With regulations such as PCI DSS, Sarbanes-Oxley and HIPAA in effect, many companies are now required to put measures in place to ensure that no sensitive data is stored in the DMZ (demilitarized zone). However, for businesses that need to give outside users access to this data, whether employees working remotely or trading partners, this poses an interesting problem: how do you make data available in the DMZ without storing that data in the DMZ? The answer is DMZ file transfer streaming.
DMZ file transfer streaming is accomplished by using a feature in JSCAPE Secure FTP Server known as a Reverse Proxy. A Reverse Proxy provides a way to create a virtual directory at the user or group level and map it to the account of a remote FTP/S, SFTP or WebDAV server.
To set up DMZ streaming, an instance of JSCAPE Secure FTP Server is installed in the DMZ. A Reverse Proxy is then created in JSCAPE Secure FTP Server and mapped to an account on any FTP/S, SFTP or WebDAV server located behind the firewall. Finally, a virtual directory is created at the user or group level that maps to the Reverse Proxy created earlier.
When a user uploads a file, it is streamed from the client to the server in the DMZ and on to the server behind the firewall. Similarly, when a client attempts to download a file, it is streamed from the server behind the firewall to the server in the DMZ and then to the client. This process is completely transparent to the user. Using DMZ streaming ensures that no data is stored in the DMZ, allowing companies to meet compliance requirements while still providing external users access to data.
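
The upload path described above, sketched as an added example (not JSCAPE's code and not part of the original post): a relay copies bytes from the client-facing socket to the internal-server socket through one fixed-size memory buffer and never opens a file, so the DMZ host holds at most one chunk of payload at a time. The socketpairs standing in for the two network links, the function names and the 64 KiB chunk size are assumptions made for the demo.

```python
import hashlib
import socket
import threading

CHUNK = 64 * 1024  # assumed cap on payload bytes held in DMZ memory at once


def relay(src, dst, chunk=CHUNK):
    """Copy src -> dst through one reusable buffer; no filesystem access."""
    stats = {"bytes": 0, "peak_buffer": 0}
    view = memoryview(bytearray(chunk))
    while True:
        n = src.recv_into(view)          # read at most `chunk` bytes
        if n == 0:                       # sender closed its side
            break
        dst.sendall(view[:n])            # forward before reading any more
        stats["bytes"] += n
        stats["peak_buffer"] = max(stats["peak_buffer"], n)
    dst.shutdown(socket.SHUT_WR)         # pass end-of-file on to the internal server
    return stats


def demo_upload(payload):
    """Constructed demo: client -> DMZ relay -> internal server."""
    client, dmz_in = socket.socketpair()     # stands in for the external link
    dmz_out, internal = socket.socketpair()  # stands in for the link through the firewall
    result = {"sent_sha256": hashlib.sha256(payload).hexdigest()}

    def internal_server():
        h, total = hashlib.sha256(), 0
        while chunk := internal.recv(CHUNK):
            h.update(chunk)              # the internal server is where data lands
            total += len(chunk)
        result["stored_sha256"], result["stored_bytes"] = h.hexdigest(), total

    def dmz():
        result["relay"] = relay(dmz_in, dmz_out)

    threads = [threading.Thread(target=internal_server), threading.Thread(target=dmz)]
    for t in threads:
        t.start()
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    for t in threads:
        t.join()
    for s in (client, dmz_in, dmz_out, internal):
        s.close()
    return result
```

Calling `demo_upload()` with a multi-megabyte payload shows the internal server receiving a byte-identical file while the relay's peak buffer stays at or below `CHUNK`.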

Can you explain the licensing requirements for this setup?
Posted by: Tim | April 12, 2008 at 04:27 PM
Re: Can you explain the licensing requirements for this setup?
Yes. This depends on whether the Resource target is also a JSCAPE Secure FTP Server service, or is a service run by some other file transfer server. In the event that the target Resource is a JSCAPE Secure FTP Server service, then a minimum of 2 licenses would be needed, 1 for the JSCAPE Secure FTP Server running in the DMZ and a 2nd for the JSCAPE Secure FTP Server running behind the firewall. If the Resource target is not a JSCAPE Secure FTP Server service, then only 1 license would be needed.
Posted by: Van | May 13, 2008 at 04:32 PM
When using DMZ Streaming, can you still have triggers that are executed on the JSCAPE DMZ server that can do things with the file (PGP it, for example) if you have it set up to stream to an internal file server (that isn't JSCAPE)?
Posted by: Lance | October 02, 2008 at 10:16 AM
"When using DMZ Streaming, can you still have triggers that are executed on the JSCAPE DMZ server that can do things with the file (PGP it, for example) if you have it set up to stream to an internal file server (that isn't JSCAPE)?"
Triggers will be executed; however, you can only run actions that are local to the JSCAPE server running in the DMZ. For example, you could not PGP a file that resides on the remote server. To do this you would need to have 2 instances of JSCAPE Secure FTP Server running. 1 would reside in the DMZ and stream data to the internal file server; the second (your internal file server) would have a Trigger that responds to the File Upload event and PGP encrypts the file.
Posted by: Van | October 02, 2008 at 10:37 AM