GlobalSCAPE® DMZ Gateway v3.1 User Guide

Module for EFT Server 6.3

Summary of Contents for DMZ Gateway v3.1

Page 1: ...GlobalSCAPE DMZ Gateway v3 1 User Guide Module for EFT Server 6 3 ...

Page 2: ... Selma Road Suite 150 San Antonio TX USA 78249 Sales 210 308 8267 Sales Toll Free 800 290 5054 Technical Support 210 366 3993 Web Support http www globalscape com support 2004 2011 GlobalSCAPE Inc All Rights Reserved Last Updated April 1 2011 ...

Page 3: ...SuSE Linux 21 Ubuntu Linux 22 Solaris 22 Upgrading or Repairing DMZ Gateway 22 Uninstalling DMZ Gateway 24 Uninstalling DMZ Gateway on a Windows System 24 Uninstalling DMZ Gateway on a non Windows System 24 RedHat Enterprise Linux SuSE Linux or Solaris x86 32 Bit or 64 Bit 25 Ubuntu Linux 32 Bit or 64 Bit 25 Example of Uninstallation Process on Solaris 25 Administering DMZ Gateway 27 DMZ Gateway C...

Page 4: ...DMZ Gateway Administration Diagnostics Logging 42 DMZ Gateway AdminLauncher Diagnostics Logging 42 Communicating with EFT Server or Mail Express Server 43 Enabling DMZ Gateway in EFT Server 43 Configuring the DMZ Gateway Connection in Mail Express 45 Routing AS2 Traffic through DMZ Gateway 47 Using DMZ Gateway as an Outbound Proxy 47 Testing the Configuration 53 Troubleshooting DMZ Gateway Communi...

Page 5: ...Gateway 1 This proprietary non encrypted connection is called the Peer Notification Channel PNC EFT Server and DMZ Gateway use the PNC to setup subsequent communications between EFT Server and incoming client connections When a client web browser FTP client etc connects to the DMZ Gateway 2 on the pre approved ports 21 22 80 443 etc DMZ Gateway creates a new listener 3 called an ephemeral port and...

Page 6: ...connection The server periodically queries the DMZ Gateway If a reply is not received within 10 seconds the server considers the connection lost severs the current connection and then attempts to reconnect The DMZ Gateway also maintains its own awareness ping pong of whether the server is connected Every 30 seconds DMZ Gateway determines whether it has received a pong message from the server since...

Page 7: ...7 DMZ Gateway Initialization and Connection Diagrams The diagrams below illustrate the initialization and connection sequences for DMZ Gateway and EFT Server communication ...

Page 8: ...DMZ Gateway User Guide 8 ...

Page 9: ...What s New in DMZ Gateway 9 ...

Page 10: ...DMZ Gateway User Guide 10 ...

Page 11: ...What s New in DMZ Gateway 11 ...

Page 12: ...er Sites simultaneously Can connect to Mail Express Server IP address access policy changes are now automatically propagated to DMZ Gateway when the policy is modified in EFT Server whether in the EFT Server interface or by the auto ban logic DMZ Gateway s interface was completely redesigned to accommodate multiple profiles and extended communication information Moved DMZ Gateway licensing to the ...

Page 13: ...eway v2 Accepts incoming connections from Mail Express Server v3 and later Supported operating systems o Windows Server 2003 32 bit and 64 bit o Windows Server 2008 R1 R2 32 bit and 64 bit o Red Hat Enterprise Linux release 5 4 32 bit and 64 bit o SuSE Linux Enterprise Server release 11 32 bit and 64 bit o Ubuntu 8 04LTS Server Edition 32 bit and 64 bit o Solaris 10 10 09 32 bit and 64 bit x86 com...

Page 14: ... help guides InstallingDMZGatewayInCluster pdf If a previous product version is installed the installer prompts you to uninstall the previous version before installing the new version To install DMZ Gateway 1 Close all unnecessary applications so that the installer can update system files without rebooting the computer 2 Start the installer The Welcome page appears 3 Click Next The License Agreeme...

