GlobalSCAPE® DMZ Gateway is designed to reside in the demilitarized zone and provide secure communication with EFT Server behind intranet firewalls without requiring any inbound firewall holes between the internal network and the DMZ, and with no sensitive data stored in the DMZ, even temporarily.
DMZ Gateway (single-Site) supports connections from EFT Server or EFT Server Enterprise.
DMZ Gateway Enterprise (multi-Site) connects to EFT Server Enterprise only. DMZ Gateway Enterprise supports multiple simultaneously connected Sites through the use of Profiles.
As illustrated below, when an EFT Server Site is started, EFT Server establishes an outbound connection to the DMZ Gateway (1). This proprietary, non-encrypted connection is called the Peer Notification Channel (PNC). EFT Server and DMZ Gateway use the PNC to set up subsequent communications between EFT Server and incoming client connections.
When a client (web browser, FTP client, etc.) connects to the DMZ Gateway (2) on the pre-approved ports (21, 22, 80, 443, etc.), DMZ Gateway creates a new “listener” (3), called an ephemeral port, and gives this port and other relevant information to EFT Server over the PNC (4).
EFT Server then generates a new outbound connection (5) to the ephemeral port created by the DMZ Gateway. Next, the DMZ Gateway "glues" the incoming client connection together with EFT Server’s new connection (6), and from that point forward, the client’s communications are streamed through the DMZ Gateway to EFT Server over this connection (7).
The DMZ Gateway routes all client data to EFT Server over the EFT Server-initiated socket without any translation or modification to the packet’s payload. Thus, if the client is using HTTPS, then HTTPS traffic goes over that streaming connection. Unlike a network hardware bridge/router device, the DMZ Gateway does not "pass through" modified packets. The DMZ Gateway reads in a buffer full of data from the client TCP/IP stream (~4KB) and then sends that data over the EFT Server TCP/IP socket. They are completely different TCP/IP packets with different source and destination locations; however, the payload is NOT changed at all.
The DMZ Gateway does not forward client requests. The Peer Notification Channel (PNC) is used for brokering new incoming client connections using the process outlined above. Once the incoming client connection and the EFT Server connection are "glued" together, the client’s requests are streamed through the DMZ Gateway to EFT Server.
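The seven-step exchange described above, as a constructed Python simulation on loopback (an added example, not GlobalSCAPE code). `Gateway` stands in for DMZ Gateway and `InternalServer` for EFT Server; the PNC message layout (`PNC_MSG`: ephemeral port plus the client's IPv4 address and port) is an assumption about what the "other relevant information" contains, and the one-line request/reply is a stand-in application protocol. What it makes concrete is the design's security property: every socket the internal side opens is outbound, the gateway never dials inward, and the relay copies bytes without touching the payload.

```python
import socket
import struct
import threading

# Constructed simulation of the brokering flow described above; not GlobalSCAPE code.
# The PNC message layout is an assumption: ephemeral port, client IPv4, client port.
BUFFER_SIZE = 4096                  # page: ~4KB reads relayed with the payload unchanged
TIMEOUT = 5.0                       # keeps the demo from hanging if a step fails
PNC_MSG = struct.Struct("!H4sH")


def _listener(host):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))               # port 0: the OS picks a free port
    s.listen(5)
    s.settimeout(TIMEOUT)
    return s


def _pump(src, dst):
    """Step 7: copy bytes src->dst without touching the payload; half-close dst at EOF."""
    try:
        while True:
            chunk = src.recv(BUFFER_SIZE)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Gateway:
    """DMZ side: owns the public listener and the PNC; it never connects inward."""
    def __init__(self, host="127.0.0.1"):
        self.host = host
        self.pnc_listener = _listener(host)
        self.public_listener = _listener(host)
        self.pnc_port = self.pnc_listener.getsockname()[1]
        self.public_port = self.public_listener.getsockname()[1]
        self.pnc = self.last_ephemeral_port = None

    def accept_pnc(self):
        self.pnc, _ = self.pnc_listener.accept()                    # step 1: EFT dials out

    def serve_one_client(self):
        client, (cip, cport) = self.public_listener.accept()        # step 2
        ephemeral = _listener(self.host)                            # step 3
        self.last_ephemeral_port = eph_port = ephemeral.getsockname()[1]
        self.pnc.sendall(PNC_MSG.pack(eph_port, socket.inet_aton(cip), cport))  # step 4
        server_side, _ = ephemeral.accept()                         # step 5: EFT dials out again
        ephemeral.close()                                           # one-shot listener
        for a, b in ((client, server_side), (server_side, client)):  # step 6: glue
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()


class InternalServer:
    """Stand-in for EFT Server behind the firewall; every socket it opens is outbound."""
    def __init__(self, gateway_host, pnc_port):
        self.gateway_host = gateway_host
        self.pnc = socket.create_connection((gateway_host, pnc_port))   # step 1 (blocking socket)
        self.seen_client, self.received = None, b""

    def handle_one_notification(self):
        raw = self.pnc.recv(PNC_MSG.size, socket.MSG_WAITALL)            # step 4: whole message
        eph_port, ip_raw, cport = PNC_MSG.unpack(raw)
        self.seen_client = (socket.inet_ntoa(ip_raw), cport)
        with socket.create_connection((self.gateway_host, eph_port), timeout=TIMEOUT) as conn:  # step 5
            self.received = b"".join(iter(lambda: conn.recv(BUFFER_SIZE), b""))  # read to EOF
            conn.sendall(b"OK " + self.received)                          # toy application reply


def run_demo(payload=b"hello gateway\n"):
    gw = Gateway()
    srv = InternalServer(gw.host, gw.pnc_port)
    gw.accept_pnc()
    workers = [threading.Thread(target=srv.handle_one_notification, daemon=True),
               threading.Thread(target=gw.serve_one_client, daemon=True)]
    for t in workers:
        t.start()
    with socket.create_connection((gw.host, gw.public_port), timeout=TIMEOUT) as client:  # step 2
        local = client.getsockname()
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)          # done sending; the EOF travels through the pump
        reply = b"".join(iter(lambda: client.recv(BUFFER_SIZE), b""))
    for t in workers:
        t.join(TIMEOUT)
    return {"reply": reply, "server_received": srv.received, "server_saw_client": srv.seen_client,
            "client_local_addr": local, "ephemeral_port": gw.last_ephemeral_port}


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns what each side observed: the reply the client got back, the bytes the internal server received (identical to what the client sent, because the pump never rewrites the payload), and the client address the server learned over the PNC. The simulation does not reproduce client impersonation: on loopback the glued sockets carry the gateway's own address, so server-side logs in this toy would show the gateway rather than the client.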
Both external (DMZ Gateway, cloud-facing) and internal (EFT Server, network-facing) listening ports are specified from within EFT Server for each supported (and enabled) protocol. These ports can be the same or different (even for the same protocol).
Once configured to work with the DMZ Gateway, EFT Server (when running) will always attempt to initiate, maintain, and if necessary reconnect to the DMZ Gateway server. No further administrative action is required in EFT Server to establish or maintain communications after the initial setup. From the DMZ Gateway server perspective, if the PNC is broken, it will refuse new (and existing) client connections until EFT Server re-establishes a connection.
EFT Server queries the DMZ Gateway once every 5 minutes. If a reply is not received within 10 seconds, EFT Server considers the connection lost, severs the current connection, and then attempts to reconnect. The DMZ Gateway also maintains its own awareness (ping/pong) of whether EFT Server is connected. Every 30 seconds, DMZ Gateway determines whether it has received a pong message from EFT Server since the last ping. If it has, it will ping again; if not, it drops the connection. This allows it to free up ports if EFT Server is not available (no longer responds to ping) and for error reporting.
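The two liveness checks above, modeled in simulated time as an added example (not GlobalSCAPE code): `GatewayLiveness` implements the 30-second pong check, and `eft_detects_loss_at` the 5-minute query with its 10-second reply timeout. The assumed scenario is that replies are instantaneous until the PNC goes quiet at `silent_from` (a dropped firewall state entry, say) and nothing is heard afterwards; the functions then report how long each side keeps treating the channel as up, which is the window during which the gateway is still brokering (or, once it has dropped the PNC, refusing) client connections.

```python
# Constructed model of the two liveness checks described above; not GlobalSCAPE code.
# Times are simulated seconds; the intervals are the ones the page gives.
GW_PING_INTERVAL = 30       # gateway: every 30 s, "did a pong arrive since my last ping?"
EFT_QUERY_INTERVAL = 300    # EFT Server: query the gateway every 5 minutes
EFT_REPLY_TIMEOUT = 10      # EFT Server: no reply within 10 s => connection lost


class GatewayLiveness:
    """Gateway side: at each tick, ping again if a pong arrived since the last ping, else drop."""
    def __init__(self):
        self.pinged = False          # a ping is outstanding
        self.pong_seen = False       # a pong arrived since that ping
        self.dropped_at = None

    def on_pong(self, t):
        self.pong_seen = True

    def tick(self, t):
        if self.dropped_at is not None:
            return "dropped"
        if self.pinged and not self.pong_seen:
            self.dropped_at = t      # frees the PNC and any brokered ports
            return "drop"
        self.pinged, self.pong_seen = True, False
        return "ping"


def eft_detects_loss_at(silent_from, horizon=1200):
    """EFT side: the first query sent on or after the silence starts goes unanswered for 10 s."""
    for t in range(0, horizon + 1, EFT_QUERY_INTERVAL):
        if t >= silent_from:
            return t + EFT_REPLY_TIMEOUT
    return None


def gateway_detects_loss_at(silent_from, horizon=1200):
    """Drive the gateway state machine; pongs come back instantly until the PNC goes silent."""
    gw = GatewayLiveness()
    for t in range(0, horizon + 1, GW_PING_INTERVAL):
        if gw.tick(t) == "drop":
            return t
        if t < silent_from:
            gw.on_pong(t)
    return None


def detection_delays(silent_from):
    """How long each side keeps believing the PNC is up after it has gone quiet."""
    return {"gateway": gateway_detects_loss_at(silent_from) - silent_from,
            "eft_server": eft_detects_loss_at(silent_from) - silent_from}


if __name__ == "__main__":
    for d in (0, 100, 299, 301):
        print(d, detection_delays(d))
```

The gateway notices within 30 to 60 seconds regardless of when the silence starts, because it only needs one missed pong; EFT Server's detection depends on where the silence falls in its 5-minute cycle, from 10 seconds up to just over 5 minutes. Until EFT Server reconnects, the gateway has no PNC to broker over, so the longer EFT-side window is the one that bounds the client-facing outage.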
DMZ Gateway performs client impersonation, which means none of the sockets created via the DMZ Gateway have the DMZ Gateway IP address and port; instead, all sockets created through the DMZ Gateway have the IP address and port of the client connection. This results in EFT Server’s logs showing the actual connecting client IP addresses and ports, rather than those of the DMZ Gateway.
Because the client connection is streamed through the DMZ Gateway to the EFT Server, user authentication is handled by EFT Server, as if the client were logging in directly to EFT Server from the internal network.
The DMZ Gateway can restrict incoming EFT Server PNC connections based upon IP address. The DMZ Gateway can also restrict incoming client connections via the IP address ban feature. Any IP addresses banned (manually or automatically) in EFT Server will also be banned by the DMZ Gateway.
The EFT Server and DMZ Gateway PNC connection does not employ username and password credentials. There is nothing sensitive contained in the PNC notifications that requires encryption.