September, 20 1pm PT
Live StarWind presentation
Meet industry-first
software-defined NVMe
over Fabrics
Target and Initiator
for Microsoft Hyper-V and
VMware vSphere

StarWind Virtual SAN®
Configuring Access Control List (ACL) Rules

Published: September 14, 2018

INTRODUCTION

This guide has been written for experienced Windows Server users or system administrators. It provides detailed instructions on how to configure the ACL rules for the StarWind Virtual SAN provisioned iSCSI targets, which allows complying with security requirements or keeping targets separated in case multiple environments are served with the same storage based on the StarWind Virtual SAN server.

StarWind Virtual SAN is a hardware-less storage solution that creates a fully fault-tolerant and high-performing storage pool built for the virtualization workloads by mirroring existing server storage and RAM between the participating storage cluster nodes. The mirrored storage resource is then treated just as a local storage. StarWind Virtual SAN ensures a simple configuration of a highly-available shared storage for SoFS and delivers excellent performance and advanced data protection features.

A full set of up-to-date technical documentation can always be found here, or by pressing the Help button in the StarWind Management Console.

For any technical inquiries please visit our online community, Frequently Asked Questions page, or use the support form to contact our technical support department. Also, you can invoke Technical Support directly from StarWind VSAN Help.

Configuring Global Access Rights Rules

By default, if no HA devices are configured on the server, a StarWind VSAN server has only one access rule added. It is DefaultAccessPolicy. This rule is the basic one and it allows for all connections from all servers to all targets via all network interfaces. It does not restrict access to any target or interface in any way.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

When HA devices are created on the StarWind VSAN node, the ACL rules for partner connections are added automatically as shown below.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

Configuring Individual Access Rights Rules

If security requirements require that access to a target needs to be allowed from certain hosts and through certain network interfaces only, a separate rule can be created.

1.Right-click in the Access Rights pane and select Add Rule.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

2. In the popup window, type in the rule name and set the Set to “Allow” checkbox.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

3. In the Source tab, where source is a server that connects to a StarWind target, click on Add and choose the option from the three options available.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

NOTE: For the purpose of this guide, server IQNs will be used for configuring the connection source. To obtain the server IQN, open Microsoft iSCSI Initiator and go to the Configuration tab:

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

Alternatively, run the following PowerShell command:

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

4. Type in the IQN name of the server to be allowed to connect to the StarWind VSAN targets.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

5. Perform the same action for each of the servers that are expected to connect to the StarWind target. In the end, the Source tab will look similar to the picture below:

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

6. In the Destination tab, press Add to select the target from the list of the targets on the StarWind VSAN server allowed to be connected to and press OK.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

Multiple targets can be configured within the same ACL rule:

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

NOTE: All targets are allowed to be connected to if no target is set explicitly.

7. In the Interface tab, specify the IP address(es) allowed to accept connections to the StarWind VSAN target. By default, all interfaces are allowed to be used in the newly created rule. If only dedicated interfaces are intended to be used for connecting to the targets, select the required interfaces from the dropdown list in the popup window:

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

NOTE: Loopback address 127.0.0.1 shall be added for the Hyper-V hyperconverged setup scenario. For any other configuration scenario, this IP address is not required.

8. Add the IP address of the StarWind VSAN server interface intended for data exchange:

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

9. When all required IP addresses are added to the rule, press OK to confirm the rule creation.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

10. Once all required rules are configured with the Allow checkbox ticked, all other connections can be restricted. To do so, double-click the DefaultAccessPolicy rule and uncheck the Set to “Allow” checkbox. Press OK to confirm.

<strong>StarWind Virtual SAN<sup>®</sup></strong>  Configuring Access Control List (ACL) Rules

This will disallow all connections that are not explicitly configured in the rules preceding DefaultAccessPolicy.

11. To apply the newly configured rules to all iSCSI sessions and make sure that only necessary sessions are connected, restart the StarWind VSAN service on the node where changes have been introduced. If a HA setup is used, make sure that similar rules are configured on the partner server(s).

CONCLUSION

The guide has shown a complete configuration process of the ACL rule for a StarWind Virtual SAN server. With the help of this and similar rules, the environment can be kept clean and secure, with only allowed servers being able to connect to the iSCSI targets provisioned by StarWind Virtual SAN.