Page 15: ...fy a different location Also displayed is the amount of hard drive space required to install the program 7 Click Next The Choose Configuration Location page appears 8 In the Configuration Folder box specify the path at which to store configuration files for DMZ Gateway The installation location is specified by default but you can specify a separate location for backup and disaster recovery or for ...

Page 16: ...be installed on the Start menu in a folder called GlobalSCAPE You can keep this default location or specify a different location in which to install the shortcut 10 Click Install The product is installed and the installation log appears 11 Click Next The completed page appears ...

Page 17: ... DMZ Gateway on a non Windows System The installation process on each non Windows operating system is basically the same with a few minor differences The basic process of installation can be described as follows 1 Copy the appropriate installer archive file tgz to the target machine 2 Extract the contents of the installer archive The archive contains 2 files an installation script and an archive o...

Page 18: ...g opt dmzgateway etc o After everything is installed you will be prompted to register and start the DMZ Gateway daemon service o If you start the service you can execute the DMZ Gateway Administration interface script e g type opt dmzgateway bin DMZGatewayAdmin Refer to the example below for details of the installation process Installing DMZ Gateway on Ubuntu Linux 32 Bit or 64 Bit To install DMZ Gat...

Page 19: ...talled you will be prompted to register and start the DMZ Gateway daemon service o If you start the service you can execute the DMZ Gateway Administration interface script e g type opt dmzgateway bin DMZGatewayAdmin Refer to the example below for details of the installation process Example of Installation Process Below is an example of executing the Install sh script on a Solaris x86 32 bit computer ...

Page 20: ...p and shutdown Register the DMZ Gateway Server daemon service yes or no yes Creating symbolic link etc init d dmzgatewayd Registering system daemon ln sf etc init d dmzgatewayd etc rc0 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc1 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc2 d S99dmzgatewayd ln sf etc init d dmzgatewayd etc rc3 d S99dmzgatewayd Start Service The installation scrip...

Page 21: ...e not to register the daemon during the installation process use the procedure below to add or remove the DMZ Gateway Server daemon script dmzgatewayd from automatic system startup and shutdown There are multiple methods of configuring a daemon script for automatic startup shutdown on Linux Solaris Ultimately whatever method is used typically results in the creation of symbolic links in the etc rc...

Page 22: ...d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc1 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc2 d S99dmzgatewayd ln sf etc init d dmzgatewayd etc rc3 d S99dmzgatewayd To deregister the script Remove the symbolic links as root rm etc rc0 d K99dmzgatewayd rm etc rc1 d K99dmzgatewayd rm etc rc2 d S99dmzgatewayd rm etc rc3 d S99dmzgatewayd Upgrading or Repairing DMZ Gateway Upgrades from v...

Page 23: ...a default configuration and uninstall the older version Follow the prompts to finish the upgrade Refer to Installing DMZ Gateway if necessary During the upgrade process the DMZ Gateway service Log On As account is set to use the Local System account To upgrade from DMZ Gateway 3 x on Windows systems 1 Close the Administration interface 2 Launch the installer The installer will detect an existing i...

Page 24: ...install Refer to Installing DMZ Gateway if necessary Uninstalling DMZ Gateway The DMZ Gateway will prompt you if a previous version of DMZ Gateway is installed and needs to be uninstalled Uninstalling DMZ Gateway on a Windows System Uninstall DMZ Gateway using Windows Add Remove Programs tool or via the shortcut on the Start menu Uninstalling DMZ Gateway on a non Windows System The installation proce...

Page 25: ... bin directory To uninstall DMZ Gateway on Ubuntu Linux 1 On the target machine open a terminal window 2 Run the Uninstall sh script sudo InstallDir bin Uninstall sh For example sudo opt dmzgateway bin Uninstall sh 3 Follow the prompts to complete uninstalling Example of Uninstallation Process on Solaris The following printout is a sample execution of the Uninstall sh installation script run on So...

