manualshive.com logo in svg

GlobalSCAPE DMZ Gateway v3.1, Руководство пользователя

Поделиться
Скачать
GlobalSCAPE DMZ Gateway v3.1 Скачать руководство пользователя страница 6

DMZ Gateway User Guide 

Technical Details 

The DMZ Gateway routes all client data to the server over the server-initiated socket without any 
translation or modification to the packet’s payload. Thus, if the client is using HTTPS, then HTTPS traffic 
goes over that streaming connection. Unlike a network hardware bridge/router device, the DMZ Gateway 
does not "pass through" modified packets. The DMZ Gateway reads in a buffer full of data from the client 
TCP/IP stream (~4KB) and then sends that data over the server's TCP/IP socket. They are completely 
different TCP/IP packets with different source and destination locations; however, the payload is NOT 
changed at all. 

The DMZ Gateway does not forward client requests. The Peer Notification Channel (PNC) is used for 
brokering new incoming client connections using the process outlined above. Once the incoming client 
connection and the server connection are "glued" together, the client’s requests are streamed through the 
DMZ Gateway to the server. 

Both external (DMZ Gateway cloud facing) and internal (server-network facing) listening ports are 
specified from within the server for each supported (and enabled) protocol. These ports can be the same 
or different (even for the same protocol). 

Once configured to work with the DMZ Gateway, the server (when running) will always attempt to initiate, 
maintain, and if necessary reconnect to the DMZ Gateway server. No further administrative action is 
required in the server to establish or maintain communications after the initial setup. From the DMZ 
Gateway server perspective, if the PNC channel is broken, it will refuse new (and existing) client 
connections until the server re-establishes a connection. 

The server periodically queries the DMZ Gateway. If a reply is not received within 10 seconds, the server 
considers the connection lost, severs the current connection, and then attempts to reconnect. The DMZ 
Gateway also maintains its own awareness (ping/pong) of whether the server is connected. Every 30 
seconds, DMZ Gateway determines whether it has received a pong message from the server since the 
last ping. If it has, it will ping again; if not, it drops the connection. This allows it to free up ports if the 
server is not available (no longer responds to ping) and for error reporting. (Refer to the Knowledge Base 
article "

How do EFT Server and DMZ Gateway Server communicate with each other?

" for information 

about changing these defaults in EFT Server 6.2 and later and DMZ Gateway 3.0 and later.) 

DMZ Gateway performs client impersonation, which means none of the sockets created via the DMZ 
Gateway have the DMZ Gateway IP address and port; instead, all sockets created through the DMZ 
Gateway have the IP address and port of the client connection. This results in the server’s logs showing 
the actual connecting client IP addresses and ports, rather than those of the DMZ Gateway. 

Because the client connection is streamed through the DMZ Gateway to the server, user authentication is 
handled by the server, as if the client were logging in directly to the server from the internal network. 

With EFT Server, the DMZ Gateway can restrict incoming server PNC connections based upon IP 
address. The DMZ Gateway can also restrict incoming client connections via the IP address ban feature. 
Any IP addresses banned (manually or automatically) in EFT Server will also be banned by the DMZ 
Gateway. 

The server and DMZ Gateway PNC connection does not employ username and password credentials. 
There is nothing sensitive contained in the PNC notifications that requires encryption. 

Содержание DMZ Gateway v3.1

Страница 1: ...GlobalSCAPE DMZ Gateway v3 1 User Guide Module for EFT Server 6 3 ...

Страница 2: ... Selma Road Suite 150 San Antonio TX USA 78249 Sales 210 308 8267 Sales Toll Free 800 290 5054 Technical Support 210 366 3993 Web Support http www globalscape com support 2004 2011 GlobalSCAPE Inc All Rights Reserved Last Updated April 1 2011 ...

Страница 3: ...SuSE Linux 21 Ubuntu Linux 22 Solaris 22 Upgrading or Repairing DMZ Gateway 22 Uninstalling DMZ Gateway 24 Uninstalling DMZ Gateway on a Windows System 24 Uninstalling DMZ Gateway on a non Windows System 24 RedHat Enterprise Linux SuSE Linux or Solaris x86 32 Bit or 64 Bit 25 Ubuntu Linux 32 Bit or 64 Bit 25 Example of Uninstallation Process on Solaris 25 Administering DMZ Gateway 27 DMZ Gateway C...

