DMZ server

For security reasons, you can operate an additional DMZ server.

The Integration Server usually operates in an intranet to provide direct and quick access to internal systems like databases, mail servers and file systems. Firewalls are used to protect the intranet from attacks from the internet. But this also locks out partners.

However, it is often desired that partners are able to deliver data themselves, e.g. by FTP or email. One option would be to instruct the IT department to set up a white list of all IP addresses of all partners. This is tedious work and not sufficiently secure. If a partner has no access to a fixed IP address, this method fails completely.

This problem can be solved by using a 'Demilitarised Zone' (DMZ), a special network section placed between internet and intranet.

A DMZ can communicate both with external systems (customers/partners) and an internal system (the inner Integration Server in this case), while a direct communication between the external and internal system is prevented.

The DMZ also has the further advantage that during a restart of the inner Integration Server, the system still appears operable to the outside world, because the DMZ server buffers incoming requests and delivers them once the inner Integration Server is available again. Likewise, no outgoing data is lost if you restart the DMZ server.

Shared folders and ports to be opened
The message port 8020 (default) must be enabled bidirectionally between the inner Integration Server and the DMZ server.

In addition, port 22 (SSH) must be opened from the inner Integration Server to the DMZ server if the SSH module is licensed; otherwise port 21 (FTP) must be opened in that direction instead.

To allow the DMZ server to be monitored and administered internally, it is recommended that ports 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 443 (HTTPS), 3305 (OFTP TCP), 6619 (OFTPS), 9000 (Admin Console) are opened internally to the DMZ server.

Important note: Of course, the ports mentioned are only to be opened if you actually use the respective communication and if there is no deviation from these standard ports.

Important note: If two or more DMZ servers are used, a shared directory (file share) is required for folders with transaction data (./as2, ./as4, ./transfer). You need a TCP/IP load balancer that can determine which of the DMZ servers can be reached. Some firewalls can also take care of this.
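As an added example (not part of the Integration Server product), the following Python derives the minimal firewall allow-list between the inner Integration Server and the DMZ server from the rules above, opening only the ports actually in use and choosing SSH or FTP depending on the licence; the addresses 10.0.0.10 (inner server), 192.0.2.10 (DMZ server) and 10.0.0.0/24 (internal network) are assumed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

# Placeholder addresses, assumed for the example; replace with your own.
INNER_IS = "10.0.0.10"       # inner Integration Server
DMZ_IS = "192.0.2.10"        # DMZ server
INTERNAL_NET = "10.0.0.0/24"  # internal network that monitors/administers the DMZ

# Ports opened internally towards the DMZ server, keyed by the service using them.
ADMIN_PORTS = {
    "ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443,
    "oftp": 3305, "oftps": 6619, "admin_console": 9000,
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    comment: str

def dmz_rules(ssh_licensed: bool, used_services: set[str], message_port: int = 8020) -> list[Rule]:
    """Return the allow rules needed between inner server and DMZ server.

    message_port defaults to 8020; pass the configured value if it deviates.
    Only services listed in used_services get an internal admin/monitoring rule.
    """
    unknown = used_services - set(ADMIN_PORTS)
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    # The message port must be open in both directions.
    rules = [
        Rule(INNER_IS, DMZ_IS, message_port, "message port, inner -> DMZ"),
        Rule(DMZ_IS, INNER_IS, message_port, "message port, DMZ -> inner"),
    ]
    # Transfer from the inner server to the DMZ: SSH (22) if licensed, else FTP (21).
    if ssh_licensed:
        rules.append(Rule(INNER_IS, DMZ_IS, 22, "SSH transfer, SSH module licensed"))
    else:
        rules.append(Rule(INNER_IS, DMZ_IS, 21, "FTP transfer, no SSH module"))
    # Internal monitoring/administration: open only what is really used.
    for name in sorted(used_services):
        rules.append(Rule(INTERNAL_NET, DMZ_IS, ADMIN_PORTS[name], f"{name} from internal network"))
    return rules

def to_nft(rules: list[Rule]) -> list[str]:
    """Render the rules as nftables-style accept lines for review."""
    return [f'ip saddr {r.src} ip daddr {r.dst} tcp dport {r.port} accept comment "{r.comment}"'
            for r in rules]

if __name__ == "__main__":
    print("\n".join(to_nft(dmz_rules(ssh_licensed=True, used_services={"https", "admin_console"}))))
```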