Page 26: ...he DMZ Gateway Server daemon service dmzgatewayd from automatic startup and shutdown Deregister the DMZ Gateway Server daemon service yes or no yes ENTER Removing etc init d dmzgatewayd symbolic link Deregistering system daemon rm etc rc0 d K99dmzgatewayd rm etc rc1 d K99dmzgatewayd rm etc rc2 d S99dmzgatewayd rm etc rc3 d S99dmzgatewayd Removing installation files Uninstallation Complete ...

Page 27: ... functionality The JRE is installed with DMZ Gateway you do not need to install or maintain the JRE The DMZ Gateway Server component is never executed directly but rather controlled and monitored using the DMZ Gateway Server Service component DMZ Gateway Server Service The DMZ Gateway Server Service component is responsible for properly initializing the JRE and launching the DMZ Gateway Server com...

Page 28: ... Gateway Interface The DMZ Gateway interface is used for mapping and viewing DMZ Gateway connections Profiles are used to define connections to DMZ Gateway To open the interface On Windows systems double click the DMZ Gateway shortcut on the desktop or Start menu On non Windows systems after the server service has started execute the DMZ Gateway administration interface script e g opt dmzgateway b...

Page 29: ...eway Server Service Typically the DMZ Gateway server service is configured to start automatically when the computer is started When the DMZ Gateway administration interface is launched it determines whether the DMZ Gateway server service is running If the DMZ Gateway server service is not running a prompt appears asking if you would like to start the DMZ Gateway service On Windows systems When you insta...

Page 30: ...MZ Gateway will listen on the IP address port combination ONLY IF that IP address port combination is not already being used by another Profile Profiles configured with an explicit IP address have precedence over Profiles configured with All Available What Does This Mean for the Peer Server Listeners Suppose you have 3 IP addresses on the computer IP 1 IP 2 and IP 3 and you have 2 Profiles Profile...

Page 31: ...e includes specifying the listening IP address for incoming clients specifying the listening IP addresses and port for the connecting server and specifying the IP addresses that are allowed or denied access To create a new Profile 1 Do one of the following In the Profiles tree right click then click New Profile On the toolbar click New Profile On the main menu click Profile New The New Profile Wiz...

Page 32: ... used by another Profile Profiles configured with an explicit IP address have precedence over Profiles configured with All Available 6 In the Port box provide the port number over which connections are allowed The connection will be refused if the port is being used by another DMZ Gateway Site or if the IP address is on the IP address ban list 7 Click Next The Peer Server Access page appears 8 All...

Page 33: ...Profile The Profile name appears in statistics logs messages and reports You can change the name in the DMZ Gateway interface To change the name of a Profile 1 Click the Profile in the tree then do one of the following Click the Profile name again Right click the Profile name then click Rename Profile On the toolbar click Rename Profile On the main menu click Profile Rename The name in the tree be...

Page 34: ...or more of the following In the Listening IP for incoming Clients box click the down arrow to select a different IP address or All Available Only the IP addresses defined on this computer appear in this box In the Listening IP for Server box click the down arrow to select a different IP address or All Available Only the IP addresses defined on this computer appear in this box In the Port box provi...

Page 35: ...y You can grant access to only one specific IP address or a range of IP addresses or deny access to one specific address or a range of addresses You can define up to 100 IP address masks For example if you want to allow only 192 168 174 159 and block every other IP address click Denied access click Add then type 192 168 174 159 in the IP mask box This will deny access to all IP addresses except 19...

Page 36: ...ck Server Start or click Start on the toolbar To restart the DMZ Gateway On the DMZ Gateway main menu click Server Restart or click Restart on the toolbar To stop the DMZ Gateway On the DMZ Gateway main menu click Server Stop or click Stop on the toolbar Viewing Statistics In the DMZ Gateway administration interface you can view a variety of statistics Whether you click All Profiles or a specific ...

