DMZ Gateway® is designed to reside in the demilitarized zone and provide secure communication with a server behind intranet firewalls without requiring any inbound firewall holes between the internal network and the DMZ, and with no sensitive data stored in the DMZ, even temporarily. Currently, DMZ Gateway is supported with Globalscape's EFT platform and Mail Express®. DMZ Gateway supports connections to the applications using Profiles. Depending on the license purchased, you can have up to 15 Profiles (unique IP address:port connections).
How Does It Work?
When the EFT or Mail Express service is started, it will establish (and maintain) an outbound connection to the DMZ Gateway. This proprietary, non-encrypted connection is called the Peer Notification Channel (PNC). EFT or Mail Express and DMZ Gateway use the PNC to set up subsequent communications between EFT or Mail Express and incoming client connections.
When a client (web browser, FTP client, etc.) connects to DMZ Gateway on a pre-approved port (21, 22, 80, 443, etc.), DMZ Gateway will cross-reference the client’s IP with the IP access list (provided by EFT or Mail Express over the PNC) before proceeding any further. (Mail Express currently only supports HTTPS and does not use an IP ban/access list, as EFT does.)
If the IP is accepted, DMZ Gateway will notify EFT or Mail Express over the PNC of the new client connection, providing data such as the client’s IP address and the port to which they are connected.
EFT or Mail Express will subsequently create a new outbound connection to the DMZ Gateway, to the same port used by the PNC, so that it can be associated with the client connection made in step 2.
DMZ Gateway will then proceed to read the inbound payload data from the client and send the payload data to EFT or Mail Express for processing. DMZ Gateway will also read any outbound data communication from EFT or Mail Express and send it to the client.
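The brokering flow above, as an added model written for this page (not Globalscape's code): the gateway gates each client on the access list before reading any payload, notifies the internal server over the PNC, waits for the server's own outbound connection, and keeps an audit trail showing that nothing ever connects inward. The PNC port, the CIDR allow-list form and the session numbering are assumptions of the model.

```python
import ipaddress
from collections import deque

class DmzGateway:
    def __init__(self, pnc_port, approved_ports):
        self.pnc_port = pnc_port              # assumed: PNC listens on one port
        self.approved_ports = set(approved_ports)
        self.access_list = []                 # CIDR networks pushed by EFT over the PNC
        self.pnc = deque()                    # notifications waiting for EFT to read
        self.pending = {}                     # session id -> (client ip, port)
        self.paired = {}                      # session id -> True once EFT connected back
        self.connections = []                 # audit trail: (src, dst, port) of every connect

    def pnc_connect(self, access_list):
        # EFT dials OUT to the gateway and supplies the IP access list (modelled as allow-list).
        self.connections.append(("eft", "gateway", self.pnc_port))
        self.access_list = [ipaddress.ip_network(c) for c in access_list]

    def client_connect(self, client_ip, port):
        # Client hits an approved port; the access list is checked before any payload is read.
        ip = ipaddress.ip_address(client_ip)
        if port not in self.approved_ports or not any(ip in n for n in self.access_list):
            return None                       # dropped; EFT is never told about it
        sid = len(self.pending) + 1           # constructed session numbering
        self.pending[sid] = (client_ip, port)
        # Notify EFT over the PNC with the client's IP and the port it connected to.
        self.pnc.append({"session": sid, "client_ip": client_ip, "port": port})
        return sid

    def eft_connect_back(self):
        # EFT reads the PNC notification and opens a NEW outbound connection to the
        # gateway's PNC port, which the gateway associates with the waiting client.
        note = self.pnc.popleft()
        self.connections.append(("eft", "gateway", self.pnc_port))
        self.paired[note["session"]] = True
        return note["session"]

    def relay(self, sid, payload):
        # Gateway forwards bytes between the paired sockets; it retains nothing.
        if not self.paired.get(sid):
            raise RuntimeError("no EFT connection for this client yet")
        return payload                        # would be written straight to the peer socket

    def inbound_to_intranet(self):
        # Audit: the design requires that no connection is ever made toward EFT.
        return [c for c in self.connections if c[1] == "eft"]
```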
The graphic below describes the flow in EFT (similar in Mail Express):