DMZ Gateway User Guide

Contents
Introduction to GlobalSCAPE DMZ Gateway (page 5)
    How Does it Work? (page 5)
Manually Registering and Deregistering the DMZ Gateway Server Daemon (page 21)
    RedHat Enterprise Linux (page 21)
    SuSE Linux (page 21)
    Ubuntu Linux (page 22)
    Solaris (page 22)
Upgrading or Repairing DMZ Gateway (page 22)
DMZ Gateway System Files (page 28)
The DMZ Gateway Interface (page 28)
Starting the DMZ Gateway Server Service (page 29)
Specifying the Listening IP Addresses (page 30)
    What Does This Mean for the Peer Server Listeners? (page 30)
    What Does This Mean for the Client Listeners? (page 30)
Creating a Profile (page 31)
Renaming a Profile (page 33)
Deleting a Profile (page 33)
Editing a Profile (page 34)
Controlling Access by IP Address (page 35)
Managing the DMZ Gateway Server Service (page 36)
IP Access Exception Entry Dialog Box (page 55)
New Profile Wizard--Profile name (page 55)
New Profile Wizard--Peer Server Access (page 56)
New Profile Wizard--Configuration (page 56)
Frequently Used Commands (non-Windows) (page 57)
License, Copyrights, and Release Notes (page 61)
    Copyright Information (page 61)
GlobalSCAPE® DMZ Gateway is designed to reside in the demilitarized zone and provide secure
communication with a server behind intranet firewalls without requiring any inbound firewall holes
between the internal network and the DMZ, and with no sensitive data stored in the DMZ, even
temporarily. DMZ Gateway supports connections from the server through the use of Profiles (depending
on the license purchased).
How Does it Work?
Using EFT Server as an example of the server as illustrated below, when a Site is started, EFT Server
establishes an outbound connection to the DMZ Gateway (1). This proprietary, non-encrypted connection
is called the Peer Notification Channel (PNC). EFT Server and DMZ Gateway use the PNC to setup
subsequent communications between EFT Server and incoming client connections.
When a client (web browser, FTP client, etc.) connects to the DMZ Gateway (2) on one of the pre-approved
ports (21, 22, 80, 443, etc.), DMZ Gateway creates a new "listener" (3) on an ephemeral port and
gives this port and other relevant information to EFT Server over the PNC (4).
EFT Server then generates a new outbound connection (5) to the ephemeral port created by the DMZ
Gateway. Next, the DMZ Gateway "glues" the incoming client connection together with EFT Server’s new
connection (6), and from that point forward, the client’s communications are streamed through the DMZ
Gateway to EFT Server over this connection (7).
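The brokering sequence above (steps 1 to 7), as an added example that is not taken from the guide or from GlobalSCAPE's code: a toy Python re-implementation run over loopback. The PNC message format (a one-line JSON notice) and the use of a socketpair for the already-established PNC are assumptions, since the real PNC is proprietary and not described here. It shows the three properties the design relies on: the internal server only ever connects outbound, the payload is relayed byte-for-byte, and the server learns the real client address.

```python
import json
import socket
import threading

BUF = 4096  # the guide says the gateway relays roughly 4 KB of client data at a time

def _pump(src, dst):
    """Relay bytes src -> dst unmodified until EOF, then half-close dst."""
    while chunk := src.recv(BUF):
        dst.sendall(chunk)  # payload is copied byte-for-byte, never rewritten
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def gateway(pnc, client):
    """DMZ side (steps 3, 4 and 6): ephemeral listener, PNC notice, then glue."""
    eph = socket.create_server(("127.0.0.1", 0))  # port 0: the OS picks the ephemeral port (3)
    notice = {"port": eph.getsockname()[1], "client": client.getpeername()}
    pnc.sendall(json.dumps(notice).encode() + b"\n")  # (4) assumed PNC message format
    server, _ = eph.accept()  # (5) the internal server connected OUT to us
    eph.close()
    t = threading.Thread(target=_pump, args=(server, client), daemon=True)
    t.start()
    _pump(client, server)  # (6)/(7): both directions now stream through the gateway
    t.join()

def internal_server(pnc, handler):
    """Intranet side: read one PNC notice, then connect outbound to that port.
    Nothing ever listens on the internal network for client traffic."""
    line = b""
    while not line.endswith(b"\n"):
        line += pnc.recv(1)
    notice = json.loads(line)
    with socket.create_connection(("127.0.0.1", notice["port"])) as s:
        handler(s, notice)

def demo(payload=b"USER alice\r\n"):
    """Loopback run; returns (reply, client addr the server learned, real client addr)."""
    pnc_gw, pnc_srv = socket.socketpair()  # (1) the PNC, assumed already established
    front = socket.create_server(("127.0.0.1", 0))  # the gateway's pre-approved port
    seen = {}

    def echo(s, notice):  # stands in for the real server's protocol handling
        seen["client"] = tuple(notice["client"])
        s.sendall(s.recv(BUF).upper())
    threading.Thread(target=internal_server, args=(pnc_srv, echo), daemon=True).start()
    cli = socket.create_connection(front.getsockname())  # (2) client reaches the DMZ
    cli.settimeout(5)
    threading.Thread(target=gateway, args=(pnc_gw, front.accept()[0]), daemon=True).start()
    cli.sendall(payload)
    cli.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: cli.recv(BUF), b""))  # read until the gateway half-closes
    return reply, seen["client"], cli.getsockname()
```

The returned addresses match because the gateway hands the client's own address to the server instead of its own, which is the "client impersonation" behaviour described in Technical Details.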
Technical Details
The DMZ Gateway routes all client data to the server over the server-initiated socket without any
translation or modification to the packet’s payload. Thus, if the client is using HTTPS, then HTTPS traffic
goes over that streaming connection. Unlike a network hardware bridge/router device, the DMZ Gateway
does not "pass through" modified packets. The DMZ Gateway reads in a buffer full of data from the client
TCP/IP stream (~4KB) and then sends that data over the server's TCP/IP socket. They are completely
different TCP/IP packets with different source and destination locations; however, the payload is NOT
changed at all.
The DMZ Gateway does not forward client requests. The Peer Notification Channel (PNC) is used for
brokering new incoming client connections using the process outlined above. Once the incoming client
connection and the server connection are "glued" together, the client’s requests are streamed through the
DMZ Gateway to the server.
Both external (DMZ Gateway cloud facing) and internal (server-network facing) listening ports are
specified from within the server for each supported (and enabled) protocol. These ports can be the same
or different (even for the same protocol).
Once configured to work with the DMZ Gateway, the server (when running) will always attempt to initiate,
maintain, and if necessary reconnect to the DMZ Gateway server. No further administrative action is
required in the server to establish or maintain communications after the initial setup. From the DMZ
Gateway server's perspective, if the PNC is broken, it refuses new (and existing) client
connections until the server re-establishes the connection.
The server periodically queries the DMZ Gateway. If a reply is not received within 10 seconds, the server
considers the connection lost, severs the current connection, and then attempts to reconnect. The DMZ
Gateway also maintains its own awareness (ping/pong) of whether the server is connected. Every 30
seconds, DMZ Gateway determines whether it has received a pong message from the server since the
last ping. If it has, it will ping again; if not, it drops the connection. This allows it to free up ports if the
server is not available (no longer responds to ping) and for error reporting. (Refer to the Knowledge Base
article "How do EFT Server and DMZ Gateway Server communicate with each other?" for information
about changing these defaults in EFT Server 6.2 and later and DMZ Gateway 3.0 and later.)
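The two keepalive timers described above, as an added example that is not from the guide: a deterministic simulation with a constructed clock (one-second ticks, assuming pongs and query replies arrive every second while the peer is healthy) showing how soon each side notices a dead peer. With the defaults stated above the server gives up 10 s after the last reply, while the gateway can take up to 60 s after the last pong, which is the window in which a dead server's ephemeral ports linger.

```python
class GatewayPncWatch:
    """Gateway side, as the guide describes it: every 30 s keep the PNC only if a
    pong arrived since the last ping; otherwise drop it and free its ports."""
    INTERVAL = 30.0

    def __init__(self, now=0.0):
        self.last_ping, self.pong_seen, self.connected = now, False, True
        self.log = [f"ping@{now:g}"]

    def on_pong(self):
        self.pong_seen = True

    def tick(self, now):
        if not self.connected or now - self.last_ping < self.INTERVAL:
            return
        if self.pong_seen:
            self.pong_seen, self.last_ping = False, now
            self.log.append(f"ping@{now:g}")
        else:
            self.connected = False
            self.log.append(f"drop@{now:g}")

class ServerPncWatch:
    """Server side: if a query gets no reply within 10 s, sever and reconnect."""
    TIMEOUT = 10.0

    def __init__(self, now=0.0):
        self.sent_at, self.connected = now, True

    def on_reply(self, now):
        self.sent_at = now  # reply arrived; the next query goes out right away

    def tick(self, now):
        if self.connected and now - self.sent_at >= self.TIMEOUT:
            self.connected = False  # sever the PNC and start reconnecting

def simulate(healthy_until, horizon=120):
    """Constructed scenario: the peer answers every second until `healthy_until`,
    then goes silent. Returns (server gave up at, gateway gave up at, gateway log)."""
    gw, srv = GatewayPncWatch(), ServerPncWatch()
    gw_drop = srv_drop = None
    for now in range(horizon + 1):  # one-second ticks; all times in seconds
        if now < healthy_until:  # peer alive: its pongs and query replies arrive
            gw.on_pong()
            srv.on_reply(now)
        gw.tick(now)
        srv.tick(now)
        if gw_drop is None and not gw.connected:
            gw_drop = now
        if srv_drop is None and not srv.connected:
            srv_drop = now
    return srv_drop, gw_drop, gw.log
```

With the peer going silent at 45 s the server severs at 54 s but the gateway only drops at 90 s, since the pong it received before the outage still satisfies the 60 s check.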
DMZ Gateway performs client impersonation, which means none of the sockets created via the DMZ
Gateway have the DMZ Gateway IP address and port; instead, all sockets created through the DMZ
Gateway have the IP address and port of the client connection. This results in the server’s logs showing
the actual connecting client IP addresses and ports, rather than those of the DMZ Gateway.
Because the client connection is streamed through the DMZ Gateway to the server, user authentication is
handled by the server, as if the client were logging in directly to the server from the internal network.
With EFT Server, the DMZ Gateway can restrict incoming server PNC connections based upon IP
address. The DMZ Gateway can also restrict incoming client connections via the IP address ban feature.
Any IP addresses banned (manually or automatically) in EFT Server will also be banned by the DMZ
Gateway.
The server and DMZ Gateway PNC connection does not employ username and password credentials.
There is nothing sensitive contained in the PNC notifications that requires encryption.
DMZ Gateway Initialization and Connection Diagrams
The diagrams below illustrate the initialization and connection sequences for DMZ Gateway and EFT
Server communication.
What's New in DMZ Gateway
DMZ Gateway was completely rebuilt for version 3. DMZ Gateway can now be installed not only on
Windows, but also on RedHat, SuSE Linux, and Solaris, on 32-bit or 64-bit operating systems. (For a list
of supported operating systems, refer to System Requirements for DMZ Gateway.)
Other changes include:
• Can connect to up to 15 EFT Server Sites simultaneously
• Can connect to Mail Express Server
• IP address access policy changes are now automatically propagated to DMZ Gateway when the policy is modified in EFT Server, whether in the EFT Server interface or by the auto-ban logic
• DMZ Gateway's interface was completely redesigned to accommodate multiple profiles and extended communication information
• Moved DMZ Gateway licensing to the server to simplify DMZ Gateway installation and activation
• Logging was improved and expanded
• Hardened to better withstand attacks from several Denial of Service (DoS) attack tools
Installing DMZ Gateway
The topics in this section provide instructions for installing DMZ Gateway.
System Requirements for DMZ Gateway
Installing DMZ Gateway on Windows Systems
Installing DMZ Gateway on non-Windows Systems
Activating DMZ Gateway
Manually Registering and Deregistering the DMZ Gateway Server Daemon
Upgrading or Repairing DMZ Gateway
Uninstalling DMZ Gateway
System Requirements for DMZ Gateway v3
The GlobalSCAPE Quality Assurance team tests our products with a variety of operating systems,
software, and hardware. It is possible for DMZ Gateway to function with other operating systems,
software, and hardware, but is only tested and approved for use with the following:
• Accepts incoming connections from EFT Server Enterprise v6.2 and later, and EFT Server 6.2 and later. (Versions prior to v6.2 require DMZ Gateway v2.)
• Accepts incoming connections from Mail Express Server v3 and later
• Supported operating systems:
    o Windows Server 2003 32-bit and 64-bit
    o Windows Server 2008 R1 & R2 32-bit and 64-bit
    o Red Hat Enterprise Linux release 5.4 32-bit and 64-bit
    o SuSE Linux Enterprise Server release 11 32-bit and 64-bit
    o Ubuntu 8.04 LTS Server Edition 32-bit and 64-bit
    o Solaris 10 10/09 32-bit and 64-bit
• x86-compatible processor (Itanium 64-bit processors are not supported)
• 1 GB memory
• 1024x768 resolution or higher display (headless computer supported on non-Windows systems)
• Remote administration must be available.
• On Solaris and Linux-based systems, the administration interface operates locally; therefore, you must:
    o Export the display to a remote X server to access the user interface.
    o Make available on the DMZ Gateway computer the subset of X11 libraries necessary for exporting the display.
    o Properly configure a remote X11 server. The DMZ Gateway Server may be manually configured without the use of the administration interface.
Installing DMZ Gateway on a Windows System
DMZ Gateway and the connecting server must be installed on separate computers. For details of
installing DMZ Gateway in a cluster configuration, refer to
http://help.globalscape.com/help/guides/InstallingDMZGatewayInCluster.pdf. If a previous product version
is installed, the installer prompts you to uninstall the previous version before installing the new version.
To install DMZ Gateway
1. Close all unnecessary applications so that the installer can update system files without rebooting
the computer.
2. Start the installer. The Welcome page appears.
3. Click Next. The License Agreement appears.
4. Read the license, then click I Agree.
5. If an existing installation is detected, refer to Upgrading or Repairing DMZ Gateway. Otherwise,
the Choose Installation Location page appears.
6. The Destination Folder box displays the default location. Keep the default displayed in the box
or click Browse to specify a different location. Also displayed is the amount of hard drive space
required to install the program.
7. Click Next. The Choose Configuration Location page appears.
8. In the Configuration Folder box, specify the path at which to store configuration files for DMZ
Gateway. The installation location is specified by default, but you can specify a separate location
for backup and disaster recovery or for shared resources, such as with a cluster environment.
9. Click Next. The shortcuts page appears.
A shortcut to open the DMZ Gateway interface will be installed on the Start menu in a folder
called GlobalSCAPE. You can keep this default location or specify a different location in which to
install the shortcut.
10. Click Install. The product is installed and the installation log appears.
11. Click Next. The completed page appears.
The Start the Administration Interface, Create a desktop shortcut, and Start the DMZ Gateway
Server service check boxes are selected by default. Select the Show version history check box if
you want to read the release notes. (You can also access the release notes in the installation
folder.)
12. Click Finish. If you left the Start the Administration Interface check box selected, the DMZ
Gateway Administration Interface appears.
A default Profile is defined using the IP address of the computer on which you installed DMZ Gateway
and the default port of 44500.
Refer to Editing a Profile to change the IP address/port assignments.
Refer to Creating a Profile to create new/additional Profiles.
Refer to Controlling Access by IP Address to specify which IP addresses or IP masks are allowed
or denied connections.
Installing DMZ Gateway on a non-Windows System
The installation process on each non-Windows operating system is basically the same with a few minor
differences. The basic process of installation can be described as follows:
1. Copy the appropriate installer archive file (.tgz) to the target machine.
2. Extract the contents of the installer archive. The archive contains 2 files: an installation script and
an archive of the actual program files.
3. Run the installation script as root and follow the prompts.
The process for supported non-Windows operating systems is described below. (For installation on
Windows systems, refer to Installing DMZ Gateway.)
The installation script includes registering and starting the DMZ Gateway server daemon (configuring it to
auto-start on system start and auto-stop on system stop). Alternately, you can start the server manually
using the command <InstallDir>/bin/dmzgatewayd start. Refer to Manually Registering and
Deregistering the DMZ Gateway Server Daemon if you decide not to register the daemon during the
installation process.
Installing DMZ Gateway on RedHat or SuSE Linux 32-Bit or 64-Bit
To install DMZ Gateway
1. Transfer the DMZ Gateway Linux x86 installer archive to a convenient directory on the target
machine.
2. On the target machine, open a terminal window. The installation package must be run with root
privileges. If not already logged on as the root user, change to root using the su command in the
terminal window:
su
3. Change to the directory containing the installer archive and perform the following:
On 32-bit systems:
gunzip dmz-gateway-linux-x86-32.tgz
tar xvf dmz-gateway-linux-x86-32.tar
./Install.sh
On 64-bit systems:
gunzip dmz-gateway-linux-x86-64.tgz
tar xvf dmz-gateway-linux-x86-64.tar
./Install.sh
4. Follow the prompts to complete the installation.
o You will be prompted to accept the license agreement, and to specify the installation and
configuration directories (e.g., /opt/dmzgateway), etc.
o After everything is installed, you will be prompted to register and start the DMZ Gateway
daemon service.
o If you start the service, you can execute the DMZ Gateway Administration interface script
Refer to the example below for details of the installation process.
Installing DMZ Gateway on Ubuntu Linux 32-Bit or 64-Bit
To install DMZ Gateway
1. Transfer the DMZ Gateway installer archive into a convenient directory on the target machine.
2. On the target machine, open a terminal window.
3. Change to the directory containing the installer archive and perform the following:
On 32-bit systems:
gunzip dmz-gateway-linux-x86-32.tgz
tar xvf dmz-gateway-linux-x86-32.tar
sudo ./Install.sh
On 64-bit systems:
gunzip dmz-gateway-linux-x86-64.tgz
tar xvf dmz-gateway-linux-x86-64.tar
sudo ./Install.sh
4. Follow the prompts to complete the installation.
o You will be prompted to accept the license agreement, and to specify the installation and
configuration directories (by default, /opt/dmzgateway), etc.
o After everything is installed, you will be prompted to register and start the DMZ Gateway
daemon service.