DMZ Gateway

Version 21.0.8222

ArcESB can receive secure connections through a demilitarized zone (DMZ) gateway. Using a DMZ protects corporate firewalls and maintains network security by funneling all external connection attempts to the DMZ.

Note: This feature is currently only available when using the embedded web server included with the Windows edition of ArcESB.

How the Gateway Works

ArcESB supports establishing an SSH reverse tunnel to receive data sent to the DMZ. Here’s how it works:

  • An SSH server sits in the DMZ and transfers data between ArcESB and external trading partners.
  • ArcESB connects to this SSH server and opens an SSH reverse tunnel on any open port (for example, port 7777).
  • Once the tunnel has been opened, the SSH server forwards any traffic it receives on port 7777 directly to ArcESB.
  • Trading partners connect to the SSH server and send any data intended for ArcESB to port 7777.
  • The data is forwarded from the SSH server to ArcESB using the SSH standard for transport security.

This configuration allows trading partners to send arbitrary business data to ArcESB while only ever having access to the SSH server in the DMZ.

Setting Up the Gateway

Follow these steps to enable DMZ gateway support:

  1. Install an SSH server in the DMZ or choose a DMZ with an SSH server already installed—for example, an Amazon Machine Instance pre-loaded with an SSH server, or a free OpenSSH server implementation installed on a DMZ machine.

  2. Enable port forwarding in the SSH server. To do this, open the server’s sshd_config file and set GatewayPorts to yes.

  3. Right-click the ArcESB icon in the system tray, select Server Options, and navigate to the Cloud Gateway tab.

  4. Select the Enable Cloud Gateway checkbox.

  5. In the Server section, configure the connection settings for the SSH server sitting in the DMZ.

  6. In the Forwarded Port section, set the Forwarding Port to the port on the SSH server to use when forwarding data to ArcESB.

  7. Click the Test Connection button to verify that the connection is successful.

  8. Restart the ArcESB embedded web server to automatically open an SSH reverse tunnel on the specified port.

After the above steps are complete, provide trading partners with connection details to the SSH server in the DMZ. Instruct them to send data to this SSH server on the port specified by Forwarding Port instead of the default port (22).
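
Step 2 sets GatewayPorts for the whole SSH server, so every account that can log in may expose a forwarded port on all interfaces. The fragment below is an added example, not part of the ArcESB documentation, showing that setting beside a version scoped to a single tunnel account. It assumes an OpenSSH server (7.8 or later, for PermitListen), a hypothetical account named arcesb-tunnel that ArcESB uses to connect, and the example port 7777 from above.

```conf
# sshd_config on the DMZ SSH server (added example; OpenSSH 7.8+ assumed)

# Setting from step 2 applied globally: any account that can authenticate
# may bind a reverse-forwarded port on every interface of the DMZ host.
#GatewayPorts yes

# Scoped alternative: forwarding is off by default for all accounts.
# Assumption: no other account on this host needs port forwarding.
GatewayPorts no
AllowTcpForwarding no

# "arcesb-tunnel" is a hypothetical account name; use the account
# configured in the Server section of the Cloud Gateway tab.
Match User arcesb-tunnel
    # Let this account's reverse tunnel listen on external interfaces,
    # which is what trading partners need to reach it.
    GatewayPorts yes
    # Allow reverse (remote) forwarding only, not local forwarding.
    AllowTcpForwarding remote
    # Only the Forwarding Port may be opened (7777 is the page's example).
    PermitListen 7777
    # The tunnel account does not need a terminal, X11, or agent forwarding.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
```

Run `sshd -t` to check the file for syntax errors before restarting the SSH service, then repeat the Test Connection step.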

Maintaining the Gateway

ArcESB automatically opens the gateway when the server (re)starts. ArcESB also handles reconnecting to the SSH server if the connection is dropped for any reason. No user maintenance is required to keep the gateway up and running.