Страница 4: ...DMZ Gateway Administration Diagnostics Logging 42 DMZ Gateway AdminLauncher Diagnostics Logging 42 Communicating with EFT Server or Mail Express Server 43 Enabling DMZ Gateway in EFT Server 43 Configuring the DMZ Gateway Connection in Mail Express 45 Routing AS2 Traffic through DMZ Gateway 47 Using DMZ Gateway as an Outbound Proxy 47 Testing the Configuration 53 Troubleshooting DMZ Gateway Communi...

Страница 5: ...Gateway 1 This proprietary non encrypted connection is called the Peer Notification Channel PNC EFT Server and DMZ Gateway use the PNC to setup subsequent communications between EFT Server and incoming client connections When a client web browser FTP client etc connects to the DMZ Gateway 2 on the pre approved ports 21 22 80 443 etc DMZ Gateway creates a new listener 3 called an ephemeral port and...

Страница 6: ...connection The server periodically queries the DMZ Gateway If a reply is not received within 10 seconds the server considers the connection lost severs the current connection and then attempts to reconnect The DMZ Gateway also maintains its own awareness ping pong of whether the server is connected Every 30 seconds DMZ Gateway determines whether it has received a pong message from the server since...

Страница 7: ...7 DMZ Gateway Initialization and Connection Diagrams The diagrams below illustrate the initialization and connection sequences for DMZ Gateway and EFT Server communication ...

Страница 8: ...DMZ Gateway User Guide 8 ...

Страница 9: ...What s New in DMZ Gateway 9 ...

Страница 10: ...DMZ Gateway User Guide 10 ...

Страница 11: ...What s New in DMZ Gateway 11 ...

Страница 12: ...er Sites simultaneously Can connect to Mail Express Server IP address access policy changes are now automatically propagated to DMZ Gateway when the policy is modified in EFT Server whether in the EFT Server interface or by the auto ban logic DMZ Gateway s interface was completely redesigned to accommodate multiple profiles and extended communication information Moved DMZ Gateway licensing to the ...

Страница 13: ...eway v2 Accepts incoming connections from Mail Express Server v3 and later Supported operating systems o Windows Server 2003 32 bit and 64 bit o Windows Server 2008 R1 R2 32 bit and 64 bit o Red Hat Enterprise Linux release 5 4 32 bit and 64 bit o SuSE Linux Enterprise Server release 11 32 bit and 64 bit o Ubuntu 8 04LTS Server Edition 32 bit and 64 bit o Solaris 10 10 09 32 bit and 64 bit x86 com...

Страница 14: ... help guides InstallingDMZGatewayInCluster pdf If a previous product version is installed the installer prompts you to uninstall the previous version before installing the new version To install DMZ Gateway 1 Close all unnecessary applications so that the installer can update system files without rebooting the computer 2 Start the installer The Welcome page appears 3 Click Next The License Agreeme...

Страница 15: ...fy a different location Also displayed is the amount of hard drive space required to install the program 7 Click Next The Choose Configuration Location page appears 8 In the Configuration Folder box specify the path at which to store configuration files for DMZ Gateway The installation location is specified by default but you can specify a separate location for backup and disaster recovery or for ...

Страница 16: ...be installed on the Start menu in a folder called GlobalSCAPE You can keep this default location or specify a different location in which to install the shortcut 10 Click Install The product is installed and the installation log appears 11 Click Next The completed page appears ...

Страница 17: ... DMZ Gateway on a non Windows System The installation process on each non Windows operating system is basically the same with a few minor differences The basic process of installation can be described as follows 1 Copy the appropriate installer archive file tgz to the target machine 2 Extract the contents of the installer archive The archive contains 2 files an installation script and an archive o...

Страница 18: ...g opt dmzgateway etc o After everything is installed you will prompted to register and start the DMZ Gateway daemon service o If you start the service you can execute the DMZ Gateway Administration interface script e g type opt dmzgateway bin DMZGatewayAdmin Refer to the example below for details of the installation process Installing DMZ Gateway on Ubuntu Linux 32 Bit or 64 Bit To install DMZ Gat...

Страница 19: ...talled you will prompted to register and start the DMZ Gateway daemon service o If you start the service you can execute the DMZ Gateway Administration interface script e g type opt dmzgateway bin DMZGatewayAdmin Refer to the example below for details of the installation process Example of Installation Process Below is an example of executing the Install sh script on a Solaris x86 32 bit computer ...

Страница 20: ...p and shutdown Register the DMZ Gateway Server daemon service yes or no yes Creating symbolic link etc init d dmzgatewayd Registering system daemon ln sf etc init d dmzgatewayd etc rc0 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc1 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc2 d S99dmzgatewayd ln sf etc init d dmzgatewayd etc rc3 d S99dmzgatewayd Start Service The installation scrip...

