DxOdyssey Admin Guide
DH2i TCP Tunneling is a new way to access specific applications without the cost, complexity, and security risks of VPNs. DH2i TCP Tunneling is designed to scale across environments to build a secure hybrid/multi-cloud distributed application infrastructure from any platform to any platform, from any host to any host, anywhere. DH2i TCP Tunneling features:
Configuration and Management Simplicity
- Lightweight Windows or Linux install
- Simply install and connect
- No dedicated VPN routers
- No ACLs, no firewall rules
- No expensive cloud VPN services
Highest Level Security and Performance
- Application-level micro-tunneling
- Discreetly transports TCP payloads via UDP
- Eliminates lateral network attack surface
- Highly available, auto self-healing tunnels
- Invisible to port scanners
See the Tunnel Manager section below for details on how to configure a tunnel with DxOdyssey.
DxOdyssey uses Tunnel Groups to provide failover support and high availability. A tunnel group virtualizes the network name and IP address associated with a particular gateway. Rather than using the network name and IP address of an actual server, a group is created and assigned a unique name/IP-address pair. When the user configures a group, the user will need to specify at least one member and one tunnel to participate.
See the Tunnel Group Manager section below for details on how to configure a tunnel group with DxOdyssey.
DxOdyssey allows the user to create direct secure connections (tunnels) between two or more servers without the need for a VPN, expensive hardware, or data passing through a vendor portal. DxOdyssey transfers encrypted packages across system-assigned UDP ports so there is no need to open a TCP or UDP port to the internet. DxOdyssey can be used to create and manage heterogeneous Windows/Linux cross-platform connections. With DxOdyssey, data transfers securely between custom-designed tunnels. DH2i’s DxOdyssey uses a highly available proprietary cloud Matchmaking Service to keep connections alive, but no payload data is passed through the matchmaker – all data is directly encrypted between servers.
The following sections describe hardware and software requirements for DxOdyssey.
Minimal System Requirements
Physical/Virtual Server Requirements
DxOdyssey is hardware agnostic. Please follow operating system/application best practices to achieve performance expectations.
Supported Operating Systems
Below are the supported operating systems for DxOdyssey:
- Windows Server 2012, x64
- Windows Server 2012 R2, x64
- Windows Server 2016, x64
- Windows Server 2019, x64
- Windows 8 and above, x86 and x64 (DxConnect and DxOdyssey Clients Only)
- Red Hat Enterprise Linux 7.x (No native DxOdyssey Client)
- Red Hat Enterprise Linux 8.x (No native DxOdyssey Client)
- CentOS Linux 7.x (No native DxOdyssey Client)
- CentOS Linux 8.x (No native DxOdyssey Client)
- Ubuntu 16.04.x (No native DxOdyssey Client)
- Ubuntu 18.04.x (No native DxOdyssey Client)
- Ubuntu 20.04.x (No native DxOdyssey Client)
- Oracle Linux 7.x (No native DxOdyssey Client)
DxOdyssey Software requires .NET Framework 4.5.2 on Windows and .NET Core 3.1 on Linux. Please ensure that these packages are installed on your servers prior to installing DxOdyssey Software.
Network Configuration Guidelines
DxOdyssey uses a proprietary communications protocol based on TCP and UDP for its gateway group communication. To mitigate or remove the potential for heavy network traffic adversely affecting DxOdyssey communications, DH2i allows the use of a private or stand-alone network for DxOdyssey. This dedicated network can be created using a crossover cable for a two-server cloud or an Ethernet switch for groups or clouds comprised of three or more servers.
DxOdyssey Software requires internet access to register with the DH2i Matchmaking Service.
DxOdyssey supports the following network configurations:
- Multiple subnet ranges
To ensure proper communication between the gateway group members, the following guidelines should be observed.
A static entry for each member’s private IP should exist in the hosts file on each member.
Example hosts file (/etc/hosts):
192.168.1.101 gw1 #private IP
192.168.1.102 gw2 #private IP
“A” and “PTR” records are present in DNS for each group/IP for proper forward and reverse lookup. Dynamic DNS registration is not supported.
On Windows, ensure Register this computer’s addresses in DNS is unchecked for all network adapters under the properties for the interface. This prevents the virtual IP from being registered with DNS for the physical host. If this option is checked, it will cause resolution issues when the virtual IP moves between gateway group members.
Network ports used by DxOdyssey
- Open remotely:
  - TCP: 7979 – DxLMonitor
  - TCP: 7980 – DxCMonitor
  - UDP: 7980 – DxLMonitor
  - UDP: 7981 – DxCMonitor
  - TCP: 7985 – DxWebEngine
- Open locally:
  - 127.0.0.1:7804 – DxLEngine
Definitions, Acronyms, Abbreviations
Table 1-1 Acronyms & Abbreviations
| Term | Description |
|---|---|
| API | Application Program Interface. |
| Client | A remote client connecting to a tunnel. |
| Client Group | A group composed of one or more clients. |
| CIDR | Classless Inter-Domain Routing. |
| DxConnect | DH2i Client tool used to connect to a gateway tunnel. |
| GUI | Graphical User Interface. |
| IP | Internet Protocol. A numerical label assigned to each device connected to a computer network. |
| IPv4 | Internet Protocol version 4. IPv4 addresses have a size of 32 bits. |
| IPv6 | Internet Protocol version 6. IPv6 addresses have a size of 128 bits. |
| TCP | Transmission Control Protocol. |
| UDP | User Datagram Protocol. |
| VIP | Virtual IP address. |
| VPN | Virtual Private Network. |
Table 1-2 Definitions
| Term | Description |
|---|---|
| Gateway Group | The overall group of member servers. |
| Linux | The family of supported GNU/Linux operating systems. |
| Member | Members are devices, physical, virtual, or cloud on a larger network. A member is anything that has an IP address. |
| Process | A running application that resides in its own address space. |
| Screen | Refers to the display of related data. |
| Tunnel | Direct secure connection between two or more servers without the need for a VPN, expensive hardware, or data passing through a vendor portal. |
| Tunnel Group | A collection of tunnels and members that allows for virtual tunnel configuration. |
| Window | Refers to a panel with a border as defined in the Windows Operating System. Typically, a window can be opened, closed, resized and moved. A tabbed window is an example of a single window containing more than one screen. |
| Windows | The family of Microsoft Windows operating systems. |
Table 1-3 Tunnel Group Aliases
| Alias | Description |
|---|---|
| .ACTIVE | The active member in a tunnel group. |
| .INACTIVE | All inactive members in a tunnel group. |
| .ALL | All members in a gateway group. |
| .PART | Any member in the tunnel group. |
| .NONPART | Any member in the gateway group that is not in the tunnel group. |
| .NONDEST | Any member that is not the destination gateway. |
Installing and Configuring a New DxOdyssey Gateway Group
DxOdyssey leverages any OS, on any server, anywhere.
Pre-requisite procedure for a new DxOdyssey gateway group for Windows
- Install Windows and apply the latest patches. Consult Microsoft documentation for further details.
- Install Microsoft .NET Framework 4.5.2.
Pre-requisite procedure for a new DxOdyssey gateway group for Linux
- Install Linux and apply the latest updates. Consult Linux provider documentation for further details.
- Update the /etc/hosts file with IPs and host names for all members in the group.
- Install .NET Core 3.1 Runtime.
Installing and configuring the first server for a new DxOdyssey gateway group
- Install the DxOdyssey software.
- Activate the server.
- Create a tunnel and/or tunnel group.
Installing and configuring an additional server for a new DxOdyssey gateway group
- Install the DxOdyssey software.
- Join the additional server to an existing gateway group member.
- Join/participate in the tunnel group.
- Test failover/failback. (Optional).
Installing DxOdyssey Software for Linux
DxOdyssey can be installed on Linux either manually or using the DH2i Repository.
See the DxOdyssey Linux Installation Quick Start Guide for more information.
Installing DxOdyssey Software for Windows
See the DxOdyssey Windows Installation Quick Start Guide for more information.
Overview of DxOdyssey Client
The DxOdyssey Client is organized into multiple sections located in the Navigation Pane on the left side of the user interface and a Details Pane in the center that shows the details of a selection.
Each section is a distinct group of commands that perform a specific action.
The Navigation section contains the common management options available to a gateway group.
The main panel on the right-hand side of the user interface displays context-specific details depending on what is selected in other panes.
To connect to a server, click Connection Manager.
This will bring up the connection manager dialog. From here the user can enter the name or IP address of the target server and click Connect Server.
Server - The name or IP of the server to connect to. Localhost can be used to connect to the local server.
Pass Key - The pass key that is configured for the target connection.
Refresh - This button will refresh the data in DxOdyssey.
This section allows the user to manage gateway group members and license activation.
Set group coordinator - Click the check box labeled Coord in the Gateway Manager Entity View. This will set the member to be the gateway group coordinator. When a member is selected as the gateway group coordinator, it is responsible for coordinating gateway group communication between members.
Set app coordinator - Click the check box labeled App in the Gateway Manager Entity View. This will set the member to be the application service coordinator. When a member is selected as the application service coordinator, it is responsible for coordinating and maintaining the application command queue.
Gateway Manager Main Panel
The DxOdyssey Gateway Manager Membership section allows the user to define or join DxOdyssey gateway group members.
Update - When the Update button is selected or a gateway group member is double-clicked, the following dialog is displayed. The dialog allows one or more interfaces to be selected and ordered as appropriate.
When the OK button is clicked, the interfaces dialog will update and close. If there are multiple interfaces selected, the following dialog appears. This dialog lets the user order the interfaces from top to bottom; the interface placed at the top of the dialog will be the first interface selected for communication.
The asterisk (*) selection will cycle through the interfaces until there is a valid connection to the gateway group. No selection is valid after the asterisk, so all are ignored after the asterisk. These changes are reflected in the Gateway Manager display but are not committed until the Submit button is clicked.
Delete - This will delete the selected gateway group member in the grid of members and will also remove the member from the current gateway group. This change will only take effect after the Submit button at the bottom of the screen is clicked.
Resync Config - Resync Config will synchronize the configuration between all members. Be aware that this is a large task, so depending on the size of the gateway group it could take some time to complete.
Manage License - View, activate, or reactivate any gateway group member license.
Name - Each member in the gateway group will appear in its own row and show activation status of that member.
License Key - The license key used to activate the product.
Expiration Date - The last date the product can be used.
Support Date - The expiration of the support contract. The product may be used until the expiration date, but the ability to request customer service and receive new updates stops on the support date.
Is Valid - If the license is active this column will be checked. If not, select the member using the checkbox on the left side and click Activate.
Activate - Click to activate the selected servers.
Join Gateway Group - The Join Gateway Group option allows administrative re-assignment of the local server to another existing DxOdyssey gateway group.
Target Gateway Group Server - Enter the hostname or IP address of a server from an existing DxOdyssey gateway group. If joining the gateways via DH2i Matchmaking Service, enter match.dh2i.com.
Pass Key - Enter the passkey for the existing DxOdyssey gateway group. If joining via DH2i Matchmaking Service, enter the OTPK.
Activate after joining - Select if local server activation is required.
Accept EULA - Confirm acceptance of the software EULA. An option to view the EULA is provided by a link below the checkbox. Acceptance is required to continue.
OK - Click to process the request.
Close - Click to cancel and exit without saving change(s).
Manage OTPK - This is the One Time Pass Key Manager. Click New to generate a one-time pass key. Select when the key will expire or leave the default value. The key is needed to join a gateway group using the DH2i Matchmaking Service.
Submit - When finished making changes to the gateway group, click the submit button to commit the changes. The following confirmation message dialog will give the final option to commit the changes or return to the previous screen without saving.
The main panel shows the details of the gateway member selected in the entity view.
The main panel shows the overview details of the available tunnels. The entity view displays the tunnels with the status and an option to delete the tunnel. Clicking on a tunnel name in the entity view will display the complete tunnel details in the main panel.
Add Tunnel - Click the Add Tunnel button to display the following dialog, which is used to configure a new tunnel.
Tunnel Name - The logical name for the tunnel. This must be unique.
Gateway Name - The member name or .ACTIVE alias if the tunnel is part of a tunnel group.
Target Host/IP - The desired host name or IP address of the target server.
Target Port - The destination port of the target server.
Origin Name - The member name or alias for an origin server to create a listener.
Origin Network Address - The network address to create a listener. Designating all zeros (0.0.0.0) will create a "listen all".
Origin Listening Port - The origin port to create a listener on the origin side of the tunnel.
Origin Source Filter - Predefined source filter rules that are defined in the Source Filter Manager.
Add Row - Adds a row to the origin listener set.
Delete Row - Deletes the selected row from the tunnel definition.
DxOdyssey allows the tunnel to be configured using aliases if the tunnel is a member of a tunnel group and the NATEnabled setting is true. The aliases are defined in Table 1-3 (Tunnel Group Aliases) in the Definitions, Acronyms, Abbreviations section.
Tunnel Detail View
The main panel displays the details of the selected tunnel from the entity view.
Edit/Save - The edit button allows editing of the data that is set up in the Add Tunnel screen with the exception of the tunnel name. After clicking edit, the same button changes to Save. Click Save to save any changes made to the tunnel details or click Cancel to exit editing without saving. The tunnel name is the unique identifier in the gateway group and can only be changed by deleting the tunnel and adding a new one with the same parameters but a different tunnel name.
Cancel - This will undo any changes made in the edit screen and will return the tunnel detail view to read-only mode.
Manage Clients - Clicking the Manage Clients button allows the user to manage the remote clients and remote client groups associated with the tunnel. The clients and client groups assigned to the tunnel will then be able to access the tunnel using DxConnect. For more information about DxConnect, please see the DxConnect Admin Guide.
Remote Tunnel Clients - Displays the clients or client groups assigned to the tunnel, with the listening address.
Add client - This will create a new dialog to select client(s) to add to the tunnel.
Search - This will filter the view of the clients based on user input.
Navigation Bar - The navigation bar allows the user to set the number of items per page and to navigate to a specific page.
IP Address - The client listening address. This is the IP address that the client will use to connect to the tunnel. The loopback address (127.0.0.1) is recommended.
Port - The client listening port.
Add Selected - This will add the selected clients and associate them with the IP address and port defined by the user. Clients can be added multiple times to a tunnel with different IP addresses and/or ports.
Add group - This will create a dialog that displays client groups that can be added to the tunnel.
Remove from tunnel - This will remove the selected client or group from the tunnel.
Submit - This will save the changes made by the user and close the client management screen.
Close - This will close the client management screen without saving any changes.
Tunnel Group Manager
To create a tunnel group, click on Tunnel Group Manager and select Add Tunnel Group at the bottom of the left-hand pane.
Tunnel group Name - Use this field to specify a group name. Make sure the group and IP address pair is registered in DNS. The name entered in this field cannot include spaces.
Virtual IPs - Specify the IP address(es) that will be associated with this tunnel group. There are two types of virtual IPs supported by DxOdyssey:
- The default is *127.0.0.1. This specifies that the tunnel group will not attempt to bind to an IP address. Recommended for multi-cloud environments, where the virtual IP may not be available to bind to all sites.
- A specific IP address or a comma delimited list of IP addresses. This specifies that the tunnel group will attempt to bind the specified IP address(es) to the active member for the tunnel group.
Note: DxOdyssey will bind the virtual IP to the adapter within the same subnet. A DNS entry must exist for each group/IP address. The entry must include an A record and a PTR record for forward and reverse lookup. Windows authentication may fail if these records do not exist. Be sure to create a DNS entry for each group/IP created. Dynamic DNS registration is not supported.
Available Gateways / Selected Gateways - Move the DxOdyssey members from the Available Gateway column to the Selected Gateway column to add them to the tunnel group. The member at the top of the list will become the primary member. The up and down arrows can be used to reorder the members in the Selected Gateways column.
OK - When OK is selected, a confirmation dialog is displayed asking to confirm the changes.
Selecting Yes on the Confirmation Dialog will create the tunnel group.
Close - If the Close button is selected, the tunnel group will not be created and the dialog will close.
Tunnel Group Detail
The tunnel group detail view displays the configuration of the selected tunnel group from the entity view.
Update - When the Update button is selected, the following dialog is displayed. This dialog allows the gateway group members in the tunnel group to be reordered or the virtual IP to be changed.
Stop - When stop is selected, the tunnel group is set to disabled and no member is active.
Add Gateway - To add a member to the tunnel group, click Add Gateway. The following dialog is displayed.
Add - The Add button on the right in the tunnel section allows the addition of a new tunnel to the tunnel group.
Delete - The delete button on the right side of the tunnel section allows the deletion of the tunnel from the gateway group. To remove the tunnel from the group but keep the tunnel configuration, click the Assign button.
Assign - To assign or remove a tunnel from the tunnel group, click the Assign button. The following dialog is displayed.
To remove a tunnel, move it from the Selected Tunnels to the Available Tunnels. To assign a tunnel, move it from the Available Tunnels to the Selected Tunnels. To move a tunnel between available and selected, you can double-click on the tunnel or select the tunnel and use the appropriate arrow.
OK - All changes are committed when the user clicks OK.
Close - This will close the Assign dialog without making any changes.
Source Filter Manager
The Source Filter Manager dialog allows the configuration of specific rules for allowing or denying one or many IP addresses, subnets, ports or ranges.
Add Source Filter
Click to create a new rule. The following dialog is displayed.
Filter Name - The name of the rule to create.
Address - The first column is a text entry that allows input in the following formats:
- IPAddress – 10.0.0.10
- IPAddress:Port – 10.0.0.10:2345
- IPAddress/CIDR – 10.0.0.0/24
- IPAddress/Mask – 10.0.0.0/255.255.255.0
Action - The second column is a drop down with the following selections:
- Allow - Allows the configured address access to the tunnel.
- Deny - Denies the configured address access to the tunnel.
Delete - When the user clicks on the “X” in the delete column, the selected IP definition is removed from the rule.
Default - Select DENY ALL or ACCEPT ALL for the default rule. What is selected depends on whether it is desired to deny all connections but allow a specific connection or allow all connections and deny a specific connection.
Up Arrows Button - To move the selected IP definition up in the sorting order of the rule.
Down Arrows Button - To move the selected IP definition down in the sorting order of the rule.
Delete Button - To remove the selected IP definition from the rule.
New Row - Add a new IP definition for the rule.
Submit - Close the form and commit changes.
Close - Close the form without making changes.
Edit - Highlight a selection and click edit to modify the rule.
Delete - Highlight a selection and click delete to remove the rule.
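The following is an added example, not DH2i code: an offline check of a planned source filter rule that parses the four Address formats listed above and shows which entry decides a given connection. It assumes entries are evaluated top to bottom with the first match winning and that the port in IPAddress:Port is the connecting source port; the guide states neither, and all function names are hypothetical.

```python
"""Offline check of a planned Source Filter rule (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    network: ipaddress.IPv4Network
    port: Optional[int]  # None means "any port"
    action: str          # "ALLOW" or "DENY"


def parse_entry(address: str, action: str) -> Entry:
    """Parse one Address cell: IP, IP:Port, IP/CIDR or IP/Mask."""
    action = action.strip().upper()
    if action not in ("ALLOW", "DENY"):
        raise ValueError(f"unknown action: {action!r}")
    text, port = address.strip(), None
    if ":" in text:  # IPAddress:Port
        text, port_text = text.rsplit(":", 1)
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    # IPv4Network accepts a bare address (/32), a prefix length and a
    # dotted mask. strict=True rejects host bits such as 10.0.0.10/24,
    # which is usually a typo for 10.0.0.10 or 10.0.0.0/24.
    return Entry(ipaddress.IPv4Network(text, strict=True), port, action)


def default_action(choice: str) -> str:
    """Map the dialog's Default choice to an action."""
    return {"DENY ALL": "DENY", "ACCEPT ALL": "ALLOW"}[choice.strip().upper()]


def evaluate(entries, default, src_ip, src_port) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry, or None for the default).

    ASSUMPTION: entries are checked top to bottom and the first match wins.
    """
    ip = ipaddress.IPv4Address(src_ip)
    for index, entry in enumerate(entries):
        if ip in entry.network and entry.port in (None, src_port):
            return entry.action, index
    return default_action(default), None


def shadowed(entries) -> List[Tuple[int, int]]:
    """List (later, earlier) pairs where the later entry can never decide."""
    pairs = []
    for later, e in enumerate(entries):
        for earlier, f in enumerate(entries[:later]):
            if e.network.subnet_of(f.network) and f.port in (None, e.port):
                pairs.append((later, earlier))
                break
    return pairs


# Constructed rule set, in the order it would appear in the dialog.
SAMPLE_RULES = [
    parse_entry("10.0.0.0/24", "Allow"),
    parse_entry("10.0.0.10", "Deny"),  # intended exception, placed too low
    parse_entry("192.168.5.20:2345", "Allow"),
    parse_entry("172.16.0.0/255.255.0.0", "Deny"),
]

if __name__ == "__main__":
    for later, earlier in shadowed(SAMPLE_RULES):
        print(f"entry {later} is never reached: entry {earlier} matches first")
    probes = [("10.0.0.10", 50000), ("192.168.5.20", 2345), ("203.0.113.7", 443)]
    for ip, port in probes:
        print(ip, port, evaluate(SAMPLE_RULES, "DENY ALL", ip, port))
```

Under the first-match assumption, the Deny entry for 10.0.0.10 has to be moved above the 10.0.0.0/24 Allow entry with the Up Arrows button before it has any effect.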
Client and Group Manager
The client and group manager allows the user to add a new remote client, a remote client group, edit a client, or edit a group. This is where the configuration file is generated that allows the user to access one or more tunnels based on which tunnels the user is associated using DxConnect. For more information on DxConnect, please see the DxConnect Admin Guide.
Grid Navigation Bar
The navigation bar allows the user to set the number of items per page and navigate to a specific page.
From left to right the actions are:
- Move to first page.
- Move back one page.
- Set the page number manually.
- Move forward one page.
- Move to last page.
- Number of items per page.
- Refresh data.
- Display the details of the selected client (only available in client view).
Add New Group
Click this button to add a new remote client group. A remote client group is a unique name used to group members together. The Add New Group window is the same as the edit window, the only difference being the group name cannot be changed.
The Group Name must be unique, and it is not case-sensitive (i.e. DEVTEAM, devteam and DevTeam are considered the same name; and will be displayed in all capitals – DEVTEAM).
Search… - Select to filter the list of clients based on the search parameters.
Add Client - Select to display the Add New Client dialog.
Add Arrows - After selecting one or more clients, click this button to add them to the remote group. No changes are saved until the Submit button is clicked.
Remove Arrows - After selecting one or more client members, the user can click this button to remove them from the current group. Changes are not saved until after the Submit button is clicked.
Grid Navigation Bar - The navigation bar allows the user to set the number of items per page and to navigate to a specific page. The last button is to refresh the display.
Submit - Changes are saved and the dialog closes.
Close - Changes are not saved and the dialog closes.
Add New Client
Select to add a new remote client. The Add Remote Client dialog is the same as the Edit Remote Client dialog, except the username cannot be changed in edit mode.
The username must be unique, and it is case-sensitive (i.e. Harry and harry are two distinct names).
Submit - This button submits the data and closes the dialog. If apply or submit has not been selected, any information in the fields will not be saved.
Close - This button closes the dialog.
Apply - This button submits the current data and clears the form so the user can add another remote client.
Export Config File
Click this button to export the configuration file. The configuration file will be needed, along with the username and password, for a user to connect to a tunnel using the DxConnect application. For more information on DxConnect, please see the DxConnect Admin Guide.
The advanced settings section has additional functionality for more experienced users.
This section allows the setting of various advanced internal settings for the gateway group itself. This is not typically recommended without specific advice or explanation from DH2i Support or Engineering staff.
Cluster Passkey - A pass key is required to log in to the gateway group for administration. The pass key is case-sensitive and can be any combination of alpha-numeric characters, punctuation, or symbols. If the user has not configured a pass key or has forgotten the pass key, the user will be unable to log in remotely or log in using unprivileged accounts. The pass key requirement can be bypassed by launching DxOdyssey as an administrator on a gateway node.
ClientHeartBeat - The remote client heartbeat. How often the server checks the remote client connection for alive status, in seconds. Default is 60.
NATAgentHeartBeat - How often the nodes check in with Matchmaking Service, in seconds. Default is 60.
NATEnabled - Enable or Disable registration with Matchmaking Service.
NatKeepAlive - How often the nodes check in with the Matchmaking Service in seconds. The default is 30 seconds.
NATMatchAgent - The comma delimited list of Matchmaking Service used to resolve cluster member servers across clouds.
TunnelBufSize - The maximum buffer size for tunnel, in bytes. The default is 8192.
TunnelMaxPending - The maximum number of tunnels waiting to connect. Default is 5.
UDPBufSize - The maximum buffer size for UDP, in bytes. The default is 1048576.
This section defines the network share(s) used as the gateway group witness. In order to prevent a split-brain scenario when the gateway group members are unable to communicate with one another, the witness is used to decide which set of members should own the resources (i.e. configuration). The rule for deciding the winning side is as follows, from highest to lowest ranking:
Majority witness quorum
To achieve the best tie-breaking/witness system, DH2i recommends that you employ an odd number of witness(es).
Witness List - The list of currently configured witnesses.
Add Witness - Opens the Add Witness dialog for adding a new witness. Note that changes will not be saved until selecting OK from the Witness Manager dialog and applying the gateway group configuration.
Delete Witness - Removes the currently-selected witness from the witness configuration. Note that changes will not be saved until selecting OK from the Witness Manager dialog and applying the configuration.
OK - Accepts the witness configuration as displayed. The changes will not be saved until the configuration is applied.
Close - Reverts the witness configuration to its state prior to opening the Witness Manager dialog.
Witness Type - The type of witness being configured. Valid options are Network Share (SMB) and Azure Blob Storage. These options are described in more detail below.
Witness Path - The path used as a witness. This will vary depending on the type of witness that is being configured.
For Network Share (SMB), use the standard UNC form
For Azure Blob Storage, use a Shared Access Signature (SAS) URL.
Alternatively, use an Azure connection string.
A Shared Access Signature created for use as a witness must have permission to use blob services, must have permission to access service, container, and object resources, and must have read, write, delete, list, add, create, and update permissions.
For more information on how to set up Azure blob storage and how to create either a Shared Access Signature or a connection string, please refer to the Azure portal documentation.
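The following is an added example, not DH2i or Microsoft code: a pre-flight check that an Azure account SAS URL carries the grants listed above before it is entered as a witness path. It maps the guide's requirements onto the account SAS query fields ss, srt, sp, se and spr; reporting extra grants, expiry and protocol is a least-privilege check added here beyond what the guide requires, and the function names and sample URLs are constructed.

```python
"""Pre-flight check of an Azure account SAS URL for witness use (added example)."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Grants the guide requires, as account SAS letter codes.
REQUIRED = {
    "ss": set("b"),        # signed services: blob
    "srt": set("sco"),     # resource types: service, container, object
    "sp": set("rwdlacu"),  # read, write, delete, list, add, create, update
}
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_expiry(value):
    """Parse the se field as UTC; return None when it is absent or malformed."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def check_witness_sas(url, now=None):
    """Return a list of (kind, field, detail) findings; empty means clean."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append(("weak", "scheme", parts.scheme))
    for field, required in REQUIRED.items():
        granted = set(query.get(field, ""))
        if required - granted:  # the witness would lack a required grant
            findings.append(("missing", field, "".join(sorted(required - granted))))
        if granted - required:  # more access than the witness needs
            findings.append(("extra", field, "".join(sorted(granted - required))))
    expiry = parse_expiry(query.get("se", ""))
    if expiry is None:
        findings.append(("invalid", "se", query.get("se", "")))
    elif expiry <= now:
        findings.append(("expired", "se", query["se"]))
    # spr is optional; unless it is exactly "https" the token also works over HTTP.
    if query.get("spr") != "https":
        findings.append(("weak", "spr", query.get("spr", "unset")))
    if "sig" not in query:
        findings.append(("missing", "sig", ""))
    return findings


# Constructed sample URLs; account name and signature are placeholders.
GOOD_SAS = ("https://examplewitness.blob.core.windows.net/?sv=2020-08-04&ss=b"
            "&srt=sco&sp=rwdlacu&se=2030-01-01T00:00:00Z&spr=https"
            "&sig=CONSTRUCTED_PLACEHOLDER")
BAD_SAS = ("https://examplewitness.blob.core.windows.net/?sv=2020-08-04&ss=bfqt"
           "&srt=co&sp=rl&se=2020-01-01T00:00:00Z&sig=CONSTRUCTED_PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        # Print findings only; the URL contains the signature and is a secret.
        print(label, check_witness_sas(url))
```

A SAS URL is a bearer credential, so store and handle the witness path with the same care as the SMB witness password.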
User - Network Share (SMB): the user credential used to access the witness share.
Password - Network Share (SMB): the password used to access the witness share.
Test - Test the validity of the witness share with user credentials. The test must pass before the witness properties can be committed.
OK - Accept the witness settings. The witness will be added to the list of witnesses in the parent Witness Manager dialog.
Close - Cancel witness properties modification.
The alerts screen displays the current alerts and the details of each alert. Below the current history is a grid of past alert history consisting of as many as the most recent 500 alerts since the user logged in. The history can be cleared as needed.
The processes screen shows all processes initiated against the gateway group from the current server since login. The list of processes shows the process command, the status, and the date it was initiated. There is also a select check box that allows a process to be selected and then deleted by clicking the Delete Selected button. When the row is selected, the detailed results of the process are displayed below.
The collect logs utility automatically gathers logs and configuration files from the selected members, zips them up and then stores them at the following locations on each member:
The debug commands section allows the execution of commands internal to DxOdyssey. Use of this section is not recommended without a specific request from DH2i Support or Engineering staff.
The Search dialog allows the user to search for and select any entity within the connected server from a single pane.
Clicking on search displays a pane and provides a text box to search for arbitrary entities. This includes an option to make the search case-sensitive or clear the search. Clicking any result will show the details of that result.
The about dialogue displays the version, copyright and installed features for the current product.