Page 37: ...g icons provide an indication of status Listening Inactive Warning Error The following columns displayed on the tab can be sorted by clicking the column header IP address IP address on which Peer Notification Channels communicate Port Port on which Peer Notification Channels communicates Active Sites Number of Sites connected to DMZ Gateway Active Connections Number of active connections to DMZ Ga...

Page 38: ...r creation failure Closed Inactive Listener IP Port address already assigned Statistics The Statistics tab of the Status panel displays the size and speed of server and client data being transferred When All Profiles is selected the aggregated data sizes are displayed and a Profile column displays the name of the applicable Profile The Statistics tab is configured by default to refresh automatical...

Page 39: ...ations Activity Logging The DMZ Gateway communications activity logging records messages relating to communications to a W3C Extended Log File formatted file By default this log file is created as installation directory logs DMZActivity log The format of the log file consists of a header at the beginning of the file and subsequent lines for each communications message generated by the DMZ Gateway ...

Page 40: ...t DMZ Gateway Server Diagnostics Logging The DMZ Gateway Server diagnostics logging functionality provides diagnostic level messages for the operation of the DMZ Gateway Server This diagnostic information may be used to identify errors warning and other information of interest that occur during the operation of the DMZ Gateway Server By default this functionality logs to the file installation dire...

Page 41: ... specified Profile Server The log is appended during each run of the DMZ Gateway service The log file automatically archives itself when reaching 10 MB in size and maintains the last 10 log files in the form DMZGatewayServerService log X where X is a number from 1 to 10 with 1 being the most recently archived log file and 10 being the oldest DMZ Gateway Server Event Viewer Windows Operating System...

Page 42: ...agnostic information may be used to identify errors or warnings that occur during the operation of the administration interface By default this functionality records to the file installation directory logs DMZGatewayAdmin log The log is appended during each run of the DMZ Gateway administration interface The log file automatically archives itself when reaching 10 MB in size and maintains the last ...

Page 43: ...g DMZ Gateway and allows you to enter the DMZ Gateway IP address and port number If Connect this site to EFT Server s DMZ Gateway is selected when you are creating a Site in the Site Setup wizard EFT Server attempts to establish a socket connection to DMZ Gateway when you click Next If the socket connection fails a message appears in which you are allowed to provide the DMZ Gateway information aga...

Page 44: ...elect the check boxes for the protocols and the ports that DMZ Gateway will use This is a separate configuration from the ports that EFT Server uses For example you could use port 21 for FTP traffic for EFT Server but port 14421 for FTP traffic through the DMZ Gateway 8 If you are using DMZ Gateway with a PASV mode IP address click PASV settings The Firewall NAT Routing dialog box appears a Select...

Page 45: ...o reside in the demilitarized zone and provide secure communication with the Mail Express Server behind intranet firewalls without requiring any inbound firewall holes between the internal network and the DMZ and with no sensitive data stored in the DMZ even temporarily When configured to use DMZ Gateway Mail Express functions normally giving no indication to end users of the system that the addit...

Page 46: ... Express client connections will typically include external recipients picking up files via the Pick Up portal and external users dropping off files via the Drop Off portal While the DMZ Gateway supports use of client ports other than port 443 it is highly recommended to use the default HTTPS port of 443 as this is the industry standard for HTTPS communications When using the standard port users w...

Page 47: ...ine the trading partner options 4 Add the Copy Move File to Host Action to the Rule 5 In the Rule pane click one of the undefined parameters e g FS PATH The Offload Action Wizard appears 6 Follow the instructions in Using DMZ Gateway as an Outbound Proxy to define the Rule Using DMZ Gateway as an Outbound Proxy Using the DMZ Gateway as proxy is available only in EFT Server Enterprise DMZ Gateway s...

Page 48: ...d protocol changes automatically based on the offload method Provide a different port number if necessary c Provide the Username and Password needed to establish the connection 6 Select the Use connected client s login credentials to authenticate check box if you want to use the local system account to authenticate 7 If you chose SFTP a In the SFTP Public Key File Path box type the path or click t...

