R66DMZ

For DMZ configuration, several options are available with Waarp.

1) Waarp Gateway FTP

By installing a Waarp Gateway FTP in DMZ, you can have FTP transfers from outside in connection with a Waarp R66 server installed in the DMZ too. The Gateway FTP will allow sending or receiving of file through FTP to/from outside, while the Waarp R66 will allow sending or receiving to/from internal side. The links will be made through rules, bot in Gateway FTP and in Waarp R66.

In that case, the R66 DMZ server does not need necesseraly to be accessible from outside natively, since it is accessed through FTP service.

  • Gateway FTP

    • Each put will be followed by a send file request from R66 DMZ server to an internal R66 partner
    • Each recv will be prefixed by a recv file request from R66 DMZ server to an internal R66 partner, then followed by the FTP recv file transfer

  • Waarp R66

    • Each send file request received by the R66 DMZ server from an internal R66 partner will be followed by a put request in FTP (within R66 as a task) to a remote FTP server
    • Each recv file request received by the R66 DMZ server from an internal R66 partner will be prefixed by a recv request in FTP (within R66 as a task) to a remote FTP server, then followed by the R66 internal transfer

2) Waarp R66 in forward mode

By installing a DMZ R66 server, through the rules, it could act as a forward request will full checking.

The interest is to have full checking at once for all type of transfers, without having to directly connect to internal R66 servers from outside. The drawback is that this DMZ R66 server has a full configuration (using database and all host authentications), which could lead to some issues in very high level protected area.

  • Waarp R66
    • Each send file request received by the R66 DMZ server from an internal R66 partner will be followed by a send request in R66 (within R66 as a task) to a remote R66 server
    • Each recv file request received by the R66 DMZ server from an internal R66 partner will be prefixed by a recv request in R66 (within R66 as a task) to a remote R66 server, then followed by the R66 internal transfer

3) Waarp Proxy R66

By installing a Proxy R66 server, it will forward in both ways requests directly to external or internal R66 servers.

The interest is to have a minimalist R66 server in DMZ, with no configuration that could be a source of attack. The drawback is that no control is made within this Proxy R66 server, meaning that the packet are just transmistted as is to the internal or external R66 partner. However, if some attacks as deny of service are made, this will be probably the first level of catch, then enhancing the security level of the R66 solution.

The configuration is made by pair, meaning that each listening interface (address, port, ssl mode) is linked to one and only one proxified interface (address, port, ssl mode). Therefore, let say that on internal side we have a R66 server named A, on external side a R66 server named B, the configuration will be as follow:

  • Listening B' in DMZ through address/port/SSL mode (probably none) accessible from inside, linked to B
  • Listening A' in DMZ through address/port/SSL mode (probably yes) accessible from outside, linked to A

Therefore, in A, the configuration to access to B is made through address/port/SSL mode defined in B', while the remote partner B will access to A through address/port/SSL mode defined in A'.