StarWind Virtual SAN®
Configuring Access Control List (ACL) Rules

Published: September 14, 2018

INTRODUCTION

This guide is written for experienced Windows Server users and system administrators. It provides detailed instructions on how to configure ACL rules for the iSCSI targets provisioned by StarWind Virtual SAN. Such rules help comply with security requirements and keep targets separated when multiple environments are served by the same storage based on a StarWind Virtual SAN server.

StarWind Virtual SAN is a hardware-less storage solution that creates a fully fault-tolerant and high-performing storage pool built for virtualization workloads by mirroring existing server storage and RAM between the participating storage cluster nodes. The mirrored storage resource is then treated just like local storage. StarWind Virtual SAN ensures a simple configuration of highly-available shared storage for SoFS and delivers excellent performance and advanced data protection features.

A full set of up-to-date technical documentation can always be found here, or by pressing the Help button in the StarWind Management Console.

For any technical inquiries please visit our online community, Frequently Asked Questions page, or use the support form to contact our technical support department. Also, you can invoke Technical Support directly from StarWind VSAN Help.

Configuring Global Access Rights Rules

By default, if no HA devices are configured on the server, a StarWind VSAN server has only one access rule: DefaultAccessPolicy. This basic rule allows all connections from all servers to all targets via all network interfaces. It does not restrict access to any target or interface in any way.

When HA devices are created on the StarWind VSAN node, the ACL rules for partner connections are added automatically as shown below.

Configuring Individual Access Rights Rules

If security requirements dictate that access to a target be allowed only from certain hosts and only through certain network interfaces, a separate rule can be created.

1. Right-click in the Access Rights pane and select Add Rule.

2. In the popup window, type in the rule name and select the Set to “Allow” checkbox.

3. In the Source tab (the source is a server that connects to a StarWind target), click Add and choose one of the three available options.

NOTE: For the purpose of this guide, server IQNs will be used for configuring the connection source. To obtain the server IQN, open Microsoft iSCSI Initiator and go to the Configuration tab:

Alternatively, run the following PowerShell command:

4. Type in the IQN name of the server to be allowed to connect to the StarWind VSAN targets.

5. Perform the same action for each of the servers that are expected to connect to the StarWind target. In the end, the Source tab will look similar to the picture below:

6. In the Destination tab, press Add, select the target that the servers are allowed to connect to from the list of targets on the StarWind VSAN server, and press OK.

Multiple targets can be configured within the same ACL rule:

NOTE: If no target is set explicitly, connections to all targets are allowed.

7. In the Interface tab, specify the IP address(es) allowed to accept connections to the StarWind VSAN target. By default, all interfaces are allowed to be used in the newly created rule. If only dedicated interfaces are intended to be used for connecting to the targets, select the required interfaces from the dropdown list in the popup window:

NOTE: Loopback address 127.0.0.1 shall be added for the Hyper-V hyperconverged setup scenario. For any other configuration scenario, this IP address is not required.

8. Add the IP address of the StarWind VSAN server interface intended for data exchange:

9. When all required IP addresses are added to the rule, press OK to confirm the rule creation.

10. Once all required rules are configured with the Allow checkbox ticked, all other connections can be restricted. To do so, double-click the DefaultAccessPolicy rule and uncheck the Set to “Allow” checkbox. Press OK to confirm.

This will disallow all connections that are not explicitly configured in the rules preceding DefaultAccessPolicy.

11. To apply the newly configured rules to all iSCSI sessions and make sure that only necessary sessions are connected, restart the StarWind VSAN service on the node where changes have been introduced. If an HA setup is used, make sure that similar rules are configured on the partner server(s).
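The IQN lookup from the note in step 3 and a post-restart check for step 11, as an added example that is not part of the original guide or of StarWind's tooling. Host names and IP addresses are constructed placeholders, TCP port 3260 is the default iSCSI port and is assumed unchanged, and the connection check matches by IP address rather than by IQN.

```powershell
# Added example (not StarWind code). Host names and IP addresses are placeholders.

function Get-InitiatorIqn {
    # Returns the iSCSI initiator IQN of each host: the value typed into the
    # Source tab. On the local machine, (Get-InitiatorPort).NodeAddress is enough.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $cim = New-CimSession -ComputerName $name
        try {
            Get-InitiatorPort -CimSession $cim |
                Where-Object { $_.NodeAddress -like 'iqn.*' } |   # skip non-iSCSI ports
                ForEach-Object { [pscustomobject]@{ Server = $name; Iqn = $_.NodeAddress } }
        } finally {
            Remove-CimSession -CimSession $cim
        }
    }
}

function Get-UnexpectedIscsiConnection {
    # Run on the StarWind VSAN node after the service restart. Lists established
    # connections to the iSCSI port that arrive on an interface outside the
    # Interface tab list, or from a peer that no Allow rule was meant to cover.
    param(
        [Parameter(Mandatory)][string[]]$AllowedInterface,  # IPs from the Interface tab
        [Parameter(Mandatory)][string[]]$ExpectedPeer,      # initiator IPs (and HA partner IPs, if used)
        [int]$Port = 3260                                   # assumption: default iSCSI port
    )
    Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LocalAddress -notin $AllowedInterface -or
            $_.RemoteAddress -notin $ExpectedPeer
        } |
        Select-Object LocalAddress, RemoteAddress, RemotePort
}

# Constructed sample values: two Hyper-V hosts and one data interface.
Get-InitiatorIqn -ComputerName 'hv-node1', 'hv-node2'

$leftovers = Get-UnexpectedIscsiConnection `
    -AllowedInterface '127.0.0.1', '172.16.10.10' `
    -ExpectedPeer '127.0.0.1', '172.16.10.21', '172.16.10.22'
if ($leftovers) { $leftovers | Format-Table -AutoSize }
else { 'No unexpected iSCSI connections on this node.' }
```

Any row returned by the second function is a session that DefaultAccessPolicy was still admitting or that a rule covers more broadly than intended; review the Source and Interface tabs of the rule before treating it as expected.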

CONCLUSION

This guide has shown the complete process of configuring an ACL rule for a StarWind Virtual SAN server. With the help of this and similar rules, the environment can be kept clean and secure, with only allowed servers being able to connect to the iSCSI targets provisioned by StarWind Virtual SAN.