Page 49: ...e Authentication check box then provide a Username and Password d Click OK to return to the Offload Action Wizard 9 Click Proxy 10 Select the Use proxy settings below when connecting to remote host check box click Use EFT Server s DMZ Gateway as the proxy then click OK to close the Proxy Settings dialog box 11 To specify transfer options and time stamps click Advanced The Advanced Options dialog b...

Page 50: ...de If the PASV connection fails the Server attempts to connect in PORT mode automatically PASV Helps avoid conflicts with security systems PASV support is necessary for some firewalls and routers because with PASV the client opens the connection to an IP Address and port that the Server supplies PORT Use PORT when connections or transfer attempts fail in PASV mode or when you receive data socket e...

Page 51: ... Source path box provide the path to the file s that you want to offload No validation is performed For example type pub usr jsmith file txt or mydomain common jsmith file txt 14 If you want to Delete source file after it has been offloaded select the check box 15 Click Next The Destination File Path page appears ...

Page 52: ...e YYYYMMDD and or time HHMMSS are added to the filename when it is moved copied Do not use EVENT TIME because the colon e g 28 Aug 07 10 01 56 makes it unsuitable for file naming For example in the Offload Action wizard in the Destination path box provide the path and variables For example type C Documents and Settings Administrator My Documents upload EVENT DATESTAMP _ EVENT TIMESTAMP _ FS FILE_N...

Page 53: ...nnecting to the server via DMZ Gateway and transferring a few files To test your configuration Suppose your server is at IP address 192 168 174 176 and DMZ Gateway is at IP address 192 168 174 142 and you have configured DMZ Gateway in the server to allow connections over the HTTPS port 443 1 Open a browser and in the address bar type https 192 168 174 142 the IP address of DMZ Gateway then press ...

Page 54: ...ng Access by IP Address for the procedure for blocking unblocking IP addresses 5 Verify that the DMZ Gateway settings in the server have the proper IP address and port and that the allowed protocols and ports have been defined for allowed incoming client connections 6 Try pinging from the server computer to the DMZ Gateway computer and from the DMZ Gateway computer to the server computer If you ca...

Page 55: ...P address e g 192 168 43 201 or an IP address mask using wildcards e g 192 168 43 For example if you want to allow only 192 168 174 159 and block every other IP address click Denied access click Add then type 192 168 174 159 in the IP mask box This will deny access to all IP addresses except 192 168 174 159 To specify the IP address or mask 1 In the IP Mask box specify the IP address or range of I...

Page 56: ...mputer should be used as the listening IP addresses To specify the client side and server side listening addresses 1 In the Listening IP boxes click the down arrow to select the IP address or leave the default of All Available All Available means that the communications code will listen on the IP address port combination ONLY IF that IP address port combination is not already being used by another...

Page 57: ... defaults Solaris ln sf etc init d dmzgatewayd etc rc0 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc1 d K99dmzgatewayd ln sf etc init d dmzgatewayd etc rc2 d S99dmzgatewayd ln sf etc init d dmzgatewayd etc rc3 d S99dmzgatewayd Deregister the script Redhat chkconfig del dmzgatewayd Suse insserv r dmzgatewayd Ubuntu rm etc init d dmzgatewayd update rc d dmzgatewayd remove Solaris rm etc rc0 d...

Page 58: ...DMZ Gateway User Guide 58 ...

Page 59: ...elp file is copyrighted confidential property of GlobalSCAPE Inc Copying use or disclosure without the express written consent of GlobalSCAPE Inc is prohibited DMZ Gateway Copyright 2005 2011 GlobalSCAPE Inc All rights reserved DMZ Gateway Release Notes The DMZ Gateway release notes document is available in the installation folder DMZ Gateway EULA The license agreement is available in the installa...

Page 60: ...DMZ Gateway User Guide 60 ...