Страница 21: ...e not to register the daemon during the installation process use the procedure below to add or remove the DMZ Gateway Server daemon script dmzgatewayd from automatic system startup and shutdown There are multiple methods of configuring a daemon script for automatic startup shutdown on Linux Solaris Ultimately whatever method is used typically results in the creation of symbolic links in the etc rc...

Страница 22: ...d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc1 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc2 d S99dmzgatewayd ln sf etc init d dmzgatewayd etc rc3 d S99dmzgatewayd To deregister the script Remove the symbolic links as root rm etc rc0 d K99dmzgatewayd rm etc rc1 d K99dmzgatewayd rm etc rc2 d S99dmzgatewayd rm etc rc3 d S99dmzgatewayd Upgrading or Repairing DMZ Gateway Upgrades from v...

Страница 23: ...a default configuration and uninstall the older version Follow the prompts to finish the upgrade Refer to Installing DMZ Gateway if necessary During the upgrade process the DMZ Gateway service Log On As account is set to use the Local System account To upgrade from DMZ Gateway 3 x on Windows systems 1 Close the Administration interface 2 Launch the installer The installer will detect an existing i...

Страница 24: ...install Refer to Installing DMZ Gateway if necessary Uninstalling DMZ Gateway The DMZ Gateway will prompt you if a previous version of DMZ Gateway is installed and needs to uninstalled Uninstalling DMZ Gateway on a Windows System Uninstall DMZ Gateway using Windows Add Remove Programs tool or via the shortcut on the Start menu Uninstalling DMZ Gateway on a non Windows System The installation proce...

Страница 25: ... bin directory To uninstall DMZ Gateway on Ubuntu Linux 1 On the target machine open a terminal window 2 Run the Uninstall sh script sudo InstallDir bin Uninstall sh For example sudo opt dmzgateway bin Uninstall sh 3 Follow the prompts to complete uninstalling Example of Uninstallation Process on Solaris The following printout is a sample execution of the Uninstall sh installation script run on So...

Страница 26: ...he DMZ Gateway Server daemon service dmzgatewayd from automatic startup and shutdown Deregister the DMZ Gateway Server daemon service yes or no yes ENTER Removing etc init d dmzgatewayd symbolic link Deregistering system daemon rm etc rc0 d K99dmzgatewayd rm etc rc1 d K99dmzgatewayd rm etc rc2 d S99dmzgatewayd rm etc rc3 d S99dmzgatewayd Removing installation files Uninstallation Complete ...

Страница 27: ... functionality The JRE is installed with DMZ Gateway you do not need to install or maintain the JRE The DMZ Gateway Server component is never executed directly but rather controlled and monitored using the DMZ Gateway Server Service component DMZ Gateway Server Service The DMZ Gateway Server Service component is responsible for properly initializing the JRE and launching the DMZ Gateway Server com...

Страница 28: ... Gateway Interface The DMZ Gateway interface is used for mapping and viewing DMZ Gateway connections Profiles are used to define connections to DMZ Gateway To open the interface On Windows systems double click the DMZ Gateway shortcut on the desktop or Start menu On non Windows systems after the server service has started execute the DMZ Gateway administration interface script e g opt dmzgateway b...

Страница 29: ...eway Server Service Typically the DMZ Gateway server service is configured to start automatically when the computer is started When the DMZ Gateway administration interface is launched it determines whether the DMZ Gateway server service is running If the DMZ Gateway server service is not running a prompt appears asking if you like to start the DMZ Gateway service On Windows systems When you insta...

Страница 30: ...MZ Gateway will listen on the IP address port combination ONLY IF that IP address port combination is not already being used by another Profile Profiles configured with an explicit IP address have precedence over Profiles configured with All Available What Does This Mean for the Peer Server Listeners Suppose you have 3 IP addresses on the computer IP 1 IP 2 and IP 3 and you have 2 Profiles Profile...

Страница 31: ...e includes specifying the listening IP address for incoming clients specifying the listening IP addresses and port for the connecting server and specifying the IP addresses that are allowed or denied access To create a new Profile 1 Do one of the following In the Profiles tree right click then click New Profile On the toolbar click New Profile On the main menu click Profile New The New Profile Wiz...

Страница 32: ... used by another Profile Profiles configured with an explicit IP address have precedence over Profiles configured with All Available 6 In the Port box provide the port number over which connections are allowed The connection will be refused if the port is being used by another DMZ Gateway Site or if the IP address is on the IP address ban list 7 Click Next The Peer Server Access page appears 8 All...

