DMZ server

For security reasons, you can operate Lobster_data with an additional DMZ server.

Lobster_data usually operates in an intranet to provide direct and quick access to internal systems like databases, mail servers and file systems. Firewalls are used to protect the intranet from attacks from the internet. But this also locks out partners.

However, it is often desired that partners are able to deliver data themselves, e.g. by FTP or email. One option would be to instruct the IT department to set up an allow list of the IP addresses of all partners. This is tedious work and not sufficiently secure, and if a partner has no fixed IP address, this method fails completely.

This problem can be solved by using a 'Demilitarised Zone' (DMZ), a special network section placed between internet and intranet.

A DMZ can communicate both with external systems (customers/partners) and an internal system (Lobster_data in this case), while a direct communication between the external and internal system is prevented.

The DMZ also has the further advantage that during a restart of the internal server (i.e. the intranet server with Lobster_data), the system still appears operable to the outside world, because the DMZ server buffers requests and delivers them once the Lobster_data system is available again. Likewise, no outgoing data is lost if you restart the DMZ server.

Shared Folders and Ports to Be Opened (DMZ)

The message port 8020 (default) must be enabled bidirectionally between the inner Lobster_data and the DMZ server.

In addition, if the SSH module is licensed, port 22 (SSH) must be opened from the inner Lobster_data to the DMZ server; otherwise port 21 (FTP) is used instead.

To allow the DMZ server to be monitored and administered internally, it is recommended that ports 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 443 (HTTPS), 3305 (OFTP TCP), 6619 (OFTPS), 9000 (Admin Console) are opened internally to the DMZ server.

Important note: The ports mentioned are only to be opened if you actually use the respective communication and only if the standard ports have not been changed.

Important note: If two or more DMZ servers are used, a shared directory (file share) is required for folders with transaction data (./as2, ./as4, ./transfer). You need a TCP/IP load balancer that can determine which of the DMZ servers can be reached. Some firewalls can also take care of this.
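The following is an added example (not part of Lobster's documentation or software) that turns the port requirements above into a check: it builds the minimum allow list between the inner Lobster_data host and the DMZ server for a given licence and set of services in use, then audits a deployed rule set for missing flows, flows the page does not justify, and any rule that lets a non-DMZ source reach the inner server directly. Host addresses and the deployed rule set are constructed placeholders; only TCP flows are modelled.

```python
from dataclasses import dataclass

# Constructed placeholder addresses for the two hosts described on this page.
INNER_HOST = "10.0.0.10"    # inner Lobster_data server (intranet)
DMZ_HOST = "192.0.2.10"     # DMZ server (TEST-NET-1 address)

# Ports the page recommends opening internally towards the DMZ server,
# to be opened only for services that are actually in use.
ADMIN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP", 443: "HTTPS",
               3305: "OFTP TCP", 6619: "OFTPS", 9000: "Admin Console"}


@dataclass(frozen=True, order=True)
class Flow:
    """One allowed TCP connection: src may connect to port `port` on dst."""
    src: str
    dst: str
    port: int


def required_flows(ssh_licensed: bool, used_services: set[int]) -> set[Flow]:
    """Minimum allow list between inner Lobster_data and the DMZ server."""
    flows = {Flow(INNER_HOST, DMZ_HOST, 8020),   # message port, bidirectional
             Flow(DMZ_HOST, INNER_HOST, 8020)}
    # File transfer towards the DMZ: SSH if licensed, otherwise plain FTP.
    flows.add(Flow(INNER_HOST, DMZ_HOST, 22 if ssh_licensed else 21))
    # Monitoring/administration ports, restricted to the services in use.
    for port in ADMIN_PORTS.keys() & used_services:
        flows.add(Flow(INNER_HOST, DMZ_HOST, port))
    return flows


def audit(rules: set[Flow], ssh_licensed: bool, used_services: set[int]) -> dict:
    """Compare a deployed allow list with the required minimum.

    'missing': flows without which the DMZ setup cannot work.
    'excess': flows the page does not justify (least-privilege violations).
    'dmz_bypass': rules letting a non-DMZ source reach the inner server,
    which defeats the purpose of the DMZ."""
    need = required_flows(ssh_licensed, used_services)
    bypass = {r for r in rules if r.dst == INNER_HOST and r.src != DMZ_HOST}
    return {"missing": sorted(need - rules),
            "excess": sorted(rules - need - bypass),
            "dmz_bypass": sorted(bypass)}


if __name__ == "__main__":
    # Constructed sample: SSH licensed, only HTTPS and Admin Console in use,
    # but FTP is still open and an internet host may reach the inner server.
    deployed = {Flow(INNER_HOST, DMZ_HOST, 8020), Flow(DMZ_HOST, INNER_HOST, 8020),
                Flow(INNER_HOST, DMZ_HOST, 22), Flow(INNER_HOST, DMZ_HOST, 21),
                Flow(INNER_HOST, DMZ_HOST, 443), Flow("203.0.113.5", INNER_HOST, 8020)}
    for kind, flows in audit(deployed, True, {443, 9000}).items():
        print(kind, [(f.src, f.dst, f.port) for f in flows])
```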