Communication Between Lobster_data and DMZ

General Architecture


(Figure: general architecture diagram of the DMZ setup)


A DMZ server is a separate Lobster Integration Server, on which, for security reasons, only the required communication services, such as FTP or SMTP, are executed. The firewall between the DMZ server and the internet only allows the required ports and protocols.

Communication between the DMZ server and Lobster_data in the intranet is carried out via a proprietary Lobster protocol, the Message Service. This prevents intrusion from the outside. The Message Service is an HTTP-tunnelled protocol that uses TCP/IP exclusively. See also section General Configuration.

A firewall between the DMZ server and the inner Lobster_data server is also required. It must allow communication on the configured Message Service port (usually 8020, but configurable) in both directions. In addition, HTTP requests and responses are also passed through in both directions, so the HTTP port (usually 80, but configurable) must also be open.

For maximum security, the Message Service can also be configured in pushback mode. In this case, the connection is always established from the inner server, and no incoming connections from the internet are required.

If a maximum message size is specified, or if Lobster_data should send or provide files via the DMZ server, those files need to be copied from the internal system to the DMZ server. To allow this, the firewall needs to be configured to permit FTP or SFTP connections between the inner server and the DMZ server.
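The firewall requirements above can be checked mechanically. The following is an added example (not Lobster's own code) that derives the minimal rule set for the firewall between the inner server and the DMZ server from the configuration described in this section and diffs it against the rules actually deployed. The rule model, the use of ports 21/22 for FTP/SFTP, and the assumption that pushback mode only removes the DMZ-to-inner Message Service rule are assumptions of this example.

```python
"""Audit the inner <-> DMZ firewall against the configuration described above."""
from dataclasses import dataclass

INNER, DMZ = "inner", "dmz"   # host roles on either side of the firewall


@dataclass(frozen=True)
class Rule:
    src: str     # role that opens the connection
    dst: str     # role that accepts the connection
    port: int
    proto: str   # label only, used to make the diff readable


def required_rules(msg_port=8020, http_port=80, pushback=False, file_transfer=None):
    """Minimal rule set the configuration needs.

    msg_port/http_port: configured Message Service and HTTP ports (defaults as on the page).
    pushback: Message Service in pushback mode -> the inner server always connects out,
              so no DMZ-to-inner Message Service rule is needed (assumption: HTTP pass-through
              stays bidirectional as in normal mode).
    file_transfer: None, "ftp" or "sftp" -> files are copied from the inner server to the DMZ.
    """
    rules = {Rule(INNER, DMZ, msg_port, "message-service"),
             Rule(INNER, DMZ, http_port, "http"),
             Rule(DMZ, INNER, http_port, "http")}
    if not pushback:
        rules.add(Rule(DMZ, INNER, msg_port, "message-service"))
    if file_transfer == "ftp":
        rules.add(Rule(INNER, DMZ, 21, "ftp"))      # assumed default FTP port
    elif file_transfer == "sftp":
        rules.add(Rule(INNER, DMZ, 22, "sftp"))     # assumed default SFTP port
    return rules


def audit(deployed, **cfg):
    """Return (missing, excess): rules the configuration needs but the firewall lacks,
    and rules the firewall grants that the configuration does not need."""
    need = required_rules(**cfg)
    have = set(deployed)
    return need - have, have - need


# Constructed sample rule set: Message Service and HTTP both ways, but SFTP opened in the
# wrong direction (DMZ -> inner) instead of inner -> DMZ.
DEPLOYED_EXAMPLE = [Rule(INNER, DMZ, 8020, "message-service"), Rule(DMZ, INNER, 8020, "message-service"),
                    Rule(INNER, DMZ, 80, "http"), Rule(DMZ, INNER, 80, "http"),
                    Rule(DMZ, INNER, 22, "sftp")]

if __name__ == "__main__":
    missing, excess = audit(DEPLOYED_EXAMPLE, file_transfer="sftp")
    print("missing:", missing)
    print("excess: ", excess)
```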

Using the DMZ in the Lobster_data GUI


In a Profile


The option "via DMZ" needs to be set in an Input Agent (phase 1) or a Response Route (phase 6), respectively.

In a Channel


If the option "No DMZ" is not set, the settings of the communication channel are replicated to the DMZ server.

If the option is set, the data of this channel is not passed to the DMZ server, so the channel does not exist on the DMZ server. This can be used to define channels that should not be accessible externally and are only used internally.

Kubernetes/Docker Environment


If you are running a DMZ server in a Kubernetes or Docker environment, you can set the system property -Dhub.datawizard.enableDmzIpResolving=true. This will force the DMZ server URL to always be resolved, instead of just using the initial (and possibly no longer valid) IP of the DMZ server. You must set the system property on the inner Integration Server, or on the Node Controller and all Working Nodes if you are using Load Balancing.