deviceTRUST 23.1.210 for Windows and the deviceTRUST Client Extension 23.1.200 for IGEL OS 12 and macOS are now available.

Multihop Scenario

Users may need to connect from their remote device through one or more intermediate hops before they finally reach their target environment. These hops may be inside or outside your organization and may involve multiple DMZ structures. At any point along the chain, you may want to know information about the remote device or about one of the intermediate hops. deviceTRUST supports three Multi-Hop scenarios to facilitate this:

  1. Managed Hops
  2. Unmanaged Hops
  3. Managed Hops with Properties

Managed Hops

The Managed Hops scenario brings information from a client machine to a target machine, passing over one or more hops. On the target, the context is evaluated and actions are executed.

In this scenario, all hops as well as the target require a licensed deviceTRUST Agent to be installed and configured.

The following configuration elements are required:

Machine      | Software Components                             | Configuration
Client       | deviceTRUST Client Extension                    | None
Hop1         | deviceTRUST Client Extension, deviceTRUST Agent | Evaluate properties
Hop2 - HopN  | deviceTRUST Client Extension, deviceTRUST Agent | Forward properties
Target       | deviceTRUST Agent                               | Build context; Run actions

This is how the implementation looks from an architectural view:

Figure: Managed Hops

A reference configuration can be found in our GitHub repository and can serve as a base for your implementation. The configurations are described within GitHub.

Unmanaged Hops

The Unmanaged Hops scenario brings information from a remote device directly to a target machine, passing over one or more intermediate hops. On the target, the context is evaluated and actions are executed.

In this scenario, only the target requires a licensed deviceTRUST Agent to be installed and configured. The hops use a special function of the deviceTRUST Client Extension (available from version 23.1.100) to forward the properties.

If a deviceTRUST Client Extension does not detect a local deviceTRUST Agent, it attempts to communicate further upstream. A secure channel is then established between the deviceTRUST Agent and the deviceTRUST Client Extension on the user’s remote device.

A subset of the properties from the intermediate hops can also be requested. These properties include:

  • deviceTRUST - The Version property.
  • Domain - All properties.
  • Name - All properties.
  • User - The Name, Domain, Domain DNS, Distinguished Name, Sid and Domain Logon properties.

The following configuration elements are required:

Machine      | Software Components          | Configuration
Client       | deviceTRUST Client Extension | None
Hop1 - HopN  | deviceTRUST Client Extension | None
Target       | deviceTRUST Agent            | Evaluate properties; Build context based on properties; Run actions

This is how the implementation looks from an architectural view:

Figure: Multihop with Unmanaged Hops

A reference configuration can be found in our GitHub repository and can serve as a base for your implementation. The configurations are described within GitHub.

Managed Hops with Properties

This scenario extends the Managed Hops scenario with additional properties from the intermediate hops. deviceTRUST can gather data from any hop in a multi-hop scenario and use the information on any subsequent hop and the target.

You might want to know when accessing the target session that a user only hopped over machines that are joined to your domain and thus controlled and secured by your organization. Or you could make sure the user took a pre-defined path, hopping through your DMZ structure. These scenarios would require evaluating information not only on the user’s device but also on the hops along the chain.
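As an added illustration of the two checks just described (every hop domain-joined, and a predefined path through the DMZ), the following Python sketch evaluates a chain of per-hop properties on the target. It is not deviceTRUST's configuration format or code; the domain name, hop names and the chains are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HopProperties:
    """Subset of properties a hop can report: Name, Domain and the User's Domain."""
    name: str         # machine name reported by the hop
    domain: str       # machine domain; "" when the hop is not domain-joined
    user_domain: str  # domain of the user logged on at that hop


TRUSTED_DOMAIN = "corp.example"                      # assumption: the organization's domain
EXPECTED_PATH = ["dmz-jump01", "internal-jump01"]     # assumption: predefined DMZ path


def all_hops_domain_joined(hops, trusted_domain=TRUSTED_DOMAIN):
    """True only if every hop, and the user session on it, belongs to the trusted domain."""
    return all(h.domain.lower() == trusted_domain and h.user_domain.lower() == trusted_domain
               for h in hops)


def followed_expected_path(hops, expected_path):
    """True only if the hop names match the predefined path, in order and with no extras."""
    return [h.name.lower() for h in hops] == [n.lower() for n in expected_path]


def evaluate_chain(hops, expected_path=EXPECTED_PATH):
    """Decide the target-side action from the multi-hop context; fail closed on missing data."""
    if not hops:
        return "deny: no multi-hop properties received"
    if not all_hops_domain_joined(hops):
        return "deny: untrusted hop in chain"
    if not followed_expected_path(hops, expected_path):
        return "restrict: unexpected hop path"
    return "allow"


# Constructed sample chains as they would arrive at the target.
GOOD_CHAIN = [HopProperties("dmz-jump01", "corp.example", "corp.example"),
              HopProperties("internal-jump01", "corp.example", "corp.example")]
UNTRUSTED_CHAIN = [HopProperties("dmz-jump01", "corp.example", "corp.example"),
                   HopProperties("contractor-pc", "", "contractor-pc")]
WRONG_PATH = [HopProperties("internal-jump01", "corp.example", "corp.example")]

if __name__ == "__main__":
    for label, chain in [("good", GOOD_CHAIN), ("untrusted", UNTRUSTED_CHAIN),
                         ("wrong path", WRONG_PATH), ("empty", [])]:
        print(f"{label}: {evaluate_chain(chain)}")
```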

The following configuration elements are required:

Machine      | Software Components                             | Configuration
Client       | deviceTRUST Client Extension                    | None
Hop1 - HopN  | deviceTRUST Client Extension, deviceTRUST Agent | Evaluate remote properties; Evaluate local properties; Evaluate multi-hop properties; Build context; Run actions; Push properties forward
Target       | deviceTRUST Agent                               | Evaluate remote properties; Evaluate multi-hop properties; Build context; Run actions

This is how the implementation looks from an architectural view:

Figure: Managed Hops and Intermediate Properties

A reference configuration can be found in our GitHub repository and can serve as a base for your implementation. The configurations are described within GitHub.