DMZ Gateways

PreviousDeleting a STENG NextDMZ Clusters

Last updated 17 days ago

DMZ Gateways

In the DMZ Gateway section you can add, modify or delete a DMZ gateway.

DMZ Gateways can be filtered in the Filters panel on the right of the page. Entries can be filtered by Name, Internal port, Internal address, and External address.

Learn how to use the toolbar at the top of the page .

To create a new DMZ Gateway, click Setup → DMZ Gateways → New and complete these properties:

Name

The Name field can only contain alphanumeric characters. The minus '-' and underscore '_' characters are accepted, as long as they are NOT at the beginning/end of the Name. For example:

DMZ_Gateway is accepted
_DMZGateway is not accepted

Other special characters are not accepted, e.g. no hash #, asterisk *, percent %, dollar sign $, ampersand &, pipe | and so on.

Description
Internal Address
External Address
Internal Port

🚀 Blocking users automatically at the DMZ level

The DMZ can be configured to reject authentication attempts from invalid users, without needing to request verification from the STENG.

To prevent unauthorized access to the DMZ, a blacklist must be created and added to an internal DMZ directory:

wlp/usr/server/dmzgw/dmz/conf/blacklist.users.txt

A whitelist can also be created and added to the same directory:

wlp/usr/server/dmzgw/dmz/conf/whitelist.users.txt

The file blacklist.users.txt contains the usernames or patterns of usernames to be blocked.

The file whitelist.users.txt contains usernames or patterns of usernames that are permitted to access the DMZ by bypassing the blacklist, as long as their credentials are correct. The whitelist does not grant access without credentials; it only creates exceptions to the blacklist. For example, if the blacklist includes the pattern prim*, no users whose usernames start with "prim" will be able to authenticate. However, if it's necessary to allow the user primeur-prod to authenticate, this username can be added to the whitelist. This creates an exception to the blacklist, enabling only the user primeur-prod to log in.

If a user is on both the blacklist and whitelist, they are allowed to access the system. If a blacklisted user attempts to log in, they will receive a bad credentials error.

In the .txt files:

Usernames are case-insensitive.
The * special character is allowed for any character, string or space.
Any spaces at the beginning or end of the line are removed.
Blank lines are removed.

Each line of the .txt file should contain either individual usernames or patterns that include multiple users. For example, you can use prim* to represent all usernames that begin with prim.

If two or more usernames are listed on the same line of the blacklist, none of them will be blocked. For instance, if you list JANEDOE JOHNSMITH on the same line, the system will not block user JANEDOE or user JOHNSMITH from logging in. To correctly block both users, enter each username on a separate line, in this way:

JANEDOE JOHNSMITH

No reboot is required after updating the .txt files, but reading the blacklist and whitelist is not immediate. The system will read them after 60 seconds.

If there are multiple DMZs, a file must be added to each DMZ gateway.

🚀 Load balancing across active DMZ clusters for outbound file transfers

In a complex architecture composed of multiple DMZ components, load distribution can be implemented across all elements to optimize and enhance overall performance. The load can be distributed equally, either randomly or in round robin mode, on each STENG.

To manage and balance outbound file transfer loads across all active DMZ clusters with at least one active gateway, add the load-balancing-policy advanced setting by following these steps:

Go to Setup → Advanced Settings.
Click the New button and enter these fields:
1. Module: ghibli-dmz
2. Section: outbound-routes
3. Property name: load-balancing-policy
4. Property value: random (default) or roundrobin
  1. random: the STENG randomly selects which cluster to route the outbound connection to.
  2. roundrobin: the STENG sequentially cycles through all its DMZ clusters for outbound connections.
Click Confirm.

This advanced property is read at runtime and takes effect after a one-minute interval. If the key is not set, the default is set to random.

If a gateway is disabled, it will be automatically excluded from the load-balancing process.

If a new active gateway is added, it will be automatically included in the load balancing. If this active gateway belongs to a DMZ cluster configured on the peer, it will be used from the set of DMZ clusters available for selection.

PreviousDeleting a STENG NextDMZ Clusters

Last updated 17 days ago

In the DMZ Gateway section you can add, modify or delete a DMZ gateway.

DMZ Gateways can be filtered in the Filters panel on the right of the page. Entries can be filtered by Name, Internal port, Internal address, and External address.

Learn how to use the toolbar at the top of the page .

Select the 3-dot icon at the end of each result to Edit or Delete the DMZ Gateway.

To create a new DMZ Gateway, click Setup → DMZ Gateways → New and complete these properties:

Name

The Name field can only contain alphanumeric characters. The minus '-' and underscore '_' characters are accepted, as long as they are NOT at the beginning/end of the Name. For example:

DMZ_Gateway is accepted
_DMZGateway is not accepted

Other special characters are not accepted, e.g. no hash #, asterisk *, percent %, dollar sign $, ampersand &, pipe | and so on.

Description
Internal Address
External Address
Internal Port

🚀 Blocking users automatically at the DMZ level

The DMZ can be configured to reject authentication attempts from invalid users, without needing to request verification from the STENG.

To prevent unauthorized access to the DMZ, a blacklist must be created and added to an internal DMZ directory:

wlp/usr/server/dmzgw/dmz/conf/blacklist.users.txt

A whitelist can also be created and added to the same directory:

wlp/usr/server/dmzgw/dmz/conf/whitelist.users.txt

The file blacklist.users.txt contains the usernames or patterns of usernames to be blocked.

If a user is on both the blacklist and whitelist, they are allowed to access the system. If a blacklisted user attempts to log in, they will receive a bad credentials error.

In the .txt files:

Usernames are case-insensitive.
The * special character is allowed for any character, string or space.
Any spaces at the beginning or end of the line are removed.
Blank lines are removed.

Each line of the .txt file should contain either individual usernames or patterns that include multiple users. For example, you can use prim* to represent all usernames that begin with prim.

JANEDOE JOHNSMITH

No reboot is required after updating the .txt files, but reading the blacklist and whitelist is not immediate. The system will read them after 60 seconds.

If there are multiple DMZs, a file must be added to each DMZ gateway.

🚀 Load balancing across active DMZ clusters for outbound file transfers

To manage and balance outbound file transfer loads across all active DMZ clusters with at least one active gateway, add the load-balancing-policy advanced setting by following these steps:

Go to Setup → Advanced Settings.
Click the New button and enter these fields:
1. Module: ghibli-dmz
2. Section: outbound-routes
3. Property name: load-balancing-policy
4. Property value: random (default) or roundrobin
  1. random: the STENG randomly selects which cluster to route the outbound connection to.
  2. roundrobin: the STENG sequentially cycles through all its DMZ clusters for outbound connections.
Click Confirm.

This advanced property is read at runtime and takes effect after a one-minute interval. If the key is not set, the default is set to random.

If a gateway is disabled, it will be automatically excluded from the load-balancing process.