Configuring ACL rules for the iSCSI targets provisioned by StarWind Virtual SAN lets you meet security requirements or keep targets isolated when multiple environments are served from the same storage on a StarWind Virtual SAN server.
Configuring Global Access Rights Rules
By default, if no HA devices are configured on the server, a StarWind VSAN server has only one access rule: DefaultAccessPolicy. This rule allows all connections from all servers to all targets via all network interfaces and does not restrict access to any target or interface in any way. The Access Rights view for a standalone StarWind device is shown in the screenshot below.
When HA devices are created on the StarWind VSAN node, the ACL rules for partner connections are added automatically as shown below.
Configuring Individual Access Rights Rules
If a target should be accessed from certain hosts and through certain network interfaces only, a separate rule can be created.
1. Right-click on the Access Rights pane and select Add Rule.
2. In the popup window, type in the rule name and select the Set to “Allow” checkbox.
3. In the Source tab, where the source is a server that connects to a StarWind target, click Add and choose the required option.
NOTE: Here, server IQNs will be used for configuring the connection source. To obtain the server IQN, open Microsoft iSCSI Initiator and navigate to the Configuration tab:
Alternatively, run the following PowerShell command:
4. Type in the IQN name of the server to be allowed to connect to the StarWind VSAN targets.
5. Perform the same action for each of the servers that are expected to connect to the StarWind target. The Source tab will look similar to the screenshot below:
6. Open the Destination tab, press Add to select the target on the StarWind VSAN server allowed to be connected to, and press OK.
NOTE: Multiple targets can be configured within the same ACL rule. If no target is set explicitly, the rule applies to all targets.
7. In the Interface tab, specify the IP address(es) allowed to accept connections to the StarWind VSAN target. By default, all interfaces are allowed to be used in the newly created rule. If only dedicated interfaces are intended to be used for connecting to the targets, select the required interfaces from the dropdown list in the popup window:
NOTE: The loopback address 127.0.0.1 should be added for the Hyper-V hyperconverged scenario. For any other configuration scenario, this IP address is not required.
8. Add the IP address of the StarWind VSAN server interface intended for data exchange:
9. When all required IP addresses are added to the rule, press OK to confirm the rule creation.
10. Once all required rules are configured with the Allow checkbox selected, all other connections can be restricted. To do this, double-click the DefaultAccessPolicy rule and uncheck the Set to “Allow” checkbox. This blocks every connection that is not explicitly permitted by the rules preceding DefaultAccessPolicy. Press OK to confirm.
11. To apply the newly configured rules to all iSCSI sessions and make sure that only necessary sessions are connected, restart the StarWind VSAN service on the node where changes have been introduced. If an HA setup is used, make sure that similar rules are configured on the partner server(s).
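The following PowerShell script is an added example and is not StarWind's own code or part of the StarWindX module; it covers two points of the procedure above from the initiator (client) side using only the built-in Windows iSCSI cmdlets (Get-InitiatorPort, Get-IscsiSession, Get-IscsiConnection). First, it reads the local initiator IQN that is typed into the Source tab in step 4. Second, after the rules are applied and the service is restarted (step 11), it mirrors the intended rule as plain data and checks every active iSCSI session and its TCP connections against that data, so a session that reaches a target or a server interface outside the rule stands out. The rule name, IQNs and IP addresses are constructed placeholders, and the rule itself is still created in the StarWind console as described in steps 1 to 11; the script does not modify StarWind configuration.

```powershell
# Added example, not StarWind's own code. Built-in Windows iSCSI cmdlets only.
# All IQNs, IP addresses and the rule name below are constructed placeholders.

# Step 4 helper: the local initiator IQN, i.e. the value entered in the Source tab.
function Get-LocalInitiatorIqn {
    (Get-InitiatorPort | Where-Object { $_.ConnectionType -eq 'iSCSI' }).NodeAddress
}

# The intended ACL rule, mirrored as data so live sessions can be checked against it.
# Sources = initiator IQNs, Targets = StarWind target IQNs, Interfaces = server IPs
# allowed to accept connections (the Interface tab).
$Rule = @{
    Name       = 'Cluster-Nodes-Allow'                                 # constructed
    Allow      = $true
    Sources    = @('iqn.1991-05.com.microsoft:node1.example.local',   # constructed
                   'iqn.1991-05.com.microsoft:node2.example.local')
    Targets    = @('iqn.2008-08.com.starwindsoftware:sw-node1-csv1')  # constructed
    Interfaces = @('10.10.20.11')                                      # constructed
}

# Flatten live sessions into one record per TCP connection: who connected,
# to which target, through which server address.
function Get-LiveIscsiRecords {
    Get-IscsiSession | Where-Object { $_.IsConnected } | ForEach-Object {
        $session = $_
        Get-IscsiConnection -IscsiSession $session | ForEach-Object {
            [pscustomobject]@{
                InitiatorIqn  = $session.InitiatorNodeAddress
                TargetIqn     = $session.TargetNodeAddress
                TargetAddress = $_.TargetAddress
            }
        }
    }
}

# Compare each record with the rule. Anything returned with Allowed = $false is a
# session the ACL should have rejected (or a rule that is wider than intended).
function Test-IscsiRecordsAgainstRule {
    param(
        [Parameter(Mandatory)] [hashtable] $Rule,
        [Parameter(Mandatory)] [object[]]  $Records
    )
    foreach ($r in $Records) {
        $sourceOk    = $r.InitiatorIqn  -in $Rule.Sources
        $targetOk    = $r.TargetIqn     -in $Rule.Targets
        $interfaceOk = $r.TargetAddress -in $Rule.Interfaces
        $reasons = @()
        if (-not $sourceOk)    { $reasons += 'initiator not in Sources' }
        if (-not $targetOk)    { $reasons += 'target not in Targets' }
        if (-not $interfaceOk) { $reasons += 'server interface not in Interfaces' }
        [pscustomobject]@{
            InitiatorIqn  = $r.InitiatorIqn
            TargetIqn     = $r.TargetIqn
            TargetAddress = $r.TargetAddress
            Allowed       = ($reasons.Count -eq 0)
            Reason        = ($reasons -join '; ')
        }
    }
}

# Constructed sample records so the check can be read and run without a live SAN:
# one compliant session, one over a management-network address the rule does not
# list, and one to a target the rule does not cover.
$SampleRecords = @(
    [pscustomobject]@{ InitiatorIqn = 'iqn.1991-05.com.microsoft:node1.example.local'
                       TargetIqn = 'iqn.2008-08.com.starwindsoftware:sw-node1-csv1'
                       TargetAddress = '10.10.20.11' },
    [pscustomobject]@{ InitiatorIqn = 'iqn.1991-05.com.microsoft:node2.example.local'
                       TargetIqn = 'iqn.2008-08.com.starwindsoftware:sw-node1-csv1'
                       TargetAddress = '10.10.30.11' },
    [pscustomobject]@{ InitiatorIqn = 'iqn.1991-05.com.microsoft:node1.example.local'
                       TargetIqn = 'iqn.2008-08.com.starwindsoftware:sw-node1-witness'
                       TargetAddress = '10.10.20.11' }
)

"Local initiator IQN (step 4): " + (Get-LocalInitiatorIqn)
"Sample check against rule '$($Rule.Name)':"
Test-IscsiRecordsAgainstRule -Rule $Rule -Records $SampleRecords | Format-Table -AutoSize

# Live check on an initiator host after step 11 (returns nothing if no sessions exist).
$live = @(Get-LiveIscsiRecords)
if ($live.Count -gt 0) {
    "Live sessions on this host:"
    Test-IscsiRecordsAgainstRule -Rule $Rule -Records $live | Format-Table -AutoSize
}
```

Run the script on each server that is expected to connect; with the sample data the second and third records come back with Allowed = False, which is the same shape of output to look for in the live section. Because the check runs on the initiator, it only sees that host's own sessions, so the Sources field of the rule is effectively verified by running the script on every listed server, while the Targets and Interfaces fields are verified by the records themselves. In an HA setup, repeat it against each partner server's targets, since the rules are configured per node.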