NAT Gateway
Access you need, when you need it
As cybersecurity threats continue to grow, more organisations are enforcing stricter access controls on their edge networks. In some cases, the Unified Control Node (UCN) only has access to the Unified Control Hub via port 5671/tcp. No other access is allowed through the local firewall. We expect this trend to continue as stricter governance and oversight are mandated by governments around the world.
While the UCN can operate with just this one port, there are still some UCN services that require occasional "internet" access in order to function correctly. These include:
Software installation from trusted repositories (HTTPS)
Plugins
Security patches
Virus definition updates (HTTPS)
Clock synchronization (NTP)
Large file transfers from the Unified Control Hub (SFTP)
These services are what NAT Gateway aims to enable. By providing specific and temporary access to these services, UCNs can offer their full functionality without compromising the integrity of the local network.
Access
Leveraging the existing connection between the Message Broker and the UCN, the NAT Gateway creates a virtual pathway to deliver the required patches, files and updates.
Traffic to and from each UCN is carried in its own unique context, preventing any chance of "cross talk" between connections. Access to the NAT Gateway is given on a per-device basis from the NETWORK SETTINGS -> ACCESS menu item. We recommend stopping the service as soon as the required actions are complete.
Control
This pathway is closed by default and cannot be initiated by the UCN. Privileged users in a workgroup can turn on the NAT Gateway for a maximum of 30 minutes.
Disable NAT Gateway for specific devices
NAT Gateway is an optional workgroup add-on to assist with keeping UCNs synchronized, patched and up to date. If you don't already have it, it can be enabled by speaking with your Account Manager. Once NAT Gateway is available in a given workgroup, you have the choice of restricting which UCNs can use the service.
Step 1: Create a Device Group
Browse to Admin -> Workgroups -> Device Groups. Create a new Device Group by following the Device Groups guide.
Step 2: Update the NAT Gateway access
Browse to Admin -> Access -> API tokens.
Find "NAT Gateway" in the list of "Devices with API Access", click Edit, select the new Device Group and click Update.