Страница 33: ...Profile The Profile name appears in statistics logs messages and reports You can change the name in the DMZ Gateway interface To change the name of a Profile 1 Click the Profile in the tree then do one of the following Click the Profile name again Right click the Profile name then click Rename Profile On the toolbar click Rename Profile On the main menu click Profile Rename The name in the tree be...

Страница 34: ...or more of the following In the Listening IP for incoming Clients box click the down arrow to select a different IP address or All Available Only the IP addresses defined on this computer appear in this box In the Listening IP for Server box click the down arrow to select a different IP address or All Available Only the IP addresses defined on this computer appear in this box In the Port box provi...

Страница 35: ...y You can grant access to only one specific IP address or a range of IP addresses or deny access to one specific address or a range of addresses You can define up to 100 IP address masks For example if you want to allow only 192 168 174 159 and block every other IP address click Denied access click Add then type 192 168 174 159 in the IP mask box This will deny access to all IP addresses except 19...

Страница 36: ...ck Server Start or click Start on the toolbar To restart the DMZ Gateway On the DMZ Gateway main menu click Server Restart or click Restart on the toolbar To stop the DMZ Gateway On the DMZ Gateway main menu click Server Stop or click Stop on the toolbar Viewing Statistics In the DMZ Gateway administration interface you can view a variety of statistics Whether you click All Profiles or a specific ...

Страница 37: ...g icons provide an indication of status Listening Inactive Warning Error The following columns displayed on the tab can be sorted by clicking the column header IP address IP address on which Peer Notification Channels communicate Port Port on which Peer Notification Channels communicates Active Sites Number of Sites connected to DMZ Gateway Active Connections Number of active connections to DMZ Ga...

Страница 38: ...r creation failure Closed Inactive Listener IP Port address already assigned Statistics The Statistics tab of the Status panel displays the size and speed of server and client data being transferred When All Profiles is selected the aggregated data sizes are displayed and a Profile column displays the name of the applicable Profile The Statistics tab is configured by default to refresh automatical...

Страница 39: ...ations Activity Logging The DMZ Gateway communications activity logging records messages relating to communications to a W3C Extended Log File formatted file By default this log file is created as installation directory logs DMZActivity log The format of the log file consists of a header at the beginning of the file and subsequent lines for each communications message generated by the DMZ Gateway ...

Страница 40: ...t DMZ Gateway Server Diagnostics Logging The DMZ Gateway Server diagnostics logging functionality provides diagnostic level messages for the operation of the DMZ Gateway Server This diagnostic information may be used to identify errors warning and other information of interest that occur during the operation of the DMZ Gateway Server By default this functionality logs to the file installation dire...

Страница 41: ... specified Profile Server The log is appended during each run of the DMZ Gateway service The log file automatically archives itself when reaching 10 MB in size and maintains the last 10 log files in the form DMZGatewayServerService log X where X is a number from 1 to 10 with 1 being the most recently archived log file and 10 being the oldest DMZ Gateway Server Event Viewer Windows Operating System...

Страница 42: ...agnostic information may be used to identify errors or warnings that occur during the operation of the administration interface By default this functionality records to the file installation directory logs DMZGatewayAdmin log The log is appended during each run of the DMZ Gateway administration interface The log file automatically archives itself when reaching 10 MB in size and maintains the last ...

Страница 43: ...g DMZ Gateway and allows you to enter the DMZ Gateway IP address and port number If Connect this site to EFT Server s DMZ Gateway is selected when you are creating a Site in the Site Setup wizard EFT Server attempts to establish a socket connection to DMZ Gateway when you click Next If the socket connection fails a message appears in which you are allowed to provide the DMZ Gateway information aga...

Страница 44: ...elect the check boxes for the protocols and the ports that DMZ Gateway will use This is a separate configuration from the ports that EFT Server uses For example you could use port 21 for FTP traffic for EFT Server but port 14421 for FTP traffic through the DMZ Gateway 8 If you are using DMZ Gateway with a PASV mode IP address click PASV settings The Firewall NAT Routing dialog box appears a Select...

Страница 45: ...o reside in the demilitarized zone and provide secure communication with the Mail Express Server behind intranet firewalls without requiring any inbound firewall holes between the internal network and the DMZ and with no sensitive data stored in the DMZ even temporarily When configured to use DMZ Gateway Mail Express functions normally giving no indication to end users of the system that the addit...

Страница 46: ... Express client connections will typically include external recipients picking up files via the Pick Up portal and external users dripping off files via the Drop Off portal While the DMZ Gateway supports use of client ports other than port 443 it is highly recommended to use the default HTTPS port of 443 as this is the industry standard for HTTPS communications When using the standard port users w...

