Adding proxy services


A reverse proxy service is an IP/Host, Port and Protocol combination that accepts client FTP/S, TCP (e.g. SFTP) or HTTP/S connection requests. To view existing reverse proxy services, click on the Services node. A list of services is displayed.

 

Figure 2

 


Client Protocol - The protocol used by the client to connect to the MFT Gateway Server. See Protocol types.

Server Protocol - The protocol used by the MFT Gateway Server to connect to the remote host.

Local Host - The local IP that connections are accepted on.

Local Port - The local port that connections are accepted on.

Remote Address / Cluster - The remote host:port or cluster that connections are forwarded to.

Agent Delegation - Indicates whether connections are delegated to listening agents or handled by the gateway directly.

State - The state of the service (running, stopped).

Uptime - The total uptime since service start.

Current Connections - The current number of active connections.

Total Connections - The total number of connections since service start.

 

Buttons

 

Add - Click this button to add a new proxy service.

Edit - Click this button to edit an existing proxy service.

Start - Click this button to start a stopped proxy service.

Delete - Click this button to delete an existing proxy service.

 

 

 

Protocol types

 

 

| Client protocol | Server protocol | Description |
|---|---|---|
| FTP | FTP | Forwards standard unencrypted FTP connections |
| FTP | Implicit FTPS | Forwards standard unencrypted FTP connections to a target encrypted Implicit SSL FTP service |
| FTP | SFTP | Forwards standard unencrypted FTP connections to a target SFTP service |
| FTPS | FTP | Forwards encrypted Implicit SSL FTP connections to a target standard FTP service |
| FTPS | FTPS | Forwards both standard unencrypted FTP connections and encrypted explicit SSL connections using AUTH TLS or AUTH SSL client commands |
| FTPS | SFTP | Forwards both standard FTP connections and encrypted FTPS connections to a target SFTP service |
| Implicit FTPS | FTP | Forwards encrypted implicit SSL FTP connections to a target FTP service |
| Implicit FTPS | Implicit FTPS | Forwards only encrypted implicit SSL FTP connections |
| Implicit FTPS | SFTP | Forwards encrypted implicit SSL FTP connections to a target SFTP service |
| HTTP | HTTP | Forwards HTTP connections to a target HTTP service |
| HTTP | HTTPS | Forwards HTTP connections to a target HTTPS service |
| HTTPS | HTTP | Forwards encrypted HTTPS connections to a target HTTP service |
| HTTPS | HTTPS | Forwards only encrypted HTTPS connections |
| TCP | TCP | Forwards connections without any protocol translation performed (Read and Write) |
| TCP | TCP/SSL | Forwards SSL encrypted connections without any protocol translation performed (Read and Write) |
| TCP/SSL | TCP | Forwards SSL encrypted connections to any TCP service |
| TCP/SSL | TCP/SSL | Forwards SSL encrypted connections without any protocol translation performed (Read and Write) |
| SFTP/SSH | SFTP/SSH | Forwards SFTP/SSH connections |
| SMTP | SMTP | Forwards plain SMTP connections |
| POP3 | POP3 | Forwards plain POP3 connections |
| IMAP4 | IMAP4 | Forwards plain IMAP4 connections |
| MySQL | MySQL | Forwards plain MySQL connections |
| UDP | UDP | Forwards connections without any protocol translation performed (Read and Write) |

 

 

 

Add service

 

To add a service, click the Add button.

 

When the next screen appears, select the Client protocol and Server protocol. Click OK to proceed.

 

Figure 55

 


Figure 3

 


Configure the following settings:

 

Basic

 

Local host - The local IP that connections are accepted on.

Local port - The local port that connections are accepted on.

Remote host - The remote host/IP that connections are forwarded to.

Remote port - The remote port that connections are forwarded to.

Timeout - The maximum time in seconds before the reverse proxy times out when attempting to establish a connection with the remote service.

Cluster - The cluster to forward connections to. This is used for load balancing purposes.

Delegate connections to available agents - If checked, connections will be handled by connected agents rather than by the gateway directly.

 

 

Advanced

 

The contents of the Advanced tab will vary depending on the proxy service chosen.

 

 

FTP/S service Advanced settings

 

 

Figure 85

 


Command channel timeout (sec) - The time in seconds that a client may remain inactive on the command channel before MFT Gateway forcefully disconnects it.

Data channel timeout (sec) - The time in seconds that a client may remain inactive on the data channel before MFT Gateway forcefully disconnects it.

Data channel buffer size - The buffer size (in bytes) the OS will use in the socket when buffering data coming in from the network via the data channel.

Data transfer buffer size - The buffer size (in bytes) that MFT Gateway will use when reading data from the socket.

Passive IP - The IP address to use in response to passive client requests. (See Setting passive IP for FTP/S services)

Do not use Passive IP for client IP matching regex - Passive IP will not be used for clients connecting from an IP matching the specified regular expression. This is useful in cases where you do not want internal users to have passive connections re-routed to an external IP address.

Passive port range - The passive port range to use in response to passive client requests. If not enabled, a random port range will be used. Ensure that this port range is open on any firewall that may be in front of the gateway.

Ignore PASV/LPSV/EPSV IP of server host - Ignores the IP address returned by the server when issuing PASV, LPSV or EPSV commands to the server. Instead, the IP address that the gateway is connected to will be used. This is only applicable to FTP/S protocols.

Block bounce attack - If enabled, FTP/S services will only be allowed to make PORT requests to the originating host.

Block PASV attack - If enabled, users will only be allowed to connect to passive data ports that are initiated by the same client on the command channel.

Shutdown server SSL - If enabled, the server must properly shut down SSL connections for the command channel when issuing the CCC command.

Shutdown client SSL - If enabled, the client must properly shut down SSL connections for the command channel when issuing the CCC command.

Enable FIPS compliance - This setting is not available in plain FTP. If switched ON, administrators will not be allowed to change allowed ciphers, whether through the GUI or administrative API. This setting is ideal for environments that need to comply with regulations requiring 'strong cryptography'. Many of these regulations only allow cryptographic algorithms recommended by duly recognized standards such as the Federal Information Processing Standards (FIPS).

SSL/TLS Ciphers - The SSL/TLS ciphers enabled for FTP/S services.
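
The checks described under Block bounce attack and Block PASV attack can be sketched as follows. This is an added example, not MFT Gateway code: the function and class names are hypothetical, the addresses are constructed documentation addresses, and it goes beyond the page's PORT case by also covering EPRT (RFC 2428).

```python
import ipaddress
import re

# Hypothetical helper names; this is not MFT Gateway code.
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_active_target(line):
    """Return (ip, port) named by a PORT or EPRT command, or None if malformed."""
    verb, _, arg = line.strip().partition(" ")
    verb, arg = verb.upper(), arg.strip()
    try:
        if verb == "PORT":  # PORT h1,h2,h3,h4,p1,p2 (RFC 959)
            m = _PORT_ARG.match(arg)
            if not m:
                return None
            nums = [int(x) for x in m.groups()]
            if max(nums) > 255:
                return None
            ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
            return ip, nums[4] * 256 + nums[5]
        if verb == "EPRT" and arg:  # EPRT |proto|addr|port| (RFC 2428)
            parts = arg.split(arg[0])  # the first character is the delimiter
            if len(parts) != 5 or parts[1] not in ("1", "2"):
                return None
            port = int(parts[3])
            return (ipaddress.ip_address(parts[2]), port) if 0 < port < 65536 else None
    except ValueError:
        pass
    return None

def allow_active_request(line, control_peer_ip):
    """Bounce check: accept only a data target equal to the command-channel peer."""
    target = parse_active_target(line)
    return target is not None and target[0] == ipaddress.ip_address(control_peer_ip)

class PassiveTable:
    """Remembers which command-channel client each open passive port belongs to."""
    def __init__(self):
        self._owner = {}

    def opened(self, port, control_peer_ip):
        self._owner[port] = ipaddress.ip_address(control_peer_ip)

    def allow_data_connection(self, port, data_peer_ip):
        owner = self._owner.get(port)
        if owner is None or owner != ipaddress.ip_address(data_peer_ip):
            return False  # unknown port or a different host: refuse, keep the entry
        del self._owner[port]  # consumed only by the rightful client
        return True
```

Malformed commands are refused rather than passed through, and a rejected data connection does not consume the passive port entry, so a third party cannot lock the rightful client out by connecting first.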

 

 

HTTP/S service Advanced settings

 

 

Figure 86

 


Connection timeout - The connection timeout for HTTP requests in seconds.

NAT host - The hostname or IP address to be used if MFT Gateway is running on a server that uses NAT. See Setting NAT host...

Channel buffer size - The buffer size (in bytes) the OS will use in the socket when buffering data coming in from the network.

Cache - The directory where the cache will be stored. See Caching HTTP/S content.

Enable FIPS compliance - This setting is not available in plain HTTP. If switched ON, administrators will not be allowed to change allowed ciphers, whether through the GUI or administrative API. This setting is ideal for environments that need to comply with regulations requiring 'strong cryptography'. Many of these regulations only allow cryptographic algorithms recommended by duly recognized standards such as the Federal Information Processing Standards (FIPS).

 

 

TCP-based service Advanced settings

 

 

Figure 87

 


Connection timeout - The connection timeout for TCP requests in seconds.

Channel buffer size - The buffer size (in bytes) the OS will use in the socket when buffering data coming in from the network.

Transfer buffer size - The buffer size (in bytes) that MFT Gateway will use when reading data from the socket.

 

 

UDP service Advanced settings

 

 

Figure 88

 


Connection timeout - The connection timeout for UDP requests in seconds.

 

 

 

See also

 

Adding service clusters

 

 

 

 

 






© 2023 Redwood Software, Inc.