0/16","192.169.0.0/16","204.78.0.0/16","23.103.0.0/17","40.108.0.0/17","104.146.0.0/17","131.253.128.0/17","150.171.128.0/17","204.79.0.0/17","13.107.192.0/18","23.103.192.0/18","131.253.64.0/18","150.171.64.0/18","204.79.128.0/18","13.107.32.0/19","13.107.160.0/19","23.103.128.0/19","131.253.0.0/19","150.171.0.0/19","204.79.224.0/19","13.107.144.0/20","23.103.176.0/20","131.253.48.0/20","150.171.48.0/20","204.79.208.0/20","13.107.8.0/21","13.107.24.0/21","131.253.40.0/21","204.79.200.0/21","13.107.0.0/22","13.107.20.0/22","13.107.132.0/22","13.107.140.0/22","131.253.36.0/22","150.171.36.0/22","150.171.44.0/22","204.79.192.0/22","13.107.4.0/23","13.107.16.0/23","131.253.34.0/23","204.79.198.0/23","13.107.7.0/24","13.107.19.0/24","131.253.32.0/24","204.79.196.0/24"],
"portRanges":[{"low":443, "high":443},{"low":80, "high":80}]
}
- If all means only all private services - client to router as well, but obviously the service configuration would have fewer IP prefixes, i.e. only the entire 1918 IP space or perhaps some narrow range of specific IP subnets. The internet traffic would break out locally at the client.
{
"protocols":["tcp"],
"addresses":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"],
"portRanges":[{"low":443, "high":443},{"low":80, "high":80}]
}
- You could use router to host deployment for the all private services case as well, but then you would need to configure a service per destination, since each service would terminate on each host; more secure but a lot more services.
Also, the service configuration can contain URLs or wildcard URLs as well instead of IPs, or a mix of both.
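An added example (not code from the reply above or from the OpenZiti project) showing how an operator can sanity-check an intercept.v1-style config like the two in the reply: does a given protocol/destination/port fall inside the intercept, does a config that is meant to carry only private services accidentally reach public space (which would defeat the local internet breakout), and what does a long address list collapse to. The match logic (protocol, then address, then port range) is an assumption about the config's semantics, and both configs in the block are constructed for illustration; entries that are not IP literals or CIDRs are treated as the hostname/wildcard entries the reply mentions.

```python
"""Added example: auditing an intercept.v1-style service config.

Not code from the original reply or from OpenZiti; the configs below are
constructed and the matching rules are an assumed reading of the config shape.
"""
import ipaddress
import json

# Constructed: the "all private services" case from the reply.
PRIVATE_ONLY_CONFIG = json.loads("""
{
  "protocols": ["tcp"],
  "addresses": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
  "portRanges": [{"low": 443, "high": 443}, {"low": 80, "high": 80}]
}
""")

# Constructed: a config that mixes CIDRs, a wildcard name, a hostname, and one
# documentation range (192.0.2.0/24) that is NOT private space.
MIXED_CONFIG = {
    "protocols": ["tcp"],
    "addresses": ["10.0.0.0/9", "10.128.0.0/9", "192.0.2.0/24",
                  "*.internal.example", "intranet.example"],
    "portRanges": [{"low": 80, "high": 80}],
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_addresses(config):
    """Split the addresses list into CIDR networks and non-IP (name/wildcard) entries.

    Whitespace is tolerated because a stray space inside a CIDR string is an
    easy copy/paste mistake in these lists.
    """
    nets, names = [], []
    for entry in config["addresses"]:
        entry = entry.strip()
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry)
    return nets, names


def intercepts(config, protocol, dest, port):
    """True if protocol/dest/port would be captured: protocol listed, dest inside
    some CIDR entry, and port inside some portRanges entry (assumed semantics)."""
    if protocol not in config["protocols"]:
        return False
    addr = ipaddress.ip_address(dest)
    nets, _ = parse_addresses(config)
    if not any(addr in n for n in nets):
        return False
    return any(r["low"] <= port <= r["high"] for r in config["portRanges"])


def leaks_public_space(config):
    """Return CIDR entries that are not fully inside RFC 1918 space.

    For a "private services only" config these are the entries that would pull
    internet-bound traffic into the tunnel instead of letting it break out locally.
    """
    nets, _ = parse_addresses(config)
    return [str(n) for n in nets
            if not any(n.version == 4 and n.subnet_of(p) for p in RFC1918)]


def collapsed(config):
    """Merge adjacent and overlapping CIDRs so a long list (like the public-space
    one in the reply) can be audited as a short, sorted list of prefixes."""
    nets, _ = parse_addresses(config)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("10.1.2.3:443 intercepted:", intercepts(PRIVATE_ONLY_CONFIG, "tcp", "10.1.2.3", 443))
    print("public leaks in private-only config:", leaks_public_space(PRIVATE_ONLY_CONFIG))
    print("public leaks in mixed config:", leaks_public_space(MIXED_CONFIG))
    print("mixed config collapsed:", collapsed(MIXED_CONFIG))
    print("non-IP entries:", parse_addresses(MIXED_CONFIG)[1])
```

Running `leaks_public_space` against the reply's first (public + 1918) config is expected to report almost every entry, which is the point of that config; against the second it should report nothing, and if it does, the client will not be breaking internet traffic out locally as intended.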