Multihop Scenario
Users may need to connect from their remote device to one or more intermediate hops before they finally access their target environment. These hops may be inside or outside your organization and may involve multiple DMZ structures. At any point along these hops, you may want to know information from the remote device or from one of the intermediate hops. deviceTRUST supports different multi-hop scenarios to facilitate this:
Managed Hops
The Managed Hops scenario brings information from a client machine to a target machine, passing over one or more hops. On the target, context will be evaluated and actions will be executed.
In this scenario, all hops as well as the target require a licensed deviceTRUST Agent to be installed and configured.
The following configuration elements are required:
Machine | Software Components | Configuration |
---|---|---|
Client | deviceTRUST Client Extension | None |
Hop1 | deviceTRUST Client Extension, deviceTRUST Agent | Evaluate properties |
Hop2 - HopN | deviceTRUST Client Extension, deviceTRUST Agent | Forward properties |
Target | deviceTRUST Agent | Build context; Run actions |
This is how the implementation looks from an architectural view:
A reference configuration can be found in our GitHub repository and can be used as a base for your implementation. The configurations are described within GitHub.
Unmanaged Hops
The Unmanaged Hops scenario brings information from a remote device directly to a target machine, passing over one or more intermediate hops. On the target, context will be evaluated and actions will be executed.
In this scenario, only the target requires a licensed deviceTRUST Agent to be installed and configured. The hops use a special function of the deviceTRUST Client Extension (available from version 23.1.100) to forward the properties.
If any of the deviceTRUST Client Extensions do not recognize a local deviceTRUST Agent, they will attempt to communicate further upstream. A secure channel will be established between the deviceTRUST Agent and the deviceTRUST Client Extension on the user’s remote device.
A subset of the properties from the intermediate hops can also be requested. These properties include:
- deviceTRUST - The Version property.
- Domain - All properties.
- Name - All properties.
- User - The Name, Domain, Domain DNS, Distinguished Name, Sid and Domain Logon properties.
The following configuration elements are required:
Machine | Software Components | Configuration |
---|---|---|
Client | deviceTRUST Client Extension | None |
Hop1 - HopN | deviceTRUST Client Extension | None |
Target | deviceTRUST Agent | Evaluate properties; Build context based on properties; Run actions |
This is how the implementation looks from an architectural view:
A reference configuration can be found in our GitHub repository and can be used as a base for your implementation. The configurations are described within GitHub.
Managed Hops with Properties
This scenario extends the Managed Hops scenario with additional properties from the intermediate hops. deviceTRUST can gather data from any hop in a multi-hop scenario and use the information on any subsequent hop and the target.
You might want to know when accessing the target session that a user only hopped over machines that are joined to your domain and thus controlled and secured by your organization. Or you could make sure the user took a pre-defined path, hopping through your DMZ structure. These scenarios would require evaluating information not only on the user’s device but also on the hops along the chain.
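The two checks described above (every hop joined to your domain, and the user following a pre-defined path through the DMZ) can be modelled as policies evaluated over the chain of hop properties on the target. The following is an added, hypothetical example in Python; it is not deviceTRUST's own configuration format or API. It assumes each hop reports the property groups the page lists (deviceTRUST Version, Domain, Name, User), and the domain names, hostnames, SIDs and action names are constructed placeholders.

```python
"""Constructed model of evaluating multi-hop properties on the target.

Hypothetical example: it does not use deviceTRUST's configuration format or
APIs. It models the hop properties named on the page (deviceTRUST Version,
Domain, Name, User) and evaluates three policies on the target: every hop is
joined to a trusted domain, the hops were traversed in a pre-defined order
through the DMZ, and the same user identity was used on every hop.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HopProperties:
    """Subset of properties a hop reports (grouped as on the page)."""
    name: str               # Name property (hostname of the hop)
    domain: Optional[str]   # Domain property; None for a workgroup machine
    user_sid: str           # User: Sid property
    dt_version: str         # deviceTRUST: Version property


# Constructed policy values; replace with your own domain and DMZ path.
TRUSTED_DOMAINS = frozenset({"corp.example"})
EXPECTED_PATH = ("dmz-gw01.corp.example", "jump01.corp.example")


def build_context(hops: list[HopProperties]) -> dict:
    """Evaluate the hop chain and return the context the target acts on."""
    violations = []

    # Policy 1: every intermediate hop must be joined to a trusted domain.
    for hop in hops:
        if hop.domain is None or hop.domain.lower() not in TRUSTED_DOMAINS:
            violations.append(f"untrusted hop: {hop.name} (domain={hop.domain})")

    # Policy 2: the hops must match the pre-defined DMZ path, in order.
    actual_path = tuple(h.name.lower() for h in hops)
    if actual_path != tuple(p.lower() for p in EXPECTED_PATH):
        violations.append(f"unexpected path: {' -> '.join(actual_path) or '<none>'}")

    # Policy 3: the same user identity must have been used on every hop.
    sids = {h.user_sid for h in hops}
    if len(sids) > 1:
        violations.append(f"user identity changed along the chain: {sorted(sids)}")

    return {
        "hop_count": len(hops),
        "trusted_path": not violations,
        "violations": violations,
    }


def run_actions(context: dict) -> list[str]:
    """Map the evaluated context to actions (action names are placeholders)."""
    if context["trusted_path"]:
        return ["allow_session"]
    return ["log_violations", "disconnect_session"]


# Constructed sample chains: one compliant, one that breaks all three policies.
GOOD_CHAIN = [
    HopProperties("dmz-gw01.corp.example", "corp.example", "S-1-5-21-1-2-3-1001", "23.1.100"),
    HopProperties("jump01.corp.example", "corp.example", "S-1-5-21-1-2-3-1001", "23.1.100"),
]
BAD_CHAIN = [
    HopProperties("dmz-gw01.corp.example", "corp.example", "S-1-5-21-1-2-3-1001", "23.1.100"),
    HopProperties("kiosk-77", None, "S-1-5-21-9-9-9-500", "23.1.100"),  # workgroup box, off-path
]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        ctx = build_context(chain)
        print(label, ctx["trusted_path"], run_actions(ctx), ctx["violations"])
```

An empty chain (no hop properties received at all) also fails the path policy, so a target that never receives forwarded properties does not silently evaluate as trusted.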
The following configuration elements are required:
Machine | Software Components | Configuration |
---|---|---|
Client | deviceTRUST Client Extension | None |
Hop1 - HopN | deviceTRUST Client Extension, deviceTRUST Agent | Evaluate remote properties; Evaluate local properties; Evaluate multi-hop properties; Build context; Run actions; Push properties forward |
Target | deviceTRUST Agent | Evaluate remote properties; Evaluate multi-hop properties; Build context; Run actions |
This is how the implementation looks from an architectural view:
A reference configuration can be found in our GitHub repository and can be used as a base for your implementation. The configurations are described within GitHub.