Страница 47: ...ine the trading partner options 4 Add the Copy Move File to Host Action to the Rule 5 In the Rule pane click one of the undefined parameters e g FS PATH The Offload Action Wizard appears 6 Follow the instructions in Using DMZ Gateway as an Outbound Proxy to define the Rule Using DMZ Gateway as an Outbound Proxy Using the DMZ Gateway as proxy is available only in EFT Server Enterprise DMZ Gateway s...

Страница 48: ...d protocol changes automatically based on the offload method Provide a different port number if necessary c Provide the Username and Password needed to establish the connection 6 Select the Use connected client s login credentials to authenticate check box if you want to use the local system account to authenticate 7 If you chose SFTP a In the SFTP Public Key File Path box type the path or click t...

Страница 49: ...e Authentication check box then provide a Username and Password d Click OK to return to the Offload Action Wizard 9 Click Proxy 10 Select the Use proxy settings below when connecting to remote host check box click Use EFT Server s DMZ Gateway as the proxy then click OK to close the Proxy Settings dialog box 11 To specify transfer options and time stamps click Advanced The Advanced Options dialog b...

Страница 50: ...de If the PASV connection fails the Server attempts to connect in PORT mode automatically PASV Helps avoid conflicts with security systems PASV support is necessary for some firewalls and routers because with PASV the client opens the connection to an IP Address and port that the Server supplies PORT Use PORT when connections or transfer attempts fail in PASV mode or when you receive data socket e...

Страница 51: ... Source path box provide the path to the file s that you want to offload No validation is performed For example type pub usr jsmith file txt or mydomain common jsmith file txt 14 If you want to Delete source file after it has been offloaded select the check box 15 Click Next The Destination File Path page appears ...

Страница 52: ...e YYYYMMDD and or time HHMMSS are added to the filename when it is moved copied Do not use EVENT TIME because the colon e g 28 Aug 07 10 01 56 makes it unsuitable for file naming For example in the Offload Action wizard in the Destination path box provide the path and variables For example type C Documents and Settings Administrator My Documents upload EVENT DATESTAMP _ EVENT TIMESTAMP _ FS FILE_N...

Страница 53: ...nnecting to the server via DMZ Gateway and transferring a few files To test your configuration Suppose your server is at IP address 192 168 174 176 and DMZ Gateway is at IP address 192 168 174 142 and you have configured DMZ Gateway in the server to allow connections over the HTTPS port 443 1 Open a browser and in the address bar type https 192 168 174 142 the IP address of DMZ Gateway then press ...

Страница 54: ...ng Access by IP Address for the procedure for blocking unblocking IP addresses 5 Verify that the DMZ Gateway settings in the server have the proper IP address and port and that the allowed protocols and ports have been defined for allowed incoming client connections 6 Try pinging from the server computer to the DMZ Gateway computer and from the DMZ Gateway computer to the server computer If you ca...

Страница 55: ...P address e g 192 168 43 201 or an IP address mask using wildcards e g 192 168 43 For example if you want to allow only 192 168 174 159 and block every other IP address click Denied access click Add then type 192 168 174 159 in the IP mask box This will deny access to all IP addresses except 192 168 174 159 To specify the IP address or mask 1 In the IP Mask box specify the IP address or range of I...

Страница 56: ...mputer should be used as the listening IP addresses To specify the client side and server side listening addresses 1 In the Listening IP boxes click the down arrow to select the IP address or leave the default of All Available All Available means that the communications code will listen on the IP address port combination ONLY IF that IP address port combination is not already being used by another...

Страница 57: ... defaults Solaris ln sf etc init d dmzgatewayd etc rc0 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc1 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc2 d S99dmzgatewayd ln sf etc init d dmzgatewayd etc rc3 d S99dmzgatewayd Deregister the script Redhat chkconfig del dmzgatewayd Suse insserv r dmzgatewayd Ubuntu rm etc init d dmzgatewayd update rc d dmzgatewayd remove Solaris rm etc rc0 d...

Страница 58: ...DMZ Gateway User Guide 58 ...

Страница 59: ...elp file is copyrighted confidential property of GlobalSCAPE Inc Copying use or disclosure without the express written consent of GlobalSCAPE Inc is prohibited DMZ Gateway Copyright 2005 2011 GlobalSCAPE Inc All rights reserved DMZ Gateway Release Notes The DMZ Gateway release notes document is available in the installation folder DMZ Gateway EULA The license agreement is available in the installa...

Страница 60: ...DMZ Gateway User Guide 60 ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды